Sage DNA Data Management User Guide r12.0 CA Role & Compliance Manager

Upload: phamdat

Post on 13-May-2018


Sage DNA Data Management User Guide

r12.0

CA Role & Compliance Manager

This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies.

The right to print copies of the documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2009 CA. All rights reserved.

Contact CA

Contact Technical Support

For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:

■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about CA product documentation, you can send a message to [email protected].

If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA support website, found at http://ca.com/support.

CA Product References

This document references the following CA products:

■ CA Role & Compliance Manager (CA Role & Compliance Manager)
■ CA Identity Manager

Contents

Chapter 1: Introduction ........ 9
  About this Guide ........ 9
  Audience ........ 10
  Role Based Access Control (RBAC) ........ 10
  Basic Concepts and Architecture ........ 11
  Sage's Technology ........ 13
  Typical Processes ........ 14

Chapter 2: Sage DNA Data Management ........ 17
  Accessing Sage DNA Data Management ........ 17
  The Sage DNA Data Management Menu Bar ........ 18
    File Menu ........ 18
    View Menu ........ 19
    Import and Export Menus ........ 20
    Management Menu ........ 21
    UUID Menu ........ 21
    Batch Menu ........ 21
    Help Menu ........ 21

Chapter 3: Import and Export Menus ........ 23
  Supported Import and Export Platforms ........ 24
  CSV Files Converter ........ 26
    Import from CSV Files ........ 26
    Export to CSV Files ........ 32
    CSV Mapper Utility ........ 34
  Active Directory Converter ........ 35
    Import from Active Directory ........ 36
    Export Active Directory ........ 43
  RACF Converter ........ 45
    Import from RACF ........ 46
    Export to RACF ........ 48
  MS-SQL Converter ........ 50
    Import from MS-SQL ........ 50
    Export to MS SQL ........ 52
  TIM2Sage Converter ........ 56
    Prerequisites ........ 56
    Importing from ITIM ........ 57
    Exporting to ITIM ........ 62
  Control SA Converter ........ 65
    Importing from Control SA to Sage ........ 65
    Exporting from Sage to Control SA ........ 72
  SAP to Sage Converter ........ 73
    Mapping SAP Data to Sage ........ 74
    Running the SAP to Sage Converter ........ 77
  Generic LDIF to Sage Converter ........ 80
  Import from TSS ........ 84
  Import from UNIX ........ 87
  Import Windows Shared Folder ........ 88
    Mapping Windows Share Data to Sage ........ 89
  BMC Identity Manager Open Services ........ 91
    Importing from BMC Identity Management ........ 92
    Exporting to BMC Identity Management ........ 96
  Oracle Identity Manager ........ 97
    Updating Oracle Identity Manager Client JARs ........ 98
    Importing from Oracle Identity Manager ........ 101
    Exporting from Sage to Oracle Identity Manager ........ 106

Chapter 4: Management Menu ........ 109
  Enrich Users Database ........ 110
  Enrich Resource Database ........ 112
  Preserving Columns During Enrichment ........ 113
  Sage Database Utility ........ 115

Chapter 5: Unique User ID (UUID) Menu ........ 117
  The UUID Interface ........ 118
  UUID Work Process ........ 119
  Prepare Company HR and Systems Data ........ 120
  Set Java Package Directory ........ 120
  Working Directories ........ 120
    Create and Assign Working Directories ........ 122
  User Databases ........ 123
    Master vs. Other Databases ........ 124
    Adding New Databases ........ 128
    Adding Databases from XML Files ........ 130
    Editing Database UUID-Fields ........ 131
    Removing Databases ........ 133
    Indexing the Databases ........ 134
  UUID Mapping File ........ 135
  Match Process ........ 136
  Merge Process ........ 138

Chapter 6: UUID Indexing Functions ........ 139
  UDB Fields Referencing ........ 139
  Lookup Functions ........ 139
  String Functions ........ 140
  Telephone Number Functions ........ 143
  Name Functions ........ 144
  Email Address Functions ........ 145
  Address Functions ........ 146
  Function Composition ........ 147
  User-Defined Functions ........ 148

Chapter 7: CA Role & Compliance Manager Web Services Interface ........ 151
  Policy Functions ........ 151
  SageLinkBPRService ........ 152
    Add Link Checks ........ 152
    Remove Link Checks ........ 152
  SageBasicService ........ 153
    Documents Functions ........ 153
    Entities Database Functions ........ 153
    Configuration Functions ........ 153
    Sage Policy Functions ........ 155
  SageDataService ........ 155
    Sage Documents Functions ........ 155
    Sage Databases Functions ........ 155
    Sage Configuration Functions ........ 156
    Other Sage Retrieval Functions ........ 156
    Remove Link Checks ........ 156
  SageDiffService ........ 157
    Sage Entities Differences ........ 157
    All Entities and Links Differences ........ 157
  SageEntitiesCommonService ........ 157
    Sage User Commonalities ........ 157
    Sage Roles Commonalities ........ 158
    Sage Resources Commonalities ........ 158
  SageEntitiesDiffService ........ 158
    Sage Users Differences ........ 158
    Sage Roles Differences ........ 159
    Sage Resources Differences ........ 159
  SageEntitiesDataService ........ 159
    Sage User Links ........ 159
    Sage Role Links ........ 160
    Sage Resource Links ........ 160
  Example Usage of Sage Web Services ........ 161
    Open a Sage Configuration (SageDataService) ........ 161
    Save a Sage Configuration to the Database (SageBasicService) ........ 162
    Compare Two Sage Configurations (SageDiffService) ........ 162
    View Entity Changes between Configurations (SageEntitiesDiffService) ........ 163
    Get Entity Commonalities (SageEntitiesCommonService) ........ 163
    View Link Information for Entities (SageEntitiesDataService) ........ 163

Chapter 1: Introduction

Most modern enterprise software systems, such as ERP, CRM, portals and security management, and even operating systems and network operating systems, are role-based, and they necessarily rely on accurate and effective specification of roles.

Implementing role-based systems in an enterprise-level system is a significant undertaking. Creating a role specification from scratch is complex. Porting various legacy specifications from existing systems is difficult due to different and incompatible environments and conventions. Dynamic corporate environments replete with periodic restructuring, mergers, relocation and flexible employee mobility all contribute to the problematic nature of maintaining a coherent access specification.

This chapter introduces the CA Role & Compliance Manager Sage Discovery and Audit solution to meet this challenge.

This section contains the following topics:

About this Guide (see page 9)
Audience (see page 10)
Role Based Access Control (RBAC) (see page 10)
Basic Concepts and Architecture (see page 11)
Sage's Technology (see page 13)
Typical Processes (see page 14)

About this Guide

This guide describes operations and options that are unique to the Sage DNA Data Management module. It specifically treats the operations performed from within the Import, Export and Management menus. In the Management menu the unique options include Enrich Users DB and Enrich Resources DB. All other operations that can be performed from within the Sage DNA Data Management module are common to the Sage DNA module and are described in the Sage DNA manual.

Audience

This guide is intended for Role Engineers who are responsible for the installation of Sage software, downloading and uploading of users and resources databases, role discovery and audit operations. Role Engineers are typically well-trained professionals who are familiar with the target organization. This guide assumes that the Role Engineer has had professional training on a Sage system and is familiar with the Sage documentation that accompanied the Sage installation package.

Familiarity with the Microsoft operating system and applications and relevant peripheral and remote equipment is also assumed.

Role Based Access Control (RBAC)

Role Based Access Control (RBAC) is a project of the National Institute of Standards and Technology (NIST) and is intended to create a comprehensive access security model for the structure and operation of enterprise-level organizations in a high technology environment. RBAC has now reached maturity and has been mandated or recommended for implementation by industry regulations worldwide.

In RBAC, users have roles that provide them with permissions to perform defined operations, such as read/write, on objects, such as computer files. RBAC incorporates the principles of separation of duties and organizational hierarchy into its model. Separation of duties prohibits a user with a certain job function from serving in another job function at the same time. Hierarchy reflects the layered role structure of large organizations but also facilitates administration and role creation by allowing rights to flow down from senior to junior roles. The following diagram describes the RBAC model:

Basic Concepts and Architecture

Sage implements RBAC standards without affecting an organization's on-going operation. Sage implements the concept of a sandbox to separate Sage's operation from the organization's on-going security environment (production server). The assumption is that when working with Sage, existing access definitions must first be imported into a sandbox. A sandbox is an offline PC computer on which Sage is installed where role discovery and audit activities are performed without affecting current operations of the organization. All work on discovering new or refining existing access definitions is performed in the Sage environment.

Sage defines roles as a group of users that have a common set of privileges. By users, Sage refers to people or functions: employees, customers, suppliers, representatives, and so on. A resource is a specific right of access that may be an operation or object in formal RBAC terms. Thus, a resource can be as specific as a particular access right (Read/Write/Execute) to a specific file in a specific file system on a specific machine, and it can also be used to provide a model for access to a computer system (such as a user group on that machine). A privilege is a connection between a user and a resource, indicating that this user possesses a specific access right. A role can include a set of users and a set of resources, with the semantics being that all users in the user set are allowed access to all resources in the resource set.

Most of Sage's work is performed within a proprietary Sage configuration that is automatically created when access data is imported into Sage. By configuration, Sage means a data structure that holds a snapshot of the definition of users, resources and roles (if already defined) as well as the relevant relationships (privileges) between them.

The following shows the Sage architecture and how it relates to existing systems in your enterprise:

Sage's Technology

Sage is based on advanced pattern recognition technology. Sage provides a comprehensive set of highly sophisticated solutions to the challenges that organizations face when implementing and maintaining role-based management.

Core Technology

An important innovation of Sage lies in the observation that role-based management revolves around patterns of privileges and access. As such, even in an organization where privileges are not currently managed by roles, the actual assignment of privileges roughly follows role-based patterns. Similarly, deviations and exceptions should be detectable when they do not follow the same patterns.

Sage's technology is designed to uncover the patterns that are hidden in existing sets of privileges. This is not trivial, since the number of excessive privileges may sometimes reach 50% of the total number of privileges. Many users may also be under-privileged or wrongly-privileged. Furthermore, the problem is extremely complex due to the sheer number of user accounts typical of large enterprises. Sage combines a set of pattern recognition techniques and other advanced algorithms and applies them to the special challenges of roles management.
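A toy model of the configuration defined under Basic Concepts and Architecture (users, resources, privileges, and roles whose user set is allowed every resource in the role's resource set), with simple checks for the excessive and under-privileged accounts that the Core Technology passage describes and for the separation-of-duties principle from the RBAC section. This is an added example, not Sage's own code or discovery algorithm; the user names, resources, role names and conflict policy are constructed.

```python
"""Toy model of a Sage-style configuration with three basic audit checks.

Added example, not Sage's code or algorithm: a role is a user set plus a
resource set, meaning every user in the set holds every resource in the set.
The checks report direct privileges that no role explains (candidates for
the excessive privileges the text mentions), role members lacking a resource
their role grants (under-privileged users), and users holding two roles
declared mutually exclusive (separation of duties).  All data is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    users: frozenset
    resources: frozenset


@dataclass
class Configuration:
    """Snapshot of users, resources, roles and the privileges between them."""
    users: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    privileges: set = field(default_factory=set)  # (user, resource) pairs
    roles: list = field(default_factory=list)

    def add_privilege(self, user, resource):
        # A privilege links a known user to a known resource; reject anything else.
        if user not in self.users or resource not in self.resources:
            raise ValueError(f"unknown user or resource: {user!r}, {resource!r}")
        self.privileges.add((user, resource))

    def role_implied_privileges(self):
        """Cross product of each role's user set and resource set."""
        implied = set()
        for role in self.roles:
            implied |= {(u, r) for u in role.users for r in role.resources}
        return implied

    def unexplained_privileges(self):
        """Direct privileges that no role accounts for (candidates for excess)."""
        return self.privileges - self.role_implied_privileges()

    def under_privileged(self):
        """(user, resource, role) where a role member lacks a resource the role grants."""
        missing = []
        for role in self.roles:
            for u in sorted(role.users):
                for r in sorted(role.resources):
                    if (u, r) not in self.privileges:
                        missing.append((u, r, role.name))
        return missing

    def sod_violations(self, conflicting_pairs):
        """Users who hold both roles of a pair declared mutually exclusive."""
        by_name = {role.name: role for role in self.roles}
        hits = []
        for a, b in conflicting_pairs:
            for u in sorted(by_name[a].users & by_name[b].users):
                hits.append((u, a, b))
        return hits

    def excess_ratio(self):
        """Share of direct privileges not explained by any role."""
        if not self.privileges:
            return 0.0
        return len(self.unexplained_privileges()) / len(self.privileges)


def constructed_configuration():
    """Constructed sample: a finance role, an approver role and stray privileges."""
    cfg = Configuration()
    cfg.users = {"alice", "bob", "carol", "dave"}
    cfg.resources = {"GL:read", "GL:write", "AP:approve", "HR:read"}
    for user, resource in [
        ("alice", "GL:read"), ("alice", "GL:write"), ("alice", "AP:approve"),
        ("bob", "GL:read"), ("bob", "GL:write"),
        ("carol", "GL:read"),   # carol lacks the GL:write her role grants
        ("dave", "HR:read"),    # dave holds a privilege no role explains
    ]:
        cfg.add_privilege(user, resource)
    cfg.roles.append(Role("Finance Clerk", frozenset({"alice", "bob", "carol"}),
                          frozenset({"GL:read", "GL:write"})))
    cfg.roles.append(Role("AP Approver", frozenset({"alice"}),
                          frozenset({"AP:approve"})))
    return cfg


SOD_CONFLICTS = [("Finance Clerk", "AP Approver")]  # constructed policy


if __name__ == "__main__":
    cfg = constructed_configuration()
    print("unexplained:", sorted(cfg.unexplained_privileges()))
    print("under-privileged:", cfg.under_privileged())
    print("SoD violations:", cfg.sod_violations(SOD_CONFLICTS))
    print(f"excess ratio: {cfg.excess_ratio():.2f}")
```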

Other Technology Components

In addition to this core technology, CA has developed substantial additional technology that is required to deploy a full solution:

■ Sage products use sophisticated algorithms that help the user make intelligent decisions, while hiding most of the complexity of the problems they address.
■ Sage products use sophisticated data structures and algorithms in order to reduce the CPU and memory load to the point where a Sage project can be fully implemented on a single PC.
■ Sage architecture is designed to allow easy mapping of privileges data from virtually any ACL-based platform/application, including most operating systems, databases, directories, applications, and of course, identity management and provisioning systems.
■ Sage's user-friendly interface facilitates importing privileges data from a common or proprietary platform and exporting processed data and role definitions to this or another target platform.

Typical Processes

The following are the main processes when working with Sage (refer to chapter 4 for a more detailed description):

Import

In a typical implementation, the Role Engineer first imports current access data from the security administration server. Source documents would include a users database file, resources database file, roles file (if existing) and possibly one or more files describing the relationship between one or more entities (users, resources, roles). Using a direct communications link to the production server, Sage enables the importing of data from a variety of formats including: CSV, SQL, and RACF. Sage creates its own Sage “configuration” document, which contains the known user, role, and resource information.

Role Discovery

The role discovery process enables the discovery of roles that were not explicitly defined in the source data as well as the refining of existing roles. Sage's role discovery tools include searching for and proposing: basic roles, obvious roles, roles that are almost perfect matches of other roles and identifying role hierarchy. These options contain sub-menus that enable fine-tuning Sage's discovery algorithm to adapt it to the specific configuration that is being analyzed. The results of running these Sage options are Sage's proposals for role definitions. These roles must be individually examined to determine their appropriateness and validity for the organization.

Audit

Sage's basic auditing tools apply Sage's internal logic and built-in algorithms to an existing configuration to analyze and identify many types of non-conformities or suspicions related to users, roles, and resources. The Role Engineer can apply individual tools to analyze a configuration or can run a comprehensive audit. The output of an audit is the AuditCard, which contains a list of all suspicious records and the type of suspicion involved (currently about 50 different types). The AuditCard also contains a built-in mechanism for tracking progress until resolution is achieved.

Sage Policy Compliance

The Sage Policy Compliance module is an additional audit tool that enables formulating a unique set of Business Process Rules (BPR) that represent various constraints on privileges. These rules are formulated independently of a specific Sage configuration and can then be applied to different configurations.

Export

Prior to uploading a processed Sage configuration to the organization's production server, the differences between the original source data and the processed Sage configuration are examined using a built-in Sage option. After verifying the differences and making any necessary changes, the configuration data is directly exported from the Sage interface to the production computer's format. The export eliminates cross-platform conversion problems.

Chapter 2: Sage DNA Data Management

This section contains the following topics:

Accessing Sage DNA Data Management (see page 17)
The Sage DNA Data Management Menu Bar (see page 18)

Accessing Sage DNA Data Management

You can access the Sage DNA Data Management application from the Windows Start menu or from within the Sage Portal client. The Sage DNA Data Management application opens as follows:

To access Sage DNA Data Management from the Windows Start menu

Click Start, All Programs, CA Role & Compliance Manager ERM, CA Role & Compliance Manager Data Management Vnumber. The Sage DNA Data Management window opens.

To access Sage DNA Data Management from the Sage Portal Client

1. Click Start, All Programs, CA Role & Compliance Manager ERM, CA Role & Compliance Manager Portal Client.

   The Sage Portal Client opens to the home page.

2. Click the Data Management icon that appears on the home page.

   The Sage DNA Data Management window opens.

The Sage DNA Data Management Menu Bar

The menu bar provides access to most Sage options. The menu bar is organized by function and includes the following main items: File, View, Import, Export, Management, Batch, and Help. To avoid navigating complex menu systems, the most commonly-used Sage options are represented by icons on the toolbar. However, not all options are included on the menu bar or toolbar.

File Menu

The File menu contains the following options for file handling and connecting to external systems and peripheral equipment:

■ Open Sage documents from a file
■ Open Sage documents from a database back-end
■ Configuration enrichment and merger operations
■ Operation of Sage batch functions

The operations in the Sage DNA Data Management File menu are identical to those described for Sage DNA. Refer to documentation in Chapter 5 File Menu in the CA Role & Compliance Manager Sage DNA User Guide.

View Menu

The View menu provides the following functions:

■ Determine how data is displayed in the active document window
■ Review the log file generated by Sage, to look for possible errors that were encountered during operation
■ Review properties and statistics for the active document window
■ Switch view to a related document, such as the udb of the current configuration
■ Explore connections of a selected set of entities

The operations in the Sage DNA Data Management View menu are identical to those described for Sage DNA. Refer to documentation in Chapter 7 View Menu in the CA Role & Compliance Manager Sage DNA User Guide.

Import and Export Menus

The Import and Export menus provide support for importing and exporting User and User Privilege information to and from Sage DNA Data Management.

The Import menu provides support for importing from the following file types and platforms:

■ CSV files
■ LDIF files
■ SQL Database
■ Active Directory
■ RACF
■ TSS
■ Unix
■ SAP
■ Windows Shared Folder
■ ITIM V4.5 and V4.6
■ Control SA

The Export menu provides support for exporting to the following file types and platforms:

■ Active Directory
■ RACF
■ SQL Database
■ CSV files
■ ITIM V4.5 and V4.6
■ Control SA

More information:

Import and Export Menus (see page 23)

Management Menu

The Management menu supports functionality for:

■ Enriching Users and Resource databases
■ Evaluating User databases
■ Merging Configurations, User databases, Resource databases, and Audit Cards
■ Trimming and comparing Configurations

More information:

Management Menu (see page 109)

UUID Menu

The UUID menu lets you access the Unique User ID utility. Use this utility to consolidate related or duplicate user accounts from the different directories in your environment.

Batch Menu

The Batch menu supports functionality for:

■ Executing a Batch Command file

The operations in the Sage DNA Data Management Batch menu are identical to those described for Executing a Batch File in Sage DNA. See Chapter 5 in the CA Role & Compliance Manager Sage DNA User Guide.

Help Menu

Only version and license information is available under this menu.

Chapter 3: Import and Export Menus

Importing and exporting user and user privileges information to and from Sage is performed by Sage DNA Data Management. The import process transfers user information into Sage from the native security systems on which it resides. The export process returns the information to the native security systems after creating and modifying roles in Sage DNA.

Sage DNA Data Management provides a number of converters through which user information is processed. These import and export facilities represent the most common operating systems used on the native security systems.

The converters are located in the Import and Export menus of Sage DNA Data Management. The following screen shows the Import and Export menus:

This section contains the following topics:

Supported Import and Export Platforms (see page 24)
CSV Files Converter (see page 26)
Active Directory Converter (see page 35)
RACF Converter (see page 45)
MS-SQL Converter (see page 50)
TIM2Sage Converter (see page 56)
Control SA Converter (see page 65)
SAP to Sage Converter (see page 73)
Generic LDIF to Sage Converter (see page 80)
Import from TSS (see page 84)
Import from UNIX (see page 87)
Import Windows Shared Folder (see page 88)
BMC Identity Manager Open Services (see page 91)
Oracle Identity Manager (see page 97)


Supported Import and Export Platforms

The Import and Export menus provide support for importing and exporting

user and user Privilege information to and from Sage DNA Data Management.

To access either the Sage Import or Export converters

1. From the Sage DNA Data Management menu bar, select either Import or

Export.

The menu opens and lists the Import/Export converters.


2. Select the converter that you want to use.

The selected converter opens.

The Import menu provides support for importing from the following file types

and platforms:

■ CSV files

■ LDIF files

■ SQL Database

■ Active Directory

■ RACF

■ TSS

■ Unix

■ SAP

■ Windows Shared Folder

■ ITIM V4.5 and V4.6

■ Control SA

The Export menu provides support for exporting to the following file types and

platforms:

■ Active Directory

■ RACF

■ SQL Database

■ CSV files

■ ITIM V4.5 and V4.6

■ Control SA


CSV Files Converter

Import from CSV Files

It is often convenient to convert information about users and privileges from

native security systems into simple CSV files. The CSV (Comma Separated

Values) format is the most common import and export format for spreadsheets

and databases. CSV files can then be manipulated and extended using simple

tools such as Excel, if necessary. Sage has its own converter that takes several

CSV files as input and creates a Sage configuration.

Typically, the Sage CSV converter uses several CSV files as input, with each

individual file representing one entity type (such as users and resources

databases) or one relation between two entity types (roles). Some of the files

are optional and if not specified at the time of import will be assumed to be

empty. The converter produces one output file, which is the Sage configuration

file.

Note: The UsersDB and ResDB files are not created and are assumed to be

provided in the same CSV format as used in a Sage configuration.

Entity Files

Users database

The first row in the entity file must be a header row. Each subsequent row

represents a single user, where the row contains the following fields:

■ PersonID - the key, and must be unique

■ UserName

■ Organization

■ Organization Type

■ Field 1 to Field n (optional)


Resources database

The first row in the entity file must be a header row. Each subsequent row represents a single resource and contains the following fields, where the combination of Resource Name 1, 2, and 3 is the key and is assumed to be unique:

■ Resource Name 1

■ Resource Name 2

■ Resource Name 3

■ Field 1 to Field n (optional)

Roles

The Roles entity file does not require a header row. There is one row per role definition, each with the following fields:

■ Role Name - must be unique

■ Role Description

■ Role Organization

■ Role Owner


Relations Files

User-Resource Connections

The User-Resource Connections entity file does not require a header row.

The file requires one row per connection, each with the following fields:

■ PersonID

■ Resource Name 1

■ Resource Name 2

■ Resource Name 3

Role-Resource Connections

The Role-Resource Connections entity file does not require a header row.

The file requires one row per connection, each with the following fields:

■ RoleID

■ Resource Name 1

■ Resource Name 2

■ Resource Name 3

CSV Files Converter

Chapter 3: Import and Export Menus 29

User-Role Connections

The User-Role Connections entity file does not require a header row. The

file requires one row per connection, each with the following fields:

■ PersonID

■ Role Name

Role-Role Connections

The Role-Role Connections entity file does not require a header row. The

file requires one row per connection, each with the following fields:

■ Role Name (parent)

■ Role Name (child)
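The file layouts above are easy to get subtly wrong (a missing header row, a duplicate PersonID, a connection that names a role no roles file defines), and the converter only reports such defects in its log after the run. The following validator, an added example in Python that is not part of the product, applies the rules stated in this section to a set of constructed sample files before they are handed to the converter: the users and resources files must start with a header row, PersonID, Role Name and the Resource Name 1/2/3 triple must be unique, and every connection row must refer to an entity that exists. The sample data and the semicolon separator are constructed for the example.

```python
import csv
import io
from collections import Counter

# Separator used in the constructed samples; the converter also accepts commas.
SEP = ";"

# Constructed sample files that follow the layouts described above. The users
# and resources files start with a header row; roles and connection files do not.
USERS_CSV = """PersonID;UserName;Organization;Organization Type;Department
u001;alice;Finance;Business;Accounts Payable
u002;bob;IT;Support;Helpdesk
u001;alice2;Finance;Business;Treasury
"""
RESOURCES_CSV = """Resource Name 1;Resource Name 2;Resource Name 3;Owner
SAP;FI_POST;Active Directory;finance-owner
SHARE;fs01-payroll;Active Directory;hr-owner
"""
ROLES_CSV = """AP Clerk;Accounts payable posting;Finance;alice
Helpdesk;Service desk staff;IT;bob
"""
USER_RES_CSV = """u001;SAP;FI_POST;Active Directory
u002;SHARE;fs01-payroll;Active Directory
u999;SAP;FI_POST;Active Directory
"""
USER_ROLE_CSV = """u001;AP Clerk
u002;Helpdesk
u002;Auditor
"""
ROLE_RES_CSV = "AP Clerk;SAP;FI_POST;Active Directory\n"
ROLE_ROLE_CSV = "Helpdesk;AP Clerk\n"


def parse(text, sep=SEP, header=False):
    """Parse CSV text into (header_row_or_None, data_rows), skipping blank rows."""
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=sep) if r]
    if header:
        return (rows[0] if rows else None), rows[1:]
    return None, rows


def validate(users_csv, resources_csv, roles_csv, user_res_csv,
             user_role_csv, role_res_csv, role_role_csv, sep=SEP):
    """Return a list of problems the converter would otherwise report in its log."""
    problems = []
    users_hdr, users = parse(users_csv, sep, header=True)
    res_hdr, resources = parse(resources_csv, sep, header=True)
    _, roles = parse(roles_csv, sep)
    _, user_res = parse(user_res_csv, sep)
    _, user_role = parse(user_role_csv, sep)
    _, role_res = parse(role_res_csv, sep)
    _, role_role = parse(role_role_csv, sep)

    if not users_hdr or users_hdr[0] != "PersonID":
        problems.append("users file: first row must be a header starting with PersonID")
    if not res_hdr or len(res_hdr) < 3:
        problems.append("resources file: header must have three Resource Name columns")

    # Key uniqueness: PersonID, the Resource Name 1/2/3 triple, and Role Name.
    for label, keys in (("PersonID", Counter(r[0] for r in users)),
                        ("resource key", Counter(tuple(r[:3]) for r in resources)),
                        ("Role Name", Counter(r[0] for r in roles))):
        for key, n in keys.items():
            if n > 1:
                problems.append(f"duplicate {label} {key!r} appears {n} times")

    # Minimum field counts: users need PersonID, UserName, Organization and
    # Organization Type; roles need Name, Description, Organization and Owner.
    for r in users:
        if len(r) < 4:
            problems.append(f"user row has fewer than 4 fields: {r}")
    for r in roles:
        if len(r) < 4:
            problems.append(f"role row has fewer than 4 fields: {r}")

    # Referential checks: every connection must point at an existing entity.
    person_ids = {r[0] for r in users}
    res_keys = {tuple(r[:3]) for r in resources}
    role_names = {r[0] for r in roles}
    for r in user_res:
        if r[0] not in person_ids:
            problems.append(f"user-resource connection: unknown PersonID {r[0]!r}")
        if tuple(r[1:4]) not in res_keys:
            problems.append(f"user-resource connection: unknown resource {tuple(r[1:4])!r}")
    for r in user_role:
        if r[0] not in person_ids:
            problems.append(f"user-role connection: unknown PersonID {r[0]!r}")
        if r[1] not in role_names:
            problems.append(f"user-role connection: unknown Role Name {r[1]!r}")
    for r in role_res:
        if r[0] not in role_names:
            problems.append(f"role-resource connection: unknown Role Name {r[0]!r}")
        if tuple(r[1:4]) not in res_keys:
            problems.append(f"role-resource connection: unknown resource {tuple(r[1:4])!r}")
    for r in role_role:
        for name in (r[0], r[1]):
            if name not in role_names:
                problems.append(f"role-role connection: unknown Role Name {name!r}")
    return problems


def check_sample():
    """Run the validator over the constructed sample files."""
    return validate(USERS_CSV, RESOURCES_CSV, ROLES_CSV, USER_RES_CSV,
                    USER_ROLE_CSV, ROLE_RES_CSV, ROLE_ROLE_CSV)


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

On the sample data the validator reports the duplicated PersonID u001, the user-resource row for the undefined user u999, and the user-role row that names the undefined role Auditor; with those three rows corrected it returns an empty list.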


Import a CSV File

To import a Sage Configuration from a CSV file

1. Click Import, CSV file from the list.

The Importing to Sage Configuration from CSV Files window opens. See the following example of a completed window:

The following table describes how to complete the fields:

Field Description

Sage Configuration File: Fill in the name of a new configuration file or use the Browse button to select the existing configuration file to which to write the imported data.

Users Database: Fill in the name and path of the source file that contains the users database data. The file can be a standard Sage users database (.udb) or a CSV (.txt) file.

Resources Database: Fill in the name and path of the source file that contains the resources database data. The file can be a standard Sage resources database (.rdb) or a CSV (.txt) file.

Roles: Fill in the name and path of the source file that contains the role data, generally a CSV (.txt) file. A Browse button is provided for convenience.

User-Resource Connections: Fill in the name and path of the source file that contains the user-resource connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

User-Role Connections: Fill in the name and path of the source file that contains the user-role connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

Role-Resource Connections: Fill in the name and path of the source file that contains the role-resource connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

Role Hierarchy Connections: Fill in the name and path of the source file that contains the role hierarchy connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

Separate by Commas / Separate by Semicolons: Select the option that indicates which character is used as the separator in the CSV file.

2. Fill in the import window fields as indicated in the table.

Note: Some of the inputs may remain empty. For example, if you import

from a system that does not yet have roles, then you leave the roles file

and all the role connections files fields clear. The output is a Sage

configuration file that can then be opened to perform role discovery and

audit activities.

During the import process, Sage creates a log file in the Sage Logs folder.

This log file is separate from the Sage main log file, and is named

according to Sage's naming convention, which follows:

SageCSVConverter_<username>_<date>_<time>.log. This log file

contains all the errors and misconfigurations that Sage has encountered.

Sage will prompt you to view this log file when the import is finished.

At the end of the conversion process, a message is displayed that indicates

whether errors were detected.


Important! In case of errors, review the log file to ensure that it does not

contain material warnings. The configuration file does not automatically open.

3. To open the configuration file, from the File menu select Open from File, and navigate to the target folder to open it.

Export to CSV Files

Sage can convert a configuration file to CSV files for uploading to an external

security system.

To export a configuration to CSV files

1. Click Export, Export to CSV Files.

The Exporting from Sage Configuration to CSV Files window opens. See the

following example of a completed window.

The following table describes how to complete the fields:

Field Description

Sage Configuration File: Use the Browse button to select the configuration file from which CSV files are to be created.

Roles: Fill in the name and path of the target file that will contain the role data. A Browse button is provided for convenience.

User-Resource Connections: Fill in the name and path of the target file that will contain the user-resource connections. A Browse button is provided for convenience.

User-Role Connections: Fill in the name and path of the target file that will contain the user-role connections. A Browse button is provided for convenience.

Role-Resource Connections: Fill in the name and path of the target file that will contain the role-resource connections. A Browse button is provided for convenience.

Role Hierarchy Connections: Fill in the name and path of the target file that will contain the role hierarchy connections. A Browse button is provided for convenience.

Role ID as Number: This option is available for compatibility with previous versions of Sage where a role was identified by a Role ID (number). Otherwise, it should be unchecked.

2. Complete the export window fields as indicated in the table.

A maximum of five CSV files can be uploaded to the external security system. These text files can be examined using Notepad or any text editor.

During the export process, Sage DNA Data Management creates a log file in the Sage Logs folder. This log file is separate from the Sage main log file, and is named according to Sage's naming convention SageCSVConverter_<username>_<date>_<time>.log. This log file contains all the errors and misconfigurations that Sage has encountered. Sage prompts you to view this log file when the export is finished.

At the end of the conversion process, a message is displayed that indicates whether errors were detected.

Important! Review the log file to ensure that it does not contain material warnings.


CSV Mapper Utility

The CSV Mapper Utility allows you to extract user and resource data from any CSV file and map that data to create Sage Configuration files and User and Resource databases. The utility does not identify any role relationship that may exist between the Users and Resources in the CSV file.

To map a CSV file to Sage entities

1. Click Import, CSV Mapper Utility.

The CA Role & Compliance Manager CSV Mapper window opens. See the

following example of a completed CSV Mapper window.

The following table describes how to complete the fields:

Field Description

Source CSV: Type or Browse for the path and name of the CSV file that contains the source data.

Field Separator: Type the character that is used as a field separator in the Source CSV file.

Target CFG: Fill in the name and path of the target CFG file. A Browse button is provided for convenience.

Target UDB: Fill in the name and path of the target Users Database. A Browse button is provided for convenience.

Target RDB: Fill in the name and path of the target Resource Database. A Browse button is provided for convenience.

User Name: Select the column that matches the position of the User Name in the Source CSV file.

Resource Name I: Select the column that matches the position of the 1st Resource Name in the Source CSV file.

Resource Name II: Select the column that matches the position of the 2nd Resource Name in the Source CSV file.

Resource Name III: Select the column that matches the position of the 3rd Resource Name in the Source CSV file.

2. Complete the fields in the CA Role & Compliance Manager CSV Mapper

window as indicated in the table.

3. Click Convert.

The CSV Mapper Utility creates each of the CFG, UDB, RDB files and

locates them as indicated in the CSV Mapper Utility.

Active Directory Converter

Active Directory (AD) is a Microsoft directory service for storing information

about network-based entities, such as users, groups, applications, files, and

printers. It is the central authority that manages the identities and brokers the

relationships between these distributed resources, thereby enabling them to

work together. It is a mechanism for managing the identities and relationships

of the distributed resources that make up network environments. Since Active

Directory is the central authority for network security, enabling the operating

system to verify a user's identity and control access to network resources, it is

the natural point from which to download users, groups and resources

information into Sage.

After performing role discovery, analysis, definition and audit in Sage, you can

export the new roles, and other changes that were made in the configuration,

back into Active Directory.


Import from Active Directory

Sage allows importing from one or more AD servers. Importing from multiple

servers is useful when there are frequent cross-links between them. At the

moment, Sage can export to only a single AD server.

To import from an Active Directory

1. Click Import, Import from Active Directory.

The Active Directory Wizard opens.

The following table describes how to complete the fields:

Field Description

Credentials

Server Address (IP/Domain Name): Identify the server(s) from which the data is being imported.

Secure Authentication: When selected, Sage uses the Login Name and Password used to log in to Windows.

Login Name (NT Domain/User): Record the login name.

Password: Record the password.

Port: Sage assumes the port is 389 by default. This is the well-known port for LDAP. Change it if necessary.

Output Files

Configuration: The name of the Sage configuration to be created as a result of the import process.

UsersDB: The name of the Sage Users database file to be created.

Resources DB: The name of the Sage Resources database file to be created.

Mapping File: The name of an XML file that describes the mapping of AD attributes to Sage entities. This file is usually saved after the first time a new mapping is provided.


2. Fill in the fields in the Active Directory Wizard as indicated in the table.

3. For each AD server from which you wish to import, provide the IP/Domain

Name, as well as port and login credentials.

4. For each server, click Set to accept.

5. To remove, select the relevant entry in the table on the right, and click

Remove.

Passwords are not kept in the registry, so when returning to an AD import

page, most values will be kept, but not the password.

6. Select the relevant entry again in the table, enter the password on the left,

and press Set. Do the same for each AD server.

7. Click Next to continue.

A window similar to the following opens:

8. Navigate to the points in the directory from which information will be

imported (the bases), in this case the respective “DC”. Note that it is

possible to import specific containers from each of the imported AD

servers.

9. Decide what to import. Field descriptions follow:

Field Description

Groups as Roles

All Groups as Roles: Activate this radio button if all groups are to be considered as Sage roles. In this case, Sage will import role hierarchy connections for groups that are members of other groups.

All Groups as Resources: Activate this radio button if all groups are to be considered as resources. In this case, group membership will be "flattened" automatically by Sage, i.e., users will show as members of a group even if they are a member of a "parent" group of that group.

Identify Roles by: If you have activated this radio button, mark the check boxes for importing.

Sage Roles, Nested Groups, Distribution Groups, Security Groups, Universal Groups, Global Groups, Domain Local Groups, Local Groups: Mark the appropriate check boxes for your import. Sage roles are roles marked as such by Sage during a preceding export. Nested Groups: in this mode, primitive groups (i.e., groups that are not parents of other groups) will be imported as resources, and parent groups will be imported as Sage roles. All the other options denote types of AD groups that the user may wish to import as Sage roles. Note that it is possible to check more than one option.

Only import groups directly linked with users: When checked, this option disables import of groups that do not have any users as members. Note that it will also not import groups that have other groups as members.

Find cross domain links and verify object links: This option activates a third pass of the Sage AD import, in which Sage searches for missing links that are likely associated with external objects and adds stubs that represent the latter.

Add extended debug logging: When not selected, the Sage log file only includes Error messages. When selected, the Sage log file includes Error messages and Warning messages. This can significantly increase the size of the log file.
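The group options above decide how much of the AD group graph ends up as roles versus resources, and they interact: "All Groups as Roles" keeps the nesting as role hierarchy links, "All Groups as Resources" flattens it, "Nested Groups" splits groups by whether they contain other groups, and "Only import groups directly linked with users" drops groups with no direct user members or with group members. The following Python is an added example, not part of the product, that applies each of these rules to a small constructed directory snapshot so the effect of each option can be compared side by side. The group names and memberships are invented; a member is written "u:" for a user and "g:" for a nested group.

```python
# Constructed directory snapshot: group name -> direct members. A member is
# written "u:<user>" or "g:<group>"; the names and links are invented.
GROUPS = {
    "Finance-All": ["g:AP-Clerks", "g:AP-Managers"],
    "AP-Clerks": ["u:alice", "u:bob"],
    "AP-Managers": ["u:carol"],
    "Printers-East": ["g:Empty-Sub"],
    "Empty-Sub": [],
}


def direct_users(name, groups):
    """Users that are direct members of the group."""
    return {m[2:] for m in groups.get(name, []) if m.startswith("u:")}


def child_groups(name, groups):
    """Groups that are direct members of the group."""
    return [m[2:] for m in groups.get(name, []) if m.startswith("g:")]


def flattened_users(name, groups, _seen=None):
    """'All Groups as Resources' view: a user is a member of a group if they belong
    to it directly or through any chain of nested groups. Cycles are tolerated."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    users = direct_users(name, groups)
    for child in child_groups(name, groups):
        users |= flattened_users(child, groups, _seen)
    return users


def classify_nested(groups):
    """'Nested Groups' mode: groups that contain other groups become Sage roles,
    primitive groups (no child groups) become resources. Returns (roles, resources)."""
    roles = {g for g in groups if child_groups(g, groups)}
    return roles, set(groups) - roles


def role_hierarchy(groups):
    """'All Groups as Roles': one (parent, child) role hierarchy link per nested group."""
    return [(g, c) for g in groups for c in child_groups(g, groups)]


def directly_linked_only(groups):
    """'Only import groups directly linked with users': keep groups that have at
    least one user as a direct member and no groups as members."""
    return {g for g in groups if direct_users(g, groups) and not child_groups(g, groups)}


if __name__ == "__main__":
    print("flattened Finance-All:", sorted(flattened_users("Finance-All", GROUPS)))
    print("nested mode (roles, resources):", classify_nested(GROUPS))
    print("role hierarchy links:", role_hierarchy(GROUPS))
    print("directly linked only:", sorted(directly_linked_only(GROUPS)))
```

Note that with "Only import groups directly linked with users" the parent group Finance-All is dropped even though every one of its effective members is a user, because its direct members are groups; if that hierarchy matters for role discovery, import it under "All Groups as Roles" or "Nested Groups" instead.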


10. Click Next to continue.

A mapping window for Users attributes appears. Similar windows, for Roles

and Resources appear in subsequent steps.

In these windows, fields of each entity type (users, roles and resources)

may be associated with their corresponding Active Directory attribute. The

result of each mapping operation is displayed in the mapping window.

11. To activate the mapping, select the line associated with the Sage attribute

in the mapping table on the right.

12. Use one of several mechanisms to specify the mapping as below, and

press Set to activate.

13. When mapping AD attributes to Sage entities, take special care to import

unique values into Sage keys, i.e., users' PersonID, roles' Role Name, and

resources' combination of ResName1, 2, and 3.

14. To enable proper mapping of imported attributes back into AD in an export process, import the CN and DN using the Object Name attributes.

Note: Sage imports up to 127 characters for each field, and logs alerts for

objects that exceed such limitation.

Field descriptions follow:

Field Description

Data Mapping

Attribute: You choose which of the attributes in the User schema shall be associated.

Object Name: You choose specific pre-designated schema attributes and/or combinations thereof. CN and DN map to the respective schema attributes. CNi maps to the i-th part of the object's DN, from right to left (i.e., based on the hierarchy), beginning from the first container after the DC values. DNi maps to the i-th part of the object's DCs.

Constant Field: You can choose to map a constant field into a Sage field. For example, it is often preferred to map the string "Active Directory" to Res Name 3.

Empty Field: This allows you to leave a Sage field empty. This is also the initial default.

Configuration Entity Field Name: You can choose to provide a title to a Sage field.

Set Person ID to Upper Case (Users only): Mark the check box to convert to upper case the identifiers brought into the Sage users PersonID field. This is useful when dealing with several systems where this key identifier may appear in various case variants.

Ignore Disabled Users check box (Users only): Mark the check box to ignore users that are marked as disabled in AD.

Output Files

Configuration: The name of the target Sage configuration file (usually a new configuration file). A Browse button is provided for convenience.

Users DB: The name of the target Sage users database (usually a new database). A Browse button is provided for convenience.

Resources DB: The name of the target Sage resources database (usually a new database). A Browse button is provided for convenience.


15. After mapping the fields of all entities, Sage prompts you to save the

mapping into a reusable XML file.

A similar window displays to let you map roles.

When done, Sage starts the import, showing the progress of the import

process. There are three steps to the import process:

■ Import of objects – in this pass, Sage imports all users, roles, and

resources objects

■ Import of links – in this pass, Sage imports all links between objects

■ Verify links – in this pass, Sage complements the configuration with

external objects that are linked to configuration objects. Sage creates

a "stub" for each external object.

When the import process is completed, a message appears providing

statistics on the data that was imported to Sage.

16. Click OK.

During the import process, Sage creates a log file in the Sage Logs folder. This

log file is separate from the Sage main log file, and is named according to

Sage's naming convention

SageADConverter_<username>_<date>_<time>.log. This log file contains all

the errors and mis-configurations that Sage has encountered. Sage prompts

you to view this log file when the import is finished.

Important! Review the log file to ensure that it does not contain material

warnings.


Export Active Directory

The process for exporting your modified Sage configuration data to your Active

Directory server is very similar to that for importing Active Directory

information into Sage DNA. The process differs in the following ways:

■ Only the differences between the imported configuration and the modified

configuration are exported to the Active Directory server. This means that

you need to compare the two configurations and generate a Differences

Report file. You use the Differences Log file as input for the Export process.

■ You can export to only a single Active Directory server at a time.

To export data from Sage DNA Data Management to an Active

Directory server

1. Click Management, Compare Configurations.

The Compare Configurations window opens.

2. Compare your original configuration file to your updated configuration file

and generate a Differences Log file.

3. From the Export menu select Export to Active Directory.

The Active Directory Wizard opens to Step 1.


4. Fill in the Credentials as described for the Import from Active Directory

process.

Note: The export process only supports exporting to a single Active

Directory server at a time.

5. In the Input Files group box, enter the path and file name of the

Differences Log File containing the data to export to the Active Directory

server.

6. Click the Next button to advance to the Set Conversion Options step.

7. From within the Options Group box select the Options that are relevant to

your configuration, and click Next.

The Search Active Directory Objects step in the wizard appears:


8. On each of the Users, Roles and Resources tabs, map the Sage Entities to

the appropriate Active Directory Attributes.

9. On each of the Users, Roles, and Resources tabs select the location in the

Active Directory to house new Users, Roles and Resources.

10. When appropriate, select the correct DN and CN values for the target

Active Directory from the DN and CN drop down lists.

11. Click Finish to export the modified data to the Active Directory server.

More information:

Import from Active Directory (see page 36)

RACF Converter

The Resource Access Control Facility (RACF) is a security component for IBM

mainframe computers that works together with the existing operating system

to provide system security, resource access control, auditability, accountability

and administrative control. As such, it is the main repository for users, roles

and resources data on mainframe computers.

The main input to the Sage RACF import option requires downloading access

data from RACF using the IRRDBU00 unload utility. This generated text file

should then be segmented according to various line types, each representing a

different type of entity and/or connections. You can add enriched data about

users attributes (for example, from the human resources department

database).

The output is a Sage configuration, with RACF groups appearing as Sage roles

and with RACF profiles as Sage resources.


Import from RACF

To import data from RACF into Sage

1. Click Import, Import from RACF.

The Importing to Sage Configuration from RACF Files window appears. A

completed example of this window follows:

Use the following instructions to complete the fields:

Field Description

Sage Files

Configuration Files Directory: Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience.

Users Database: Enter the name and folder of the target Sage users database. A Browse button is provided for convenience.

Resources Database: Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience.

Options

RACF Platform Name: Record the RACF platform name.

Groups as Roles radio button: Activate the radio button if Sage is to convert groups to Sage roles. Do not activate the radio button if Sage is not to convert groups to Sage roles.

Groups as Resources radio button: Activate the radio button if Sage is to convert groups to resources. Do not activate the radio button if Sage is not to convert groups to resources.

Generate Sage Role for UACC permission check box: Mark the Generate Sage Role for UACC permission check box to have Sage generate a role for Universal Access (UACC) permission. Clear the check box to prevent Sage from generating a role for Universal Access (UACC) permission.

Add ACL Entities check box: Mark the Add ACL Entities check box to process Application Control Language (ACL) scripts. Clear the check box to prevent Sage from processing Application Control Language (ACL) scripts.

Ignore Revoked Users: Mark the Ignore Revoked Users check box to prevent Sage from processing users that are flagged as Revoked by RACF. Clear the check box to disregard the Revoked Users flag on RACF and have Sage process such users.

Input HR file: Record the name of the file containing supplementary users' data, if any.

Input RACF Download File: A text file that is generated by running the IRRDBU00 Unload utility. The file contains lines that refer to the Users, Groups, Data Set Profiles and General Resource Profiles. These lines will be converted into Sage users, Sage Resources and Sage Roles.


In the example, all input types are located in the same file name.

Alternatively, input can be divided into separate files depending on line

types. This is done mainly for performance purposes.

2. Click Convert to import.

The configuration is created in the target folder but is not automatically

opened by Sage.

3. To open the file, on the menu bar, select File, Open From File.

If any errors result from the import process, then a Sage message

appears. Check any errors in the SageRACFConverterXXX.log file located in

the Sage Logs folder.
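The RACF import takes one IRRDBU00 unload, or the same unload split into one file per line type, which the section above says is mainly done for performance. Splitting it is simple because IRRDBU00 puts the record type in the first four columns of every line. The following Python is an added example, not part of the product, that segments an unload by record type into separate files and shows how an "Ignore Revoked Users" style filter would drop revoked 0200 (user basic data) records before conversion. The record type codes in RECORD_TYPES are the standard IRRDBU00 record types; everything after the type code in the sample lines, including the column used as the revoke flag, is constructed for the example and does not reproduce the real record layouts.

```python
import os
from collections import defaultdict

# The record type occupies the first four columns of every IRRDBU00 unload line.
# These codes are the standard IRRDBU00 record types; the remaining columns of
# the sample lines below are constructed and do not reproduce the real layouts.
RECORD_TYPES = {
    "0100": "group_basic",
    "0102": "group_members",
    "0200": "user_basic",
    "0203": "user_group_connections",
    "0400": "dataset_basic",
    "0404": "dataset_access",
    "0500": "general_resource_basic",
    "0505": "general_resource_access",
}

# Constructed sample unload. In this sample a "Y" at index REVOKE_COL of a 0200
# record marks a revoked user (an assumption for the example, not the real layout).
REVOKE_COL = 14
SAMPLE_UNLOAD = "\n".join([
    "0100 FINANCE  Finance department group",
    "0102 FINANCE  ALICE",
    "0102 FINANCE  BOB",
    f"0200 {'ALICE':<9}N Alice Smith",
    f"0200 {'BOB':<9}Y Bob Jones",
    "0203 ALICE    FINANCE",
    "0400 PAYROLL.MASTER  FINANCE",
    "0404 PAYROLL.MASTER  FINANCE  UPDATE",
    "0505 FACILITY BPX.SUPERUSER  ALICE  READ",
    "9999 unknown record type kept aside by the example",
]) + "\n"


def segment_unload(text):
    """Group unload lines by record type (descriptive name); unknown types go to 'other'."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        buckets[RECORD_TYPES.get(line[:4], "other")].append(line)
    return dict(buckets)


def drop_revoked_users(user_lines, revoke_col=REVOKE_COL):
    """'Ignore Revoked Users': keep only 0200 records whose revoke flag is not 'Y'."""
    return [ln for ln in user_lines if len(ln) <= revoke_col or ln[revoke_col] != "Y"]


def write_segments(buckets, out_dir):
    """Write one text file per record type (e.g. out_dir/user_basic.txt); returns the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = {}
    for kind, lines in buckets.items():
        path = os.path.join(out_dir, f"{kind}.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        paths[kind] = path
    return paths


if __name__ == "__main__":
    buckets = segment_unload(SAMPLE_UNLOAD)
    buckets["user_basic"] = drop_revoked_users(buckets["user_basic"])
    for kind, lines in buckets.items():
        print(f"{kind}: {len(lines)} record(s)")
    print(write_segments(buckets, "unload_segments"))
```

The "other" bucket is worth inspecting rather than discarding: a record type the converter does not expect is usually a sign that the unload was produced with different options than the import was configured for.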

Export to RACF

Exporting involves the reverse process of importing.

To export data from Sage into RACF

1. Click Export, Export to RACF.

The following window opens:


The following table describes the fields in the Export to RACF window.

In some cases the Export to RACF process only creates partial commands.

This occurs primarily for commands that require the creation of new

accounts. The output cannot be used as is and you must then complete the

missing details in the exported file.

Field Description

Files

Sage Differences File: Enter the name and folder of the Sage differences file. A Browse button is provided for convenience.

RACF Command File: Enter the name and folder of the RACF command file. A Browse button is provided for convenience.

RACF Restore File: Enter the name and folder of the RACF restore file. A Browse button is provided for convenience.

Show Result file check box: Mark the check box to show the results file. Unmark the check box not to show the results file.

Options

■ Add User

■ Add Role

■ Add Resource

■ Add User-Resource Connection

■ Add User-Role Connection

■ Add Role-Resource Connection

■ Add Role-Role Connection

■ Remove User

■ Remove Role

■ Remove Resource

■ Remove User-Resource Connection

■ Remove User-Role Connection

■ Remove Role-Resource Connection

■ Remove Role-Role Connection

Mark a check box to activate that option in the RACF export file. Unmark the check box not to activate the option in the RACF export file.

Note: Either the Add or the Remove check box must be marked, but not both.

If a differences file is being used when exporting to RACF, then it will first

have to be generated.

2. Click Convert to export.


MS-SQL Converter

This section provides instructions for importing from an MS-SQL database and

exporting to an MS-SQL database. This option enables user, role and resource

data in an SQL database to be used as data for creating a Sage configuration

for role discovery and audit purposes. When a processed Sage configuration is

exported back to MS-SQL, the configuration is divided into its component parts

in a format that is compatible with MS-SQL. Later, the Role Engineer can make

minor changes directly on the SQL database using the Open from Database

and Save to Database options. See Chapter 5 in the CA Role & Compliance

Manager Sage DNA User Guide.

Import from MS-SQL

To import data from MS-SQL into Sage

1. Click Import, Import from SQL Database.

The following window opens:

2. Fill in the required information, and click Next.

The following table describes how to complete the fields:

Field Description

Destination Database Type: Only MS SQL is available at this time.

Server: Identify the server from which the data is being imported.

Database: Identify the name of the database that is being imported.

Windows Authentication: Select to use Windows Authentication privileges for the User Name and Password.

Overwrite Database Files: This option is grayed out and is not available when importing files.

User name: Enter the User Name required to log onto the MS SQL Database.

Password: Enter the Password required to log onto the MS SQL Database.

The following window opens:

The following table describes how to complete the fields:

Field Description

Configuration Files Directory: Enter the configuration name and folder in which the resulting Sage configuration shall reside.

Process Audit Cards: This check box is only available if Sage AuditCards are associated with the configuration. Mark the Process Audit Cards check box: if AuditCards already exist for the configuration that will be receiving the imported data, the existing AuditCards will be processed to verify the status of the previously suspected records. Unmark the Process Audit Cards check box: existing AuditCards will not be processed.

Configuration: Mark the name of the database to which data is being imported. A Browse button is provided for convenience.

3. Specify values and click Next.

4. The import process begins, and a progress bar appears on-screen. When

done, the newly imported configuration can be opened from the target

folder.

Export to MS SQL

To export data from Sage to MS-SQL

1. Click Export, Export to SQL Database.

The following window opens:

The following table describes how to complete the fields:

Field Description

Configuration Files Directory: Enter the configuration name and folder of the Sage configuration file to be exported. A Browse button is provided for convenience.

Process Audit Cards check box: This check box is only available if AuditCards are associated with the configuration. Mark the Process Audit Cards check box if Sage audit data exists for the configuration and you want the data to reside on the target computer too. Unmark the Process Audit Cards check box if it is not necessary to copy the Sage audit data to the target computer.

Configuration check boxes: Mark the name of the database that is being exported.

2. Click Next to continue.

3. The Choose Destination Database window opens:


The following table describes the fields:

Field Description

Destination Database Type: Only MS SQL is available at this time.

Server: Identify the server to which the data is being exported.

Database: Identify the name of the database to which the data is being exported.

Windows Authentication: Select to use your Windows Authentication privileges in place of the User Name and Password.

Overwrite Database Files: Mark the check box to overwrite any existing database files. Unmark the check box not to overwrite any existing database files.

User name: Enter the User Name required to log onto the MS-SQL Database.

Password: Enter the Password required to log onto the MS-SQL Database.

Use Bulk Insert: Select Bulk Insert to load the configuration content in bulk. Select Create Local Share for Temporary Files to allow the system to copy the configuration data to a temporary file. Select Use Remote Share Directory to specify the location to which configuration data is copied prior to being loaded onto the database.


4. Click Next.

The export process begins, and a progress bar appears on-screen. Refer to the following window.

5. Click Finish to complete the export process.

The following is a typical set of Sage-compatible SQL files after a Sage configuration has been exported to MS-SQL.

6. Verify that similar files are present on the target computer after exporting a configuration.


TIM2Sage Converter

This converter is provided by CA Role & Compliance Manager, and uses the TIM Java-based API to convert TIM privileges data into Sage configurations. The converter maps TIM users, roles, accounts, provisioning policies, services, and groups into Sage. It allows mapping different TIM fields to Sage fields. Once the initial mapping setup is complete, re-running this interface requires only a few clicks.

Prerequisites

This converter supports the following:

■ IBM TIM versions 4.5 and 4.6

■ WebSphere application server version 5.1 and Java version 1.4.2

■ Runs on Windows OS


Importing from ITIM

Importing from ITIM to Sage requires the following steps:

1. Provide information about the TIM and WebSphere environments (kept in TIM configuration format)

2. Map TIM fields into Sage fields (kept in XML configuration format)

3. Convert to Sage's standard CSV format and then to a Sage configuration

The process for importing from ITIM V4.5 and ITIM V4.6 is identical. However, you must use the import option that is suitable for each version. The following description uses ITIM V4.5. You may also use existing connection and mapping XML files, and run a conversion by clicking the “Convert” button.

To import from ITIM V4.5

1. Click Import, Import from ITIM V4.5.

The ITIM to Sage Converter window opens.


Provide the TIM and WebSphere Connection Details

To provide connection details

1. In the Connection group box, click “Edit” to set the ITIM connection details.

2. Provide TIM credentials.

3. Provide the application server home directory (for example “C:\IBM\WebSphere\AppServer”).

4. Provide the TIM home directory (for example “C:\IBM\itim”).

5. Provide the location of the file called “jaas_login_was.conf”, which is located under “%itim home%\extensions\examples\apps\bin”.

6. Provide the location of the Java executable files (the jar and batch files received with the converter).

7. Save these parameters in an XML file for reuse.

8. Click Done, then save changes to return to the converter window.

9. Click “Test Connection” to test the TIM connection.


To load a previously stored ITIM Credentials file

1. Click Itim Connection file, Open.

2. Select the XML file that contains the previously stored ITIM credentials information:

All Credentials information is reloaded.

3. Click Done, then Save to return to the converter window.


Map TIM Fields into Sage Fields

To map TIM fields to Sage fields

1. In the Mapping group box, click Edit to set the mapping details.

2. Click Properties file, Open (lower part of the screen) and select the XML properties file.

3. Map TIM attributes to Sage fields. Save these settings for reuse.

4. Provide the location of the Sage executable file and a directory for temporary files.

5. Click Done to return to the converter window, and then click Convert to create the Sage configuration.

To load previously saved information about the field mapping

1. Click Edit Mapping.

2. The Field Mapping window appears:


3. Click Map file, Open (lower part of the screen) and select your previously saved “xml” map file.

4. Finally, consider enriching the data with a separate HR extract. Use Sage's “Enrich UsersDB” for that purpose.

5. Click Done, then Save to return to the converter window.


Exporting to ITIM

Sage DNA Data Management supports exporting to ITIM Versions 4.5 and 4.6. Input for the export process is similar to that described for Importing from ITIM. Exporting to V4.5 and V4.6 is identical other than choosing the appropriate item from the Export to ITIM menu. This section uses ITIM V4.5 to illustrate the export process.

Exporting to ITIM requires the following:

■ Provide information about the TIM and WebSphere environments (kept in TIM configuration format)

■ Map TIM fields into Sage fields (kept in XML configuration format)

■ Create a Sage Differences file by comparing the original configuration to the modified configuration.

To export to ITIM V4.5

1. Compare the original configuration created from the import ITIM to Sage process to the modified configuration, and create a Differences file. The Differences file lists the differences in a form that can be accepted by ITIM.

2. Click Export, Export to ITIM V4.5.

The Sage to ITIM converter opens.


A Connection Details File was created as part of the Import from ITIM process. In the ITIM Connection section of the window, enter the Path and Name of the Connection Details File if it exists.

3. If the Connection Details File is missing, then click Edit.

The ITIM to Sage Converter window opens.

4. Enter the ITIM Login Details and Java Configuration details.

In the Field Mapping section, enter the Path and Name of the Mapping Details file if it exists. If you do not have a current Mapping Details File, click Edit.

The Attribute Mapping window opens.


The Entities Mapping section contains several tabs: Person, Role, Service and Policy. On each tab, map the Sage User Fields to the appropriate TIM Person Attribute by selecting entries from the TIM Person Attribute and Sage User Field drop down lists.

5. Click Add to add the selections to the list.

6. On the Policy tab, do the following:

a. Set the Scope from the Scope drop down list.

b. Set the Priority level in the Priority edit field.

c. Select the Policy Enabled check box to indicate that the Policy is enabled.

7. From the Actions to Perform section, select the check box for each action you want to perform during the export process.

8. In the Addition Options section, select the check boxes for any of the options you want to perform. These include:

■ Force service removal from policies

■ Force removal of linked entities

■ Map app-roles to provisioning policies.

9. In the Map XML File section, provide a name for the mapping file and save the file for future use.

10. Click Done.

You return to the Sage to ITIM converter.

11. In the Source Sage Difference Log section, enter the Path and Name of the Differences Log file created as a result of the Compare Configurations process.

12. Click Convert.

A command line window opens and provides information on the converter's progress.

More information:

Map TIM Fields into Sage Fields (see page 60)


Control SA Converter

The Sage-Control-SA Converter provides you with the capability to integrate Eurekify Sage ERM and Control-SA by automatically synchronizing the role-based privileges data between the two systems. Using the Sage-Control SA converter provides a means for you to either import data from Control SA to Sage or export data from Sage to Control SA. Sage DNA Data Management supports the import and export between the two systems by either:

■ Entering data in the Sage DNA Data Management GUI

■ Running command line Batch commands.

Sage DNA and Control SA use different but parallel terminology for components and entities in each of their configurations and files. Use the following table to familiarize yourself with the terminology used in each environment for their respective components and entities.

Sage DNA Terminology    Control SA Terminology
User                    Person
Role                    Job Code
Resource                User Group

The converter produces an XML file that maps the ESS (Enterprise SecurityStation) person, job code, profile, groups and accounts entities to Sage users, role, resource and link entities. This Map xml file is only used as part of the Import process.

Importing from Control SA to Sage

Importing data from Control SA to Sage is performed as a two step process:

1. Generate ESS data text files for all relevant tables.

2. Convert the text files into a Sage configuration.


Generating ESS Data Text Files

Generating ESS data text files is performed on the ESS system by running the Batch.sh command on a series of *.inp files, where each inp file contains data for a specific ESS entity type. Running the Batch.sh command produces a *.orig file for each of the treated entities in the form of a semicolon separated text file.

ESS export batch commands include:

■ ess batchrun -A -F2 -i Read_Person.inp -D Person_data -L ';'

■ ess batchrun -A -F2 -i Read_Profile.inp -D Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Group.inp -D Group_data -L ';'

■ ess batchrun -A -F2 -i Read_Profile_Profile.inp -D Profile_Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Group_Profile.inp -D Group_Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Person_Profile.inp -D Person_Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Person_Group.inp -D Person_Group_data -L ';'

Where each inp file contains the respective ESS command, such as:

■ read_all * from ent_user;

■ read_all * from job_code;

■ read_all * from user_group;

■ read_all * from jc_jc;

■ read_all * from ug_jc;

■ read_all * from user_jc;

■ read_all user_id ug_name rss_name rss_type from ru_ug;

To run the Batch.sh command

1. Make sure you are the ESS owner.

If you are not the ESS owner, then edit the Batch.sh file by changing the -A option as follows:

-U user -P password

2. Run the Batch.sh command.

This should result in producing 7 text files, one for each entity:

■ Person_data;

■ Profile_data;

■ Group_data;

■ Profile_Profile_data;

■ Group_Profile_data;

■ Person_Profile_data;

■ Person_Group_data

Convert Text Files into Sage Configurations

You convert each of the created text files into Sage configuration files by running the Import Control SA converter. This is conducted from within CA Role & Compliance Manager DNA Data Management.

To convert ESS data text files into Sage Configuration files

1. Make sure that the ESS data text files are transferred to the computer on which you have installed Sage DNA Data Management.

2. Click Import, Import from Control SA.

The Control SA Convert window opens.


3. In the Input Files group box, enter the path and file name for each of the respective ESS text files.

4. Select the Get orphan accounts as Sage users check box where the Person-UG Link File contains accounts without associated Users, called Orphan Accounts, and you want those accounts to be associated to Sage Users.

5. In the Map Fields group box, enter the Path and Name of the MapXML File if it exists. If the file already exists, then click the Browse button to locate the file. The Map XML file contains the details that map the attribute columns in the ESS table files to their respective field columns in the Sage Configuration file. If you do not have a current Mapping Fields File, click Edit.

The Field Mapping window opens.


6. The Entities Field group box contains several tabs: User, Role, and Resource. Each tab lists the entity field names as they appear for each entity in the Sage configuration.

7. Use the edit field next to each field name to enter the ESS table file column value that contains data to be matched to the listed Sage field.

8. If the ESS table files contain header lines, then select the "Person, job code and group files have header lines" check box, and enter the appropriate name for each column in the adjacent edit field. If the ESS table files do not contain header lines, then do not select the check box, and enter the index value (1 based scale) for the ESS table column that contains the matching data.

9. In the Map xml File group box, enter the path and name of the Output map file. You must include the xml extension as part of the file name.

10. Click Save to save the Map xml file.

11. Click Done to return to the Control SA Convert window.

The Map xml file name now appears in the Map XML File field.

12. In the Output Sage Files group box, enter the path and file name for each of the Sage configuration files: one for each of the Configuration entities, Users DB and Res DB.

13. In the Sage Executable group box, enter the location of the Sage DNA Data Management executable file.

14. Click Save to save the parameters as an XML file, and return to convert the files at a later point.

15. Click Convert to run the converter and produce the Sage configuration files.

When the conversion process is complete, a Done message appears to confirm successful operation.

16. Click Open to browse and load an XML file containing saved parameters.


Executing a Batch Process

You can convert a cluster of ESS text files by running the converter executable from the command line. The input for each set of ESS text files must be saved as a separate XML file. The content of the XML file would appear similar to:

<?xml version="1.0" encoding="utf-8"?>
<Parm>
  <PersonFile>CT-SA converter\Persons.txt</PersonFile>
  <JCFile>CT-SA convertor\Job_Codes.txt</JCFile>
  <UGFile>CT-SA convertor\UserGroups_all.txt</UGFile>
  <PersonJCFile>CT-SA convertor\Person_JC.txt</PersonJCFile>
  <PersonUGFile>CT-SA convertor\Person_UserGroup.txt</PersonUGFile>
  <JCUGFile>CT-SA convertor\JC_UserGroup.txt</JCUGFile>
  <JCJCFile>CT-SA convertor\JC_JC.txt</JCJCFile>
  <cfgFile>CT-SA convertor\bmc.cfg</cfgFile>
  <udbFile>CT-SA convertor\bmc.udb</udbFile>
  <rdbFile>CT-SA convertor\bmc.rdb</rdbFile>
  <exeFile>C:\Program Files\Eurekify\Eurekify Sage Client Tools V3.0\Software\EurekifySageDM-V30.exe</exeFile>
</Parm>


Exporting from Sage to Control SA

Sage DNA Data Management supports exporting to CONTROL-SA via ESS batch. Exporting to CONTROL-SA requires the following:

■ Generate a Sage diff log file by comparing two Sage configurations. The diff log must contain all the operations which should be reflected in ESS.

■ Use the export application to generate ESS batch text files.

■ In ESS, run the generated files and perform all operations.

To export to Control SA

1. Compare the original configuration created from the import CONTROL-SA to Sage process to the modified configuration, and create a Differences file.

2. Click Export, Export to Control SA.

The Control SA Export window opens.

3. In the Sage Diff File group box, provide the path and name of the Sage Diff log file.

4. In the Output group box, provide the location for creating the desired target ESS batch file.

5. Optionally, mark the "Generate temp Job Codes" check box to reflect Sage direct user-resource links as temporary job codes (profiles) in ESS. If this check box is not marked, direct user-resource links will not be loaded to ESS.

6. Click Save to save these parameters as an XML file.

7. Click Open to browse for a saved XML file and populate the window with the parameters saved in the selected XML file.

8. Click Convert to execute the conversion process and produce the ESS formatted command file.

A Done message appears to indicate the process was successfully completed.

9. Execute the generated command file in ESS to reflect the operations.


Generated Commands

The following list includes some examples of the ESS commands generated by the converter.

Create a new role:

INSERT job_code WITH jc_name="Sage Role 1002";

Link a user to the role:

CONNECT ent_user TO job_code WITH jc_name="Sage Role 1002", user_id="335675";

Link a user group (resource) to the role:

CONNECT user_group TO job_code WITH jc_name="Sage Role 1002", ug_name="CN=CLA,OU=SecurityGroups,OU=Groups,DC=com", rss_name="AD", rss_type="Win2000";
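As an added example (not the converter's own code), the following Python builds these three statement shapes from a constructed, simplified list of diff-log operations, applies the "Generate temp Job Codes" option described under Exporting from Sage to Control SA, and refuses field values that could end the quoted ESS argument or the statement early. The diff-log tuple layout and the "Sage Temp JC n" naming are assumptions, since the page documents neither.

```python
import re

# Constructed diff-log operations (an assumption: the real Sage diff log
# format is not described on this page, so this tuple layout is invented
# purely to drive the example).
SAMPLE_DIFF = [
    ("add_role", {"role": "Sage Role 1002"}),
    ("link_user_role", {"role": "Sage Role 1002", "user": "335675"}),
    ("link_resource_role", {
        "role": "Sage Role 1002",
        "resource": "CN=CLA,OU=SecurityGroups,OU=Groups,DC=com",
        "rss_name": "AD", "rss_type": "Win2000"}),
    # A direct user-resource link: only exported when temp job codes are on.
    ("link_user_resource", {
        "user": "335675",
        "resource": "CN=CLA,OU=SecurityGroups,OU=Groups,DC=com",
        "rss_name": "AD", "rss_type": "Win2000"}),
]

# A double quote would end the quoted argument early, and a semicolon or
# line break would end the statement, so a value carrying one of these
# could smuggle a further statement into the batch file.  ESS escaping
# rules are not documented on this page, so such values are rejected
# rather than escaped.
_UNSAFE = re.compile(r'["\r\n;]')


def ess_quote(value: str) -> str:
    """Return value as a double-quoted ESS argument, or raise if unsafe."""
    if _UNSAFE.search(value):
        raise ValueError(f"unsafe character in ESS field value: {value!r}")
    return f'"{value}"'


def render(op: str, f: dict) -> str:
    """Render one diff operation as the ESS statement shape shown above."""
    if op == "add_role":
        return f'INSERT job_code WITH jc_name={ess_quote(f["role"])};'
    if op == "link_user_role":
        return ('CONNECT ent_user TO job_code WITH '
                f'jc_name={ess_quote(f["role"])}, '
                f'user_id={ess_quote(f["user"])};')
    if op == "link_resource_role":
        return ('CONNECT user_group TO job_code WITH '
                f'jc_name={ess_quote(f["role"])}, '
                f'ug_name={ess_quote(f["resource"])}, '
                f'rss_name={ess_quote(f["rss_name"])}, '
                f'rss_type={ess_quote(f["rss_type"])};')
    raise ValueError(f"unsupported diff operation: {op}")


def build_ess_batch(diff, gen_temp_job_codes: bool = False) -> list:
    """Turn diff operations into ESS batch lines.

    Direct user-resource links are dropped unless gen_temp_job_codes is
    set, in which case each becomes a temporary job code (the "Sage Temp
    JC n" name is an assumption) connected to both the user and the group.
    """
    lines, temp_count = [], 0
    for op, f in diff:
        if op != "link_user_resource":
            lines.append(render(op, f))
            continue
        if not gen_temp_job_codes:
            continue
        temp_count += 1
        tmp = f"Sage Temp JC {temp_count}"
        lines.append(render("add_role", {"role": tmp}))
        lines.append(render("link_user_role", {"role": tmp, "user": f["user"]}))
        lines.append(render("link_resource_role", {
            "role": tmp, "resource": f["resource"],
            "rss_name": f["rss_name"], "rss_type": f["rss_type"]}))
    return lines


if __name__ == "__main__":
    for line in build_ess_batch(SAMPLE_DIFF, gen_temp_job_codes=True):
        print(line)
```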

Executing Difflog Conversion to ESS Batch Run Commands

From a Windows command line, execute the program:

CSAExport.exe <XML parameters file>

The <XML parameters file> can be created by a text editor, or saved to a file from the CSAExport.exe GUI. For example:

<?xml version="1.0" encoding="utf-8"?>
<Parm>
  <DiffFile>C:\Eurekify\test\difflog-Ilan.txt</DiffFile>
  <OutputFile>C:\Eurekify\test\ilan.txt</OutputFile>
  <GenJC>True</GenJC>
</Parm>

To execute the export as a batch, run the following command line:

ess batchrun -A -i Sage.inp

SAP to Sage Converter

The SAP to Sage converter extracts data that is housed in SAP tables and deposits the data in the various Sage Databases according to the Mapping scheme that you select in the SAP to Sage Converter.


Mapping SAP Data to Sage

The SAP tables and fields used by the SAP to Sage converter are listed:

SAP Table   SAP Fields
USR02       mandt, bname
AGR_AGRS    mandt, agr_name, agr_child
AGR_USERS   mandt, agr_name, bname, to_dat, col_flag
AGR_1251    mandt, agr_name, object, auth, field, low, high, deleted
AGR_1252    mandt, agr_name, varbl, low, high

Note: Low values in the AGR_1251 table can be represented by variables. In such instances the variable references Low and High values that are contained in the AGR_1252 table.

We recommend that you do not trim the tables to remove fields that are not necessary, since additional fields may be needed in future versions.

The current converter supports several mapping schemes. These are:

■ Map roles to resources

■ Map field values to resources

■ Map authorization objects as resources

■ Map object as roles, field values as resources

Map Roles to Resources

The Map Roles to Resources mapping scheme takes SAP Roles and maps them to SAGE ERM resources. The SAP role information is taken from the following SAP tables:

■ USR02 - holds a list of system users

■ AGR_AGRS - links composite roles to their child simple roles

■ AGR_USERS - links users to roles (both composite and simple)

This table shows the relationship between Sage Database entities and their respective source Table and Fields in a generic SAP database.

Sage Entities and Links   SAP Table   SAP Fields
Users                     USR02       bname
Resources                 AGR_AGRS    agr_child
Roles                     AGR_AGRS    agr_name
User-Role links           AGR_USERS   bname, agr_name
Role-Resource links       AGR_AGRS    agr_name, agr_child
User-Resource links       AGR_USERS   bname, agr_name (only simple roles)
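The mapping in this table, worked through in Python as an added example (not the converter's code): the constructed rows stand in for the three SAP tables, the MANDT filter from the Running the SAP to Sage Converter procedure is applied, and a role that reaches a user without appearing in AGR_AGRS is treated as simple by default, as step 12 of that procedure describes. The to_dat and col_flag columns are carried but not interpreted, since the page does not say how the converter uses them.

```python
# Constructed sample rows (not real SAP data), column order as listed in
# the Mapping SAP Data to Sage table on this page.
USR02 = [  # mandt, bname
    ("100", "ALICE"), ("100", "BOB"), ("200", "CAROL"),
]
AGR_AGRS = [  # mandt, agr_name (composite role), agr_child (simple role)
    ("100", "Z_FINANCE", "Z_AP_CLERK"),
    ("100", "Z_FINANCE", "Z_GL_VIEW"),
]
AGR_USERS = [  # mandt, agr_name, bname, to_dat, col_flag
    ("100", "Z_FINANCE", "ALICE", "99991231", ""),
    ("100", "Z_GL_VIEW", "BOB", "99991231", ""),
    ("100", "Z_AUDIT", "BOB", "99991231", ""),      # not in AGR_AGRS
    ("200", "Z_FINANCE", "CAROL", "99991231", ""),  # other SAP client
]


def map_roles_to_resources(mandt, usr02, agr_agrs, agr_users,
                           unknown_as_simple=True):
    """Apply the Map Roles to Resources scheme for one SAP client (MANDT).

    Returns the Sage entity and link sets named in the table above.
    """
    users = {bname for m, bname in usr02 if m == mandt}
    hierarchy = {(parent, child) for m, parent, child in agr_agrs
                 if m == mandt}
    roles = {parent for parent, _ in hierarchy}      # composite roles
    resources = {child for _, child in hierarchy}    # simple roles
    user_role, user_resource = set(), set()
    for m, agr, bname, _to_dat, _col_flag in agr_users:
        if m != mandt or bname not in users:
            continue   # other client, or a user absent from USR02 (skipped)
        if agr in roles:
            user_role.add((bname, agr))
        elif agr in resources:
            user_resource.add((bname, agr))   # simple role: direct link
        elif unknown_as_simple:
            # Assigned to a user but absent from the hierarchy: the page
            # says the converter cannot tell simple from composite, and
            # the default is to treat such a role as simple.
            resources.add(agr)
            user_resource.add((bname, agr))
        else:
            roles.add(agr)
            user_role.add((bname, agr))
    return {
        "users": users,
        "roles": roles,
        "resources": resources,
        "user_role": user_role,
        "role_resource": hierarchy,
        "user_resource": user_resource,
    }


if __name__ == "__main__":
    for name, items in map_roles_to_resources("100", USR02, AGR_AGRS,
                                              AGR_USERS).items():
        print(name, sorted(items))
```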

Map Field Values to Resources

The Map Field Values to Resources mapping scheme takes SAP Objects and Fields and maps them to Sage ERM resources. The SAP role information is taken from the following SAP tables.

Sage Entities and Links       SAP Table   SAP Fields
Users                         USR02       bname
Resources                     AGR_1251    object, field, low, high
Roles                         AGR_AGRS    agr_name
User-Role links               AGR_USERS   bname, agr_name
Role-Resource links           AGR_1251    agr_name, object, field, low, high
Role-Role links (Hierarchy)   AGR_AGRS    agr_name, agr_child

Map Authorization Objects as Resources

The Map Authorization Objects as Resources mapping scheme takes SAP Authorization Objects and maps them to Sage ERM resources. The Mapping scheme only imports to fields that are selected in the FieldsForm window in the SAP to Sage converter.

Sage Entities and Links       SAP Table   SAP Fields
Users                         USR02       bname
Resources                     AGR_1251    auth, object, field, low, high
Roles                         AGR_AGRS    agr_name
User-Role links               AGR_USERS   bname, agr_name
Role-Resource links           AGR_1251    agr_name, auth, object, field, low, high
Role-Role links (Hierarchy)   AGR_AGRS    agr_name, agr_child

AGR_1251 specifies role Authorization Objects with fields and values.

Map Object as Roles and Fields as Resources

The Map Object as Roles and Fields as Resources mapping scheme maps SAP Objects to Sage Roles, and maps SAP fields as Sage Resources.

Sage Entities and Links   SAP Table             SAP Fields
Users                     USR02                 bname
Resources                 AGR_1251              Combinations of field, low, high values
Roles                     AGR_1251              object
User-Role links           AGR_USERS, AGR_1251   bname, object
Role-Resource links       AGR_1251              object, mixed field, low, high

AGR_1251 specifies role Authorization Objects with fields and values.


Running the SAP to Sage Converter

To load SAP privileges data into a Sage configuration

1. Create a new database in your MS-SQL Server for the purpose of importing SAP authorization information into Sage ERM.

2. Import the SAP tables into the new database.

The relevant tables are USR02, AGR_AGRS, AGR_USERS, AGR_1251 and AGR_1252, and their names must be identical to those written here.

3. Click Import, Import from SAP.

The following window appears:


4. In the Server Name text field, insert the name of the MS-SQL server you are using.

5. In the DataBase Name text field, insert the name of the database you are using for the SAP data.

6. Click Test Connection to verify that the connection details are valid.

7. In the MANDT Value text field, enter the MANDT identifier value for the SAP environment that you wish to convert. If you do not know the value, contact your SAP administrator.

8. Choose the type of Mapping to use from the available mapping scheme options.

9. If you select Map authorization objects as resources, click Choose Fields.

The FieldsForm window opens.


10. Select which fields should be used to generate Sage resources.

11. If you have separate tables in the database that contain the lists of simple and/or composite roles, then enter their names in the respective Simple Role Table and Composite Role Table text fields. The table must only contain the role name as its data.

12. Select the respective check box if you have roles linked to either Users or Authorization Objects (AO) that do not appear in the role hierarchy.

In these cases, the converter will not be able to tell whether they are simple or composite. You may choose how to treat them. The default is to treat them as simple roles.

13. In the Target Configuration field, enter the Path and Filename to be used for the Target Sage configuration file. Click Browse to locate the Path.

14. In the Target Users DB field, enter the Path and Filename to be used for the Target Sage Users Database file. Click Browse to locate the Path.

15. In the Target Resource DB field, enter the Path and Filename to be used for the Target Sage Resource Database file. Click Browse to locate the Path.

16. Click “Convert” and wait for the completion message (it may take a while).


Generic LDIF to Sage Converter

This converter is provided by CA Role & Compliance Manager, and retrieves data from a given LDIF file. The converter allows mapping different attributes of LDIF objects to Sage fields. Once a map has been designed, it can easily be rerun on the same file or on other LDIF files to produce Sage configurations.

To start an LDIF conversion

1. Click File, Import From External Sources, Import from LDIF File.

The following window appears.


2. Specify the LDIF file to convert and the target Sage configuration files to be created.

If you have a ready LDIF-Sage map xml file, you may supply it as well.

3. Click Start to execute the conversion. Otherwise, click Edit Mapping to get the following screen:


The mapping allows 3 views of LDIF objects.

Map an LDIF object to a Sage entity

The object may either be a user, a role or a resource. In order to perform the mapping, choose both object and entity and click “Add”. After choosing a Sage entity for a specific object, an attribute mapping is required. Select attributes for the relevant Sage fields and click “Set” to add them to the mapping list. You may also map Sage fields to an OU of the object or to a constant text.

Link Sage entities based on LDIF object attributes

When an LDIF object has an attribute pointing to another object, this link may be reflected in the Sage configuration. Select the source and destination objects and choose the attributes of the objects that should match. Click “Add / Set” to add the selected mapping to the list.

Link Sage entities based on attributes of an LDIF object

When an LDIF object represents a link between two other objects, this link may be reflected in the Sage configuration. Choose the object representing the link and select the source and destination attributes from the object attributes. For both source and destination attributes, select which field of which entity they should match. Click “Add / Set” to add the selected mapping to the list.

4. In any stage of the mapping, click Show Example to view an example of the attributes of the selected object. This is designed to assist you when choosing attribute mappings.


A complete mapping should resemble the following:

5. After you finish mapping all relevant data, click Save to save the mapping to an xml file and return to the conversion window. This mapping may be edited in the future.

6. When you are pleased with the mapping, click Start to perform the actual data conversion and open the generated Sage configuration.
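The first two mapping views described above (an object class to a Sage entity, with fields drawn from an attribute, an OU of the object, or a constant text; and a link derived from an attribute of one object pointing at another), worked through in Python as an added example that is not the converter's code. The LDIF input, the mapping tables and the Sage field names are constructed for the example; the parser handles folded lines and base64 values but not the full LDIF change-record syntax.

```python
import base64

# Constructed LDIF input (not from the page): two person objects and one
# group whose member attribute points at them.  It includes a folded line
# and a base64 value so both LDIF encodings are exercised.
LDIF_SAMPLE = """\
dn: cn=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
mail: alice@exa
 mple.com
description:: QWxpY2U=

dn: cn=bob,ou=Contractors,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=finance-readers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: finance-readers
member: cn=alice,ou=People,dc=example,dc=com
member: cn=bob,ou=Contractors,ou=People,dc=example,dc=com
"""

# Mapping definitions (constructed).  Each Sage field takes its value from
# an attribute, from an OU of the object's DN, or from a constant text.
ENTITY_MAP = {
    "inetorgperson": ("user", {
        "UserID": ("attr", "uid"),
        "Email": ("attr", "mail"),
        "Description": ("attr", "description"),
        "OrgUnit": ("ou", 1),          # innermost OU of the DN
        "Source": ("const", "LDIF"),
    }),
    "groupofnames": ("role", {"RoleName": ("attr", "cn")}),
}
LINK_MAP = [
    # (source class, source attribute, destination class, destination attribute)
    ("groupofnames", "member", "inetorgperson", "dn"),
]


def parse_ldif(text):
    """Parse LDIF content into records of {attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # folded continuation line
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:           # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def dn_ou(dn, index):
    """The index-th (1-based, innermost first) OU component of a DN."""
    ous = [part[3:] for part in dn.split(",") if part.lower().startswith("ou=")]
    return ous[index - 1] if 0 < index <= len(ous) else ""


def convert(records):
    """Apply ENTITY_MAP and LINK_MAP; returns (entities, links)."""
    entities = {"user": [], "role": [], "resource": []}
    by_class = {}
    for rec in records:
        for oc in (c.lower() for c in rec.get("objectclass", [])):
            if oc not in ENTITY_MAP:
                continue
            entity, fields = ENTITY_MAP[oc]
            row = {"dn": rec["dn"][0]}
            for sage_field, (kind, src) in fields.items():
                if kind == "attr":
                    row[sage_field] = rec.get(src, [""])[0]   # absent -> ""
                elif kind == "ou":
                    row[sage_field] = dn_ou(rec["dn"][0], src)
                else:
                    row[sage_field] = src
            entities[entity].append(row)
            by_class.setdefault(oc, []).append(rec)
    links = set()
    for src_oc, src_attr, dst_oc, dst_attr in LINK_MAP:
        for src in by_class.get(src_oc, []):
            for dst in by_class.get(dst_oc, []):
                if set(src.get(src_attr, [])) & set(dst.get(dst_attr, [])):
                    links.add((ENTITY_MAP[src_oc][0], src["dn"][0],
                               ENTITY_MAP[dst_oc][0], dst["dn"][0]))
    return entities, links
```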


Import from TSS

CA Top Secret (TSS) is a security component for IBM mainframe computers that works together with the existing operating system to provide system security, resource access control, auditability, accountability and administrative control. As such, it is the main repository for users, roles and resources data on mainframe computers.

The main input to the Sage TSS import option requires downloading access data from TSS by generating a TSS List File, and transferring the generated text file to a location on the Windows system to which Sage has access. There is also a possibility to add enriched data about user attributes (for example, from the human resources department database).

The output is a Sage configuration, with TSS profiles appearing as Sage roles and with TSS groups appearing as Sage resources.

To import data from TSS into Sage

1. Create a TSS List File on the mainframe and transfer the file to a location that can be accessed by your Windows system.

2. Click Import, Import from TSS.

The following window shows the TSS import window already completed:

The following are instructions for filling in the fields:

Field Description

Sage Files

Sage Configuration File: Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience.

Users Database: Enter the name and folder of the target Sage users database. A Browse button is provided for convenience.

Resources Database: Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience.

Options

TSS List File: Enter the name and folder of the file generated using the TSS LIST(ALL) command. The file is generated on the TSS computer and then transferred to the computer on which Sage DNA Data Management is installed.

Profiles as Roles: Activate the radio button if Sage is to convert TSS Profiles to Sage roles. Do not activate the radio button if Sage is not to convert TSS Profiles to Sage roles.

Groups as Resources: Activate the radio button if Sage is to convert groups to resources. Do not activate the radio button if Sage is not to convert groups to resources.

TSS List File: Enter the path to the TSS list file copied to your Windows system.

Add ACL Entities: Mark the Process Audit Cards check box to process Application Control Language (ACL) scripts. Unmark the Process Audit Cards check box not to process Application Control Language (ACL) scripts.

Supplementary HR file: Record the name of the file containing supplementary users data, if any.


3. Fill in the fields in the Importing window.

4. Click Convert to import.

If any errors result from the import process, then a Sage message appears.

5. Check any errors in the SageTSSConverterXXX.log file located in the Sage Logs folder.

The configuration is created in the target folder but is not automatically opened by Sage.


Import from UNIX

The UNIX to Sage converter accepts UNIX IDM files and converts them into Sage formatted CSV files, which can then be transformed into or incorporated in a Sage configuration. The UNIX Group and Password files serve as input for the conversion process. You must transfer these source files to a location on your Windows system that can be accessed by Sage.

To import data from UNIX into Sage

1. Transfer the UNIX Group and Password files to a location on the Windows system.

2. Click Import, Import from UNIX.

The Unix to Sage Converter window opens.

3. In the Source Unix Files section, enter the location of the UNIX password and group files.

4. In the Target Sage Files section, click Browse to select the target Sage files to be generated. You must generate a Configuration file, Users file and Resources file.

5. To treat the UNIX groups as Sage resources, select the Groups as Resources check box.

6. Click Convert to initiate the conversion process and create the Sage configuration files.

The configuration is created in the target folder but is not automatically opened by Sage.
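A worked conversion of UNIX password and group files into Sage-style user, resource and link tables, added here as an example and not the product's own converter: the CSV column layout, the `convert` and `to_csv` names and the orphan reporting are assumptions, since the Sage CSV format is not documented on this page. It goes slightly beyond the text by also taking each account's primary group from the passwd gid field and flagging group members that have no account, both of which a scan of the group file alone would miss.

```python
# UNIX passwd/group to Sage-style CSV tables. Added example, not the
# product's converter: the column layout is an assumption.
import csv
import io
from dataclasses import dataclass

# Constructed sample input, not from a real system. 'ghost' is listed in a
# group but has no passwd entry: a stale membership worth reporting.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/bash
svc_backup:x:1002:1002:Backup service:/var/backup:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
wheel:x:10:jdoe,ghost
backup:x:1002:
"""


@dataclass
class UnixAccount:
    login: str
    uid: int
    gid: int      # primary group; not repeated in /etc/group
    gecos: str
    home: str
    shell: str


def _records(text, nfields, label):
    """Yield colon-separated records; malformed lines raise instead of
    silently producing a wrong user-to-resource mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != nfields:
            raise ValueError(f"{label} line {lineno}: expected {nfields} "
                             f"fields, got {len(parts)}")
        yield parts


def parse_passwd(text):
    """login -> UnixAccount."""
    accounts = {}
    for login, _pw, uid, gid, gecos, home, shell in _records(text, 7, "passwd"):
        accounts[login] = UnixAccount(login, int(uid), int(gid), gecos, home, shell)
    return accounts


def parse_group(text):
    """group name -> (gid, explicit member logins)."""
    groups = {}
    for name, _pw, gid, members in _records(text, 4, "group"):
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def convert(passwd_text, group_text, groups_as_resources=True):
    """Return (users, resources, links, orphans). links are (login, group)
    pairs from explicit membership plus each account's primary gid; orphans
    are members without an account or accounts whose primary gid has no
    group entry. Without groups_as_resources only users are produced."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    users = [(a.login, a.uid, a.gecos, a.home, a.shell) for a in accounts.values()]
    resources, links, orphans = [], [], []
    if not groups_as_resources:
        return users, resources, links, orphans
    seen = set()
    for name, (gid, members) in groups.items():
        resources.append((name, gid))
        for member in members:
            if member not in accounts:
                orphans.append((member, name))
            elif (member, name) not in seen:
                seen.add((member, name))
                links.append((member, name))
    for a in accounts.values():
        name = gid_to_name.get(a.gid)
        if name is None:
            orphans.append((a.login, f"gid {a.gid}"))
        elif (a.login, name) not in seen:
            seen.add((a.login, name))
            links.append((a.login, name))
    return users, resources, links, orphans


def to_csv(header, rows):
    """Render one table as CSV text, header row first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()
```

Review the orphans list before importing: a group member with no account is exactly the kind of stale entitlement the converted configuration should not silently carry.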


Import Windows Shared Folder

Eurekify's customers are often interested in mapping privileges at a finer level of granularity than that provided by most IdM tools, that is, below the level of groups or profiles. This converter provides this granularity for Windows environments by scanning Windows servers for shared folders and mapping access rights for those shares to the relevant domain groups and users.

The converter relies on Eurekify's Active Directory (AD) converter to bring in AD groups, possibly from multiple AD servers and domains, and users. The converter uses agent-less Windows WMI technology to scan a range of Windows computers and import their shares as resources. It then links them to the above AD users and AD groups (imported as Sage roles).


Mapping Windows Share Data to Sage

The scanner connects with each of the machines defined by the user and queries it for shares. All the acquired shares are translated to Sage resources, detailing computer name, share name, and access level. For each share, all permissions are obtained and are translated to Sage user and role links with resources (the resources being shares). Different access levels of different users are reflected as separate resources.

To import data from Windows Shared Directories into Sage

1. Click Import, Import from Active Directory.

The Connect Active Directory window opens.

2. Set the Credentials and Output Files fields.

3. Click Next to advance to the next step in the wizard.

4. In the Search Active Directory Objects step, select the All Groups as Roles option from the Groups as Roles section.


5. Complete the Wizard and generate an Active Directory configuration. This will serve as Sage Configuration input in the Windows to Sage converter.

6. From the Import menu select Import Windows Shared Directory.

The Windows to Sage Converter opens.

7. In the Original Sage AD Configuration section enter the Path and File name for the Active Directory configuration that you created.

8. From the Windows Share Scan section, click Scan Shares.

The Scan Windows Shares window opens.


9. In the Credentials section enter the domain administrator User Name and Password. You can enter the credentials for any other user that has permissions to use WMI on the target systems.

10. In the Machines to Scan section, enter the IP ranges to be scanned by entering the IP address range and clicking Add. Alternatively, you can add pattern-based computer names by selecting the Computer Name by AD filter check box and entering a filter and an AD Server in the respective text boxes.

11. In the Target Share Files section, enter file names in the Shares Resource File and Shares Links File text boxes.

12. Click Scan to perform the scan.

A progress bar appears; wait for it to finish.

13. Click Close and return to the Windows to Sage Converter window.

14. In the Target Save Configuration section, enter the Path and File name for the Target Configuration file.

15. Click Merge and wait until the Done message appears.

The new Sage configuration is then ready for use.

More information:

Export Active Directory (see page 43)

BMC Identity Manager Open Services

This converter maps ESS Persons, Profiles (job codes), Groups and Accounts into Sage Users, Roles, Resources and Links.


Importing from BMC Identity Management

To import from BMC Identity Management to Sage

1. Click Import, Import from BMC Identity Manager(OpenServices).

2. Fill in the BMC Identity Management Convert (Import) window.

■ If the files defaultConnection.xml and defaultMapping.xml exist in the Sage home directory, form values will automatically be loaded from the XML files.

■ XML files must be saved before the import process can be performed.


3. In the Input Details group provide the JBoss Input Detail connection parameters.

4. Click Test Connection to test the connection parameters.

5. Pre-saved parameters can be loaded from an XML file. If the file defaultConnection.xml exists in the Sage home directory, connection values will automatically be loaded from the XML file.

6. In the Map Fields group, enter the path and directory of the map XML file, if it exists, in the Map XML File text field.

Pre-saved parameters can be loaded from an XML file. If the file defaultMapping.xml exists in the Sage home directory, mapping values will automatically be loaded from the XML file.

7. If the file does not exist, click Edit in the Map Fields group.

The Field Mapping window opens.


8. Fill in the Field Mapping window as indicated.

If the Input details were entered correctly, then the drop-down list values are available.

9. Save your changes and click Done.

The window closes and you return to the BMC Identity Manager window.

10. In the Output Sage Files group enter the target location for the Sage output configuration files. These include the configuration, Users Database and Resources Database (cfg, udb and rdb).

11. In the Sage Executable group enter the directory and path to the Sage Data Management executable file.

12. Click Start Import to initiate the import process.


Exporting to BMC Identity Management

Sage DNA Data Management supports exporting to BMC Identity Management.

Exporting to BMC Identity Management requires the following:

■ Generate a Sage diff log file by comparing two Sage configurations. This diff log should contain all the operations which will be reflected in ESS.

■ Use the BMC Identity Manager Convert (Export) application to perform the changes.

To export to BMC Identity Management

1. Compare the original configuration created by the Import from BMC Identity Management to Sage process to the modified configuration and create a Differences file.

2. Click Export, Export to BMC Identity Manager (OpenServices).

The BMC Identity Management Convert (Export) window opens:


3. In the Input Details group enter the connection details. We recommend that you use the connection XML file that was used during the import process.

4. In the Map Fields group enter the mapping field details. If you use the Map XML File that was used for the import process, the details will be extracted from the file and the relevant fields in the Map Fields window will be automatically populated. Otherwise, click the Edit button and enter the details manually.

5. In the Sage Diff Log group enter the directory and path to the Sage Diff log file that you created.

6. Click Start Export to start the export process.

A Done message appears to report the completion of the convert process.

Oracle Identity Manager

The Oracle Identity Manager Converter provides you with the capability to integrate Eurekify Sage ERM and Oracle Identity Manager by automatically synchronizing the role-based privileges data between the two systems.

Using the Sage-Oracle Identity Manager Converter you map Oracle Identity Manager Users, User Groups/Access Policies and Resources Objects to Sage users, roles, resources and links.


Updating Oracle Identity Manager Client JARs

The first time you run the Oracle Identity Manager (OIM) converter you must update the converter with OIM client jars.

To update the Oracle Client JARs

1. Click Import, Import from Oracle Identity Manager.

The Oracle Identity Management window opens.


2. Click Update Oracle Client Jars.

The Update OIM Client Jars window opens. The window displays a list of Jar files for the Lib directory, Ext directory and Config directory. Use the Browse for Directory buttons to locate the associated Oracle Client directories. These are usually located in the following path: <oracle client install dir>\xlclient.


3. Click Browse for lib directory.

A Browse for Folder window opens.

4. Navigate to and select the lib folder. Click OK.

5. Repeat the browse and select process for each of the ext and config directories.

6. Once the location is provided for each folder, the Update Jars button becomes available.

7. Click the Update Jars button to start the update.

When the update is complete, the message in the Status box reads Found all needed files, and the updated files for each directory appear with a check mark in the adjacent check box.

8. Click Done.


The Update OIM Client Jars window closes and the converter is now ready to import files.

Importing from Oracle Identity Manager

Importing from the Oracle Identity Manager is performed using the Sage-to-Oracle Identity Management converter. The process includes:

■ Providing connection details.

■ Mapping Oracle Identity Manager Users, User Groups/Access Policies and Resources Objects to their respective Sage entities: users, roles, resources and links.

■ Providing the location for the Sage Output files.

■ Providing the location for the Sage Executable file.

Sage DNA and Oracle Identity Manager use different but parallel terminology for components and entities in each of their configurations and files. Use the following table to familiarize yourself with the terminology used in each environment for their respective components and entities.

Sage DNA Terminology    Oracle Identity Manager Terminology
User                    User
Role                    User Groups/Access Policies
Resource                Resource Objects


The converter produces an XML file that maps the Oracle Identity Manager User, User Groups/Access Policies and Resource Objects to Sage user, role, resource and link entities. This Map XML file is used as part of the Import process and can later be used as part of the Export process.

To import from the Oracle Identity Manager

1. Click Import, Import from Oracle Identity Manager.

The Oracle Identity Management window opens.


2. In the Connection Details area enter the values for each field to match those used on the Oracle Identity Management server.

3. In the Connection Details XML File text box enter the file path and name for the Connection Details XML file and click Save to save the location of the Connection Details XML file. If an XML file containing the connection details already exists, then click Open and browse for the file location.

By default, Sage searches for a Connection Details XML file called defaultSettings.xml located in <Sage home directory>\OIMConvert. If the file exists, then Sage automatically loads the connection values into the Connection Details fields.

Once all the connection details are entered, the Test Connection button is enabled.

4. Click Test Connection to validate the values.

If the test is successful, a Test Connection Succeeded message is displayed and the Edit button in the Map Fields group box and the Start Import button are both enabled.


5. In the Map Fields area click Edit to open the Field Mapping window. For each of the Sage User, Role and Resource entities listed in the Field Mapping window, provide the value for their respective entities on the Oracle Identity Manager server.


6. In the Map XML File group box enter the path and name of the output map file. You must include the xml extension as part of the file name.

7. Click Save to save the Map XML file.

8. Click Done to return to the Oracle Identity Management converter window.

The Map XML file name now appears in the Map XML File field.

By default, Sage searches for a Map XML file called defaultMapping.xml in <Sage home directory>\OIMConvert. If the file exists, Sage automatically loads the mapping values contained in that file.

9. In the Output Sage Files area enter the path and file name for each of the Sage configuration files, one for each of the Configuration, Users DB and Resource DB files.

10. In the Sage Executable group box enter the location of the Sage DNA Data Management executable file.

11. Click Start Import to run the converter and produce the Sage configuration files.

Once the conversion process is complete, a Done message appears to confirm successful operation.


Exporting from Sage to Oracle Identity Manager

Sage DNA Data Management supports exporting to Oracle Identity Manager via the Oracle Identity Management Convert (Export) application.

Exporting to the Oracle Identity Manager requires that you:

■ Generate a Sage diff log file by comparing two Sage configurations. The diff log must contain all the operations which should be reflected in Oracle Identity Manager.

■ Use the Oracle Identity Management Convert (Export) application to perform the changes.

To export to Oracle Identity Manager

1. Compare the original configuration generated by the Import from Oracle Identity Manager to Sage process to the modified configuration and create a Differences log file.

2. Click Export, Export from Oracle Identity Manager.

The Oracle Identity Management Convert (Export) window opens:


3. In the Connection Details area enter the values for each field to match those used on the Oracle Identity Management server. We recommend that you use the Connection Details XML file to automatically load the values that were used during the import process. Click Open to navigate to the previously saved Connection Details XML file.

4. If the NIST style roles to user groups and access policies check box is checked, then roles that are not marked as Access Policies [AP] and are connected to resources will be connected to the resources via an access policy. For example, if the role Role1 is to be connected to Res1, a new Access Policy Role1 will be created. This policy will have Role1 as a member and will entitle access to Res1.

5. In the Map Fields area click Browse to navigate to and select the Map XML file that was used during the import process.

6. In the Sage Diff Log area provide the Path and Name of the Sage Diff Log that you generated for the two configuration files.

7. Click Start Export to run the export converter.

If the export process identifies unsupported Oracle Identity Manager requests, a window appears listing the identified errors.

8. Click No to cancel the export process, or click Yes to continue the export process while disregarding the errors.


Chapter 4: Management Menu

Changes to users data occur in an ongoing manner on the HR system. To maintain the Users, Roles and Resources relationship, you can enrich the Sage User and Resource databases by incorporating the latest HR Users and Resource data. The HR data is used as input for the Sage Pattern Based Audit, Sage role engineering and Sage compliance.

This section contains the following topics:

Enrich Users Database (see page 110)

Enrich Resource Database (see page 112)

Preserving Columns During Enrichment (see page 113)

Sage Database Utility (see page 115)


Enrich Users Database

The Sage DNA Data Management application expects to receive the supplementary HR data to be merged with the existing users database as a CSV formatted file. The first column of the Supplementary HR data file must contain the unique Person ID. The type of Person ID used in the HR file must match the type of Person ID used in the Sage users.UDB file. For example, if the value for the Person ID in the UDB file is taken from the user's login account, then the HR file should also take the Person ID from the user's login account.

■ For every Person ID in the Sage UDB file that has a matching Person ID in the HR file, Sage replaces the record in the UDB file with the record taken from the HR file.

■ The resulting Output Users Database contains the same number of records, arranged in the same order, as the original Sage UDB file.

To enrich a users database

1. Click Management, Enrich Users DB.

The Sage HR Data Merge Converter window opens.


2. In the Users Database text field, enter the path and name of the Sage Users database that is to receive the supplementary HR data.

3. In the Supplementary HR File text field, enter the path and name of the file containing the supplementary HR data.

4. In the Output Users Database text field, enter the path and name of the resulting database file that contains the merged output.

5. From the Options group box, select any of the options that are relevant.

The following table describes the options:

Person ID Is Case Sensitive: Select to take case into consideration.

Clear Fields that are empty in the HR file: Select to overwrite fields in the UDB with empty data if such a field exists in the HR file. Clear the option to disregard empty fields in the HR file and keep the existing content in the UDB.

Clear Fields of the UDB users that were not found in the HR file: Select to delete content from UDB user fields if a user by the same name does not exist in the HR file. Clear the option to keep user information in the UDB even if the user does not exist in the HR file.

6. Click Enrich.

A new Sage users database is generated and saved in the specified location.


Enrich Resource Database

For each set of resources, R1, R2, R3, in the Sage RDB file that has a matching set of resources in the supplementary resource database file, Sage replaces the record in the RDB file with the record taken from the supplementary resource database file.

To enrich a resource database

1. Click Management, Enrich Resource DB.

The Sage HR Data Merge Converter window opens.

2. In the Resource Database text field, enter the path and name of the Sage Users database that is to receive the supplementary HR data.

3. In the Supplementary Resource DB File text field, enter the path and name of the file containing the supplementary HR data.

4. In the Output Resource Database text field, enter the path and name of the resulting database file that contains the merged output.

5. Click Enrich.

A new Sage Resource database is generated and saved in the specified location.


Preserving Columns During Enrichment

During the enrichment process the original records in both the Sage Users databases and Resource databases are overwritten with the data from the Supplementary HR files. The order in which data is arranged in the Sage databases will be lost if the order of data arrangement in the supplementary HR files differs from that in the Sage database.

If need be, you can preserve the arrangement and content of any column in the source file by modifying the supplementary HR file before performing the enrichment process. To prevent any column from being overwritten you must place an empty column in the parallel position in the supplementary HR file.

The following illustration represents the arrangement and content of a Sage Users Database:

The following illustration represents the arrangement and content of the Supplementary HR File.


Notice the following:

■ The column order in the Sage User Database is Person ID, UserName, and Title.

■ The column order in the supplementary file is Person ID, UserName, OrgName, OrgType, …

In this scenario, when the two files are merged, the Title entry for each record in the Sage User Database would be overwritten by the OrgName entry from each record in the Supplementary HR File. The Title column is the 3rd column in the Sage Users Database.

To prevent the Title column from being overwritten, an empty column must be placed in the 3rd position in the Supplementary HR file. This is done by placing an additional comma as a placeholder in each record of the supplementary file at the position you want to preserve in the Sage Users Database.

The following illustrates how the Supplementary HR File in the above scenario is modified to prevent the entries in the 3rd column of the Sage Users Database from being overwritten.

In the figure, two commas signifying an empty column now appear in each record between the original 2nd and 3rd columns, UserName and OrgName respectively.
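The positional merge described here and in the Enrich Users Database section, carried out in code as an added example that is not the product's converter: `enrich_users` matches on the first column, overwrites field by field, treats an empty HR column as "keep the UDB value" unless the Clear Fields option is set, and `preserve_columns` inserts the placeholder comma for you. The sample rows, the function names and the treatment of the clear_missing option (blank every field except the Person ID) are assumptions.

```python
# Positional HR enrichment of a Sage-style users database. Added example,
# not the product's converter; column names and the clear_missing
# behaviour (blank every field except the Person ID) are assumptions.
import csv
import io

# Constructed sample data, not from a real system. The UDB columns are
# Person ID, UserName, Title; the HR file has Person ID, UserName,
# OrgName, OrgType, so OrgName lands in the Title position.
UDB_CSV = """\
P001,jdoe,Analyst
P002,asmith,Manager
P003,bwong,Engineer
"""
HR_CSV = """\
P001,jdoe,Finance,Department
p002,asmith,Sales,Department
"""


def read_csv(text):
    return [row for row in csv.reader(io.StringIO(text)) if row]


def write_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def preserve_columns(hr_rows, positions):
    """Insert an empty column at each 1-based position: the extra-comma
    placeholder the guide describes, applied to every HR record."""
    out = []
    for row in hr_rows:
        new = list(row)
        for pos in sorted(positions):
            new.insert(pos - 1, "")
        out.append(new)
    return out


def enrich_users(udb_rows, hr_rows, case_sensitive=True,
                 clear_empty=False, clear_missing=False):
    """Merge HR records into UDB records by Person ID (first column).

    Output keeps the UDB record count and order. A matching HR record
    overwrites the UDB record field by field; an empty HR field is skipped
    unless clear_empty is set. A UDB user absent from the HR file is kept
    as is, or blanked except for the Person ID when clear_missing is set.
    """
    key = (lambda s: s) if case_sensitive else str.casefold
    hr_index = {}
    for row in hr_rows:
        pid = key(row[0])
        if pid in hr_index:
            raise ValueError(f"duplicate Person ID in HR file: {row[0]!r}")
        hr_index[pid] = row
    width = max(len(r) for r in udb_rows + hr_rows)
    merged = []
    for row in udb_rows:
        out = list(row) + [""] * (width - len(row))
        hr = hr_index.get(key(row[0]))
        if hr is None:
            if clear_missing:
                out = [out[0]] + [""] * (width - 1)
        else:
            for i, value in enumerate(hr):
                if value != "" or clear_empty:
                    out[i] = value
        merged.append(out)
    return merged


if __name__ == "__main__":
    udb, hr = read_csv(UDB_CSV), read_csv(HR_CSV)
    print("naive merge (Title lost):")
    print(write_csv(enrich_users(udb, hr)))
    print("with an empty 3rd HR column (Title kept):")
    print(write_csv(enrich_users(udb, preserve_columns(hr, [3]),
                                 case_sensitive=False)))
```

The duplicate Person ID check matters because a second HR row for the same ID would otherwise silently decide which attributes the audit later relies on.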


Sage Database Utility

The Sage Database Utility lets you create a new database when you do not want to conduct a complete installation of Sage. You should be aware that the database created using the database utility is based on the most recently installed version of Sage Client Tools.

If you have upgraded either the Sage Reports tool or Sage Portal since installing the Client Tool, then creating a database using the Database Utility causes a downgrade in the database version to the version that was installed with the Sage Client Tool.

Important! We strongly recommend that you only use the Sage Database Utility after first consulting with CA Technical Support.

To Use the Sage Database Utility

1. Close all database entities if any are open.

2. Click Management, Sage Database Utility menu item.

The Sage Database Utility window opens.


3. In the Database Name field enter the name of the database on which you want to perform an action.

4. In the SQL Server Name field enter the Server Name on which the database is located.

5. Click Install to create a new database.

6. Click Remove to delete the database.

7. Click Upgrade to upgrade an existing database.


Chapter 5: Unique User ID (UUID) Menu

The UUID menu lets you access the Unique User ID utility. Use this utility to consolidate related or duplicate user accounts from the different directories in your environment.

This section contains the following topics:

The UUID Interface (see page 118)

UUID Work Process (see page 119)

Prepare Company HR and Systems Data (see page 120)

Set Java Package Directory (see page 120)

Working Directories (see page 120)

User Databases (see page 123)

UUID Mapping File (see page 135)

Match Process (see page 136)

Merge Process (see page 138)


The UUID Interface

To access the UUID interface, click UUID, Launch UUID Tool.

The UUID user interface is divided into several sections that reflect the work process that you undertake in consolidating the access rights and privileges on your system. The following is a sample:

The following table describes the sections:

Java Package Directory: The path in which the UUID package is located (this is where the CA Role & Compliance ManagerMatcher.jar is located).

UUID Mapping File: The main settings file that refers to all other definitions.

UUID Working Directories: Defines the locations in which the tool can find source data and deposit temporary output files that contain consolidated output data (all directories here must be on the same drive, for example, C:\).


User Databases: Provides mappings that map each of the account sources (CA Role & Compliance Manager user databases).

Match Process: Provides the file name and directory of the configuration that results from the matching process, as well as a few general parameters for the matching. Also runs the process that performs the matching.

Merge Process: Provides the file name and directory of the resulting configuration file that contains the consolidated access rights based on the above matching. Also runs the process that performs the merging.

UUID Work Process

This section describes the general work flow that you perform when using the UUID tool.

The general work process is as follows:

1. For each of your company systems you must extract or export the user data and save it in the form of a CSV file in the same format as a CA Role & Compliance Manager Users DB (UDB). Each of the CSV files should be renamed so that they use a *.udb extension. If you have imported the full access rights from those systems in a CA Role & Compliance Manager configuration, you can use the UDB from these configurations. You must create a data directory and then place the *.udb or *.cfg files in the data directory.

2. Specify the path for the UUID Working Directories: Data Directory, Index Directory and Output Directory. (Note that all directories must be on the same logical drive, e.g., C:\.)

3. Define the mapping definitions for matching users to their resources and accounts across available systems and save the mapping definitions file.

4. Run the Index.

5. Enter the path and name of the configuration file that contains the matched data in the Match Process section and run the Match process.

6. If desired, enter the path and name of the configuration file that contains the merged data in the Merge Process section and run the Merge process.


Prepare Company HR and Systems Data

Using proprietary pattern recognition technology, the UUID tool identifies and matches users to their accounts across all of your company systems. The source data used by the UUID tool is the user and account data for each system saved in the form of a CSV file. The format for this file is exactly the same as any other Eurekify UDB. If you have imported a full configuration from a certain system, you can simply use its UDB here.

For each of your company systems:

Copy the *.udb files (or full set of .cfg, .udb, and .rdb) to the data directory. The Data Directory is referenced as one of the Working Directories. The UDB files are used by the UUID tool during the matching and merging process.

Set Java Package Directory

The Java Package section in the UUID Tool references the installation directory that contains the EurekifyMatcher.jar file.

To set the Java Package Directory

1. In the Java Package Directory section click Browse.

A Browse dialog opens.

2. Navigate to and select the <Install Drive>:\Program Files\Eurekify\Eurekify Sage Client Tools V[version]\Software\UUID directory (where [version] is V3.2 or V4.0), and click OK.

The selected directory appears in the text field in the Java Package Directory section.

Working Directories

The Working Directories are a set of directories on your local machine that are used to house data and deposit output files that contain consolidated output data. The Data Directory is used to store your *.udb files that contain data extracted from your various company systems.

Note: All working directories must be placed on the same logical drive, such as C:\.

Data Directory: Stores data files containing user and account data extracted from the various company systems.

Index Directory: Stores internal UUID files generated as part of the Indexing process. Note: Erasing or editing these files causes the UUID tool to malfunction.

Output Directory: Provides a container to house temporary output files that are for internal use by the UUID tool only. Note: Erasing or editing these files will cause the UUID tool to malfunction.


Create and Assign Working Directories

You need to create each of the working directories on your database server and then assign their path in the UUID tool.

To create and assign work directories

1. On your local machine, create three directories, one each for your Data Directory, Index Directory, and Output Directory.

For example, using the directory path C:\testdemo\uuid_demo, create the following directories:

Data Directory: C:\test\uuid_demo\demodata

Index Directory: C:\test\uuid_demo\demoindex

Output Directory: C:\test\uuid_demo\demooutput

2. In the UUID Working Directory section of the UUID tool (highlighted in the following screen), enter the directory path in the text field for each of the directories that you created. To search for the directory, click Browse.

3. Select the directory and click OK.

The directory path is displayed in the selected Working Directory text field.


User Databases

The User Databases section of the UUID Tool (highlighted in the following screen) is where you define the parameters and settings, and identify the data that is used to consolidate the user access rights and privileges across all systems in your organization. Your goal is to identify each person in your organization with the accounts they have access to on each of the systems in your organization.

In some cases this is straightforward, for example, if the organization's personnel use the same account ID on all systems. In other cases, it may be possible to identify the owner of an account because accounts are based on some naming convention, for example, jdoe for John Doe. In the more difficult cases, it may be possible to recognize the account owner based on cues in some of the other account fields, for example, name (free text), address, phone number, email address, and so on. This information is contained in the database files, *.UDB files, that you extracted from each of the systems.


Master vs. Other Databases

The Master database is usually the database that you extracted from the system that supports your Human Resources department. Using the User Databases window you create virtual connections between each User Database file and the Master Database file, based on information that the Master Database has in common with the other databases.

Databases extracted from Human Resources generally contain a broad set of data on the personnel in your organization and generally reference each person by a unique employee ID. This ID is the one piece of information that must be included in a Master Database. In most cases, more information lets you match more accounts more accurately, so any other information that is available should also be included in the Master Database: name, department, title, location, manager, and so on.

Connecting Master and Other Databases

To correlate users across different databases, you need definitions that describe and canonicalize the user-related information contained in the databases. Those definitions are called UUID-Fields. Specifically, the NAME, GROUP and FUNCTION attributes of the UUID-Fields defined for each database provide the means to correlate the data.

Using these UUID-Field attributes you create a virtual bridge between each User Database and the Master Database. When the UUID tool processes the data in each of the databases, it uses the information in these virtual bridges to identify each person in the organization with the accounts on each system to which they have access.

In practice the virtual bridge is the Group attribute of the UUID-Field, and the Name and Function attributes define the actions that are performed on each field in the databases to correlate data between the Master Database and the other User Databases. To successfully match organization personnel with their accounts, you must examine each of the User Databases and create as many UUID-Fields as are needed to link each person listed in the Master Database to the accounts that are referenced in the User Databases.

Example Database Usage and UUID-Field Construction

This example shows two separate databases that hold data for a single employee in an organization. In Database 1 the employee is referenced by Person Name and the employee's telephone number is provided in the form <Area Code>-<Number>. In Database 2 the employee is referenced by a Person ID and the telephone number is provided as two separate fields, Area Code and Phone Number.

Database 1

Fields in Database 1    Person Name    Telephone
Data                    John Smith     09-7693219

Database 2

Fields in Database 2    Person ID    Area Code    Phone Number
Data                    1234567      09           7693219

By looking at the phone number in each database you can see that the phone numbers are identical even though they are stored in slightly different forms. We can therefore infer that the employee John Smith in Database 1 is the same individual that is referred to by the Person ID 1234567 in Database 2. Essentially we have used the phone numbers to build a virtual bridge between the two databases.

UUID-Field Construction in the UUID Tool

In the UUID tool, the Group attribute of the UUID-Fields forms the virtual bridge. You create UUID-Fields with given Group attributes in the Master Database for each type of information that you want to use. You then create UUID-Fields with identical Group attributes in the User Databases that contain the same type of information that you want to relate to the information in the Master Database. The functions may vary in structure for the identical Groups in each database, but the goal is to construct the same data set using the available fields in the databases. In our simple example, the databases look as follows:

Database 1 UUID-Fields

Name             Group    Function
Database 1_Ex    Phone    Telephone

Database 2 UUID-Fields

Name             Group    Function
Database 2_Ex    Phone    <Area Code>-<Phone Number>

Each database contains a UUID-Field with a Group called Phone. The Functions for each Group vary in structure but the outcome is identical: in the case of the example, a phone number in the form <Area Code>-<Phone Number>.

UUID-Field Elements

Each database can contain several UUID-Fields. Each UUID-Field has the following elements: Name, Group, Function, and Weight. The following list describes these elements:

Name
    Specifies a name that is provided for each UUID-Field that is extracted from the database. The name does not have to be identical across each database.

Group
    Specifies a name that is used for each common data type. The name for each common data type must be identical in each database.

Function
    Specifies the action to be performed on the database fields. This might be to extract the data contained in a database field, or it might be to extract a combination of data contained in several fields in the database.

    For help on the protocol used to construct combinations click the ? button in the Fields section of the User Database window. Refer to Chapter 6, UUID Indexing Functions, for a complete list of the functions available to manipulate database fields and create UUID-Fields.

Weight
    Provides a numeric measure to indicate the internal priority given to each group within a database. The greater the value, the higher the priority. The UUID tool processes the groups in order of priority.

    A value of 0 means that this group is not taken into consideration in the matching process.

Naming UUID-Fields

Each database must contain at least one UUID-Field that references the field in the database that contains the user-account information (Login). The name provided for that UUID-Field must take the following form: <Database Name>_ID. The Name provided for any other UUID-Field can take any form.

For example, for a database called RACF.udb the Name provided for the UUID-Field relating to the user-account field is RACF_ID.

The purpose of this special UUID-Field is to support the Merge operation (post matching). It is used to compare to the Person ID field in the merged configuration.

Note: The ID UUID-Field is not used for the correlation process. It should be associated with a group of its own, and given a weight of 0.

Adding New Databases

You need to include a database for each system in your organization that you are referencing. These are files that were extracted from each system and renamed as *.UDB files.

To add a new database

1. Click Add New in the User Databases section of the UUID Tool.

   The User Database window opens.

2. Click Browse next to the UDB/CFG File Name text field and from the Open dialog box select the database file that you want to include.

   Note: If you later plan to run the Merge Process, you need to select a Eurekify configuration file (.cfg file) originating from the referenced system. Configuration files automatically direct the tool to their User Database (.udb file). Otherwise, you can select the User Database (.udb file) directly.

3. Click Open and the selected file name is displayed in the UDB/CFG File Name text field.

4. Click Save and provide a name for an XML file in the Save As dialog box.

   The XML file is the UUID Mapping file and stores all the mapping parameters associated with the database.

5. Repeat this procedure to add a reference for each User Database that was extracted from the organization.

   The following screen shows references to User Databases for each system treated in an organization; these include UsersDB, RACF, WinNT and Solaris.

6. Select the database that contains the HR data and click Set Master. This sets the selected database as the Master database.

The database that you select as the Master database must contain an explicit reference to each of your personnel by name. For this reason it is usually the database that contains the HR data.

Adding Databases from XML Files

If you already have an XML file from a previous implementation, you can refer to that XML file directly. You do so by using the Add from XML feature in the User Databases section of the UUID tool.

To add a database from an XML file

1. From the User Databases section click Add from XML.

   The Save As window opens.

2. Navigate to the folder that contains your databases saved as XML files and select the database to add to the mapping file.

3. Click Save.

   The database is added to the list of User Databases referenced in the mapping file.

4. Click Save in the UUID Mapping File section to save the modified list of databases as part of the mapping file.

Editing Database UUID-Fields

At times you may need to modify existing matching UUID-Fields in a database, add UUID-Fields to a database, or remove UUID-Fields from a database. You do so by using the Edit feature in the User Databases section of the UUID tool.

To edit a database UUID-Field

1. Select an XML file from the User Databases list.

2. From the User Databases section click Edit.

   The User Database window opens displaying the list of UUID-Fields.

3. Select the UUID-Field that you want to edit.

   The selected row is highlighted.

4. Double-click in any field and the field becomes editable. You can now manually edit the value for the selected field.

5. When you are satisfied with your changes, click Save to confirm your changes in the database.

To add a UUID-Field to a database

1. Select an XML file from the User Databases list.

2. From the User Databases section click Edit.

   The User Database window opens displaying the list of UUID-Fields.

3. Enter values in the Name, Group and Function fields.

4. Enter a numeric value in the Weight text field.

5. Click Add.

   The new UUID-Field is added to the list of UUID-Fields in the database.

6. Click Save to confirm your changes in the database.

To remove a UUID-Field from a database

1. Select an XML file from the User Databases list.

2. From the User Databases section click Edit.

   The User Database window opens displaying the list of UUID-Fields.

3. Select the UUID-Field that you want to remove.

   The selected row is highlighted.

4. Click Remove and the selected UUID-Field is deleted from the list.

5. Click Save to confirm your changes in the database.

Note: You can define several UUID-Fields having the same Group name. For example, if the Master Database contains a value for US State (such as NY) but a given User Database does not, you can still use some of the information that is available in the User Database to match on it. Suppose that the User Database contains a telephone number and a zip code. In that case, you can create two UUID-Fields in the User Database with the same Group: one "guesses" the state by mapping (lookup function) the telephone area code, and the other does the same with the zip code. If at least one of the lookups succeeds, you get a match.

Removing Databases

For any number of reasons you may no longer need to deal with data that is included in a particular system in your organization. In such cases you need to remove references to the database from your mapping file. You do so by using the Remove feature in the User Databases section of the UUID tool.

To remove a database from a mapping file

1. In the UUID tool, load the mapping file that contains the databases to be removed.

   The User Databases referenced in the mapping file are displayed in the User Databases list.

2. Select the User Database to be removed from the mapping file.

   The selected row is highlighted.

3. Click Remove.

   The selected row is deleted from the list.

4. In the UUID Mapping File section click Save to confirm the changes made to the mapping file.

Indexing the Databases

Index the databases referenced in a Mapping file before you run the Match or Merge processes. While indexing the databases the UUID tool scans the data in each of the databases and loads the data into temporary files that are recorded in the Index Directory. If any changes are made to the database files or the Mapping file, perform the index process again before you perform the Match or Merge process.

To index the databases

1. After setting the Working Directories and defining the User Databases in the UUID tool, save the definitions as a Mapping file. If a Mapping file already exists, click Load and load the mapping file into the UUID tool.

2. In the User Databases section of the UUID tool click Run Index.

   The UUID Index window opens and displays a progress bar for the index process. Depending on the size of your databases this process may take a couple of minutes.

   If an error occurs during the index process, an error message is issued as part of the progress report displayed in the lower part of the UUID Index window, and the cause of the error is indicated in the log file.

   If you neglected to Save the mapping file prior to trying to Run Index, a Save As window opens for you to save the file. After saving the file the UUID Index process begins automatically.

3. (Optional) To view a log of the index process click View Log to open the log. The log contains a line for each record that was scanned in each of the databases included in the mapping file.

   At the end of the progress display, the message Finished building Index files is displayed when the index is successfully built.

4. Click Done when the Index process is complete.

UUID Mapping File

The UUID Mapping File is an XML file that stores the parameters that are set in the UUID Working Directories, User Databases, Match Process and Merge Process sections of the UUID tool. Once the parameters are saved, you can use the Mapping file to quickly populate the UUID Tool with the saved parameters instead of manually entering the data each time that you want to run the Match or Merge process. Alternatively, you can load a mapping file and use it as the base for editing and saving a new mapping file under a new name.

To use a UUID Mapping File

1. Click Load in the UUID Mapping File section of the UUID tool.

   An Open dialog appears in which you can navigate to the location that contains the mapping files on your local machine. For organizational purposes we suggest that the UUID Mapping Files be saved in the same directory that contains the Working Directories.

2. Select an XML file and click Open.

   The parameters stored in the XML file are loaded into the UUID tool.

Match Process

The Match process reads the User Database files referenced in the User Databases section of the UUID tool and correlates the users with the account details in each of the systems. The results of the Match Process are stored in a configuration file.

To run the Match Process

1. Click Load in the UUID Mapping File section and load a Mapping XML file.

   The UUID Tool is populated with the parameters stored in the selected mapping file.

2. Click Run Index in the User Databases section.

   The listed User Databases are indexed. Depending on the size of the databases the indexing process may take a few minutes.

3. Click Run Match in the Match Process section.

The UUID tool processes the databases and tries to correlate every account in each User Database to one or more potential owners in the Master Database. The correlation is based on the fields defined for matching, weighted accordingly. The result is a Matching Configuration, in which each of the users in the Master Database appears in the configuration's User pane, and each of the users in the other User Databases (representing accounts) appears in the configuration's Resource pane. Res Name 1 is the account ID, taken from the <Database Name>_ID field in the User Database. The name of the source system appears as Res Name 2. The degree of match is represented by a score (0-100) and appears as Res Name 3. This information is saved in the configuration file listed in the Output Config field of the Match Process section.

You can now open the Output Configuration file in Sage DNA and view each person in the organization and the accounts on each system to which they have access.

Because the matches are represented as a regular Eurekify configuration, you can also:

■ Review and add, remove or change correlations manually, using the Sage DNA Workstation

■ Report all correlations, using the Eurekify Reporting facilities

■ Run a certification campaign to confirm the correlations, using the Eurekify Portal

See the respective user manuals for more details.

When reviewing and correcting correlations in the Sage DNA Workstation, pay special attention to:

■ Accounts that were not matched at all (Res Name 3 will be empty for these)

■ Accounts that were matched but with a low probability (low score in Res Name 3) and thus represent more of a guess than a deterministic match

■ Accounts that were matched to multiple people (first note accounts with Total Number of Users greater than 1; note also that the same account may be matched with different scores, so look out for those as well)
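The virtual bridge from the Database 1 / Database 2 example earlier in this chapter and the Match process just described, as an added worked example in Python. This is not code from the product or from this guide: it uses constructed records for an HR Master database and a RACF account database, expresses UUID-Fields as (Name, Group, Function, Weight) tuples with Python callables standing in for the tool's expression language, indexes both databases, and produces the Res Name 1/2/3 values plus the three review lists the guide asks you to inspect (unmatched, low score, multiple owners). The scoring rule (each Group whose canonical value is shared with a Master record contributes its Weight; score = 100 times matched weight divided by total weight, truncated), the weights, the 70-point threshold and the sample data are this example's own assumptions; the guide only states that matches are weighted and scored 0-100.

```python
import re
from collections import defaultdict

# Constructed sample records standing in for two *.UDB files (not from the guide).
MASTER_DB = {
    "name": "HR",
    "records": [
        {"EmpID": "1234567", "Full Name": "John Smith", "Area Code": "09", "Phone Number": "7693219"},
        {"EmpID": "2345678", "Full Name": "Jane Doe",   "Area Code": "03", "Phone Number": "5551234"},
        # A second person on the same desk phone exercises the multiple-owner case.
        {"EmpID": "3456789", "Full Name": "Jon Smith",  "Area Code": "09", "Phone Number": "7693219"},
    ],
}
RACF_DB = {
    "name": "RACF",
    "records": [
        {"Login": "JSMITH",   "Person Name": "John Smith",    "Telephone": "09-7693219"},
        {"Login": "JDOE1",    "Person Name": "J. Doe",        "Telephone": "03-5551234"},
        {"Login": "SVCBATCH", "Person Name": "Batch Service", "Telephone": ""},
    ],
}

def phone_key(area, number):
    """Canonical '<Area Code>-<Phone Number>' value shared by the Phone group."""
    area, number = re.sub(r"\D", "", area), re.sub(r"\D", "", number)
    return f"{area}-{number}" if number else ""

def split_phone(tel):
    """Database 1 style 'area-number' string -> the same canonical value."""
    area, _, number = tel.partition("-")
    return phone_key(area, number)

# UUID-Fields as (Name, Group, Function, Weight). Python callables stand in for the
# tool's expression language; the weights (assumed) rank Phone above Name.
MASTER_FIELDS = [
    ("HR_ID",    "HR_ID", lambda r: r["EmpID"], 0),
    ("HR_Phone", "Phone", lambda r: phone_key(r["Area Code"], r["Phone Number"]), 10),
    ("HR_Name",  "Name",  lambda r: r["Full Name"].strip().lower(), 5),
]
RACF_FIELDS = [
    ("RACF_ID",    "RACF_ID", lambda r: r["Login"], 0),
    ("RACF_Phone", "Phone",   lambda r: split_phone(r["Telephone"]), 10),
    ("RACF_Name",  "Name",    lambda r: r["Person Name"].strip().lower(), 5),
]

def validate_fields(db, fields):
    """Naming rule from the guide: exactly one '<Database Name>_ID' UUID-Field,
    in a group of its own, with weight 0 (it serves Merge, not matching)."""
    id_name = f"{db['name']}_ID"
    id_fields = [f for f in fields if f[0] == id_name]
    if len(id_fields) != 1:
        raise ValueError(f"{db['name']}: expected one UUID-Field named {id_name}")
    _, id_group, _, weight = id_fields[0]
    if weight != 0 or any(f[1] == id_group for f in fields if f[0] != id_name):
        raise ValueError(f"{id_name} must have weight 0 and a group of its own")
    return id_name

def index_database(db, fields):
    """Index phase: evaluate each UUID-Field on each record -> (account id, {group: value})."""
    id_name = validate_fields(db, fields)
    rows = []
    for rec in db["records"]:
        account_id = next(func(rec) for name, _, func, _ in fields if name == id_name)
        values = {}
        for _, group, func, weight in fields:
            value = func(rec)
            if weight > 0 and value:   # weight-0 groups are ignored; empty values never bridge
                values[group] = value
        rows.append((account_id, values))
    return rows

def run_match(master_db, master_fields, user_db, user_fields):
    """Match phase. Assumed scoring: each Group whose canonical value is shared with a
    Master record contributes its Weight; score = 100 * matched / total weight, truncated."""
    master_index = defaultdict(lambda: defaultdict(list))   # group -> value -> [EmpID]
    for emp_id, values in index_database(master_db, master_fields):
        for group, value in values.items():
            master_index[group][value].append(emp_id)
    weights = {g: w for _, g, _, w in user_fields if w > 0 and g in master_index}
    total = sum(weights.values())
    results, system = [], user_db["name"]
    for account, values in index_database(user_db, user_fields):
        matched = defaultdict(int)
        for group, weight in sorted(weights.items(), key=lambda kv: -kv[1]):  # priority order
            for emp_id in master_index[group].get(values.get(group), []):
                matched[emp_id] += weight
        if not matched:   # unmatched account: Res Name 3 stays empty
            results.append({"Res Name 1": account, "Res Name 2": system, "Res Name 3": "", "User": None})
        for emp_id, got in matched.items():
            results.append({"Res Name 1": account, "Res Name 2": system,
                            "Res Name 3": 100 * got // total, "User": emp_id})
    return results

def review(results, low_score=70):
    """The three cases the guide says to inspect before Merge (threshold is assumed)."""
    per_account = defaultdict(list)
    for row in results:
        per_account[row["Res Name 1"]].append(row["Res Name 3"])
    return {
        "unmatched": sorted(a for a, s in per_account.items() if s == [""]),
        "low_score": sorted(a for a, s in per_account.items() if s != [""] and max(s) < low_score),
        "multiple":  sorted(a for a, s in per_account.items() if len(s) > 1),
    }
```

The validate_fields check enforces the <Database Name>_ID naming rule from Naming UUID-Fields (own group, weight 0), so a mapping that would break the later Merge step fails before indexing rather than after. In the sample data JSMITH lands on two people with different scores (100 and 66), which is exactly the multiple-owner case the guide warns about: the shared desk phone bridges to both HR records and only the Name group separates them; JDOE1 is a low-score match because its free-text name does not canonicalize to the HR name; SVCBATCH has no usable cues and stays unmatched with an empty Res Name 3.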

Merge Process

After you run the Match Process, inspect the results, and make the needed corrections, you have a finalized configuration file that matches each person in the organization with their respective accounts on the referenced systems. You can now proceed to the final stage of creating a configuration that links each person in the organization with all their resources in the referenced systems. This phase is called the Merge Process.

The Merge process reads the configuration files referenced in the User Databases section of the UUID tool and correlates the users with the resource details in each of the systems that are referred to in the tool.

Note: To run the Merge Process, the UUID tool needs to have access to the configuration files of the referenced systems (.cfg files), and not only to the User Databases (.udb files).

To run the Merge Process

1. Click Load in the UUID Mapping File section and load a Mapping XML file.

   The UUID Tool is populated with the parameters stored in the selected mapping file.

   We assume that you have previously run a Match Process and that the configuration specified in the Output Config field of the Match Process section exists and represents the correct matching.

2. Click Run Merge in the Merge Process section.

   Eurekify UUID processes the databases and matches each person in the organization with the resources to which they have access rights and privileges across each system in the organization. This information is saved in the configuration file listed in the Output Config field of the Merge Process section.

3. You can now open the Output Configuration file in Sage DNA and view each person in the organization and the resources on each system to which they have access.

Chapter 6: UUID Indexing Functions

This section contains the following topics:

UDB Fields Referencing (see page 139)
Lookup Functions (see page 139)
String Functions (see page 140)
Telephone Number Functions (see page 143)
Name Functions (see page 144)
Email Address Functions (see page 145)
Address Functions (see page 146)
Function Composition (see page 147)
User-Defined Functions (see page 148)

UDB Fields Referencing

UDB fields can be referenced directly, for example FirstName, or with the Field function, such as Field('FirstName').

If the UDB field name contains a space (' ') character, it can only be referenced with the Field function, for example Field('User Name').

Field Referencing

Function name:  <Direct>
Parameters:     Param1 - field name
Example:        FirstName
Results:        'John'

Function name:  Field(fieldname)
Parameters:     fieldname - name of a field from the UDB
Example:        Field('First Name')
Results:        'John'

Lookup Functions

Translating using a CSV file

Function name:  CsvLookup(csvFilename, value)
Parameters:     csvFilename - the CSV file containing the translation map
                value - the value to look up
Example:        CsvLookup('areas.csv', City)

String Functions

String Concatenation (operator)

Function name:  + operator
Parameters:     str1 - string
                str2 - string
Example:        FirstName + LastName
Results:        'John Smith'

String Concatenation (function)

Function name:  Concat(str1, str2, separator)
Parameters:     str1 - string
                str2 - string
                separator - string
Example:        Concat('Hello','world',', ')
Results:        'Hello, world'

Sub String

Function name:  Substr(str,from,to)
Parameters:     str - the string
                from - starting offset of the requested substring
                to - ending offset of the requested substring (offsets are zero-based and the ending offset is inclusive, as the example shows)
Example:        Substr('John Smith',5,6)
Results:        'Sm'

String Trimming

Function name:  Trim(str)
Parameters:     str - string with leading/trailing spaces
Example:        Trim(' sentence between many spaces ')
Results:        'sentence between many spaces'

String Last Characters

Function name:  LastChars(str,len)
Parameters:     str - string
                len - integer value specifying the required length of the tail
Example:        LastChars('where is the end',7)
Results:        'the end'

String Length

Function name:  Strlen(str)
Parameters:     str - string
Example:        Strlen('hello world')
Results:        11

String Searching

Function name:  StrFind(str,substr)
Parameters:     str - string
                substr - the substring whose offset is required
Example:        StrFind('My favorite color is red','color')
Results:        12

Convert from Integer to String

Function name:  StrOf(int)
Parameters:     int - integer value
Example:        StrOf(5)
Results:        '5'

Finding Digits in a String

Function name:  DigitsOf(str)
Parameters:     str - string
Example:        DigitsOf('john12smith34')
Results:        '1234'

Replacing Strings

Function name:  StrReplace(strSource,substr,replacing)
Parameters:     strSource - source string
                substr - the substring to be replaced
                replacing - the new substring
Example:        StrReplace('firstname1lastname1','1','2')
Results:        'firstname2lastname2'

Finding Alphabetic Characters

Function name:  AlphaOf(str)
Parameters:     str - string
Example:        AlphaOf('a1!@b2#$A1%^B2')
Results:        'abAB'

Finding Alpha-Numeric Characters

Function name:  AlphaAndDigitsOf(str)
Parameters:     str - string
Example:        AlphaAndDigitsOf('a1!@b2#$A1%^B2')
Results:        'a1b2A1B2'

Lower Case Conversion

Function name:  ToLower(str)
Parameters:     str - string
Example:        ToLower('RRYMON')
Results:        'rrymon'

Upper Case Conversion

Function name:  ToUpper(str)
Parameters:     str - string
Example:        ToUpper('rrymon')
Results:        'RRYMON'

Two-way Case Conversion

Function name:  SwapCases(str)
Parameters:     str - string
Example:        SwapCases('RRymon')
Results:        'rrYMON'

Removing Vowels from a String

Function name:  RemoveVowels(str)
Parameters:     str - string
Example:        RemoveVowels('johnSMITH')
Results:        'jhnSMTH'

Left-to-Right Reversing

Function name:  Reverse(str)
Parameters:     str - string
Example:        Reverse('john SMITH')
Results:        'HTIMS nhoj'

Telephone Number Functions

Finding Country Code

Function name:  TelCountryCode(phone)
Parameters:     phone - full phone number
Example:        TelCountryCode('+972-8-7654321')
Results:        '972'

Finding Area Code

Function name:  TelAreaCode(phone)
Parameters:     phone - full phone number
Example:        TelAreaCode('+972-8-7654321')
Results:        '8'

Finding Last 7 Digits of a Phone Number

Function name:  Tel7Digits(phone)
Parameters:     phone - full phone number
Example:        Tel7Digits('+972-9-7467346')
Results:        '7467346'

Name Functions

Getting First Name

Function name:  FirstName(name)
Parameters:     name - full name
Example:        FirstName('Ron Rymon')
Results:        'Ron'

Getting Last Name

Function name:  LastName(name)
Parameters:     name - full name
Example:        LastName('Ron Rymon')
Results:        'Rymon'

Getting Middle Name

Function name:  MiddleName(name)
Parameters:     name - full name
Examples:       MiddleName('Ron Rymon')                '' (empty string)
                MiddleName('John Ferdinand Smith')    'Ferdinand'

Getting Middle Initial

Function name:  MiddleInitial(name)
Parameters:     name - full name
Example:        MiddleInitial('John Ferdinand Smith')
Results:        'F'

Getting Name Suffix

Function name:  NameSuffix(name)
Parameters:     name - full name, including suffix
Example:        NameSuffix('John Smith, Jr.')
Results:        'Jr.'

Email Address Functions

Getting User ID from Email Address

Function name:  EmailUserID(emailAddress)
Parameters:     emailAddress - full email address
Example:        EmailUserID('rrymon@eurekify.com')
Results:        'rrymon'

Getting Email Domain from Email Address

Function name:  EmailDomain(emailAddress)
Parameters:     emailAddress - full email address
Example:        EmailDomain('rrymon@eurekify.com')
Results:        'eurekify.com'

Formatting Email Address

Function name:  EmailConvention(format, first, last, domain)
Parameters:     Creates a convention-formatted email address string.
                format - one of: Flast, Lastf, First.last, Last.first, Last, First
                first - first name
                last - last name
                domain - the email domain
Examples:       EmailConvention('flast','John','Smith','eurekify.com')         '[email protected]'
                EmailConvention('lastf','John','Smith','eurekify.com')         '[email protected]'
                EmailConvention('first.last','John','Smith','eurekify.com')    '[email protected]'
                EmailConvention('first_last','John','Smith','eurekify.com')    '[email protected]'
                EmailConvention('last','John','Smith','eurekify.com')          '[email protected]'
                EmailConvention('first','John','Smith','eurekify.com')         '[email protected]'

Address Functions

Getting Country Name from Address

Function name:  AddressCountry(fullAddress)
Parameters:     fullAddress - string of full address
Example:        AddressCountry('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')

Getting City from Address

Function name:  AddressCity(fullAddress)
Parameters:     fullAddress - string of full address
Example:        AddressCity('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')

Getting Street Name from Address

Function name:  AddressStreet(fullAddress)
Parameters:     fullAddress - string of full address
Example:        AddressStreet('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')

Getting State from Address

Function name:  AddressState(fullAddress)
Parameters:     fullAddress - string of full address
Example:        AddressState('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')

Getting Zip Code from Address

Function name:  AddressZipCode(fullAddress)
Parameters:     fullAddress - string of full address
Example:        AddressZipCode('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
Results:        '46345'

Getting All Digits from an Address

Function name:  AddressDigits(fullAddress)
Parameters:     fullAddress - string of full address
Example:        AddressDigits('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
Results:        '82 1 46345'

Function Composition

It is possible to compose functions, for example: ToLower(AlphaOf('A1B2C3')) => 'abc'

User-Defined Functions

It is possible for users to use their own defined and implemented functions. The declaration of such functions is done in an XML file named "userJarsDef.xml". The format of the file is:

    <jars>
      <indexFunction
        jarFilename="c:\dev\uuid\userJar.jar"
        implClass="EvalSubstring"
        function="UserPrivateSubstring" />
    </jars>

The function implementation is expected to be found in the specified JAR file. The specified class should extend the class:

    com.eurekify.matcher.indexer.evalfunctions.EvalFunc

The default constructor of the class should define the number of parameters this function accepts:

    numberOfParameters = 1;

The class should implement the method:

    public void run(Stack<Object> stack) throws EurekifyEvaluationException

First the stack needs to be checked with the function:

    checkTheStack(stack);

The parameters passed to the function are retrieved from the stack using:

    String strParam = getStringParam(stack);

Or:

    int intParam = getIntParam(stack);

The result of the function should be pushed back to the stack using:

    stack.push(result);

Example implementation class:

    import java.util.Stack;
    import com.eurekify.matcher.indexer.evalfunctions.*;

    public class EvalSubstring extends EvalFunc {

        public EvalSubstring() {
            // declare the arity: UserPrivateSubstring(str, from, to)
            numberOfParameters = 3;
        }

        public void run(Stack<Object> inStack) throws EurekifyEvaluationException {
            // verify that the stack holds numberOfParameters entries
            checkTheStack(inStack);

            // parameters come off the stack in reverse order: the last argument is on top
            int to = getIntParam(inStack);
            int from = getIntParam(inStack);
            String str = getStringParam(inStack);

            // note: String.substring's end index is exclusive, unlike the built-in
            // Substr, where Substr('John Smith',5,6) returns 'Sm'
            String result = str.substring(from, to);

            // push the result back for the caller, or an enclosing function, to consume
            inStack.push(result);
        }
    }
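The function-composition rule and the EvalFunc stack protocol above, as an added example in Python; this is not the product's implementation and none of it comes from the guide. A tokenizer and parser turn an expression such as ToLower(AlphaOf('A1B2C3')) into a postfix program, and an evaluator runs it the way the Java class does: push the arguments, check that the stack holds numberOfParameters entries, pop them last-first, push the result. The built-ins here (+, ToLower, AlphaOf, DigitsOf, Substr) are reconstructed from the guide's examples only (the guide's FirstName + LastName example yields 'John Smith', so + joins with a space here, an assumption); a bare identifier is treated as shorthand for Field(); and UserPrivateSubstring re-expresses the Java EvalSubstring, which makes visible that its end index is exclusive while the built-in Substr's is inclusive.

```python
import re

TOKEN = re.compile(r"\s*(?:'([^']*)'|(\d+)|([A-Za-z_]\w*)|([(),+]))")

def tokenize(src):
    """'Substr('John Smith',5,6)' -> [('ID','Substr'), ('(','('), ('STR','John Smith'), ...]"""
    src, pos, tokens = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        s, n, ident, punct = m.groups()
        tokens.append(("STR", s) if s is not None else ("INT", int(n)) if n else
                      ("ID", ident) if ident else (punct, punct))
        pos = m.end()
    return tokens

class Parser:
    """expr := term ('+' term)*   term := STR | INT | ID | ID '(' [expr {',' expr}] ')'"""
    def __init__(self, src):
        self.toks, self.pos, self.out = tokenize(src), 0, []   # out: postfix program
    def peek(self):
        return self.toks[self.pos][0] if self.pos < len(self.toks) else None
    def take(self, kind=None):
        if self.pos >= len(self.toks) or (kind and self.toks[self.pos][0] != kind):
            raise ValueError(f"expected {kind or 'a term'} at token {self.pos}")
        self.pos += 1
        return self.toks[self.pos - 1]
    def expr(self):
        self.term()
        while self.peek() == "+":          # '+' is just a two-parameter function
            self.take()
            self.term()
            self.out.append(("CALL", "+", 2))
    def term(self):
        kind, value = self.take()
        if kind in ("STR", "INT"):
            self.out.append(("PUSH", value))
        elif kind == "ID" and self.peek() == "(":
            self.take("(")
            argc = 0
            while self.peek() != ")":
                if argc:
                    self.take(",")
                self.expr()
                argc += 1
            self.take(")")
            self.out.append(("CALL", value, argc))
        elif kind == "ID":                 # bare FirstName is shorthand for Field('FirstName')
            self.out += [("PUSH", value), ("CALL", "Field", 1)]
        else:
            raise ValueError(f"unexpected token {value!r}")

def compile_expr(src):
    parser = Parser(src)
    parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing input after expression")
    return parser.out

def pop_params(stack, n, name):
    """checkTheStack plus getStringParam/getIntParam: arguments come off last-first."""
    if len(stack)            < n:
        raise ValueError(f"{name}: needs {n} parameters, stack holds {len(stack)}")
    return [stack.pop() for _ in range(n)][::-1]

def evaluate(program, record):
    funcs = {**FUNCTIONS, "Field": (1, record.__getitem__)}   # Field('First Name') reads the record
    stack = []
    for op in program:
        if op[0] == "PUSH":
            stack.append(op[1])
        else:
            _, name, argc = op
            if name not in funcs:
                raise ValueError(f"unknown function {name}")
            n, fn = funcs[name]
            if argc != n:
                raise ValueError(f"{name} takes {n} parameters, got {argc}")
            stack.append(fn(*pop_params(stack, n, name)))
    if len(stack) != 1:
        raise ValueError("malformed expression")
    return stack[0]

def run(src, record=None):
    return evaluate(compile_expr(src), record or {})

# name -> (numberOfParameters, implementation), as in the userJarsDef.xml declarations.
FUNCTIONS = {
    "+":        (2, lambda a, b: f"{a} {b}"),            # guide: FirstName + LastName -> 'John Smith'
    "ToLower":  (1, str.lower),
    "AlphaOf":  (1, lambda s: "".join(ch for ch in s if ch.isalpha())),
    "DigitsOf": (1, lambda s: "".join(ch for ch in s if ch.isdigit())),
    "Substr":   (3, lambda s, frm, to: s[frm:to + 1]),   # Substr('John Smith',5,6) -> 'Sm': inclusive
}

def register(name, number_of_parameters, fn):
    """The userJarsDef.xml step: declare a user function together with its arity."""
    FUNCTIONS[name] = (number_of_parameters, fn)

# The guide's Java EvalSubstring re-expressed: Python slicing has an exclusive end just
# like String.substring, so UserPrivateSubstring('John Smith',5,6) gives 'S', not 'Sm'.
register("UserPrivateSubstring", 3, lambda s, frm, to: s[frm:to])
```

Arity is checked against the declared numberOfParameters before anything is popped, so a call with the wrong number of arguments fails with a clear error instead of silently consuming a neighbouring argument, which is the same reason the Java protocol calls checkTheStack first.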

Chapter 7: CA Role & Compliance Manager Web Services Interface

The primary purpose of the web services interface is to make CA Role & Compliance Manager data and services available to third-party applications. The services provide an assortment of functions and allow interaction with CA Role & Compliance Manager data stored in a database.

The CA Role & Compliance Manager Web Services Interface is intended to be used by software engineers to extract, modify or manipulate data housed in CA Role & Compliance Manager databases and to integrate that data into web clients.

This section contains the following topics:

Policy Functions (see page 151)
SageLinkBPRService (see page 152)
SageBasicService (see page 153)
SageDataService (see page 155)
SageDiffService (see page 157)
SageEntitiesCommonService (see page 157)
SageEntitiesDiffService (see page 158)
SageEntitiesDataService (see page 159)
Example Usage of Sage Web Services (see page 161)

Policy Functions

Function               Description
bpr_new_bpr_file       Adds a new business policy file.
bpr_new_rule           Adds a new business policy rule.
bpr_new_rule_entity    Adds a new business policy rule entity.

SageLinkBPRService

152 Sage DNA Data Management User Guide

SageLinkBPRService

SageLinkBPRService provides a mechanism for checking requested links

between two CA Role & Compliance Manager entities against CA Role &

Compliance Manager Business Process Roles. For each link type the service

reports a prediction of BPR violations that the link causes.

The functions exposed by the LinkBPRService have a common Parameter:

Parameter Description

getAllAlerts The parameter defines the extent to which the check

finds and retrieves BPR alert violations.

Type: Boolean

True: The check finds and retrieves all possible alert

violations.

False: The check stops after retrieving the first alert

violation that it finds.

The SageLinkBPRService exposes the functions listed in the topics that follow.

Add Link Checks

Function                           Description
add_user_role_check_bpr            Check for BPR violations for a user-role link.
add_user_resource_check_bpr        Check for BPR violations for a user-resource link.
add_role_role_check_bpr            Check for BPR violations for a role-role link.
add_role_resource_check_bpr        Check for BPR violations for a role-resource link.

Remove Link Checks

Function                           Description
remove_user_role_check_bpr         Check for BPR violations for a user-role link.
remove_user_resource_check_bpr     Check for BPR violations for a user-resource link.
remove_role_role_check_bpr         Check for BPR violations for a role-role link.
remove_role_resource_check_bpr     Check for BPR violations for a role-resource link.
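The effect of the getAllAlerts parameter is easiest to see in code. The following is an added example, not code from the product or from this guide: it models add_user_role_check_bpr locally over an in-memory configuration and an assumed rule shape (two roles that must not be held together, i.e. a segregation-of-duties rule), shows both modes of the flag, and adds a write path that only commits a link the pre-check passes. The Configuration, Rule and Alert types and the sample data are constructed for the example.

```python
"""Local model of the SageLinkBPRService pre-check and its getAllAlerts flag.

Added example; this is not code from CA Role & Compliance Manager. The rule
shape (two roles that must not be held together, i.e. a segregation-of-duties
rule) and the in-memory configuration are assumptions for illustration; the
real service evaluates the BPR files stored on the database.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Configuration:
    # user -> roles directly linked to that user
    user_roles: dict[str, set[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    """Assumed rule shape: holding role_a together with role_b is a violation."""
    name: str
    role_a: str
    role_b: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    conflicting_role: str


def add_user_role_check_bpr(cfg: Configuration, rules: list[Rule], user: str,
                            role: str, get_all_alerts: bool) -> list[Alert]:
    """Predict the BPR violations that adding the user-role link would cause.

    Nothing is written: the requested link is evaluated against the roles the
    user already holds. With get_all_alerts=False the check stops at the first
    violation; with True it collects every violation, as the parameter
    description states.
    """
    held = cfg.user_roles.get(user, set())
    if role in held:
        return []  # the link already exists; nothing new can be violated
    alerts: list[Alert] = []
    for rule in rules:
        if rule.role_a == role and rule.role_b in held:
            conflicting = rule.role_b
        elif rule.role_b == role and rule.role_a in held:
            conflicting = rule.role_a
        else:
            continue
        alerts.append(Alert(rule.name, user, conflicting))
        if not get_all_alerts:
            break
    return alerts


def grant_role_if_clean(cfg: Configuration, rules: list[Rule], user: str,
                        role: str) -> bool:
    """Write the link only when the pre-check predicts no violation.

    The first-alert mode is enough here: a single violation already blocks
    the change, so collecting the rest would be wasted work.
    """
    if add_user_role_check_bpr(cfg, rules, user, role, get_all_alerts=False):
        return False
    cfg.user_roles.setdefault(user, set()).add(role)
    return True


# Constructed sample data (not from the page): an accounts-payable clerk who is
# also a vendor administrator must not additionally become an approver.
SAMPLE_RULES = [
    Rule("SoD-AP-1", "AP_Clerk", "AP_Approver"),
    Rule("SoD-AP-2", "Vendor_Admin", "AP_Approver"),
]


def sample_configuration() -> Configuration:
    return Configuration({"alice": {"AP_Clerk", "Vendor_Admin"}, "bob": set()})
```

In practice the check runs before cfg_new_user_role_link is called; collecting all alerts (True) is what you want for a report to the requester, while the first-alert mode (False) is enough to gate an automated change.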


Chapter 7: CA Role & Compliance Manager Web Services Interface 153

SageBasicService

SageBasicService.asmx provides write access to identity/role management data for Sage usage on a database.

All functions of this service return an integer value, where:

■ 0 signifies success.
■ 1 signifies failure.

The following topics list the functions that the Sage Basic Service exposes.

Documents Functions

Function                           Description
new_udb                            Creates a new CA Role & Compliance Manager Users Database (UDB).
new_rdb                            Creates a new CA Role & Compliance Manager Resources Database (RDB).
new_cfg                            Creates a new CA Role & Compliance Manager configuration.

Entities Database Functions

Function                           Description
udb_new_user                       Adds a new user to an existing UDB.
udb_new_user_field                 Adds a user field value to an existing user.
rdb_new_resource                   Adds a new resource to an existing RDB.
rdb_new_resource_field             Adds a new resource field value to an existing resource.
new_field_name                     Adds a new field to an existing entities DB (UDB/RDB).

Configuration Functions

Function                           Description
cfg_new_configuration_user         Adds a user from a UDB to an existing configuration.
cfg_new_configuration_role         Adds a new role to an existing configuration.
cfg_new_configuration_resource     Adds a new resource from an RDB to an existing configuration.
cfg_remove_configuration_user      Removes a user from a configuration without removing the user from the UDB.
cfg_remove_configuration_role      Removes a role from a configuration.
cfg_remove_configuration_resource  Removes a resource from a configuration without removing the resource from the RDB.
cfg_new_user_role_link             Adds a user-role link.
cfg_new_user_resource_link         Adds a user-resource link.
cfg_new_role_role_link             Adds a role-role link (role hierarchy).
cfg_new_resource_role_link         Adds a resource-role link.
cfg_remove_user_resource_link      Removes a user-resource link.
cfg_remove_user_role_link          Removes a user-role link.
cfg_remove_resource_role_link      Removes a resource-role link.
cfg_remove_role_role_link          Removes a role-role link (role hierarchy).
cfg_change_user_field              Changes a user field (non-mandatory fields should be named "FieldValue#").
cfg_change_resource_field          Changes a resource field.
cfg_change_role_field              Changes a role field (non-mandatory fields should be named "FieldValue#").


Sage Policy Functions

Function                           Description
bpr_new_bpr_file                   Adds a new business policy file.
bpr_new_rule                       Adds a new business policy rule.
bpr_new_rule_entity                Adds a new business policy rule entity.

SageDataService

SageDataService.asmx provides read access to fundamental Sage data from a database. The links retrieved by this service are direct links.

The Sage Data Service exposes the functions listed in the following sections.

Sage Documents Functions

Function                           Description
data_source_get_configurations     Gets all Sage configurations stored on a database.
data_source_get_auditcards         Gets all Sage auditcards stored on a database.
data_source_get_bprs               Gets all Sage BPR files stored on a database.

Sage Databases Functions

Function                           Description
udb_get_users                      Gets all users from a UDB.
rdb_get_resources                  Gets all resources from an RDB.
database_get_fields                Gets all field names of a Sage entities DB (UDB/RDB).


Sage Configuration Functions

Function                           Description
cfg_get_databases                  Gets the Sage configuration UDB and RDB.
cfg_get_properties                 Gets the configuration properties.
cfg_get_roles                      Gets all the configuration roles.
cfg_get_configuration_users        Gets the configuration users.
cfg_get_configuration_resources    Gets the configuration resources.
cfg_get_user_role_links            Gets all the configuration user-role links.
cfg_get_user_resource_links        Gets all the configuration user-resource links.
cfg_get_role_role_links            Gets all the configuration role-role links (role hierarchy).
cfg_get_role_resource_links        Gets all the configuration role-resource links.

Other Sage Retrieval Functions

Function                           Description
auditcard_get_alerts               Gets all the auditcard alerts.
bpr_get_rules                      Gets all the BPR file rules.



SageDiffService

SageDiffService.asmx provides fundamental reports on differences between two Sage configurations. The following sections list the functions that the Sage Diff Service exposes.

Sage Entities Differences

Function                           Description
users_get_added                    Gets the users that appear in the updated configuration but do not appear in the original configuration.
roles_get_added                    Gets the roles that appear in the updated configuration but do not appear in the original configuration.
resources_get_added                Gets the resources that appear in the updated configuration but do not appear in the original configuration.
users_get_removed                  Gets the users that do not appear in the updated configuration but do appear in the original configuration.
roles_get_removed                  Gets the roles that do not appear in the updated configuration but do appear in the original configuration.
resources_get_removed              Gets the resources that do not appear in the updated configuration but do appear in the original configuration.

All Entities and Links Differences

getAllDiff: all the above differences in one function.

SageEntitiesCommonService

SageEntitiesCommonService.asmx provides fundamental reports on commonalities between two Sage entities of the same type inside a configuration. This service deals with direct links. The following sections list the functions that the Sage Entities Common Service exposes.

Sage User Commonalities

Function                           Description
users_get_common_roles             Gets all roles common to both users.
users_get_common_resources         Gets all resources common to both users.

Sage Roles Commonalities

Function                           Description
roles_get_common_users             Gets all users common to both roles.
roles_get_common_resources         Gets all resources common to both roles.

Sage Resources Commonalities

Function                           Description
resources_get_common_users         Gets all users common to both resources.
resources_get_common_roles         Gets all roles common to both resources.

SageEntitiesDiffService

SageEntitiesDiffService.asmx provides reports on differences in a single entity between two Sage configurations. The following sections list the functions that the SageEntitiesDiffService exposes.

Sage Users Differences

Function                           Description
user_get_added_roles               Gets roles linked to the first user and not the second.
user_get_added_resources           Gets resources linked to the first user and not the second.
user_get_removed_roles             Gets roles linked to the second user and not the first.
user_get_removed_resources         Gets resources linked to the second user and not the first.


Sage Roles Differences

Function                           Description
role_get_added_users               Gets users linked to the first role and not the second.
role_get_added_resources           Gets resources linked to the first role and not the second.
role_get_removed_users             Gets users linked to the second role and not the first.
role_get_removed_resources         Gets the resources linked to the second role and not the first.

Sage Resources Differences

Function                           Description
resource_get_added_users           Gets users linked to the first resource and not the second.
resource_get_added_roles           Gets roles linked to the first resource and not the second.
resource_get_removed_users         Gets the users linked to the second resource and not the first.
resource_get_removed_roles         Gets the roles linked to the second resource and not the first.

SageEntitiesDataService

SageEntitiesDataService.asmx provides more extensive and detailed reports on Sage entity links. The following sections list the functions that the SageEntitiesDataService exposes.

Sage User Links

Function                           Description
user_get_direct_roles              Gets the roles directly linked to the user.
user_get_dual_roles                Gets the roles dually linked to the user.
user_get_indirect_roles            Gets the roles indirectly linked to the user.
user_get_direct_resources          Gets the resources directly linked to the user.
user_get_dual_resources            Gets the resources dually linked to the user.
user_get_indirect_resources        Gets the resources indirectly linked to the user.

Sage Role Links

Function                           Description
role_get_direct_users              Gets the users directly linked to the role.
role_get_dual_users                Gets the users dually linked to the role.
role_get_indirect_users            Gets the users indirectly linked to the role.
role_get_parent_roles              Gets the role's parent roles.
role_get_child_roles               Gets the role's child roles.
role_get_direct_resources          Gets the role's directly linked resources.
role_get_dual_resources            Gets the role's dually linked resources.
role_get_indirect_resources        Gets the role's indirectly linked resources.

Sage Resource Links

Function                           Description
resource_get_direct_users          Gets the users directly linked to the resource.
resource_get_dual_users            Gets the users dually linked to the resource.
resource_get_indirect_users        Gets the users indirectly linked to the resource.
resource_get_direct_roles          Gets the roles directly linked to the resource.
resource_get_dual_roles            Gets the roles dually linked to the resource.
resource_get_indirect_roles        Gets the roles indirectly linked to the resource.


Example Usage of Sage Web Services

This section provides a number of examples of how you can use the Sage Web Services interface.

Open a Sage Configuration (SageDataService)

Open a Sage configuration in accordance with the Sage structure.

In preparation, retrieve all the configurations stored on the database (SageDataService.data_source_get_configurations).

To open a Sage configuration

1. After securing the configuration name, retrieve both the UDB and RDB used by the configuration (SageDataService.cfg_get_databases). Optionally, also get the configuration properties (SageDataService.cfg_get_properties).

2. Using the UDB name, get the users and their fields (SageDataService.udb_get_users, and SageDataService.database_get_fields to get the field names).

3. Do the same for the RDB (SageDataService.rdb_get_resources, and SageDataService.database_get_fields to get the field names).

4. Now that you have both the UDB and RDB you can open the configuration itself. First, obtain all the configuration roles (SageDataService.cfg_get_roles). After the roles are present, get all the configuration users and resources:

■ SageDataService.cfg_get_configuration_users
■ SageDataService.cfg_get_configuration_resources

5. Once all the configuration entities are present, retrieve the configuration links, i.e. the user-role, user-resource, role-role and role-resource links (SageDataService.cfg_get_user_role_links, SageDataService.cfg_get_user_resource_links, SageDataService.cfg_get_role_role_links and SageDataService.cfg_get_role_resource_links).
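The procedure above, carried out in code as an added example that is not the product's own client code. `call(service, function, **params)` is an assumed transport (for instance a thin wrapper over a SOAP client for the .asmx endpoint); the parameter names it receives and the shape of what it returns are assumptions, because the guide lists only the function names. `sample_transport` answers from constructed data so the example runs offline, and `dangling_links` is the consistency check a reviewer wants once all five steps are done.

```python
"""Walks the 'open a Sage configuration' procedure above, step by step.

Added example, not the product's own client code. `call(service, function,
**params)` is an assumed transport, for instance a thin wrapper over a SOAP
client for the .asmx endpoint; the parameter names it receives and the shape
of what it returns are assumptions, because the page lists only the function
names. `sample_transport` answers from constructed data so this runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

SVC = "SageDataService"
LINK_KINDS = ("user_role", "user_resource", "role_role", "role_resource")


@dataclass
class SageConfiguration:
    name: str
    udb: str
    rdb: str
    properties: dict[str, str] = field(default_factory=dict)
    user_fields: list[str] = field(default_factory=list)
    resource_fields: list[str] = field(default_factory=list)
    users: dict[str, dict[str, str]] = field(default_factory=dict)  # whole UDB
    resources: dict[str, dict[str, str]] = field(default_factory=dict)  # whole RDB
    roles: set[str] = field(default_factory=set)
    cfg_users: set[str] = field(default_factory=set)
    cfg_resources: set[str] = field(default_factory=set)
    links: dict[str, set[tuple[str, str]]] = field(default_factory=dict)


def open_configuration(call: Callable[..., Any], name: str) -> SageConfiguration:
    # Preparation: only open a name the database actually stores.
    if name not in call(SVC, "data_source_get_configurations"):
        raise KeyError(f"configuration {name!r} not found")
    # Step 1: the UDB and RDB behind the configuration, plus its properties.
    udb, rdb = call(SVC, "cfg_get_databases", configuration=name)
    cfg = SageConfiguration(name, udb, rdb,
                            call(SVC, "cfg_get_properties", configuration=name))
    # Steps 2 and 3: the entity databases and their field names.
    cfg.user_fields = call(SVC, "database_get_fields", database=udb)
    cfg.users = call(SVC, "udb_get_users", udb=udb)
    cfg.resource_fields = call(SVC, "database_get_fields", database=rdb)
    cfg.resources = call(SVC, "rdb_get_resources", rdb=rdb)
    # Step 4: roles first, then the users and resources the configuration uses.
    cfg.roles = set(call(SVC, "cfg_get_roles", configuration=name))
    cfg.cfg_users = set(call(SVC, "cfg_get_configuration_users", configuration=name))
    cfg.cfg_resources = set(call(SVC, "cfg_get_configuration_resources", configuration=name))
    # Step 5: the four link kinds, once every endpoint entity is known.
    for kind in LINK_KINDS:
        rows = call(SVC, f"cfg_get_{kind}_links", configuration=name)
        cfg.links[kind] = {(a, b) for a, b in rows}
    return cfg


def dangling_links(cfg: SageConfiguration) -> list[str]:
    """Links whose endpoints are not configuration entities; resolve these before any access review."""
    known = {"user": cfg.cfg_users, "role": cfg.roles, "resource": cfg.cfg_resources}
    problems = []
    for kind in LINK_KINDS:
        left, right = kind.split("_")
        for a, b in sorted(cfg.links.get(kind, ())):
            if a not in known[left] or b not in known[right]:
                problems.append(f"{kind} link {a}->{b} references an unknown entity")
    return problems


# Constructed sample data standing in for the database (not from the page).
_CONFIGS = {"Finance-Q1": {
    "databases": ("HR_UDB", "ERP_RDB"), "properties": {"owner": "iam-team"},
    "roles": ["AP_Clerk", "AP_Approver"],
    "configuration_users": ["alice", "bob"],
    "configuration_resources": ["GL_Post", "Vendor_Edit"],
    "user_role": [("alice", "AP_Clerk"), ("bob", "AP_Approver")], "user_resource": [],
    "role_role": [("AP_Approver", "AP_Clerk")],
    "role_resource": [("AP_Clerk", "Vendor_Edit"), ("AP_Approver", "GL_Post"),
                      ("AP_Approver", "Stale_Resource")],  # deliberately dangling
}}
_DATABASES = {
    "HR_UDB": {"fields": ["Department"], "rows": {"alice": {"Department": "AP"}, "bob": {"Department": "AP"}}},
    "ERP_RDB": {"fields": ["System"], "rows": {"GL_Post": {"System": "ERP"}, "Vendor_Edit": {"System": "ERP"}}},
}


def sample_transport(service: str, function: str, **p: Any) -> Any:
    """Answers SageDataService calls from the constructed data above."""
    assert service == SVC
    if function == "data_source_get_configurations":
        return list(_CONFIGS)
    if function == "database_get_fields":
        return _DATABASES[p["database"]]["fields"]
    if function in ("udb_get_users", "rdb_get_resources"):
        return _DATABASES[p.get("udb") or p["rdb"]]["rows"]
    key = function[len("cfg_get_"):].removesuffix("_links")
    return _CONFIGS[p["configuration"]][key]
```

Swap `sample_transport` for a function that performs the real SOAP call and the step order stays the same; the order matters because step 5 only makes sense once every entity a link can point at has been loaded.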


Save a Sage Configuration to the Database (SageBasicService)

Save some identity/role management data as a Sage configuration in the database.

If you do not wish to use existing Sage user and resource databases (UDB and RDB), create a new UDB and RDB (SageBasicService.new_udb and SageBasicService.new_rdb). After creating the Sage DBs, populate them with users and resources (SageBasicService.udb_new_user and SageBasicService.rdb_new_resource). Sage users and resources may also have fields (SageBasicService.udb_new_user_field and SageBasicService.rdb_new_resource_field), and these fields may be named (SageBasicService.new_field_name).

To save a Sage configuration to the database

1. Create a new Sage configuration and relate it to a UDB and an RDB (SageBasicService.new_cfg).

2. Populate the configuration with roles (SageBasicService.cfg_new_configuration_role).

3. Next, relate the relevant users and resources from the UDB/RDB to the configuration:

■ SageBasicService.cfg_new_configuration_user
■ SageBasicService.cfg_new_configuration_resource

4. Update the configuration links: user-role, user-resource, role-role and role-resource (SageBasicService.cfg_new_user_role_link, SageBasicService.cfg_new_user_resource_link, SageBasicService.cfg_new_role_role_link, SageBasicService.cfg_new_role_resource_link).
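The save procedure has a strict dependency order (databases and their entities before new_cfg, roles before configuration users and resources, and all of those before links), and every SageBasicService function signals failure with a non-zero return. The following added example, which is not product code, turns an in-memory configuration into that ordered call sequence and runs it with a stop-at-first-failure loop. The configuration shape (SAMPLE_CFG) and all parameter names are assumptions, since the guide lists only the function names; the link function names are taken from the SageBasicService configuration table, where the role-resource function appears as cfg_new_resource_role_link.

```python
"""Plans the SageBasicService call sequence for saving a configuration.

Added example, not product code. It takes the in-memory shape of SAMPLE_CFG
below (an assumption) and emits (function, parameters) pairs in the order the
procedure above requires: databases and their entities first, then new_cfg,
then roles, then configuration users and resources, then links, so that every
call only refers to things earlier calls have created. Parameter names are
assumptions, since the page lists only the function names; the link function
names are those of the SageBasicService configuration table. Each service
function returns 0 for success and 1 for failure, which `execute` relies on to
stop at the first failed call.
"""
from __future__ import annotations

from typing import Any, Callable

Plan = list[tuple[str, dict[str, Any]]]

LINK_FUNCTIONS = {
    "user_role": "cfg_new_user_role_link",
    "user_resource": "cfg_new_user_resource_link",
    "role_role": "cfg_new_role_role_link",
    "role_resource": "cfg_new_resource_role_link",
}


def plan_save(cfg: dict[str, Any], create_databases: bool) -> Plan:
    name, udb, rdb = cfg["name"], cfg["udb"], cfg["rdb"]
    plan: Plan = []
    if create_databases:
        # New UDB/RDB, their field names, then the entities and field values.
        plan += [("new_udb", {"name": udb}), ("new_rdb", {"name": rdb})]
        plan += [("new_field_name", {"database": udb, "field": f}) for f in cfg["user_fields"]]
        plan += [("new_field_name", {"database": rdb, "field": f}) for f in cfg["resource_fields"]]
        for user, fields in sorted(cfg["users"].items()):
            plan.append(("udb_new_user", {"udb": udb, "user": user}))
            plan += [("udb_new_user_field", {"udb": udb, "user": user, "field": k, "value": v})
                     for k, v in fields.items()]
        for res, fields in sorted(cfg["resources"].items()):
            plan.append(("rdb_new_resource", {"rdb": rdb, "resource": res}))
            plan += [("rdb_new_resource_field", {"rdb": rdb, "resource": res, "field": k, "value": v})
                     for k, v in fields.items()]
    # Step 1: the configuration itself, tied to its UDB and RDB.
    plan.append(("new_cfg", {"name": name, "udb": udb, "rdb": rdb}))
    # Step 2: roles.
    plan += [("cfg_new_configuration_role", {"configuration": name, "role": r})
             for r in sorted(cfg["roles"])]
    # Step 3: the users and resources the configuration takes from the databases.
    plan += [("cfg_new_configuration_user", {"configuration": name, "user": u})
             for u in sorted(cfg["cfg_users"])]
    plan += [("cfg_new_configuration_resource", {"configuration": name, "resource": r})
             for r in sorted(cfg["cfg_resources"])]
    # Step 4: links, which need both of their endpoints to exist already.
    for kind, fn in LINK_FUNCTIONS.items():
        plan += [(fn, {"configuration": name, "from": a, "to": b})
                 for a, b in sorted(cfg["links"].get(kind, ()))]
    return plan


def execute(call: Callable[..., int], plan: Plan) -> tuple[int, str | None]:
    """Run the plan in order; return (calls completed, failed function or None)."""
    for done, (fn, params) in enumerate(plan):
        if call("SageBasicService", fn, **params) != 0:
            return done, fn
    return len(plan), None


def position(plan: Plan, function: str) -> int:
    """Index of the first call of `function` in the plan, or -1 if absent."""
    return next((i for i, (fn, _) in enumerate(plan) if fn == function), -1)


# Constructed sample configuration (not from the page).
SAMPLE_CFG = {
    "name": "Finance-Q1", "udb": "HR_UDB", "rdb": "ERP_RDB",
    "user_fields": ["Department"], "resource_fields": ["System"],
    "users": {"alice": {"Department": "AP"}},
    "resources": {"GL_Post": {"System": "ERP"}},
    "roles": {"AP_Clerk", "AP_Approver"},
    "cfg_users": {"alice"}, "cfg_resources": {"GL_Post"},
    "links": {"user_role": {("alice", "AP_Clerk")},
              "role_role": {("AP_Approver", "AP_Clerk")},
              "role_resource": {("AP_Approver", "GL_Post")}},
}
```

Because the service returns per call rather than per transaction, a failure part-way leaves the configuration half-written; the `(done, fn)` pair that `execute` returns tells you exactly which call to investigate and what has already been committed.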

Compare Two Sage Configurations (SageDiffService)

Get reports at varying granularity on differences between two Sage configurations.

A complete and comprehensive report on all differences between two Sage configurations can be obtained. This report details the addition and removal of Sage entities (users, resources and roles) and of links (user-role, user-resource, role-role and role-resource). The function providing this report is SageDiffService.diff_get_all.

Otherwise, any combination of add/remove with user/resource/role, as well as with user-role/user-resource/role-role/role-resource, can be obtained. These combinations allow for a specific report on a single aspect of the differences between the two configurations.


View Entity Changes between Configurations (SageEntitiesDiffService)

This service allows you to view the changes made to a specific entity between two configurations. For each entity (user, resource, role) get the added/removed direct links with any other type of entity. For example, for a specific user get the role links that were added between the configurations, or, for a specific resource, get the user links that were removed between the configurations.

The hidden assumption in this usage is that one configuration is a base configuration and the other is an updated version of the base configuration.
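The two comparisons just described (the whole-configuration report of SageDiffService and the per-entity report of SageEntitiesDiffService) computed locally, as an added example that is not product code. A configuration is represented by the assumed structure of SAMPLE_BASE below: a set per entity kind and a set of (from, to) pairs per link kind. Following the usage note above, the first configuration passed to each function is the base and the second its updated version; `users_with_new_access` is the access-review view a practitioner usually wants from such a diff.

```python
"""Computes the SageDiffService and SageEntitiesDiffService reports locally.

Added example, not product code. A configuration is the assumed structure
used in SAMPLE_BASE below: a set per entity kind and a set of (from, to)
pairs per link kind. As the usage note above says, the first configuration
passed is the base and the second is its updated version.
"""
from __future__ import annotations

ENTITY_KINDS = ("users", "roles", "resources")
LINK_KINDS = ("user_role", "user_resource", "role_role", "role_resource")


def diff_get_all(base: dict, updated: dict) -> dict[str, set]:
    """All added/removed entities and links in one report (getAllDiff above)."""
    report: dict[str, set] = {}
    for kind in ENTITY_KINDS + LINK_KINDS:
        report[f"{kind}_added"] = updated[kind] - base[kind]
        report[f"{kind}_removed"] = base[kind] - updated[kind]
    return report


def _targets(cfg: dict, kind: str, entity: str) -> set[str]:
    """Entities that `entity` links to, in the given link kind."""
    return {b for a, b in cfg[kind] if a == entity}


def _sources(cfg: dict, kind: str, entity: str) -> set[str]:
    """Entities that link to `entity`, in the given link kind."""
    return {a for a, b in cfg[kind] if b == entity}


def user_get_added_roles(base: dict, updated: dict, user: str) -> set[str]:
    """Roles linked to the user in the updated configuration but not in the base."""
    return _targets(updated, "user_role", user) - _targets(base, "user_role", user)


def user_get_removed_roles(base: dict, updated: dict, user: str) -> set[str]:
    """Roles linked to the user in the base configuration but not in the update."""
    return _targets(base, "user_role", user) - _targets(updated, "user_role", user)


def user_get_added_resources(base: dict, updated: dict, user: str) -> set[str]:
    return _targets(updated, "user_resource", user) - _targets(base, "user_resource", user)


def role_get_added_users(base: dict, updated: dict, role: str) -> set[str]:
    """Users linked to the role in the updated configuration but not in the base."""
    return _sources(updated, "user_role", role) - _sources(base, "user_role", role)


def users_with_new_access(base: dict, updated: dict) -> dict[str, dict[str, set[str]]]:
    """Every user who gained a direct role or resource between the two configurations.

    This is the slice of the diff an access reviewer looks at first. Users that
    are new in the updated configuration are included with everything they
    hold, because the base configuration says nothing about them.
    """
    gained: dict[str, dict[str, set[str]]] = {}
    for user in sorted(updated["users"]):
        roles = user_get_added_roles(base, updated, user)
        resources = user_get_added_resources(base, updated, user)
        if roles or resources:
            gained[user] = {"roles": roles, "resources": resources}
    return gained


# Constructed sample configurations (not from the page). In the update alice
# gains AP_Approver on top of AP_Clerk, bob is removed and carol is new.
SAMPLE_BASE = {
    "users": {"alice", "bob"}, "roles": {"AP_Clerk", "AP_Approver"},
    "resources": {"GL_Post"},
    "user_role": {("alice", "AP_Clerk"), ("bob", "AP_Approver")}, "user_resource": set(),
    "role_role": set(), "role_resource": {("AP_Approver", "GL_Post")},
}
SAMPLE_UPDATED = {
    "users": {"alice", "carol"}, "roles": {"AP_Clerk", "AP_Approver", "Auditor"},
    "resources": {"GL_Post", "Vendor_Edit"},
    "user_role": {("alice", "AP_Clerk"), ("alice", "AP_Approver"), ("carol", "Auditor")},
    "user_resource": {("alice", "Vendor_Edit")},
    "role_role": set(), "role_resource": {("AP_Approver", "GL_Post")},
}
```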

Get Entity Commonalities (SageEntitiesCommonService)

For two specific entities of the same type (user, resource, role), get the links with any other type of entity that are common to both. For example, for two users in a configuration, get all resources that the users have in common and that are directly linked to both users. For two roles, get all users that are directly linked to both roles.

View Link Information for Entities (SageEntitiesDataService)

For a specific Sage entity (user, role, resource), get any type of link (direct, dual, indirect) with any of the other types of entity in the configuration.

For example, for a specific user get all indirectly linked resources. Similarly, for a specific role get all dually linked resources (resources which are both directly linked to the role and linked to some child role of the role).
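The three link kinds for a role's resources, derived from a role hierarchy as an added example that is not the product's code. It assumes that a role-role link is stored as (parent, child), that a parent role holds the resources of the roles below it, and that "child role" in the definition above covers any role below it in the hierarchy. Under that reading, dual is computed exactly as defined above (directly linked and also reachable through a role below), and indirect, which the guide does not define, is taken to mean reachable only through roles below, with no direct link; the role hierarchy and resources in SAMPLE_CFG are constructed.

```python
"""Derives direct, dual and indirect role-resource links from a role hierarchy.

Added example, not product code. Assumptions: a role-role link is stored as
(parent, child); a parent role holds the resources of every role below it;
"child role" in the page's definition of dual means any role below it.
direct   = resources linked to the role itself
dual     = resources both directly linked and reachable through a role below
indirect = resources reachable only through roles below (assumed meaning;
           the page does not define it)
"""
from __future__ import annotations


def descendants(role_role_links: set[tuple[str, str]], role: str) -> set[str]:
    """All roles below `role` in the hierarchy; safe on cyclic data."""
    children: dict[str, set[str]] = {}
    for parent, child in role_role_links:
        children.setdefault(parent, set()).add(child)
    seen: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        for child in children.get(current, ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def role_get_direct_resources(cfg: dict, role: str) -> set[str]:
    return {res for r, res in cfg["role_resource"] if r == role}


def _inherited_resources(cfg: dict, role: str) -> set[str]:
    """Resources held by any role below `role`."""
    below = descendants(cfg["role_role"], role)
    return {res for r, res in cfg["role_resource"] if r in below}


def role_get_dual_resources(cfg: dict, role: str) -> set[str]:
    return role_get_direct_resources(cfg, role) & _inherited_resources(cfg, role)


def role_get_indirect_resources(cfg: dict, role: str) -> set[str]:
    return _inherited_resources(cfg, role) - role_get_direct_resources(cfg, role)


def role_effective_resources(cfg: dict, role: str) -> set[str]:
    """Everything the role grants, directly or through the hierarchy.

    This is the set to review when judging whether a role is over-privileged;
    looking only at direct links misses what the roles below it contribute.
    """
    return role_get_direct_resources(cfg, role) | _inherited_resources(cfg, role)


# Constructed sample hierarchy (not from the page):
# Finance_Manager > AP_Approver > AP_Clerk.
SAMPLE_CFG = {
    "role_role": {("Finance_Manager", "AP_Approver"), ("AP_Approver", "AP_Clerk")},
    "role_resource": {("Finance_Manager", "GL_Post"), ("AP_Approver", "GL_Post"),
                      ("AP_Approver", "Invoice_Approve"), ("AP_Clerk", "Vendor_Edit")},
}
```

A dual link is the redundant case: the direct link adds nothing the hierarchy does not already grant, so removing it does not reduce access, while an indirect link is access that never appears in the role's own direct links at all.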