CA Role & Compliance Manager r12.0: Sage DNA Data Management User Guide
This documentation and any related computer software help programs (hereinafter referred to as the
“Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at
any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in
part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA
and protected by the copyright laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the documentation for
their own internal use, and may make one copy of the related software as reasonably required for back-up and
disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy.
Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for
the product are permitted to have access to such copies.
The right to print copies of the documentation and to make a copy of the related software is limited to the period
during which the applicable license for the Product remains in full force and effect. Should the license terminate for
any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the
Documentation have been returned to CA or destroyed.
EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY
APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS
OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT
LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY
ADVISED OF SUCH LOSS OR DAMAGE.
The use of any product referenced in the Documentation is governed by the end user’s applicable license
agreement.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Copyright © 2009 CA. All rights reserved.
Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the
information you need for your Home Office, Small Business, and Enterprise CA
products. At http://ca.com/support, you can access the following:
■ Online and telephone contact information for technical assistance and
customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Provide Feedback
If you have comments or questions about CA product documentation, you can
send a message to [email protected].
If you would like to provide feedback about CA product documentation,
complete our short customer survey, which is also available on the CA support
website, found at http://ca.com/support.
CA Product References
This document references the following CA products:
■ CA Role & Compliance Manager (CA Role & Compliance Manager)
■ CA Identity Manager
Contents
Chapter 1: Introduction 9
About this Guide ................................................................................. 9
Audience ....................................................................................... 10
Role Based Access Control (RBAC) ............................................................... 10
Basic Concepts and Architecture ................................................................. 11
Sage's Technology .............................................................................. 13
Typical Processes ............................................................................... 14
Chapter 2: Sage DNA Data Management 17
Accessing Sage DNA Data Management .......................................................... 17
The Sage DNA Data Management Menu Bar ...................................................... 18
File Menu ................................................................................... 18
View Menu .................................................................................. 19
Import and Export Menus.................................................................... 20
Management Menu .......................................................................... 21
UUID Menu ................................................................................. 21
Batch Menu ................................................................................. 21
Help Menu .................................................................................. 21
Chapter 3: Import and Export Menus 23
Supported Import and Export Platforms .......................................................... 24
CSV Files Converter ............................................................................. 26
Import from CSV Files ....................................................................... 26
Export to CSV Files .......................................................................... 32
CSV Mapper Utility .......................................................................... 34
Active Directory Converter ...................................................................... 35
Import from Active Directory ................................................................ 36
Export Active Directory ...................................................................... 43
RACF Converter ................................................................................. 45
Import from RACF ........................................................................... 46
Export to RACF.............................................................................. 48
MS-SQL Converter .............................................................................. 50
Import from MS-SQL ........................................................................ 50
Export to MS SQL ........................................................................... 52
TIM2Sage Converter ............................................................................ 56
Prerequisites ................................................................................ 56
6 Sage DNA Data Management User Guide
Importing from ITIM ........................................................................ 57
Exporting to ITIM ........................................................................... 62
Control SA Converter............................................................................ 65
Importing from Control SA to Sage .......................................................... 65
Exporting from Sage to Control SA ........................................................... 72
SAP to Sage Converter .......................................................................... 73
Mapping SAP Data to Sage .................................................................. 74
Running the SAP to Sage Converter .......................................................... 77
Generic LDIF to Sage Converter ................................................................. 80
Import from TSS ................................................................................ 84
Import from UNIX ............................................................................... 87
Import Windows Shared Folder .................................................................. 88
Mapping Windows Share Data to Sage ....................................................... 89
BMC Identity Manager Open Services ............................................................ 91
Importing from BMC Identity Management ................................................... 92
Exporting to BMC Identity Management ...................................................... 96
Oracle Identity Manager ......................................................................... 97
Updating Oracle Identity Manager Client JARs ................................................ 98
Importing from Oracle Identity Manager ....................................................101
Exporting from Sage to Oracle Identity Manager .............................................106
Chapter 4: Management Menu 109
Enrich Users Database .........................................................................110
Enrich Resource Database ......................................................................112
Preserving Columns During Enrichment .........................................................113
Sage Database Utility ..........................................................................115
Chapter 5: Unique User ID (UUID) Menu 117
The UUID Interface ............................................................................118
UUID Work Process ............................................................................119
Prepare Company HR and Systems Data ........................................................120
Set Java Package Directory .....................................................................120
Working Directories ............................................................................120
Create and Assign Working Directories ......................................................122
User Databases ................................................................................123
Master vs. Other Databases ................................................................124
Adding New Databases .....................................................................128
Adding Databases from XML Files ...........................................................130
Editing Database UUID-Fields ...............................................................131
Removing Databases .......................................................................133
Indexing the Databases ....................................................................134
UUID Mapping File .............................................................................135
Match Process .................................................................................136
Merge Process .................................................................................138
Chapter 6: UUID Indexing Functions 139
UDB Fields Referencing .........................................................................139
Lookup Functions ..............................................................................139
String Functions ...............................................................................140
Telephone Number Functions ...................................................................143
Name Functions ................................................................................144
Email Address Functions........................................................................145
Address Functions..............................................................................146
Function Composition ..........................................................................147
User-Defined Functions.........................................................................148
Chapter 7: CA Role & Compliance Manager Web Services Interface 151
Policy Functions ................................................................................151
SageLinkBPRService ...........................................................................152
Add Link Checks ...........................................................................152
Remove Link Checks .......................................................................152
SageBasicService ..............................................................................153
Documents Functions ......................................................................153
Entities Database Functions ................................................................153
Configuration Functions ....................................................................153
Sage Policy Functions ......................................................................155
SageDataService ...............................................................................155
Sage Documents Functions .................................................................155
Sage Databases Functions ..................................................................155
Sage Configuration Functions ...............................................................156
Other Sage Retrieval Functions .............................................................156
Remove Link Checks .......................................................................156
SageDiffService ................................................................................157
Sage Entities Differences ...................................................................157
All Entities and Links Differences ............................................................157
SageEntitiesCommonService ...................................................................157
Sage User commonalities ...................................................................157
Sage Roles Commonalities ..................................................................158
Sage Resources Commonalities .............................................................158
SageEntitiesDiffService .........................................................................158
Sage Users Differences .....................................................................158
Sage Roles Differences .....................................................................159
Sage Resources Differences ................................................................159
SageEntitiesDataService .......................................................................159
Sage User Links ............................................................................159
Sage Role Links ............................................................................160
Sage Resource Links .......................................................................160
Example Usage of Sage Web Services...........................................................161
Open a Sage Configuration (SageDataService) ..............................................161
Save a Sage Configuration to the Database (SageBasicService) ..............................162
Compare Two Sage Configurations (SageDiffService) ........................................162
View Entity Changes between Configurations (SageEntitiesDiffService) .......................163
Get Entity Commonalities (SageEntitiesCommonService) ....................................163
View Link Information for Entities (SageEntitiesDataService) .................................163
Chapter 1: Introduction
Most modern enterprise software systems, such as ERP, CRM, portals, and
security management, are role-based, as are operating systems and network
operating systems, and they all rely on an accurate and effective specification
of roles.
Implementing role-based systems in an enterprise-level system is a significant
undertaking. Creating a role specification from scratch is complex. Porting
various legacy specifications from existing systems is difficult due to different
and incompatible environments and conventions. Dynamic corporate
environments replete with periodic restructuring, mergers, relocation and
flexible employee mobility all contribute to the problematic nature of
maintaining a coherent access specification.
This chapter introduces the CA Role & Compliance Manager Sage Discovery
and Audit solution to meet this challenge.
This section contains the following topics:
About this Guide (see page 9)
Audience (see page 10)
Role Based Access Control (RBAC) (see page 10)
Basic Concepts and Architecture (see page 11)
Sage's Technology (see page 13)
Typical Processes (see page 14)
About this Guide
This guide describes operations and options that are unique to the Sage DNA
Data Management module. It specifically treats the operations performed from
within the Import, Export and Management menus. In the Management menu
the unique options include Enrich Users DB and Enrich Resources DB. All other
operations that can be performed from within the Sage DNA Data Management
module are common to the Sage DNA module and are described in the Sage
DNA manual.
Audience
This guide is intended for Role Engineers who are responsible for the
installation of Sage software, downloading and uploading of users and
resources databases, role discovery and audit operations. Role Engineers are
typically well-trained professionals who are familiar with the target
organization. This guide assumes that the Role Engineer has had professional
training on a Sage system and is familiar with the Sage documentation that
accompanied the Sage installation package.
Familiarity with the Microsoft operating system and applications and relevant
peripheral and remote equipment is also assumed.
Role Based Access Control (RBAC)
Role Based Access Control (RBAC) is a project of the National Institute of
Standards and Technology (NIST) and is intended to create a comprehensive
access security model for the structure and operation of enterprise-level
organizations in a high technology environment. RBAC has now reached
maturity and has been mandated or recommended for implementation by
industry regulations worldwide.
In RBAC, users have roles that provide them with permissions to perform
defined operations, such as read/write, on objects, such as computer files.
RBAC incorporates the principles of separation of duties and organizational
hierarchy into its model. Separation of duties prohibits a user with a certain
job function from serving in another job function at the same time. Hierarchy
reflects the layered role structure of large organizations but also facilitates
administration and role creation by allowing rights to flow down from senior to
junior roles. The following diagram describes the RBAC model:
Basic Concepts and Architecture
Sage implements RBAC standards without affecting an organization's on-going
operation. Sage implements the concept of a sandbox to separate Sage's
operation from the organization's on-going security environment (production
server). The assumption is that when working with Sage, existing access
definitions must first be imported into a sandbox. A sandbox is an offline PC
on which Sage is installed, where role discovery and audit activities
are performed without affecting current operations of the organization. All
work on discovering new or refining existing access definitions is performed in
the Sage environment.
Sage defines roles as a group of users that have a common set of privileges.
By users, Sage refers to people or functions: employees, customers, suppliers,
representatives, and so on. A resource is a specific right of access that may be
an operation or object in formal RBAC terms. Thus, a resource can be as
specific as a particular access right (Read/Write/Execute) to a specific file in a
specific file system on a specific machine, and it can also be used to provide a
model for access to a computer system (such as a user group on that
machine). A privilege is a connection between a user and a resource, indicating
that this user possesses a specific access right. A role can include a set of
users and a set of resources, with the semantics being that all users in the
user set are allowed access to all resources in the resource set.
Most of Sage's work is performed within a proprietary Sage configuration that
is automatically created when access data is imported into Sage. By
configuration, Sage means a data structure that holds a snapshot of the
definition of users, resources and roles (if already defined) as well as the
relevant relationships (privileges) between them.
The following shows the Sage architecture and how it relates to existing
systems in your enterprise:
Sage's Technology
Sage is based on advanced pattern recognition technology. Sage provides a
comprehensive set of highly sophisticated solutions to the challenges that
organizations face when implementing and maintaining role-based
management.
Core Technology
An important innovation of Sage lies in the observation that role-based
management revolves around patterns of privileges and access. As such, even
in an organization where privileges are not currently managed by roles, the
actual assignment of privileges roughly follows role-based patterns. Similarly,
deviations and exceptions should be detectable when they do not follow the
same patterns.
Sage's technology is designed to uncover the patterns that are hidden in
existing sets of privileges. This is not trivial, since the number of excessive
privileges may sometimes reach 50% of the total number of privileges. Many
users may also be under-privileged or wrongly-privileged. Furthermore, the
problem is extremely complex due to the sheer number of user accounts
typical of large enterprises. Sage combines a set of pattern recognition
techniques and other advanced algorithms and applies them to the special
challenges of roles management.
Other Technology Components
In addition to this core technology, CA has developed substantial additional
technology that is required to deploy a full solution:
■ Sage products use sophisticated algorithms that help the user make
intelligent decisions, while hiding most of the complexity of the problems
they address.
■ Sage products use sophisticated data structures and algorithms in order to
reduce the CPU and memory load to the point where a Sage project can be
fully implemented on a single PC.
■ Sage architecture is designed to allow easy mapping of privileges data
from virtually any ACL-based platform/application, including most
operating systems, databases, directories, applications, and of course,
identity management and provisioning systems.
■ Sage's user-friendly interface facilitates importing privileges data from a
common or proprietary platform and exporting processed data and role
definitions to this or another target platform.
Typical Processes
The following are the main processes when working with Sage (refer to chapter
4 for a more detailed description):
Import
In a typical implementation, the Role Engineer first imports current access
data from the security administration server. Source documents would
include a users database file, resources database file, roles file (if existing)
and possibly one or more files describing the relationship between one or
more entities (users, resources, roles). Using a direct communications link
to the production server, Sage enables the importing of data from a
variety of formats including: CSV, SQL, and RACF. Sage creates its own
Sage “configuration” document, which contains the known user, role, and
resource information.
Role Discovery
The role discovery process enables the discovery of roles that were not
explicitly defined in the source data as well as the refining of existing roles.
Sage's role discovery tools include searching for and proposing: basic
roles, obvious roles, roles that are almost perfect matches of other roles
and identifying role hierarchy. These options contain sub-menus that
enable fine-tuning Sage's discovery algorithm to adapt it to the specific
configuration that is being analyzed. The results of running these Sage
options are Sage's proposals for role definitions. These roles must be
individually examined to determine their appropriateness and validity for
the organization.
Audit
Sage's basic auditing tools apply Sage's internal logic and built-in
algorithms to an existing configuration to analyze and identify many types
of non-conformities or suspicions related to users, roles, and resources.
The Role Engineer can apply individual tools to analyze a configuration or
can run a comprehensive audit. The output of an audit is the AuditCard,
which contains a list of all suspicious records and the type of suspicion
involved (currently about 50 different types). The AuditCard also contains
a built-in mechanism for tracking progress until resolution is achieved.
Sage Policy Compliance
The Sage Policy Compliance module is an additional audit tool that enables
formulating a unique set of Business Process Rules (BPR) that represent
various constraints on privileges. These rules are formulated independently
of a specific Sage configuration and can then be applied to different
configurations.
Export
Prior to uploading a processed Sage configuration to the organization's
production server, the differences between the original source data and the
processed Sage configuration are examined using a built-in Sage option.
After verifying the differences and making any necessary changes, the
configuration data is directly exported from the Sage interface to the
production computer's format. The export eliminates cross-platform
conversion problems.
Chapter 2: Sage DNA Data Management
This section contains the following topics:
Accessing Sage DNA Data Management (see page 17)
The Sage DNA Data Management Menu Bar (see page 18)
Accessing Sage DNA Data Management
You can access the Sage DNA Data Management application from the Windows
Start menu or from within the Sage Portal client. The Sage DNA Data
Management application opens as follows:
To access Sage DNA Data Management from the Windows Start menu
Click Start, All Programs, CA Role & Compliance Manager ERM, CA Role &
Compliance Manager Data Management Vnumber. The Sage DNA Data
Management window opens.
To access Sage DNA Data Management from the Sage Portal Client
1. Click Start, All Programs, CA Role & Compliance Manager ERM, CA Role &
Compliance Manager Portal Client.
The Sage Portal Client opens to the home page.
2. Click the Data Management icon that appears on the home page.
The Sage DNA Data Management window opens.
The Sage DNA Data Management Menu Bar
The menu bar provides access to most Sage options. The menu bar is
organized by function and includes the following main items: File, View,
Import, Export, Management, Batch, and Help. To avoid navigating complex
menu systems, the most commonly-used Sage options are represented by
icons on the toolbar. However, not all options are included on the menu bar or
toolbar.
File Menu
The File menu contains the following options for file handling and connecting to
external systems and peripheral equipment:
■ Open Sage documents from a file
■ Open Sage documents from a database back-end
■ Configuration enrichment and merger operations
■ Operation of Sage batch functions
The operations in the Sage DNA Data Management File menu are identical to
those described for Sage DNA. Refer to documentation in Chapter 5 File Menu
in the CA Role & Compliance Manager Sage DNA User Guide.
View Menu
The View menu provides the following functions:
■ Determine how data is displayed in the active document window
■ Review the log file generated by Sage, to look for possible errors that were
encountered during operation.
■ Review properties and statistics for the active document window
■ Switch view to a related document, such as the UDB of the current
configuration
■ Explore connections of a select set of entities
The operations in the Sage DNA Data Management View menu are identical to
those described for Sage DNA. Refer to documentation in Chapter 7 View Menu
in the CA Role & Compliance Manager Sage DNA User Guide.
Import and Export Menus
The Import and Export menus provide support for importing and exporting
User and User Privilege information to and from Sage DNA Data Management.
The Import menu provides support for importing from the following file types
and platforms:
■ CSV files
■ LDIF files
■ SQL Database
■ Active Directory
■ RACF
■ TSS
■ Unix
■ SAP
■ Windows Shared Folder
■ ITIM V4.5 and V4.6
■ Control SA
The Export menu provides support for exporting to the following file types and
platforms:
■ Active Directory
■ RACF
■ SQL Database
■ CSV files
■ ITIM V4.5 and V4.6
■ Control SA
More information:
Import and Export Menus (see page 23)
Management Menu
The Management menu supports functionality for:
■ Enriching Users and Resource databases
■ Evaluating User databases
■ Merging Configurations, User databases, Resource databases, and Audit
Cards
■ Trimming and comparing Configurations
More information:
Management Menu (see page 109)
UUID Menu
The UUID menu lets you access the Unique User ID utility. Use this utility to
consolidate related or duplicate user accounts from the different directories in
your environment.
Batch Menu
The Batch menu supports functionality for:
■ Executing a Batch Command file
The operations in the Sage DNA Data Management Batch menu are identical to
those described for Executing a Batch File in Sage DNA. See Chapter 5 in the
CA Role & Compliance Manager Sage DNA User Guide.
Help Menu
Only version and license information is available under this menu.
Chapter 3: Import and Export Menus
Importing and exporting user and user privileges information to and from Sage
is performed by Sage DNA Data Management. The import process transfers
user information into Sage from the native security systems on which it
resides. The export process returns the information to the native security
systems after creating and modifying roles in Sage DNA.
Sage DNA Data Management provides a number of converters through which
user information is processed. These import and export facilities represent the
most common operating systems used on the native security systems.
The converters are located in the Import and Export menus of Sage DNA Data
Management. The following screen shows the Import and Export menus:
This section contains the following topics:
Supported Import and Export Platforms (see page 24)
CSV Files Converter (see page 26)
Active Directory Converter (see page 35)
RACF Converter (see page 45)
MS-SQL Converter (see page 50)
TIM2Sage Converter (see page 56)
Control SA Converter (see page 65)
SAP to Sage Converter (see page 73)
Generic LDIF to Sage Converter (see page 80)
Import from TSS (see page 84)
Import from UNIX (see page 87)
Import Windows Shared Folder (see page 88)
BMC Identity Manager Open Services (see page 91)
Oracle Identity Manager (see page 97)
Supported Import and Export Platforms
The Import and Export menus provide support for importing and exporting
User and User Privilege information to and from Sage DNA Data Management.
To access either the Sage Import or Export converters
1. From the Sage DNA Data Management menu bar, select either Import or
Export.
The menu opens and lists the Import/Export converters.
2. Select the converter that you want to use.
The selected converter opens.
The Import menu provides support for importing from the following file types
and platforms:
■ CSV files
■ LDIF files
■ SQL Database
■ Active Directory
■ RACF
■ TSS
■ Unix
■ SAP
■ Windows Shared Folder
■ ITIM V4.5 and V4.6
■ Control SA
The Export menu provides support for exporting to the following file types and
platforms:
■ Active Directory
■ RACF
■ SQL Database
■ CSV files
■ ITIM V4.5 and V4.6
■ Control SA
CSV Files Converter
Import from CSV Files
It is often convenient to convert information about users and privileges from
native security systems into simple CSV files. The CSV (Comma Separated
Values) format is the most common import and export format for spreadsheets
and databases. CSV files can then be manipulated and extended using simple
tools such as Excel, if necessary. Sage has its own converter that takes several
CSV files as input and creates a Sage configuration.
Typically, the Sage CSV converter uses several CSV files as input, with each
individual file representing one entity type (such as users and resources
databases) or one relation between two entity types (roles). Some of the files
are optional and if not specified at the time of import will be assumed to be
empty. The converter produces one output file, which is the Sage configuration
file.
Note: The UsersDB and ResDB files are not created and are assumed to be
provided in the same CSV format as used in a Sage configuration.
Entity Files
Users database
The first row in the entity file must be a header row. Each subsequent row
represents a single user, where the row contains the following fields:
■ PersonID - the key, and must be unique
■ UserName
■ Organization
■ Organization Type
■ Field 1 to Field n (optional)
Resources database
The first row in the entity file must be a header row. Each subsequent row
represents a single resource and contains the following fields, where the
combination of Resource Name 1, 2, and 3 is the key and is assumed to be
unique:
■ Resource Name 1
■ Resource Name 2
■ Resource Name 3
■ Field 1 to Field n (optional)
Roles
The Roles entity file does not require a header row. There is one row per
role definition, each with the following fields:
■ Role Name - must be unique
■ Role Description
■ Role Organization
■ Role Owner
Relations Files
User-Resource Connections
The User-Resource Connections entity file does not require a header row.
The file requires one row per connection, each with the following fields:
■ PersonID
■ Resource Name 1
■ Resource Name 2
■ Resource Name 3
Role-Resource Connections
The Role-Resource Connections entity file does not require a header row.
The file requires one row per connection, each with the following fields:
■ RoleID
■ Resource Name 1
■ Resource Name 2
■ Resource Name 3
User-Role Connections
The User-Role Connections entity file does not require a header row. The
file requires one row per connection, each with the following fields:
■ PersonID
■ Role Name
Role-Role Connections
The Role-Role Connections entity file does not require a header row. The
file requires one row per connection, each with the following fields:
■ Role Name (parent)
■ Role Name (child)
Import a CSV File
To import a Sage Configuration from a CSV file
1. Click Import, CSV file from the list.
The Importing to Sage Configuration from CSV Files window opens. See
the following example of a completed window:
The following table describes how to complete the fields:
Field Description
Sage Configuration File: Fill in the name of a new configuration file, or use the Browse button to select the existing configuration file to which to write the imported data.
Users Database: Fill in the name and path of the source file that contains the users database data. The file can be a standard Sage users database (.udb) or a CSV (.txt) file.
Resources Database: Fill in the name and path of the source file that contains the resources database data. The file can be a standard Sage resources database (.rdb) or a CSV (.txt) file.
Roles: Fill in the name and path of the source file that contains the role data, generally a CSV (.txt) file. A Browse button is provided for convenience.
User-Resource Connections: Fill in the name and path of the source file that contains the user-resource connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.
User-Role Connections: Fill in the name and path of the source file that contains the user-role connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.
Role-Resource Connections: Fill in the name and path of the source file that contains the role-resource connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.
Role Hierarchy Connections: Fill in the name and path of the source file that contains the role hierarchy connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.
Separate by Commas / Separate by Semicolons: Select the option that indicates which character is used as the separator in the CSV file.
2. Fill in the import window fields as indicated in the table.
Note: Some of the inputs may remain empty. For example, if you import
from a system that does not yet have roles, then you leave the roles file
and all the role connections files fields clear. The output is a Sage
configuration file that can then be opened to perform role discovery and
audit activities.
During the import process, Sage creates a log file in the Sage Logs folder.
This log file is separate from the Sage main log file, and is named
according to Sage's naming convention, which follows:
SageCSVConverter_<username>_<date>_<time>.log. This log file
contains all the errors and misconfigurations that Sage has encountered.
Sage will prompt you to view this log file when the import is finished.
At the end of the conversion process, a message is displayed that indicates
whether errors were detected.
Important! In case of errors, review the log file to ensure that it does not
contain material warnings. The configuration file does not automatically open.
3. To open the configuration file from the File menu select Open from File,
and navigate to the target folder to open it.
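The entity and relation file layout described above, together with the comma/semicolon separator option of the import window, can be checked before the converter is run so that key and reference problems are caught ahead of the converter log. The following script is an added example, not part of the product or this guide; the slot names (users, resources, roles, user_resource, role_resource, user_role, role_role) and the sample rows are constructed for the example.

```python
import csv
import io
from typing import Dict, List

# Column layout of the four relation files (no header row). A "res" reference
# spans three columns: Resource Name 1, 2 and 3.
RELATION_LAYOUT = {
    "user_resource": ("person", "res"),
    "role_resource": ("role", "res"),
    "user_role": ("person", "role"),
    "role_role": ("role", "role"),  # parent role, then child role
}
KEY_WIDTH = {"person": 1, "role": 1, "res": 3}
# Entity files: (slot, key kind, has header row, minimum fields per row).
ENTITY_FILES = (("users", "person", True, 4),
                ("resources", "res", True, 3),
                ("roles", "role", False, 4))


def _rows(text: str, sep: str, header: bool) -> List[List[str]]:
    """Parse CSV text with the chosen separator, dropping blank lines and the header."""
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=sep)
            if any(c.strip() for c in r)]
    return rows[1:] if header else rows


def validate_sage_csv(files: Dict[str, str], sep: str = ",") -> List[str]:
    """Return error strings for one set of converter inputs; [] means consistent.

    files maps input slots (users, resources, roles, user_resource,
    role_resource, user_role, role_role) to file contents. Missing slots are
    treated as empty files, as the converter does. Line numbers count
    non-blank rows, with the header as line 1 where one is required.
    """
    if sep not in (",", ";"):
        return [f"unsupported separator {sep!r}: the import offers ',' or ';'"]
    errors: List[str] = []
    keys = {"person": set(), "role": set(), "res": set()}

    # Entity files: collect keys and report duplicates (PersonID, Role Name,
    # and the Resource Name 1/2/3 combination must each be unique).
    for slot, kind, header, min_fields in ENTITY_FILES:
        width = KEY_WIDTH[kind]
        for n, row in enumerate(_rows(files.get(slot, ""), sep, header), 2 if header else 1):
            if len(row) < min_fields:
                errors.append(f"{slot} line {n}: expected at least {min_fields} fields, got {len(row)}")
                continue
            key = tuple(c.strip() for c in row[:width])
            if not key[0]:
                errors.append(f"{slot} line {n}: empty key")
            elif key in keys[kind]:
                errors.append(f"{slot} line {n}: duplicate key {key}")
            keys[kind].add(key)

    # Relation files: every referenced entity must exist in its entity file.
    for slot, layout in RELATION_LAYOUT.items():
        need = sum(KEY_WIDTH[k] for k in layout)
        for n, row in enumerate(_rows(files.get(slot, ""), sep, False), 1):
            if len(row) < need:
                errors.append(f"{slot} line {n}: expected {need} fields, got {len(row)}")
                continue
            pos = 0
            for kind in layout:
                ref = tuple(c.strip() for c in row[pos:pos + KEY_WIDTH[kind]])
                pos += KEY_WIDTH[kind]
                if ref not in keys[kind]:
                    errors.append(f"{slot} line {n}: unknown {kind} {ref}")
    return errors


# Constructed sample inputs (not taken from the product): two users, two
# resources, one role, and relations that reference them.
SAMPLE = {
    "users": "PersonID,UserName,Organization,Organization Type\n"
             "U100,Jane Doe,Finance,Department\n"
             "U200,John Roe,Finance,Department\n",
    "resources": "Resource Name 1,Resource Name 2,Resource Name 3\n"
                 "GL_LEDGER,READ,Active Directory\n"
                 "GL_LEDGER,WRITE,Active Directory\n",
    "roles": "Ledger Reader,Read-only ledger access,Finance,U200\n",
    "user_role": "U100,Ledger Reader\n",
    "role_resource": "Ledger Reader,GL_LEDGER,READ,Active Directory\n",
}
# The same set with two defects the converter log would flag: a duplicate
# PersonID and a connection to a resource that is not in the resources file.
BROKEN = dict(SAMPLE,
              users=SAMPLE["users"] + "U100,Jane Doe,Finance,Department\n",
              user_resource="U200,GL_LEDGER,DELETE,Active Directory\n")

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE), ("broken", BROKEN)):
        for line in validate_sage_csv(data) or ["no errors"]:
            print(f"{label}: {line}")
```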
Export to CSV Files
Sage can convert a configuration file to CSV files for uploading to an external
security system.
To export a configuration to CSV files
1. Click Export, Export to CSV Files.
The Exporting from Sage Configuration to CSV Files window opens. See the
following example of a completed window.
The following table describes how to complete the fields:
Field Description
Sage Configuration File: Use the Browse button to select the configuration file from which CSV files are to be created.
Roles: Fill in the name and path of the target file that will contain the role data. A Browse button is provided for convenience.
User-Resource Connections: Fill in the name and path of the target file that will contain the user-resource connections. A Browse button is provided for convenience.
User-Role Connections: Fill in the name and path of the target file that will contain the user-role connections. A Browse button is provided for convenience.
Role-Resource Connections: Fill in the name and path of the target file that will contain the role-resource connections. A Browse button is provided for convenience.
Role Hierarchy Connections: Fill in the name and path of the target file that will contain the role hierarchy connections. A Browse button is provided for convenience.
Role ID as Number: This option is available for compatibility with previous versions of Sage where a role was identified by a Role ID (number). Otherwise, it should be unchecked.
2. Complete the export window fields as indicated in the table.
A maximum of five CSV files can be uploaded to the external security
system. These text files can be examined using Notepad or any text editor.
During the export process, Sage DNA Data Management creates a log file
in the Sage Logs folder. This log file is separate from the Sage main log
file, and is named according to Sage's naming convention
SageCSVConverter_<username>_<date>_<time>.log. This log file
contains all the errors and mis-configurations that Sage has encountered.
Sage prompts you to view this log file when the export is finished.
At the end of the conversion process, a message is displayed that indicates
whether errors were detected.
Important! Review the log file to ensure that it does not contain material
warnings.
CSV Mapper Utility
The CSV Mapper Utility allows you to extract user and resource data from any
CSV file and map that data to create Sage Configuration files, and User and
Resource data bases. The utility does not identify any role relationship that
may exist between the Users and Resources in CSV file.
To map a CSV file to Sage entities
1. Click Import, CSV Mapper Utility.
The CA Role & Compliance Manager CSV Mapper window opens. See the
following example of a completed CSV Mapper window.
The following table describes how to complete the fields:
Field Description
Source CSV: Type or browse for the path and name of the CSV file that contains the source data.
Field Separator: Type the character that is used as a field separator in the Source CSV file.
Target CFG: Fill in the name and path of the target CFG file. A Browse button is provided for convenience.
Target UDB: Fill in the name and path of the target Users Database. A Browse button is provided for convenience.
Target RDB: Fill in the name and path of the target Resource Database. A Browse button is provided for convenience.
User Name: Select the column that matches the position of the User Name in the Source CSV file.
Resource Name I: Select the column that matches the position of the 1st Resource Name in the Source CSV file.
Resource Name II: Select the column that matches the position of the 2nd Resource Name in the Source CSV file.
Resource Name III: Select the column that matches the position of the 3rd Resource Name in the Source CSV file.
2. Complete the fields in the CA Role & Compliance Manager CSV Mapper
window as indicated in the table.
3. Click Convert.
The CSV Mapper Utility creates each of the CFG, UDB, RDB files and
locates them as indicated in the CSV Mapper Utility.
Active Directory Converter
Active Directory (AD) is a Microsoft directory service for storing information
about network-based entities, such as users, groups, applications, files, and
printers. It is the central authority that manages the identities of, and
brokers the relationships between, these distributed resources, thereby
enabling them to work together. Since Active Directory is the central
authority for network security, enabling the operating system to verify a
user's identity and control access to network resources, it is the natural
point from which to download user, group and resource information into Sage.
After performing role discovery, analysis, definition and audit in Sage, you can
export the new roles, and other changes that were made in the configuration,
back into Active Directory.
Import from Active Directory
Sage allows importing from one or more AD servers. Importing from multiple
servers is useful when there are frequent cross-links between them. At the
moment, Sage can export to only a single AD server.
To import from an Active Directory
1. Click Import, Import from Active Directory.
The Active Directory Wizard opens.
The following table describes how to complete the fields:
Field Description
Credentials
Server Address (IP/Domain Name): Identify the server(s) from which the data is being imported.
Secure Authentication: When selected, Sage uses the Login Name and Password used to log in to Windows.
Login Name (NT Domain/User): Record the login name.
Password: Record the password.
Port: Sage assumes the port is 389 by default. This is the well-known port for LDAP. Change it if necessary.
Output Files
Configuration: The name of the Sage configuration to be created as a result of the import process.
UsersDB: The name of the Sage Users database file to be created.
Resources DB: The name of the Sage Resources database file to be created.
Mapping File: The name of an XML file that describes the mapping of AD attributes to Sage entities. This file is usually saved after the first time a new mapping is provided.
2. Fill in the fields in the Active Directory Wizard as indicated in the table.
3. For each AD server from which you wish to import, provide the IP/Domain
Name, as well as port and login credentials.
4. For each server, click Set to accept.
5. To remove, select the relevant entry in the table on the right, and click
Remove.
Passwords are not kept in the registry, so when returning to an AD import
page, most values will be kept, but not the password.
6. Select the relevant entry again in the table, enter the password on the left,
and press Set. Do the same for each AD server.
7. Click Next to continue.
A window similar to the following opens:
8. Navigate to the points in the directory from which information will be
imported (the bases), in this case the respective “DC”. Note that it is
possible to import specific containers from each of the imported AD
servers.
9. Decide what to import. Field descriptions follow:
Field Description
Groups as Roles
All Groups as Roles: Activate this radio button if all groups are to be considered as Sage roles. In this case, Sage imports role hierarchy connections for groups that are members of other groups.
All Groups as Resources: Activate this radio button if all groups are to be considered as resources. In this case, group membership is "flattened" automatically by Sage, i.e., users show as members of a group even if they are a member of a "parent" group of that group.
Identify Roles by: If you have activated this radio button, mark the check boxes for importing: Sage Roles, Nested Groups, Distribution Groups, Security Groups, Universal Groups, Global Groups, Domain Local Groups, Local Groups. Mark the appropriate check boxes for your import. Sage roles are roles that were marked as such by Sage during a preceding export. Nested Groups: in this mode, primitive groups (i.e., groups that are not parents of other groups) are imported as resources, and parent groups are imported as Sage roles. All the other options denote types of AD groups that the user may wish to import as Sage roles. Note that it is possible to check more than one option.
Only import groups directly linked with users: When checked, this option disables the import of groups that do not have any users as members. Note that it also does not import groups that have other groups as members.
Find cross domain links and verify object links: This option activates a third pass of the Sage AD import, in which Sage searches for missing links that are likely associated with external objects and adds stubs that represent the latter.
Add extended debug logging: When not selected, the Sage log file only includes Error messages. When selected, the Sage log file includes Error messages and Warning messages. This can significantly increase the size of the log file.
10. Click Next to continue.
A mapping window for Users attributes appears. Similar windows, for Roles
and Resources appear in subsequent steps.
In these windows, fields of each entity type (users, roles and resources)
may be associated with their corresponding Active Directory attribute. The
result of each mapping operation is displayed in the mapping window.
11. To activate the mapping, select the line associated with the Sage attribute
in the mapping table on the right.
12. Use one of several mechanisms to specify the mapping as below, and
press Set to activate.
13. When mapping AD attributes to Sage entities, take special care to import
unique values into Sage keys, i.e., users' PersonID, roles' Role Name, and
resources' combination of ResName1, 2, and 3.
14. To enable proper mapping of imported attributes back into AD in an export
process, import the CN and DN using the Object Name attributes.
Note: Sage imports up to 127 characters for each field, and logs alerts for
objects that exceed such limitation.
Field descriptions follow:
Field Description
Data Mapping
Attribute: You choose which of the attributes in the User schema shall be associated.
Object Name: You choose specific pre-designated schema attributes and/or combinations thereof. CN and DN map to the respective schema attributes. CNi maps to the i-th part of the object's DN, from right to left (i.e., based on the hierarchy), beginning from the first container after the DC values. DNi maps to the i-th part of the object's DCs.
Constant Field: You can choose to map a constant field into a Sage field. For example, it is often preferred to map the string "Active Directory" to Res Name 3.
Empty Field: This allows you to leave a Sage field empty. This is also the initial default.
Configuration Entity Field Name: You can choose to provide a title to a Sage field.
Set Person ID to Upper Case (Users only): Mark the check box to convert the identifiers brought into the Sage users PersonID field to upper case. This is useful when dealing with several systems where this key identifier may appear in various case variants.
Ignore Disabled Users check box (Users only): Mark the check box to ignore users that are marked as disabled in AD.
Output Files
Configuration: The name of the target Sage configuration file (usually a new configuration file). A Browse button is provided for convenience.
Users DB: The name of the target Sage users database (usually a new database). A Browse button is provided for convenience.
Resources DB: The name of the target Sage resources database (usually a new database). A Browse button is provided for convenience.
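How the CN, CNi and DNi Object Name choices resolve for a concrete distinguished name, and how a mapping table with a constant and an empty field fills Sage fields, is shown below as an added example; it is not product code. The guide does not state in which direction the DC values are numbered, so the example assumes right to left (DN1 is the top-level domain component), matching the hierarchical order of CNi; the function names, the mapping dictionary and the sample DN are the example's own.

```python
from typing import Dict, List, Tuple

FIELD_LIMIT = 127  # Sage imports up to 127 characters per field and logs an alert beyond that


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, left to right.

    A backslash escapes the next character (RFC 4514), so "Doe\\, Jane" stays one value.
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs: List[Tuple[str, str]] = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def object_name_fields(dn: str) -> Dict[str, str]:
    """Return the Object Name choices (DN, CN, CN1.., DN1..) derivable from dn.

    CNi: i-th non-DC component counted from the right, so CN1 is the first
    container under the domain and the highest index is the object's own RDN.
    DNi: i-th DC value counted from the right (assumption: the guide does not
    give the direction).
    """
    pairs = split_dn(dn)
    dcs = [v for a, v in pairs if a == "DC"]
    containers = [v for a, v in pairs if a != "DC"]
    fields = {"DN": dn, "CN": pairs[0][1] if pairs and pairs[0][0] == "CN" else ""}
    for i, value in enumerate(reversed(containers), 1):
        fields[f"CN{i}"] = value
    for i, value in enumerate(reversed(dcs), 1):
        fields[f"DN{i}"] = value
    return fields


def apply_mapping(dn: str, mapping: Dict[str, Tuple[str, str]],
                  person_id_upper: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Fill Sage fields from a mapping {sage_field: (kind, value)} and collect alerts.

    kind is "object" (value names an Object Name choice such as "CN2"),
    "constant" (value is the literal to store) or "empty". Values longer than
    FIELD_LIMIT are cut and an alert is recorded, as the converter log does.
    person_id_upper mirrors the "Set Person ID to Upper Case" check box.
    """
    names = object_name_fields(dn)
    out: Dict[str, str] = {}
    alerts: List[str] = []
    for field, (kind, value) in mapping.items():
        if kind == "object":
            result = names.get(value, "")
            if not result:
                alerts.append(f"{dn}: {value} is not available for field {field}")
        elif kind == "constant":
            result = value
        else:
            result = ""
        if len(result) > FIELD_LIMIT:
            alerts.append(f"{dn}: {field} exceeds {FIELD_LIMIT} characters, truncated")
            result = result[:FIELD_LIMIT]
        if field == "PersonID" and person_id_upper:
            result = result.upper()
        out[field] = result
    return out, alerts


# Constructed sample: a group object mapped to a Sage resource, with the
# constant "Active Directory" in Res Name 3 as the mapping table suggests.
GROUP_DN = "CN=Ledger\\, Readers,OU=Finance,OU=Groups,DC=corp,DC=example,DC=com"
RESOURCE_MAPPING = {
    "ResName1": ("object", "CN3"),  # the group's own name
    "ResName2": ("object", "CN1"),  # first container under the domain: Groups
    "ResName3": ("constant", "Active Directory"),
    "Field 1": ("object", "DN2"),
    "Field 2": ("empty", ""),
}

if __name__ == "__main__":
    fields, alerts = apply_mapping(GROUP_DN, RESOURCE_MAPPING)
    for k, v in fields.items():
        print(f"{k}: {v!r}")
    for a in alerts:
        print("alert:", a)
```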
15. After mapping the fields of all entities, Sage prompts you to save the
mapping into a reusable XML file.
A similar window displays to let you map roles.
When done, Sage starts the import, showing the progress of the import
process. There are three steps to the import process:
■ Import of objects – in this pass, Sage imports all users, roles, and
resources objects
■ Import of links – in this pass, Sage imports all links between objects
■ Verify links – in this pass, Sage complements the configuration with
external objects that are linked to configuration objects. Sage creates
a "stub" for each external object.
When the import process is completed, a message appears providing
statistics on the data that was imported to Sage.
16. Click OK.
During the import process, Sage creates a log file in the Sage Logs folder. This
log file is separate from the Sage main log file, and is named according to
Sage's naming convention
SageADConverter_<username>_<date>_<time>.log. This log file contains all
the errors and mis-configurations that Sage has encountered. Sage prompts
you to view this log file when the import is finished.
Important! Review the log file to ensure that it does not contain material
warnings.
Export Active Directory
The process for exporting your modified Sage configuration data to your Active
Directory server is very similar to that for importing Active Directory
information into Sage DNA. The process differs in the following ways:
■ Only the differences between the imported configuration and the modified
configuration are exported to the Active Directory server. This means that
you need to compare the two configurations and generate a Differences
Report file. You use the Differences Log file as input for the Export process.
■ You can export to only a single Active Directory server at a time.
To export data from Sage DNA Data Management to an Active
Directory server
1. Click Management, Compare Configurations.
The Compare Configurations window opens.
2. Compare your original configuration file to your updated configuration file
and generate a Differences Log file.
3. From the Export menu select Export to Active Directory.
The Active Directory Wizard opens to Step 1.
4. Fill in the Credentials as described for the Import from Active Directory
process.
Note: The export process only supports exporting to a single Active
Directory server at a time.
5. In the Input Files group box, enter the path and file name of the
Differences Log File containing the data to export to the Active Directory
server.
6. Click the Next button to advance to the Set Conversion Options step.
7. From within the Options Group box select the Options that are relevant to
your configuration, and click Next.
The Search Active Directory Objects step in the wizard appears:
8. On each of the Users, Roles and Resources tabs, map the Sage Entities to
the appropriate Active Directory Attributes.
9. On each of the Users, Roles, and Resources tabs select the location in the
Active Directory to house new Users, Roles and Resources.
10. When appropriate, select the correct DN and CN values for the target
Active Directory from the DN and CN drop down lists.
11. Click Finish to export the modified data to the Active Directory server.
More information:
Import from Active Directory (see page 36)
RACF Converter
The Resource Access Control Facility (RACF) is a security component for IBM
mainframe computers that works together with the existing operating system
to provide system security, resource access control, auditability, accountability
and administrative control. As such, it is the main repository for users, roles
and resources data on mainframe computers.
The main input to the Sage RACF import option requires downloading access
data from RACF using the IRRDBU00 unload utility. This generated text file
should then be segmented according to various line types, each representing a
different type of entity and/or connections. You can add enriched data about
users attributes (for example, from the human resources department
database).
The output is a Sage configuration, with RACF groups appearing as Sage roles
and with RACF profiles as Sage resources.
Import from RACF
To import data from RACF into Sage
1. Click Import, Import from RACF.
The Importing to Sage Configuration from RACF Files window appears. A
completed example of this window follows:
Use the following instructions to complete the fields:
Field Description
Sage Files
Configuration Files Directory: Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience.
Users Database: Enter the name and folder of the target Sage users database. A Browse button is provided for convenience.
Resources Database: Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience.
Options
RACF Platform Name: Record the RACF platform name.
Groups as Roles radio button: Activate the radio button if Sage is to convert groups to Sage roles. Leave it inactive if Sage is not to convert groups to Sage roles.
Groups as Resources radio button: Activate the radio button if Sage is to convert groups to resources. Leave it inactive if Sage is not to convert groups to resources.
Generate Sage Role for UACC permission check box: Mark the check box to have Sage generate a role for Universal Access (UACC) permission. Clear the check box to prevent Sage from generating a role for Universal Access (UACC) permission.
Add ACL Entities check box: Mark the check box to process Application Control Language (ACL) scripts. Clear the check box to prevent Sage from processing Application Control Language (ACL) scripts.
Ignore Revoked Users: Mark the Ignore Revoked Users check box to prevent Sage from processing users that are flagged as Revoked by RACF. Clear the check box to disregard the Revoked Users flag on RACF and have Sage process such users.
Input HR file: Record the name of the file containing supplementary users' data, if any.
Input RACF Download File: A text file that is generated by running the IRRDBU00 Unload utility. The file contains lines that refer to the Users, Groups, Data Set Profiles and General Resource Profiles. These lines are converted into Sage users, Sage resources and Sage roles.
In the example, all input types are located in the same file name.
Alternatively, input can be divided into separate files depending on line
types. This is done mainly for performance purposes.
2. Click Convert to import.
The configuration is created in the target folder but is not automatically
opened by Sage.
3. To open the file, on the menu bar, select File, Open From File.
If any errors result from the import process, then a Sage message
appears. Check any errors in the SageRACFConverterXXX.log file located in
the Sage Logs folder.
Export to RACF
Exporting involves the reverse process of importing.
To export data from Sage into RACF
1. Click Export, Export to RACF.
The following window opens:
The following table describes the fields in the Export to RACF window.
In some cases the Export to RACF process only creates partial commands.
This occurs primarily for commands that require the creation of new
accounts. The output cannot be used as is, and you must then complete the
missing details in the exported file.
Field Description
Files
Sage Differences File: Enter the name and folder of the Sage differences file. A Browse button is provided for convenience.
RACF Command File: Enter the name and folder of the RACF command file. A Browse button is provided for convenience.
RACF Restore File: Enter the name and folder of the RACF restore file. A Browse button is provided for convenience.
Show Result file check box: Mark the check box to show the results file. Unmark the check box not to show the results file.
Options
Add User
Add Role
Add Resource
Add User-Resource Connection
Add User-Role Connection
Add Role-Resource Connection
Add Role-Role Connection
Remove User
Remove Role
Remove Resource
Remove User-Resource Connection
Remove User-Role Connection
Remove Role-Resource Connection
Remove Role-Role Connection
Mark a check box to activate the option in the RACF export file. Unmark the check box not to activate the option in the RACF export file.
Note: Either the Add or the Remove check box must be marked, but not both.
If a differences file is being used when exporting to RACF, then it will first
have to be generated.
2. Click Convert to export.
MS-SQL Converter
This section provides instructions for importing from an MS-SQL database and
exporting to an MS-SQL database. This option enables user, role and resource
data in an SQL database to be used as data for creating a Sage configuration
for role discovery and audit purposes. When a processed Sage configuration is
exported back to MS-SQL, the configuration is divided into its component parts
in a format that is compatible with MS-SQL. Later, the Role Engineer can make
minor changes directly on the SQL database using the Open from Database
and Save to Database options. See Chapter 5 in the CA Role & Compliance
Manager Sage DNA User Guide.
Import from MS-SQL
To import data from MS-SQL into Sage
1. Click Import, Import from SQL Database.
The following window opens:
2. Fill in the required information, and click Next.
The following table describes how to complete the fields:
Field Description
Destination Database Type: Only MS SQL is available at this time.
Server: Identify the server from which the data is being imported.
Database: Identify the name of the database that is being imported.
Windows Authentication: Select to use Windows Authentication privileges for the User Name and Password.
Overwrite Database Files: This option is grayed out and is not available when importing files.
User name: Enter the User Name required to log onto the MS SQL Database.
Password: Enter the Password required to log onto the MS SQL Database.
The following window opens:
The following table describes how to complete the fields:
Field Description
Configuration Files Directory: Enter the configuration name and folder in which the resulting Sage configuration shall reside.
Process Audit Cards: This check box is only available if Sage AuditCards are associated with the configuration. Mark the Process Audit Cards check box: if AuditCards already exist for the configuration that will be receiving the imported data, the existing AuditCards will be processed to verify the status of the previously suspected records. Unmark the Process Audit Cards check box: existing AuditCards will not be processed.
Configuration: Mark the name of the database to which data is being imported. A Browse button is provided for convenience.
3. Specify values and click Next.
4. The import process begins, and a progress bar appears on-screen. When
done, the newly imported configuration can be opened from the target
folder.
Export to MS SQL
To export data from Sage into MS-SQL
1. Click Export, Export to SQL Database.
The following window opens:
The following table describes how to complete the fields:
Field Description
Configuration Files Directory: Enter the configuration name and folder of the Sage configuration file to be exported. A Browse button is provided for convenience.
Process Audit Cards check box: This check box is only available if AuditCards are associated with the configuration. Mark the Process Audit Cards check box if Sage audit data exists for the configuration and you want the data to reside on the target computer too. Unmark the Process Audit Cards check box if it is not necessary to copy the Sage audit data to the target computer.
Configuration check boxes: Mark the name of the database that is being exported.
2. Click Next to continue.
3. The Choose Destination Database window opens:
The following table describes the fields:
Field Description
Destination Database Type: Only MS SQL is available at this time.
Server: Identify the server to which the data is being exported.
Database: Identify the name of the database to which the data is being exported.
Windows Authentication: Select to use Windows Authentication privileges for the User Name and Password.
Overwrite Database Files: Mark the check box to overwrite any existing database files. Unmark the check box not to overwrite any existing database files.
User name: Enter the User Name required to log onto the MS-SQL Database.
Password: Enter the Password required to log onto the MS-SQL Database.
Use Bulk Insert: Select Bulk Insert to load the configuration content in bulk. Select Create Local Share for Temporary Files to allow the system to copy the configuration data to a temporary file. Select User Remote Share Directory to specify the location to which configuration data is copied prior to being loaded onto the database.
4. Click Next.
The export process begins, and a progress bar appears on-screen.
5. Click Finish to complete the export process.
After a Sage configuration has been exported to MS-SQL, a set of Sage-compatible SQL files is present on the target computer.
6. Verify that these files are present on the target computer after exporting a configuration.
TIM2Sage Converter
This converter is provided by CA Role & Compliance Manager, and uses the
TIM Java-based API to convert TIM privileges data into Sage configurations.
The converter maps TIM users, roles, accounts, provisioning policies, services,
and groups, into Sage. It allows mapping different TIM fields to Sage fields.
Once the initial mapping setup is complete, re-running this interface requires
only a few clicks.
Prerequisites
This converter supports the following:
■ IBM TIM versions 4.5 and 4.6
■ WebSphere application server version 5.1 and Java version 1.4.2
■ Runs on Windows
Importing from ITIM
Importing from ITIM to Sage requires the following steps:
1. Provide information about the TIM and WebSphere environments (kept in
TIM configuration format)
2. Map TIM fields into Sage fields (kept in XML configuration format)
3. Convert to Sage's standard CSV format and then to a Sage configuration
The process for importing from ITIM V4.5 and ITIM V4.6 is identical, but you must use the import option that matches the version. The following description uses ITIM V4.5. If you already have connection and mapping XML files, you can run a conversion directly by clicking Convert.
To import from ITIM V4.5
1. Click Import, Import from ITIM V4.5.
The ITIM to Sage Converter window opens.
Provide the TIM and WebSphere Connection Details
To provide connection details
1. In the Connection group box, click “Edit” to set the ITIM connection
details.
2. Provide TIM credentials
3. Provide the application server home directory (for example
“C:\IBM\WebSphere\AppServer”)
4. Provide the TIM home directory (for example “C:\IBM\itim”)
5. Provide the location of the file called “jaas_login_was.conf” which is
located under “%itim home%\extensions\examples\apps\bin”.
6. Provide the location of the java executable files (the jar and batch files
received with the converter).
7. Save these parameters in an XML file for reuse. The file holds the TIM credentials, so store it where only the operators of the converter can read it.
8. Click Done, then save changes to return to the converter window.
9. Click “Test Connection” to test the TIM connection
To load previously stored ITIM Credentials file
1. Click Itim Connection file, Open.
2. Select the XML file that contains the previously stored ITIM credentials
information:
All Credentials information is reloaded.
3. Click Done, then Save to return to the converter window.
Map TIM Fields into Sage Fields
To map TIM fields to Sage fields
1. In the Mapping group box click Edit to set the mapping details.
2. Click Properties file, Open (lower part of the screen) and select the xml
properties file.
3. Map TIM attributes to Sage fields. Save these settings for reuse.
4. Provide the location of the Sage executable file and a directory for
temporary files.
5. Click Done to return to the converter window, and then click Convert to create the Sage configuration.
To load previously saved information about the field mapping
1. Click Edit Mapping.
2. The Field Mapping window appears:
3. Click Map file, Open (lower part of the screen) and select your previously
saved “xml” map file.
4. Finally, consider enriching the data with a separate HR extract. Use Sage's Enrich UsersDB for that purpose.
5. Click Done, then Save to return to the converter window.
Exporting to ITIM
Sage DNA Data Management supports exporting to ITIM Versions 4.5 and 4.6.
Input for the export process is similar to that described for Importing from
ITIM. Exporting to V4.5 and V4.6 is identical other than choosing the
appropriate item from the Export to ITIM menu item. This section uses ITIM
V4.5 to illustrate the export process.
Exporting to ITIM requires the following:
■ Provide information about the TIM and WebSphere environments (kept in
TIM configuration format)
■ Map TIM fields into Sage fields (kept in XML configuration format)
■ Create a Sage Differences file by comparing the original configuration to the modified configuration.
To export to ITIM V4.5
1. Compare the original configuration created by the import from ITIM to Sage with the modified configuration, and create a Differences file. The Differences file lists the differences in a form that ITIM can accept.
2. Click Export, Export to ITIM V4.5.
The Sage to ITIM converter opens.
A Connection Details File was created as part of the Import from ITIM
process. In the ITIM Connection section of the window, enter the Path and
Name of the Connection Details File if it exists.
3. If the Connection Details File is missing then click Edit.
The ITIM to Sage Converter window opens.
4. Enter the ITIM Login Details and Java Configuration details.
In the Field Mapping section, enter the Path and Name of the Mapping
Details file if it exists. If you do not have a current Mapping Details File,
click Edit.
The Attribute Mapping window opens.
The Entities Mapping section contains several tabs: Person, Role, Service and Policy. On each tab, map the Sage User Fields to the appropriate TIM Person Attribute by selecting entries from the TIM Person Attribute and Sage User Field drop-down lists.
5. Click Add to add the selections to the list.
6. On the Policy tab, do the following:
a. Set the Scope from the Scope drop down list
b. Set the Priority level in the Priority edit field.
c. Select the Policy Enabled check box to indicate that the Policy is
enabled.
7. From the Actions to Perform section select the check box for each action
you want to perform during the export process.
8. In the Additional Options section select the check boxes for any of the options you want to perform. These include:
■ Force service removal from policies
■ Force removal of linked entities
■ Map app-roles to provisioning policies.
9. In the Map XML File section provide a name for the mapping file and save
the file for future use.
10. Click Done.
You return to the Sage to ITIM converter.
11. In the Source Sage Difference Log section enter the Path and Name of the
Differences Log file created as a result of Compare Configurations process.
12. Click Convert.
A command line window opens and reports the converter's progress.
More information:
Map TIM Fields into Sage Fields (see page 60)
Control SA Converter
The Sage-Control-SA Converter provides you with the capability to integrate
Eurekify Sage ERM and Control-SA by automatically synchronizing the
role-based privileges data between the two systems. Using the Sage-Control
SA converter provides a means for you to either import data from Control SA
to Sage or export data from Sage to Control SA. Sage DNA Data Management
supports the import and export between the two systems by either:
■ Entering data in the Sage DNA Data Management GUI
■ Running command line Batch commands.
Sage DNA and Control SA use different but parallel terminology for
components and entities in each of their configurations and files. Use the
following table to familiarize yourself with the terminology used in each
environment for their respective components and entities.
Sage DNA Terminology Control SA Terminology
User Person
Role Job Code
Resource User Group
The converter produces an XML file that maps the ESS (Enterprise
SecurityStation) person, job code, profile, groups and accounts entities to
Sage users, role, resource and link entities. This Map xml file is only used as
part of the Import process.
Importing from Control SA to Sage
Importing data from Control SA to Sage is performed as a two step process:
1. Generate ESS data text files for all relevant tables.
2. Convert the text files into a Sage configuration.
Generating ESS Data Text Files
Generating ESS data text files is performed on the ESS system by running the
Batch.sh command on a series of *.inp files, where each inp file contains data
for a specific ESS entity type. Running the Batch.sh command produces a
*.orig file for each of the treated entities in the form of a semicolon separated
text file.
ESS export batch commands include:
■ ess batchrun -A -F2 -i Read_Person.inp -D Person_data -L ';'
■ ess batchrun -A -F2 -i Read_Profile.inp -D Profile_data -L ';'
■ ess batchrun -A -F2 -i Read_Group.inp -D Group_data -L ';'
■ ess batchrun -A -F2 -i Read_Profile_Profile.inp -D Profile_Profile_data -L ';'
■ ess batchrun -A -F2 -i Read_Group_Profile.inp -D Group_Profile_data -L ';'
■ ess batchrun -A -F2 -i Read_Person_Profile.inp -D Person_Profile_data -L ';'
■ ess batchrun -A -F2 -i Read_Person_Group.inp -D Person_Group_data -L ';'
Where each inp file contains the respective ESS command, such as:
■ read_all * from ent_user;
■ read_all * from job_code;
■ read_all * from user_group;
■ read_all * from jc_jc;
■ read_all * from ug_jc;
■ read_all * from user_jc;
■ read_all user_id ug_name rss_name rss_type from ru_ug;
To run the Batch.sh command
1. Make sure you are the ESS owner.
If you are not the ESS owner, edit the Batch.sh file and replace the -A option with explicit credentials:
-U user -P password
The password is then stored in clear text in Batch.sh and appears in the argument list of the running command, so restrict the file's permissions and remove the credentials when the export is done.
2. Run the Batch.sh command.
This produces seven text files, one for each entity:
■ Person_data;
■ Profile_data;
■ Group_data;
■ Profile_Profile_data;
■ Group_Profile_data;
■ Person_Profile_data;
■ Person_Group_data
Convert Text Files into Sage Configurations
You convert each of the created text files into Sage configuration files by running the Import Control SA converter from within CA Role & Compliance Manager DNA Data Management.
To convert ESS data text files into Sage Configuration files
1. Make sure that the ESS data text files are transferred to the computer on
which you have installed Sage DNA Data Management.
2. Click Import, Import from Control SA.
The Control SA Convert window opens.
3. In the Input Files group box enter the path and file name for each of the
respective ESS text files.
4. Select the Get orphan accounts as Sage users check box where the
Person-UG Link File contains accounts without associated Users, called
Orphan Accounts, and you want those accounts to be associated to Sage
Users.
5. In the Map Fields group box, enter the path and name of the Map XML file if it already exists, or click Browse to locate it. The Map XML file maps the attribute columns in the ESS table files to their respective field columns in the Sage configuration file. If you do not have a current mapping file, click Edit.
The Field Mapping window opens.
6. The Entities Field group box contains several tabs: User, Role and Resource. Each tab lists the entity field names as they appear for that entity in the Sage configuration.
7. In the edit field next to each field name, enter the ESS table file column that contains the data to be matched to the listed Sage field.
8. If the ESS table files contain header lines, select the "Person, job code and group files have header lines" check box and enter the appropriate column name in each adjacent edit field. If the ESS table files do not contain header lines, leave the check box cleared and enter the 1-based index of the ESS table column that contains the matching data.
9. In the Map xml File group box enter the path and name of the Output map
file. You must include the xml extension as part of the file name.
10. Click Save to save the Map xml file.
11. Click Done to return to Control SA Convert window.
The Map xml file name now appears in the Map XML File field.
12. In the Output Sage Files group box enter the path and file name for each
of the Sage configuration files. One for each of the Configuration entities,
Users DB and Res DB.
13. In the Sage Executable group box enter the location of the Sage DNA Data
Management executable file.
14. Click Save to save the parameters as an XML file, and return to convert
the files at later point.
15. Click Convert to run the converter and produce the Sage configuration
files.
When the conversion process is complete a Done message appears to
confirm successful operation.
16. Click Open to browse and load an XML file containing saved parameters.
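The column mapping and orphan-account options above, worked through in Python as an added example (this is not code from the CA Role & Compliance Manager product or its documentation). The ESS file contents are constructed; the column names, the header/no-header split between entity files and link files, and the group key format are assumptions made for illustration.

```python
"""Added example, not part of the CA Role & Compliance Manager documentation:
turn the semicolon-separated ESS table files described above into the Sage
users, roles, resources and links that the Control SA import produces."""
import csv
import io
from dataclasses import dataclass, field

# Constructed samples of the files that `ess batchrun ... -L ';'` writes.
# The entity files carry a header line (check box marked in the Field Mapping
# window, columns addressed by name); the link files do not (columns
# addressed by 1-based index).
PERSON_DATA = "user_id;full_name;department\n335675;Alice Adams;Finance\n335676;Bob Brown;Finance\n"
JOB_CODE_DATA = "jc_name;description\nSage Role 1002;Accounts payable\n"
GROUP_DATA = "ug_name;rss_name;rss_type\nCN=CLA,OU=SecurityGroups,OU=Groups,DC=com;AD;Win2000\n"
PERSON_JC_DATA = "335675;Sage Role 1002\n"
GROUP_JC_DATA = "CN=CLA,OU=SecurityGroups,OU=Groups,DC=com;AD;Win2000;Sage Role 1002\n"
# ru_ug rows: user_id, ug_name, rss_name, rss_type. ADMSVC has no person
# record, so it is an orphan account.
PERSON_GROUP_DATA = (
    "335676;CN=CLA,OU=SecurityGroups,OU=Groups,DC=com;AD;Win2000\n"
    "ADMSVC;CN=CLA,OU=SecurityGroups,OU=Groups,DC=com;AD;Win2000\n"
)


def read_ess(text, columns, has_header):
    """Parse one ESS text file into dicts keyed by Sage field name.

    `columns` maps a Sage field to the ESS column: a header name when the
    file has a header line, otherwise a 1-based column index.
    """
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=";") if r]
    if has_header:
        header, rows = rows[0], rows[1:]
        index = {f: header.index(c) for f, c in columns.items()}
    else:
        index = {f: int(c) - 1 for f, c in columns.items()}
    return [{f: row[i] for f, i in index.items()} for row in rows]


def group_key(ug_name, rss_name, rss_type):
    """A user group is unique only together with its RSS name and type."""
    return f"{ug_name}@{rss_name}/{rss_type}"


@dataclass
class SageConfig:
    users: dict = field(default_factory=dict)      # user id -> display name
    roles: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    user_role: set = field(default_factory=set)
    role_resource: set = field(default_factory=set)
    user_resource: set = field(default_factory=set)
    orphans: set = field(default_factory=set)      # accounts with no person


def convert(get_orphan_accounts_as_users=False):
    """Build a Sage configuration from the sample ESS files."""
    cfg = SageConfig()
    for p in read_ess(PERSON_DATA, {"id": "user_id", "name": "full_name"}, True):
        cfg.users[p["id"]] = p["name"]
    for jc in read_ess(JOB_CODE_DATA, {"name": "jc_name"}, True):
        cfg.roles.add(jc["name"])
    for g in read_ess(GROUP_DATA, {"ug": "ug_name", "rss": "rss_name", "type": "rss_type"}, True):
        cfg.resources.add(group_key(g["ug"], g["rss"], g["type"]))
    for lk in read_ess(PERSON_JC_DATA, {"user": 1, "role": 2}, False):
        cfg.user_role.add((lk["user"], lk["role"]))
    for lk in read_ess(GROUP_JC_DATA, {"ug": 1, "rss": 2, "type": 3, "role": 4}, False):
        cfg.role_resource.add((lk["role"], group_key(lk["ug"], lk["rss"], lk["type"])))
    for lk in read_ess(PERSON_GROUP_DATA, {"user": 1, "ug": 2, "rss": 3, "type": 4}, False):
        if lk["user"] not in cfg.users:
            cfg.orphans.add(lk["user"])
            if not get_orphan_accounts_as_users:
                continue  # box unmarked: the link is dropped, the account only recorded
            cfg.users[lk["user"]] = lk["user"]  # box marked: the account becomes a Sage user
        cfg.user_resource.add((lk["user"], group_key(lk["ug"], lk["rss"], lk["type"])))
    return cfg
```

Run `convert()` and `convert(get_orphan_accounts_as_users=True)` to see the two behaviours of the check box: the orphan account ADMSVC is reported in `orphans` in both cases, but only becomes a user with a resource link in the second.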
Executing a Batch Process
You can convert a cluster of ESS text files by running the converter executable
from the command line. The input for the each set of ESS text files must be
saved as a separate XML file. The content of the XML file would appear similar
to:
<?xml version="1.0" encoding="utf-8"?>
<Parm>
<PersonFile>CT-SA converter\Persons.txt</PersonFile>
<JCFile>CT-SA converter\Job_Codes.txt</JCFile>
<UGFile>CT-SA converter\UserGroups_all.txt</UGFile>
<PersonJCFile>CT-SA converter\Person_JC.txt</PersonJCFile>
<PersonUGFile>CT-SA converter\Person_UserGroup.txt</PersonUGFile>
<JCUGFile>CT-SA converter\JC_UserGroup.txt</JCUGFile>
<JCJCFile>CT-SA converter\JC_JC.txt</JCJCFile>
<cfgFile>CT-SA converter\bmc.cfg</cfgFile>
<udbFile>CT-SA converter\bmc.udb</udbFile>
<rdbFile>CT-SA converter\bmc.rdb</rdbFile>
<exeFile>C:\Program Files\Eurekify\Eurekify Sage Client Tools V3.0\Software\EurekifySageDM-V30.exe</exeFile>
</Parm>
Exporting from Sage to Control SA
Sage DNA Data Management supports exporting to CONTROL-SA via ESS
batch. Exporting to CONTROL-SA requires the following:
■ Generate a Sage diff log file by comparing two Sage configurations. The
diff log must contain all the operations which should be reflected in ESS.
■ Use the export application to generate ESS batch text files.
■ In ESS run the generated files and perform all operations.
To export to Control SA
1. Compare the original configuration created by the import from CONTROL-SA to Sage with the modified configuration, and create a Differences file.
2. Click Export, Export to Control SA.
The Control SA Export window opens.
3. In the Sage Diff File group box provide the path and name of the Sage Diff
log file.
4. In the Output group box provide the location for creating the desired
target ESS batch file.
5. Optionally, mark the "Generate temp Job Codes" check box to reflect Sage
direct user-resource links as temporary job codes (profiles) in ESS. If this
check box is not marked direct user-resource links will not be loaded to
ESS.
6. Click Save to save these parameters as an XML file.
7. Click Open to browse for a saved XML file and populate the window with
the parameters saved in the selected XML file.
8. Click Convert to execute the conversion process and produce ESS
formatted command file.
A Done message appears to indicate the process was successfully
completed.
9. Execute the generated command file in ESS to reflect the operations.
Generated Commands
The following list includes some examples of the ESS commands generated by
the converter.
Create a new role:
INSERT job_code WITH jc_name="Sage Role 1002";
Link a user to the role:
CONNECT ent_user TO job_code WITH jc_name="Sage Role 1002", user_id="335675";
Link a user group (resource) to the role:
CONNECT user_group TO job_code WITH jc_name="Sage Role 1002", ug_name="CN=CLA,OU=SecurityGroups,OU=Groups,DC=com", rss_name="AD", rss_type="Win2000";
Executing Difflog Conversion to ESS Batch Run Commands
From a Windows command line, execute the program:
CSAExport.exe <XML parameters file>
The <XML parameters file> can be created by a text editor, or saved to a file
from the CSAExport.exe GUI. For example:
<?xml version="1.0" encoding="utf-8"?>
<Parm>
<DiffFile>C:\Eurekify\test\difflog-Ilan.txt</DiffFile>
<OutputFile>C:\Eurekify\test\ilan.txt</OutputFile>
<GenJC>True</GenJC>
</Parm>
To execute the export as a batch, run the following command line:
ess batchrun -A -i Sage.inp
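The command shapes above, generated from a difference log, as an added Python example (not the CSAExport.exe implementation and not code from the documentation). The difference-log layout, the operation names and the naming of temporary job codes are assumptions; the ESS command syntax follows the three examples on this page. Because the output is executed by ess batchrun, the example refuses values that could break out of a quoted string or terminate a command, rather than guess at ESS escaping rules, which this page does not give.

```python
"""Added example, not part of the CA Role & Compliance Manager documentation:
generate ESS batch commands of the kind shown above from a Sage difference log."""
import re

# Constructed, simplified difference log. The layout of a real Sage
# difference log is not documented on this page; each line here is a
# tab-separated <operation> followed by its fields.
DIFF_LOG = (
    "add_role\tSage Role 1002\n"
    "add_user_role\t335675\tSage Role 1002\n"
    "add_role_resource\tSage Role 1002\tCN=CLA,OU=SecurityGroups,OU=Groups,DC=com\tAD\tWin2000\n"
    "add_user_resource\t335676\tCN=SHARE,OU=Groups,DC=com\tAD\tWin2000\n"
)


def q(value):
    """Quote a value for an ESS WITH clause.

    The generated file is executed by `ess batchrun`, so a role or group
    name containing a quote, a semicolon or a line break could close the
    string or the command and smuggle in further ESS commands. ESS escaping
    rules are not given on this page, so such values are rejected outright.
    """
    if not re.fullmatch(r'[^";\r\n]+', value):
        raise ValueError(f"unsafe value for ESS batch: {value!r}")
    return f'"{value}"'


def connect_group(jc, ug, rss, rss_type):
    return (f"CONNECT user_group TO job_code WITH jc_name={q(jc)}, "
            f"ug_name={q(ug)}, rss_name={q(rss)}, rss_type={q(rss_type)};")


def difflog_to_ess(difflog, gen_temp_job_codes=False):
    """Translate difference-log operations into ESS batch command lines."""
    cmds = []
    for n, line in enumerate(difflog.splitlines(), 1):
        if not line.strip():
            continue
        op, *args = line.split("\t")
        if op == "add_role":
            (role,) = args
            cmds.append(f"INSERT job_code WITH jc_name={q(role)};")
        elif op == "add_user_role":
            user, role = args
            cmds.append(f"CONNECT ent_user TO job_code WITH jc_name={q(role)}, user_id={q(user)};")
        elif op == "add_role_resource":
            cmds.append(connect_group(*args))
        elif op == "add_user_resource":
            # A direct user-resource link has no job code in ESS. With the
            # "Generate temp Job Codes" option it is carried by a temporary
            # job code (name assumed here); otherwise it is not loaded at all.
            if not gen_temp_job_codes:
                continue
            user, ug, rss, rss_type = args
            tmp = f"Sage Temp {user} {n}"
            cmds.append(f"INSERT job_code WITH jc_name={q(tmp)};")
            cmds.append(f"CONNECT ent_user TO job_code WITH jc_name={q(tmp)}, user_id={q(user)};")
            cmds.append(connect_group(tmp, ug, rss, rss_type))
        else:
            raise ValueError(f"line {n}: unknown operation {op!r}")
    return cmds
```

Writing `"\n".join(difflog_to_ess(DIFF_LOG))` to a file gives the .inp content that the ess batchrun command above executes; pass `gen_temp_job_codes=True` to see the extra three commands generated for the direct user-resource link.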
SAP to Sage Converter
The SAP to Sage converter extracts data that is housed in SAP tables and
deposits the data in the various Sage Databases according to the Mapping
scheme that you select in the SAP to Sage Converter.
Mapping SAP Data to Sage
The SAP tables and fields used by the SAP to Sage converter are listed:
SAP Table   SAP Fields
USR02       mandt, bname
AGR_AGRS    mandt, agr_name, agr_child
AGR_USERS   mandt, agr_name, bname, to_dat, col_flag
AGR_1251    mandt, agr_name, object, auth, field, low, high, deleted
AGR_1252    mandt, agr_name, varbl, low, high
Note: Low values in the AGR_1251 table can be represented by variables. In
such instances the variable references Low and High values that are contained
in the AGR_1252 table.
We recommend that you do not trim the tables to remove fields that are not
necessary, since additional fields may be needed in future versions.
The current converter supports several mapping schemes. These are:
■ Map roles to resources
■ Map field values to resources
■ Map authorization objects as resources
■ Map object as roles, field values as resources
Map Roles to Resources
The Map Roles to Resources mapping scheme takes SAP Roles and maps them
to SAGE ERM resources. The SAP role information is taken from the following
SAP tables:
■ USR02 - holds a list of system users
■ AGR_AGRS - links composite roles to their child simple roles
■ AGR_USERS - links users to roles (both composite and simple)
This table shows the relationship between Sage Database entities and their
respective source Table and Fields in a generic SAP database.
Sage Entities and Links   SAP Table   SAP Fields
Users                     USR02       bname
Resources                 AGR_AGRS    agr_child
Roles                     AGR_AGRS    agr_name
User-Role links           AGR_USERS   bname, agr_name
Role-Resource links       AGR_AGRS    agr_name, agr_child
User-Resource links       AGR_USERS   bname, agr_name (only simple roles)
Map Field Values to Resources
The Map Field Values to Resources mapping scheme takes SAP Objects and
Fields and maps them to Sage ERM resources. The SAP role information is
taken from the following SAP tables.
Sage Entities and Links       SAP Table   SAP Fields
Users                         USR02       bname
Resources                     AGR_1251    object, field, low, high
Roles                         AGR_AGRS    agr_name
User-Role links               AGR_USERS   bname, agr_name
Role-Resource links           AGR_1251    agr_name, object, field, low, high
Role-Role links (Hierarchy)   AGR_AGRS    agr_name, agr_child
Map Authorization Objects as Resources
The Map Authorization Objects as Resources mapping scheme takes SAP
Authorization Objects and maps them to Sage ERM resources. The Mapping
scheme only imports to fields that are selected in the FieldsForm window in the
SAP to Sage converter.
Sage Entities and Links       SAP Table   SAP Fields
Users                         USR02       bname
Resources                     AGR_1251    auth, object, field, low, high
Roles                         AGR_AGRS    agr_name
User-Role links               AGR_USERS   bname, agr_name
Role-Resource links           AGR_1251    agr_name, auth, object, field, low, high
Role-Role links (Hierarchy)   AGR_AGRS    agr_name, agr_child
AGR_1251 specifies role Authorization Objects with fields and values.
Map Object as Roles and Fields as Resources
The Map Object as Roles and Fields as Resources mapping scheme maps SAP
Objects to Sage Roles, and maps SAP fields as Sage Resources.
Sage Entities and Links   SAP Table             SAP Fields
Users                     USR02                 bname
Resources                 AGR_1251              combinations of field, low, high values
Roles                     AGR_1251              object
User-Role links           AGR_USERS, AGR_1251   bname, object
Role-Resource links       AGR_1251              object, mixed field, low, high
AGR_1251 specifies role Authorization Objects with fields and values.
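The mapping schemes above, as an added example in Python with SQLite (not code from the product or the documentation). It loads constructed rows for the five tables and derives Sage entities under two of the schemes, Map Roles to Resources and Map Field Values to Resources, including resolution of a variable low value through AGR_1252, the MANDT filter, and the default treatment of a role that is assigned to a user but missing from the role hierarchy. Skipping rows with deleted = 'X' and the resource naming are assumptions; the page names the columns but not the converter's rules for them.

```python
"""Added example, not part of the CA Role & Compliance Manager documentation:
the SAP tables above in an in-memory SQLite database, with the queries that
derive Sage entities under the Map Roles to Resources and Map Field Values to
Resources schemes. Rows are constructed; columns are reduced to those named."""
import sqlite3

MANDT = "100"  # client being converted; rows of other clients are ignored


def load_sample(con):
    con.executescript("""
        CREATE TABLE USR02(mandt, bname);
        CREATE TABLE AGR_AGRS(mandt, agr_name, agr_child);
        CREATE TABLE AGR_USERS(mandt, agr_name, bname, to_dat, col_flag);
        CREATE TABLE AGR_1251(mandt, agr_name, object, auth, field, low, high, deleted);
        CREATE TABLE AGR_1252(mandt, agr_name, varbl, low, high);
    """)
    con.executemany("INSERT INTO USR02 VALUES (?,?)",
                    [("100", "ALICE"), ("100", "BOB"), ("100", "CAROL"), ("200", "EVE")])
    # Z_FIN_ALL is a composite role with two simple child roles.
    con.executemany("INSERT INTO AGR_AGRS VALUES (?,?,?)",
                    [("100", "Z_FIN_ALL", "Z_FIN_PAY"), ("100", "Z_FIN_ALL", "Z_FIN_VIEW")])
    # CAROL holds Z_HR_ORPHAN, which appears nowhere in the hierarchy.
    con.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?,?)",
                    [("100", "Z_FIN_ALL", "ALICE", "99991231", ""),
                     ("100", "Z_FIN_PAY", "BOB", "99991231", ""),
                     ("100", "Z_HR_ORPHAN", "CAROL", "99991231", "")])
    # First row: low is the variable $BUKRS, resolved via AGR_1252. Last row: deleted.
    con.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?,?,?,?)", [
        ("100", "Z_FIN_PAY", "F_BKPF_BUK", "T-0001", "BUKRS", "$BUKRS", "", ""),
        ("100", "Z_FIN_PAY", "F_BKPF_BUK", "T-0001", "ACTVT", "01", "03", ""),
        ("100", "Z_FIN_VIEW", "F_BKPF_BUK", "T-0002", "ACTVT", "03", "", "X"),
    ])
    con.executemany("INSERT INTO AGR_1252 VALUES (?,?,?,?,?)",
                    [("100", "Z_FIN_PAY", "$BUKRS", "1000", "2000")])


def query(con, sql):
    """Run sql with every ? bound to MANDT and return a set of row tuples."""
    return {tuple(r) for r in con.execute(sql, (MANDT,) * sql.count("?"))}


def roles_to_resources(con):
    """Map Roles to Resources: parents in AGR_AGRS are Sage roles, children are
    resources. A role assigned in AGR_USERS but absent from the hierarchy cannot
    be classified from the data; it is treated as simple, the converter's default."""
    composite = "SELECT agr_name FROM AGR_AGRS WHERE mandt=?"
    return {
        "users": {r[0] for r in query(con, "SELECT bname FROM USR02 WHERE mandt=?")},
        "roles": {r[0] for r in query(con, composite)},
        "resources": {r[0] for r in query(con, f"""
            SELECT agr_child FROM AGR_AGRS WHERE mandt=?
            UNION SELECT agr_name FROM AGR_USERS WHERE mandt=? AND agr_name NOT IN ({composite})""")},
        "user_role": query(con, f"SELECT bname, agr_name FROM AGR_USERS WHERE mandt=? AND agr_name IN ({composite})"),
        "role_resource": query(con, "SELECT agr_name, agr_child FROM AGR_AGRS WHERE mandt=?"),
        "user_resource": query(con, f"SELECT bname, agr_name FROM AGR_USERS WHERE mandt=? AND agr_name NOT IN ({composite})"),
    }


def resource_name(obj, fld, low, high):
    """Resource naming for a field value range (an assumption, not the converter's)."""
    return f"{obj}:{fld}={low}" + (f"..{high}" if high else "")


def field_values_to_resources(con):
    """Map Field Values to Resources: each (object, field, low, high) of a role's
    authorizations is a resource. A low value naming an AGR_1252 variable of the
    same role is replaced by that variable's low/high. Rows flagged deleted are
    skipped (assumed: the page lists the column, not the converter's rule)."""
    rows = query(con, """
        SELECT a.agr_name, a.object, a.field, COALESCE(v.low, a.low), COALESCE(v.high, a.high)
        FROM AGR_1251 a
        LEFT JOIN AGR_1252 v ON v.mandt = a.mandt AND v.agr_name = a.agr_name AND v.varbl = a.low
        WHERE a.mandt = ? AND a.deleted <> 'X'""")
    role_resource = {(role, resource_name(obj, fld, low, high)) for role, obj, fld, low, high in rows}
    return {
        "roles": {r[0] for r in query(con, """
            SELECT agr_name FROM AGR_AGRS WHERE mandt=? UNION SELECT agr_child FROM AGR_AGRS WHERE mandt=?
            UNION SELECT agr_name FROM AGR_1251 WHERE mandt=? AND deleted <> 'X'""")},
        "resources": {res for _, res in role_resource},
        "role_resource": role_resource,
        "role_role": query(con, "SELECT agr_name, agr_child FROM AGR_AGRS WHERE mandt=?"),
    }


def build():
    con = sqlite3.connect(":memory:")
    load_sample(con)
    return roles_to_resources(con), field_values_to_resources(con)
```

The same queries run unchanged against the MS-SQL database the procedure has you create, with the `?` placeholders replaced by the MANDT value entered in the converter window; EVE, who belongs to client 200, never appears in the output.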
Running the SAP to Sage Converter
To load SAP privileges data into a Sage configuration
1. Create a new database in your MS-SQL Server for the purpose of importing
SAP authorization information into Sage ERM.
2. Import the SAP tables into the new database.
The relevant tables are: USR02, AGR_AGRS, AGR_USERS, AGR_1251,
AGR_1252 and their names must be identical to those written here.
3. Click Import, Import from SAP.
The following window appears:
4. In the Server Name text field, enter the name of the MS-SQL server you are using.
5. In the DataBase Name text field, insert the name of the database you are
using for the SAP data.
6. Click Test Connection to verify that the connection details are valid.
7. In the MANDT Value text field, enter the MANDT identifier value for the
SAP environment that you wish to convert. If you do not know the value
contact your SAP administrator.
8. Choose the type of Mapping to use from the available mapping scheme
options.
9. If you select Map authorization objects as resources click Choose Fields.
The FieldsForm window opens.
10. Select which fields should be used to generate Sage resources.
11. If you have separate tables in the database that contain the lists of simple
and/or composite roles then enter their names in the respective Simple
Role Table and Composite Role Table text fields. The table must only
contain the role name as its data.
12. Select the respective check box if you have roles linked to either Users or
Authorization Objects (AO) that do not appear in the role hierarchy.
In these cases, the converter will not be able to tell whether they are
simple or composite. You may choose how to treat them. The default is to
treat them as simple roles.
13. In the Target Configuration field enter the path and filename to be used for the target Sage configuration file. Click Browse to locate the path.
14. In the Target Users DB field enter the Path and Filename to be used for the
Target Sage Users Database file. Click Browse to locate the Path.
15. In the Target Resource DB field enter the Path and Filename to be used for
the Target Sage Resource Database file. Click Browse to locate the Path.
16. Click “Convert” and wait for the completion message (it may take a while).
Generic LDIF to Sage Converter
This converter is provided by CA Role & Compliance Manager and retrieves data from a given LDIF file. It allows mapping different attributes of LDIF objects to Sage fields. Once a map has been designed, it can easily be rerun on the same file or on other LDIF files to produce Sage configurations.
To start an LDIF conversion
1. Click File, Import From External Sources, Import from LDIF File.
The following window appears.
2. Specify the LDIF file to convert and the target Sage configuration files to
be created.
If you have a ready LDIF-Sage map xml file you may supply it as well.
3. Click Start to execute the conversion. Otherwise, click Edit Mapping to open the mapping screen.
The mapping allows three views of LDIF objects.
Map an LDIF object to a Sage entity
The object may either be a user, a role or a resource. In order to
perform the mapping, choose both object and entity and click “Add”.
After choosing a Sage entity for a specific object an attribute mapping
is required. Select attributes for the relevant Sage fields and click “Set”
to add them to the mapping list. You may also map Sage fields to an
OU of the object or to a constant text.
Link Sage entities based on LDIF object attributes
When an LDIF object has an attribute pointing to another object this
link may be reflected in the Sage configuration. Select the source and
destination objects and choose the attributes of the objects that should
match. Click “Add / Set” to add the selected mapping to the list.
Link Sage entities based on attributes of an LDIF object
When an LDIF object represents a link between two other objects this
link may be reflected in the Sage configuration. Choose the object
representing the link and select the source and destination attributes
from the object attributes. For both source and destination attributes
select which field of which entity they should match. Click “Add / Set”
to add the selected mapping to the list.
4. In any stage of the mapping click Show Example to view an example of the
attributes of the selected object. This is designed to assist you when
choosing attribute mappings.
5. After you finish mapping all relevant data click Save to save the mapping
to an xml file and return to the conversion window. This mapping may be
edited in the future.
6. When you are pleased with the mapping click Start to perform the actual
data conversion and open the generated Sage configuration.
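The three mapping views above, as an added Python example (not code from the product or the documentation). It includes a minimal LDIF reader that joins folded continuation lines and decodes base64 values, then maps constructed LDIF records: object class to Sage entity with attribute, OU and constant field sources (the first view), group member DNs to user-role links (the second), and an object that itself represents a link to role-resource links (the third). A member DN that matches no object is reported rather than turned into a user. The object classes, attribute names and the sageGrant class are assumptions.

```python
"""Added example, not part of the CA Role & Compliance Manager documentation:
a small LDIF reader plus the three kinds of mapping offered by the Edit
Mapping screen, run over constructed LDIF data (classes and attributes assumed)."""
import base64

LDIF = """\
dn: uid=alice,ou=Finance,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Adams

dn: uid=bob,ou=Sales,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEJyb3du

dn: cn=Payables,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: Payables
member: uid=alice,ou=Finance,dc=example,dc=com
member: uid=bob,ou=Sales,
 dc=example,dc=com
member: uid=carol,ou=Sales,dc=example,dc=com

dn: cn=grant-1,ou=Grants,dc=example,dc=com
objectClass: sageGrant
grantRole: Payables
grantResource: GL_POST
"""

def parse_ldif(text):
    """One dict per record (lower-cased attribute -> values), with folded
    continuation lines joined and base64 (::) values decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, entry = [], {}
    for line in lines + [""]:
        if not line:
            if entry:
                records.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
    return records

def rdn_value(dn, attr):
    """Value of the first RDN of dn with the given attribute, e.g. its OU."""
    for part in dn.split(","):
        k, _, v = part.partition("=")
        if k.strip().lower() == attr:
            return v.strip()
    return None

# View 1: object class -> Sage entity; a Sage field comes from an attribute,
# from the object's OU, or from a constant.
ENTITY_MAP = {
    "inetorgperson": ("user", {"id": ("attr", "uid"), "name": ("attr", "cn"),
                               "department": ("ou",), "source": ("const", "LDAP")}),
    "groupofnames": ("role", {"id": ("attr", "cn")}),
}
POINTER_LINK = ("groupofnames", "member")                  # View 2: attribute holds another object's dn
LINK_OBJECT = ("sagegrant", "grantrole", "grantresource")  # View 3: the object is itself a link

def field_value(rec, spec):
    if spec[0] == "attr":
        return rec.get(spec[1], [None])[0]
    return rdn_value(rec["dn"][0], "ou") if spec[0] == "ou" else spec[1]

def convert(text):
    by_class = {}
    for rec in parse_ldif(text):
        for oc in rec.get("objectclass", []):
            by_class.setdefault(oc.lower(), []).append(rec)
    entities = {"user": {}, "role": {}, "resource": {}}
    id_of_dn = {}
    for oc, (entity, fields) in ENTITY_MAP.items():
        for rec in by_class.get(oc, []):
            row = {f: field_value(rec, spec) for f, spec in fields.items()}
            entities[entity][row["id"]] = row
            id_of_dn[rec["dn"][0].lower()] = row["id"]
    links, unresolved = set(), set()
    src_oc, attr = POINTER_LINK
    for rec in by_class.get(src_oc, []):
        role_id = id_of_dn[rec["dn"][0].lower()]
        for dn in rec.get(attr, []):
            if dn.lower() in id_of_dn:
                links.add(("user-role", id_of_dn[dn.lower()], role_id))
            else:
                unresolved.add((role_id, dn))  # dangling member: report it, do not invent a user
    oc, role_attr, res_attr = LINK_OBJECT
    for rec in by_class.get(oc, []):
        for role_id in rec.get(role_attr, []):
            for res in rec.get(res_attr, []):
                entities["resource"].setdefault(res, {"id": res})
                links.add(("role-resource", role_id, res))
    return entities, links, unresolved
```

`convert(LDIF)` returns the entity tables, the link set and the unresolved references; the last set is worth reviewing before the configuration is used, since a group that still points at a deleted account is exactly the kind of stale privilege a role-mining exercise should surface.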
Import from TSS
CA Top Secret (TSS) is a security component for IBM mainframe computers
that works together with the existing operating system to provide system
security, resource access control, auditability, accountability and
administrative control. As such, it is the main repository for users, roles and
resources data on mainframe computers.
The main input to the Sage TSS import option is access data downloaded from TSS by generating a TSS List File and transferring the generated text file to a location on the Windows system to which Sage has access. Enriched data about user attributes (for example, from the human resources department database) can also be added.
The output is a Sage configuration, with TSS profiles appearing as Sage roles
and with TSS groups appearing as Sage resources.
To import data from TSS into Sage
1. Create a TSS List File on the mainframe and transfer the file to a location
that can be accessed by your Windows system.
2. Click Import, Import from TSS.
The fields of the TSS import window are described in the following table:
Sage Files

Sage Configuration File
    Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience.
Users Database
    Enter the name and folder of the target Sage users database. A Browse button is provided for convenience.
Resources Database
    Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience.

Options

TSS List File
    Enter the path to the file generated on the TSS computer with the TSS LIST(ALL) command and copied to the computer on which Sage DNA Data Management is installed.
Profiles as Roles
    Activate the radio button if Sage is to convert TSS Profiles to Sage roles; leave it inactive otherwise.
Groups as Resources
    Activate the radio button if Sage is to convert groups to resources; leave it inactive otherwise.
Add ACL Entities
    Mark the check box to process Application Control Language (ACL) scripts. Unmark it to skip them.
Supplementary HR file
    Record the name of the file containing supplementary users data, if any.
3. Fill in the fields in the Importing window.
4. Click Convert to import.
If any errors result from the import process, then a Sage message
appears.
5. Check any errors in the SageTSSConverterXXX.log file located in the Sage
Logs folder.
The configuration is created in the target folder but is not automatically
opened by Sage.
Import from UNIX
The UNIX to Sage converter accepts UNIX IDM files and converts them into
Sage formatted CSV files which can then be transformed into or incorporated
in a Sage configuration. The UNIX Group and Password files serve as input for
the conversion process. You must transfer these source files to a location on
your Windows system that can be accessed by Sage.
To import data from UNIX into Sage
1. Transfer the UNIX Group and Password files to a location on the Windows
system.
2. Click Import, Import from UNIX.
The Unix to Sage Converter window opens.
3. In the Source Unix Files section, enter the location of the UNIX password
and group files.
4. In the Target Sage Files section click Browse to select the target Sage files
to be generated. You must generate a Configuration file, Users file and
Resources file.
5. To treat the UNIX groups as Sage resources select the Groups as
Resources check box.
6. Click Convert to initiate the conversion process and create the Sage
configuration files.
The configuration is created in the target folder but is not automatically
opened by Sage.
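The UNIX conversion above, as an added Python example (not the product's converter and not code from the documentation). It derives users, groups as resources and user-resource links from constructed passwd and group files, and shows a point the description leaves out: a user's primary group is recorded only as the gid field in passwd, so a converter that reads membership from the group file alone misses it. Group members with no passwd entry are reported rather than linked. The CSV column layout is assumed.

```python
"""Added example, not part of the CA Role & Compliance Manager documentation:
derive Sage users, resources (groups) and user-resource links from UNIX passwd
and group files. Sample files and the CSV column layout are constructed."""
import csv
import io

# Shadowed passwords appear as 'x'; the conversion needs no hashes, and
# /etc/shadow should not be copied to the Windows system at all.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice Adams,Finance:/home/alice:/bin/bash
bob:x:1002:100:Bob Brown:/home/bob:/bin/sh
carol:x:1004:300:Carol Clark:/home/carol:/bin/bash
svc_backup:x:1003:200::/var/backup:/sbin/nologin
"""
# The member list here is supplementary membership only; a user's primary
# group is the gid in passwd and is usually not repeated in this file.
GROUP = """\
root:x:0:
users:x:100:
wheel:x:10:alice
backup:x:200:bob,svc_backup,ghost
"""


def parse_colon_file(text, nfields):
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {n}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def convert(passwd_text, group_text):
    """Return (users, resources, links, problems) for the two files."""
    users, resources, links, problems = {}, {}, set(), []
    for login, _pw, uid, gid, gecos, _home, shell in parse_colon_file(passwd_text, 7):
        users[login] = {"uid": uid, "gid": gid, "name": gecos.split(",")[0] or login, "shell": shell}
    gid_to_name = {}
    for name, _pw, gid, members in parse_colon_file(group_text, 4):
        gid_to_name[gid] = name
        resources[name] = gid
        for member in filter(None, members.split(",")):
            if member not in users:
                problems.append(f"group {name} lists unknown user {member}")
                continue
            links.add((member, name))
    for login, u in users.items():
        name = gid_to_name.get(u["gid"])
        if name is None:  # primary gid without a group entry: keep the link, synthesise the resource
            name = f"gid:{u['gid']}"
            resources[name] = u["gid"]
            problems.append(f"user {login} has primary gid {u['gid']} with no group entry")
        links.add((login, name))
    return users, resources, links, problems


def to_sage_csv(users, resources, links):
    """Render the three CSV texts (users, resources, links); columns assumed."""
    def table(header, rows):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(header)
        writer.writerows(rows)
        return buf.getvalue()
    return {
        "users.csv": table(["UserID", "Name", "UID", "Shell"],
                           [(u, d["name"], d["uid"], d["shell"]) for u, d in sorted(users.items())]),
        "resources.csv": table(["Resource", "GID"], sorted(resources.items())),
        "links.csv": table(["UserID", "Resource"], sorted(links)),
    }
```

The `problems` list is the part to read before loading the result: a group that lists a login with no passwd entry, or a primary gid with no group, both point at account hygiene issues on the source host.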
Import Windows Shared Folder
Eurekify's customers are often interested in mapping privileges at a finer level of granularity than most IdM tools provide, that is, below the level of groups or profiles. This converter provides this granularity for Windows environments by scanning Windows servers for shared folders and mapping access rights for those shares to the relevant domain groups and users.
The converter relies on Eurekify's Active Directory (AD) converter to bring in
AD groups, possibly from multiple AD servers and domains, and users. The
converter uses agent-less Windows WMI technology to scan a range of
Windows computers and import their shares as resources. It then links them to
the above AD users and AD groups (imported as Sage roles).
Mapping Windows Share Data to Sage
The scanner connects with each of the machines defined by the user and
queries it for shares. All the acquired shares are translated to Sage resources,
detailing computer name, share name, and access level. For each share, all
permissions are obtained and are translated to Sage user and role links with
resources (the resources being shares). Different access levels of different
users are reflected as separate resources.
To import data from Windows Shared Directories into Sage
1. Click Import, Import from Active Directory.
The Connect Active Directory window opens.
2. Set the Credentials and Output Files fields.
3. Click Next to advance to the next step in the wizard.
4. In the Search Active Directory Objects step, select the All Groups as Roles
option from the Groups as Roles section.
5. Complete the Wizard and generate an Active Directory configuration. This
will serve as Sage Configuration input in the Windows to Sage converter.
6. From the Import menu select Import Windows Shared Directory.
The Windows to Sage Converter opens.
7. In the Original Sage AD Configuration section enter the Path and File name
for the Active Directory configuration that you created.
8. From the Windows Share Scan section, click Scan Shares.
The Scan Windows Shares window opens.
9. In the Credentials section, enter the domain administrator User Name and
Password. You can instead enter the credentials of any other user that has
permission to use WMI on the target systems.
10. In the Machines to Scan section, enter the IP ranges to be scanned by
entering each IP address range and clicking Add. Alternatively, you can add
pattern-based computer names by selecting the Computer Name by AD
filter check box and entering a filter and an AD Server in the respective text
boxes.
11. In the Target Share Files section, enter file names for the Shares Resource
File and Shares Links File text boxes.
12. Click Scan to perform the scan.
A progress bar appears; wait for it to finish.
13. Click Close and return to the Windows to Sage Converter window.
14. In the Target Save Configuration section, enter the Path and File name for
the Target Configuration file.
15. Click Merge and wait until the Done message appears.
The new Sage configuration is then ready for use.
More information:
Export Active Directory (see page 43)
BMC Identity Manager Open Services
This converter maps ESS Persons, Profiles (job codes), Groups and Accounts,
into Sage Users, Roles, Resources and Links.
Importing from BMC Identity Management
To import from BMC Identity Management to Sage
1. Click Import, Import from BMC Identity Manager(OpenServices).
2. Fill in the BMC Identity Management Convert (Import) window.
■ If the files defaultConnection.xml and defaultMapping.xml exist in the
Sage home directory, the form values are loaded automatically from
those XML files.
■ The XML files must be saved before the import process can be performed.
3. In the Input Details group provide the JBoss Input Detail connection
parameters.
4. Click Test Connection to test the connection parameters.
5. Pre-saved parameters can be loaded from an XML file. If the file
defaultConnection.xml exists in the Sage home directory, the connection
values are loaded automatically from that XML file.
6. In the Map Fields group, enter the path and file name of the map XML
file, if it exists, in the Map XML File text field.
Pre-saved parameters can be loaded from an XML file. If the file
defaultMapping.xml exists in the Sage home directory, the mapping values
are loaded automatically from that XML file.
7. If the file does not exist click Edit in the Map Fields group.
The Field Mapping window opens.
8. Fill in the Field Mapping window as indicated.
If the Input Details were entered correctly, the drop-down list values
are available.
9. Save your changes and click Done.
The window closes and you return to the BMC Identity Manager window.
10. In the Output Sage Files group, enter the target location for the Sage
output configuration files: the configuration, Users Database and
Resources Database (cfg, udb and rdb).
11. In the Sage Executable group enter the directory and path to the Sage
Data Management executable file.
12. Click Start Import to initiate the import process.
Exporting to BMC Identity Management
Sage DNA Data Management supports exporting to BMC Identity Management.
Exporting to BMC Identity Management requires the following:
■ Generate a Sage diff log file by comparing two Sage configurations. This
diff log should contain all the operations which will be reflected in ESS.
■ Use the BMC Identity Manager convert (Export) application to perform the
changes.
To export to BMC Identity Management
1. Compare the original configuration created by the Import from BMC Identity
Management to Sage process with the modified configuration, and create a
Differences file.
2. Click Export, Export to BMC Identity Manager (OpenServices).
The BMC Identity Management Convert (Export) window opens:
3. In the Input Details group enter the connection details. We recommend
that you use the connection XML file that was used during the import
process.
4. In the Map Fields group, enter the mapping field details. If you use the Map
XML File that was used for the import process, the details are extracted
from the file and the relevant fields in the Map Fields window are
populated automatically. Otherwise, click the Edit button and enter the
details manually.
5. In the Sage Diff Log group enter the directory and path to the Sage Diff
log file that you created.
6. Click Start Export to start the export process.
A Done message appears to report the completion of the convert process.
Oracle Identity Manager
The Oracle Identity Manager Converter provides you with the capability to
integrate Eurekify Sage ERM and Oracle Identity Manager by automatically
synchronizing the role-based privileges data between the two systems.
Using the Sage-Oracle Identity Manager Converter you map Oracle Identity
Manager Users, User Groups/Access Policies and Resources Objects to Sage
users, roles, resources and links.
Updating Oracle Identity Manager Client JARs
The first time you run the Oracle Identity Manager (OIM) converter you must
update the converter with OIM client jars.
To update the Oracle Client JARs
1. Click Import, Import from Oracle Identity Manager.
The Oracle Identity Management window opens.
2. Click Update Oracle Client Jars.
The Update OIM Client Jars window opens. The window displays a list of
JAR files for the Lib, Ext and Config directories. Use the
Browse for Directory buttons to locate the associated Oracle Client
directories. These are usually located in the following path: <oracle client
install dir>\xlclient.
3. Click Browse for lib directory.
A Browse for Folder window opens.
4. Navigate to, and select the lib folder. Click OK.
5. Repeat the browse and select process for each of the ext and config
directories.
6. Once the location is provided for each folder, the Update Jars button
becomes available.
7. Click the Update Jars button to start the update.
When the update is complete the message in the Status box reads Found
all needed files and the updated files for each directory appear with a
Check mark in the adjacent check box.
8. Click Done.
The Update OIM Client Jars window closes and the converter is now ready
to import files.
Importing from Oracle Identity Manager
Importing from the Oracle Identity Manager is performed using the
Sage-to-Oracle Identity Management converter. The process includes:
■ Providing Connection details.
■ Mapping Oracle Identity Manager Users, User Groups/Access Policies and
Resource Objects to their respective Sage entities: users, roles, resources
and links.
■ Providing the location for the Sage Output files
■ Providing the location for the Sage Executable file.
Sage DNA and Oracle Identity Manager use different but parallel terminology
for components and entities in each of their configurations and files. Use the
following table to familiarize yourself with the terminology used in each
environment for their respective components and entities.
Sage DNA Terminology    Oracle Identity Manager Terminology
User                    User
Role                    User Groups/Access Policies
Resource                Resource Objects
The converter produces an XML file that maps the Oracle Identity Manager
User, User Groups/Access Policies and Resource Objects to Sage users, role,
resource and link entities. This Map xml file is used as part of the Import
process and can later be used as part of the Export process.
To import from the Oracle Identity Manager
1. Click Import, Import from Oracle Identity Manager.
The Oracle Identity Management window opens.
2. In the Connection Details area enter the values for each field to match
those used on the Oracle Identity Management server.
3. In the Connection Details XML File text box enter the file path and name
for the Connection Details XML file and click Save to save the location of
the Connection Details XML file. If an XML file containing the connection
details already exists then click Open and browse for the file location.
By default, Sage searches for a Connection Details XML file called
defaultSettings.xml located in the <Sage home directory>\OIMConvert. If
the file exists then Sage automatically loads the connection values into the
Connection Details fields.
Once all the connection details are entered the Test Connection button is
enabled.
4. Click Test Connections to validate the values.
If the test is successful a Test Connection Succeeded message is displayed
and the Edit button in the Map Fields group box and the Start Import
button are both enabled.
5. In the Map Fields area click Edit to open the Field Mapping window. For
each of the Sage User, Role and Resource entities listed in the Field
Mapping window provide the value for their respective entities on the
Oracle Identity Manager server.
6. In the Map xml File group box enter the path and name of the Output map
file. You must include the xml extension as part of the file name.
7. Click Save to save the Map xml file.
8. Click Done to return to Oracle Identity Management converter window.
The Map xml file name now appears in the Map XML File field.
By default, Sage searches for a Map XML file called defaultMapping.xml in
<Sage home directory>\OIMConvert. If the file exists, Sage automatically
loads the mapping values contained in that file.
9. In the Output Sage Files area, enter the path and file name for each of the
Sage configuration files: one each for the Configuration, Users DB and
Resource DB files.
10. In the Sage Executable group box enter the location of the Sage DNA Data
Management executable file.
11. Click Start Import to run the converter and produce the Sage configuration
files.
Once the conversion process is complete a Done message appears to
confirm successful operation.
Exporting from Sage to Oracle Identity Manager
Sage DNA Data Management supports exporting to Oracle Identity Manager
via the Oracle Identity Management Convert (Export) application.
Exporting to the Oracle Identity Manager requires that you:
■ Generate a Sage diff log file by comparing two Sage configurations. The
diff log must contain all the operations which should be reflected in Oracle
Identity Manager.
■ Use the Oracle Identity Management Convert (Export) application to
perform the changes.
To export to Oracle Identity Manager
1. Compare the original configuration generated by the Import from Oracle
Identity Manager to Sage process with the modified configuration, and create
a Differences log file.
2. Click Export, Export from Oracle Identity Manager.
The Oracle Identity Management Convert (Export) window opens:
3. In the Connection Details area enter the values for each field to match
those used on the Oracle Identity Management server. We recommend
that you use the Connection Details XML file to automatically load the
values that were used during the import process. Click Open to navigate to
the previously saved Connection Details XML file.
4. If the NIST style roles to user groups and access policies check box is
selected, roles that are not marked as Access Policies [AP] and are
connected to resources are connected to those resources via an access
policy. For example, if the role Role1 is to be connected to Res1, a
new Access Policy Role1 is created. This policy has Role1 as a
member and entitles access to Res1.
5. In the Map Fields area click Browse to navigate and select the Map XML file
that was used during the import process.
6. In the Sage Diff Log area provide the Path and Name of the Sage Diff Log
that you generated for the two configuration files.
7. Click Start Export to run the export converter.
If the export process identifies unsupported Oracle Identity Manager
requests, a window appears listing the identified errors.
8. Click No to cancel the export process, or click Yes to continue the export
process while disregarding the errors.
Chapter 4: Management Menu
User data changes continually in the HR system. To maintain the Users, Roles
and Resources relationships, you can enrich the Sage User and Resource
databases by incorporating the latest HR Users and Resource data. The HR
data is used as input for Sage Pattern Based Audit, Sage role engineering and
Sage compliance.
This section contains the following topics:
Enrich Users Database (see page 110)
Enrich Resource Database (see page 112)
Preserving Columns During Enrichment (see page 113)
Sage Database Utility (see page 115)
Enrich Users Database
The Sage DNA Data Management application expects to receive the
supplementary HR data to be merged with the existing users database as a
CSV formatted file. The first column of the supplementary HR data file must
contain the unique Person ID. The type of Person ID used in the HR file must
match the type of Person ID used in the Sage users.UDB file. For example, if
the value for the Person ID in the UDB file is taken from the user's login
account, then the HR file should also take the Person ID from the user's login
account.
■ For every Person ID in the Sage UDB file that has a matching Person ID in
the HR file, Sage replaces the record in the UDB file with the record taken
from the HR file.
■ The resulting Output Users Database contains the same number of records,
arranged in the same order, as the original Sage UDB file.
To enrich a users database
1. Click Management, Enrich Users DB.
The Sage HR Data Merge Converter window opens.
2. In the Users Database text field, enter the path and name of the Sage
Users database that is to receive the supplementary HR data.
3. In the Supplementary HR File text field, enter the path and name of the
file containing the supplementary HR data.
4. In the Output Users Database text field, enter the path and name of the
resulting database file that contains the merged output.
5. From the Options group box, select any of the options that are relevant.
The following table describes the options:
Option Description
Person ID Is Case Sensitive
    Select to take case into consideration.
Clear Fields that are empty in the HR file
    Select to overwrite fields in the UDB with empty data if such a field
    exists in the HR file. Clear the option to disregard empty fields in the
    HR file and keep the existing content in the UDB.
Clear Fields of the UDB users that were not found in the HR file
    Select to delete content from UDB user fields if a user by the same name
    does not exist in the HR file. Clear the option to keep user information
    in the UDB even if the user does not exist in the HR file.
6. Click Enrich.
A new Sage users database is generated and saved in the specified
location.
Enrich Resource Database
For each resource set (R1, R2, R3) in the Sage RDB file that has a matching
resource set in the supplementary resource database file, Sage replaces
the record in the RDB file with the record taken from the supplementary
resource database file.
To enrich a resource database
1. Click Management, Enrich Resource DB.
The Sage HR Data Merge Converter window opens.
2. In the Resource Database text field, enter the path and name of the Sage
Users database that is to receive the supplementary HR data.
3. In the Supplementary Resource DB File text field, enter the path and name
of the file containing the supplementary HR data.
4. In the Output Resource Database text field, enter the path and name of
the resulting database file that contains the merged output.
5. Click Enrich.
A new Sage Resource database is generated and saved in the specified
location.
Preserving Columns During Enrichment
During the enrichment process the original records in both the Sage Users
databases and the Resource databases are overwritten with the data from the
supplementary HR files. The order in which data is arranged in the Sage
databases is lost if the order of the data in the supplementary HR files
differs from that in the Sage database.
If need be, you can preserve the arrangement and content of any column in
the source file by modifying the supplementary HR file before performing the
enrichment process. To prevent a column from being overwritten, you must
place an empty column in the parallel position in the supplementary HR file.
The following illustration represents the arrangement and content of a Sage
Users Database:
The following illustration represents the arrangement and content of the
Supplementary HR File.
Notice the following:
■ The column order in the Sage User Database is Person ID,
UserName, and Title.
■ The column order in the supplementary file is Person ID, UserName,
OrgName, OrgType, …
In this scenario when the two files are merged, the Title entry for each record
in the Sage User Database would be overwritten by the OrgName entry from
each record in the Supplementary HR File. The Title column is the 3rd column
in the Sage Users Database.
To prevent the Title column from being overwritten, an empty column must be
placed in the 3rd position in the Supplementary HR file. This is done by placing
an additional comma as a placeholder in each record of the supplementary file
at the position you want to preserve in the Sage Users Database.
The following illustrates how the Supplementary HR File in the above scenario
is modified to prevent the entries in 3rd column of the Sage Users Database
from being overwritten.
In the figure, two consecutive commas, signifying an empty column, now appear
in each record between the original 2nd and 3rd columns, UserName and
OrgName respectively.
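The merge rules in Enrich Users Database and the empty-column trick described here can be checked on sample data. The block below is an added example, not the Sage HR Data Merge Converter's own code. It assumes both inputs are plain CSV with a header row and the Person ID in the first column, and models the documented behaviour: a UDB record whose Person ID appears in the HR file is replaced field by field with the HR record, the output keeps the UDB's record count, order and column layout, and an empty HR column (the extra comma) leaves the UDB column at that position untouched. The three keyword flags mirror the Options group box; the UDB and HR rows are constructed.

```python
"""Merge a supplementary HR CSV into a users database, column by column.

Added example (not the converter's own code). Assumes CSV input with a
header row and the Person ID in column 1; the UDB column layout is kept.
"""
import csv
import io

# Constructed users database: Person ID, UserName, Title.
UDB_CSV = """\
PersonID,UserName,Title
jsmith,John Smith,Analyst
adoe,Anne Doe,Manager
bking,Bob King,Engineer
"""

# Constructed supplementary HR file: Person ID, UserName, OrgName, OrgType.
HR_CSV = """\
PersonID,UserName,OrgName,OrgType
JSMITH,John Smith,Finance,Department
adoe,,Sales,Division
"""


def read_csv(text):
    """Parse CSV text into a list of rows (header row first)."""
    return list(csv.reader(io.StringIO(text)))


def preserve_column(rows, position):
    """Insert an empty column at 1-based `position` in every row.

    This is the "additional comma" edit from Preserving Columns During
    Enrichment: the UDB column at that position is then never overwritten.
    """
    return [row[:position - 1] + [""] + row[position - 1:] for row in rows]


def enrich(udb_rows, hr_rows, case_sensitive=True,
           clear_empty=False, clear_missing=False):
    """Return the enriched rows; header row and width come from the UDB."""
    header, udb_body = udb_rows[0], udb_rows[1:]
    norm = (lambda s: s) if case_sensitive else (lambda s: s.lower())
    hr_by_id = {norm(row[0]): row for row in hr_rows[1:]}
    width = len(header)
    out = [header]
    for udb in udb_body:
        hr = hr_by_id.get(norm(udb[0]))
        if hr is None:
            # No HR record for this user: keep or blank the non-ID fields.
            rest = [""] * (width - 1) if clear_missing else udb[1:]
            out.append([udb[0]] + rest)
            continue
        merged = list(udb)  # column 1 is the join key and is kept as-is
        for i in range(1, width):
            if i >= len(hr):
                continue  # the HR record has no field at this position
            if hr[i] != "" or clear_empty:
                merged[i] = hr[i]
        out.append(merged)
    return out


def write_csv(rows):
    """Serialise rows back to CSV text."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    udb, hr = read_csv(UDB_CSV), read_csv(HR_CSV)
    print(write_csv(enrich(udb, hr)))                      # Title overwritten
    print(write_csv(enrich(udb, preserve_column(hr, 3))))  # Title preserved
```

In this model the two mechanisms interact: with the Clear Fields that are empty in the HR file option selected, the inserted empty column would itself overwrite the UDB column, so column preservation through an empty column only holds while that option is cleared. Running the enrichment on a copy and diffing the output against the original UDB before replacing it is the cheapest way to confirm that only the intended columns changed.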
Sage Database Utility
The Sage Database Utility lets you create a new database when you do not
want to conduct a complete installation of Sage. You should be aware that the
database created using the database utility is based on the most recently
installed version of Sage Client Tools.
If you have upgraded either the Sage Reports tool or Sage Portal since
installing the Client Tool, then creating a database using the Database Utility
causes a downgrade in the database version to the version that was installed
with the Sage Client Tool.
Important! We strongly recommend that you only use the Sage Database
Utility after first consulting with CA Technical Support.
To Use the Sage Database Utility
1. Close all database entities if any are open.
2. Click Management, Sage Database Utility menu item.
The Sage Database Utility window opens.
3. In the Database Name field, enter the name of the database on which you
want to perform an action.
4. In the SQL Server Name field enter the Server Name on which the
database is located.
5. Click Install to create a new database.
6. Click Remove to delete the database.
7. Click Upgrade to upgrade an existing database.
Chapter 5: Unique User ID (UUID) Menu
The UUID menu lets you access the Unique User ID utility. Use this utility to
consolidate related or duplicate user accounts from the different directories in
your environment.
This section contains the following topics:
The UUID Interface (see page 118)
UUID Work Process (see page 119)
Prepare Company HR and Systems Data (see page 120)
Set Java Package Directory (see page 120)
Working Directories (see page 120)
User Databases (see page 123)
UUID Mapping File (see page 135)
Match Process (see page 136)
Merge Process (see page 138)
The UUID Interface
To access the UUID interface, click UUID, Launch UUID Tool.
The UUID user interface is divided into several sections that reflect the work
process that you undertake in consolidating the access rights and privileges on
your system. The following is a sample:
The following table describes the sections:
Section Description
Java Package Directory
    The path in which the UUID package is located (this is where the
    CA Role & Compliance ManagerMatcher.jar is located).
UUID Mapping File
    The main settings file that refers to all other definitions.
UUID Working Directories
    Defines the locations in which the tool can find source data and deposit
    temporary output files that contain consolidated output data. (All
    directories here must be on the same drive, for example, C:\.)
User Databases
    Provides the mappings for each of the account sources (CA Role &
    Compliance Manager user databases).
Match Process
    Provides the file name and directory of the configuration that results
    from the matching process, as well as a few general parameters for the
    matching. Also runs the process that performs the matching.
Merge Process
    Provides the file name and directory of the resulting configuration file
    that contains the consolidated access rights based on the above matching.
    Also runs the process that performs the merging.
UUID Work Process
This section describes the general work flow that you perform when using the
UUID tool.
The general work process is as follows:
1. For each of your company systems you must extract or export the user
data and save it in the form of a CSV file in the same format as a CA Role
& Compliance Manager Users DB (UDB). Each of the CSV files should be
renamed so that it uses a *.udb extension. If you have imported the full
access rights from those systems in a CA Role & Compliance Manager
configuration, you can use the UDB from those configurations. You must
create a data directory and then place the *.udb or *.cfg files in the data
directory.
2. Specify the path for the UUID Working Directories: Data Directory, Index
Directory and Output Directory. (Note that all directories must be on the
same logical drive, e.g., C:\.)
3. Define the mapping definitions for matching users to their resources and
accounts across available systems and save the mapping definitions file.
4. Run the Index.
5. Enter the path and name of the configuration file that contains the
matched data in the Match Process section and run the Match process.
6. If desired enter the path and name of the configuration file that contains
the merged data in the Merge Process section and run the Merge process.
Prepare Company HR and Systems Data
Using proprietary pattern recognition technology the UUID tool identifies and
matches users to their accounts across all of your company systems. The
source data used by the UUID tool is the user and account data for each
system saved in the form of a CSV file. The format for this file is exactly the
same as any other Eurekify UDB. If you have imported a full configuration
from a certain system, you can simply use its UDB here.
For each of your company systems:
Copy the *.udb files (or full set of .cfg, .udb, and .rdb) to the data directory.
The Data Directory is referenced as one of the Working Directories. The UDB
files are used by the UUID tool during the matching and merging process.
Set Java Package Directory
The Java Package section in the UUID Tool references the installation directory
that contains the EurekifyMatcher.jar file.
To set the Java Package Directory
1. In the Java Package Directory section click Browse.
A Browse dialog opens.
2. Navigate to and select the <Install Drive>:\Program
Files\Eurekify\Eurekify Sage Client Tools V[version]\Software\UUID
directory (where [version] is V3.2 or V4.0), and click OK.
The selected directory appears in the text field in the Java Package
Directory section.
Working Directories
The Working Directories are a set of directories on your local machine that are
used to house data and deposit output files that contain consolidated output
data. The Data Directory is used to store your *.udb files that contain data
extracted from your various company systems.
Note: All working directories must be placed on the same logical drive, such
as C:\.
Working Directory Description
Data Directory
    Stores data files containing user and account data extracted from the
    various company systems.
Index Directory
    Stores internal UUID files generated as part of the Indexing process.
    Note: Erasing or editing these files causes the UUID tool to malfunction.
Output Directory
    Provides a container to house temporary output files that are for
    internal use by the UUID tool only.
    Note: Erasing or editing these files causes the UUID tool to malfunction.
Create and Assign Working Directories
You need to create each of the working directories on your database server
and then assign their path in the UUID tool.
To create and assign work directories
1. On your local machine, create three directories, one each for your Data
Directory, Index Directory, and Output Directory.
For example, using the directory path C:\testdemo\uuid_demo, create the
following directories:
Data Directory
C:\test\uuid_demo\demodata
Index Directory
C:\test\uuid_demo\demoindex
Output Directory
C:\test\uuid_demo\demooutput
2. In the UUID Working Directory section of the UUID tool (highlighted in the
following screen), enter the directory path in the text field for each of the
directories that you created. To search for the directory click Browse.
3. Select the directory, click OK.
The directory path is displayed in the selected Working Directory text field.
User Databases
The User Databases section of the UUID Tool (highlighted in the following
screen) is where you define the parameters and settings, and identify data
that is used to consolidate the user access rights and privileges across all
systems in your organization. Your goal is to identify each person in your
organization with the accounts they have access to on each of the systems in
your organization.
In some cases this is straightforward, for example, if the organization's
personnel use the same account ID on all systems. In other cases, it may be
possible to identify the owner of an account because accounts are based on
some naming convention, for example, jdoe for John Doe. In the more difficult
cases, it may be possible to recognize the account owner based on cues in
some of the other account fields, for example, name (free text), address,
phone number, email address, and so on. This information is contained in the
database files, *.UDB files, that you extracted from each of the systems.
Master vs. Other Databases
The Master database is usually the database that you extracted from the
system that supports your Human Resources department. Using the User
Databases window you create virtual connections between each User Database
file and a Master Database file based on common information contained in the
Master Database and any of the other databases.
Databases extracted from Human Resources generally contain a broad set of
data on the personnel in your organization and generally reference each
person by a unique employee ID. This ID is the single piece of information that
must be included in a Master Database. In most cases, more information will
allow you to match more accounts more accurately. Thus, any other
information that is available is important to be included in the Master
Database: name, department, title, location, manager, and so on.
Connecting Master and Other Databases
To correlate between users in different databases, definitions are required that
describe and “canonize” the user-related information contained in the
databases. Those definitions are called UUID-Fields. Specifically, the NAME,
GROUP and FUNCTION attributes of the UUID-Fields defined for each database
provide a means to correlate the data.
Using these UUID-Field attributes you create a virtual bridge between each
User Database and the Master Database. When the UUID tool processes the
data in each of the databases, it uses the information in these virtual bridges
to identify each person in the organization with the accounts on each system
to which they have access.
In practice the virtual bridge is referred to as the Group attribute of the
UUID-Field, and the Name and Function attributes define the actions that are
performed on each field in the databases to correlate data between the Master
Database and the other User Databases. To successfully match organization
personnel with their accounts, you must examine each of the User Databases
and create as many UUID-Fields as are needed to link each person listed in the
Master Database to the accounts that are referenced in the User Databases.
Example Database Usage and UUID-Field Construction
This example shows two separate databases that each hold data for a single
employee in an organization. In Database 1 the employee is referenced by
Person Name and the employee's telephone number is provided in the form
<Area Code-Number>. In Database 2 the employee is referenced by a Person
ID and the employee's phone number is provided as two separate fields, Area
Code and Phone Number.
Database 1
Fields in Database 1   Person Name   Telephone
Data                   John Smith    09-7693219
Database 2
Fields in Database 2   Person ID   Area Code   Phone Number
Data                   1234567     09          7693219
By looking at the phone number in each database you can see that the Phone
Numbers are identical even though they are referred to in slightly different
forms. We can therefore extrapolate from that, that the employee John Smith
in Database 1 is the same individual that is referred to by the Person ID of
1234567 in Database 2. Essentially we have used the data provided by the
phone numbers to build a virtual bridge between the two databases.
UUID-Field Construction in the UUID Tool
In the UUID tool, the Group attribute of the UUID-Fields forms the virtual
bridge. You create UUID-Fields with given Group attributes in the Master
Database for each type of information that you want to use. You then create
UUID-Fields with identical Group attributes in the User Databases that contain
the same type of information that you want to relate to the information in the
Master Database. The functions may vary in structure for the identical Groups
in each database, but the goal is to construct the same data set using the
available fields in the databases. In our simple example, the databases look
as follows:
Database 1 UUID-Fields
  Name: Database 1_Ex | Group: Phone | Function: Telephone
Database 2 UUID-Fields
  Name: Database 2_Ex | Group: Phone | Function: <Area Code>-<Phone Number>
Each database contains a UUID-Field with a Group called Phone. The Functions
for each Group vary in structure but the outcome is identical: in this example,
a phone number in the form <Area Code>-<Phone Number>.
UUID-Field Elements
Each database can contain several UUID-Fields. Each UUID-Field has the
following elements: Name, Group, Function, and Weight. The following list
describes these elements:
Name
Specifies a name that is provided for each UUID-Field that is extracted
from the database. The name does not have to be identical across each
database.
Group
Specifies a name that is used for each common data type. The name for
each common data type must be identical in each database.
Function
Specifies the action to be performed on the database fields. This might be
to extract the data contained in a database field, or it might be to extract a
combination of data contained in several fields in the database.
For help on the protocol used to construct combinations click the ? button
in the Fields section of the User Database window. Refer to ???? for a
complete list of the functions available to manipulate database fields and
create UUID-Fields.
Weight
Provides a numeric measure to indicate the internal priority given to each
group within a database. The greater the value the higher the priority. The
UUID tool processes the groups according to their order of priority.
A value of 0 means that this group is not taken into consideration in the
matching process.
Naming UUID-Fields
Each database must contain at least one UUID-Field that references the field in
the database that contains the user-account information (Login). The name
provided for that UUID-Field must be provided in the following form:
<Database Name>_ID. The Name provided for any other UUID-Field can take
any form.
For example, for a database called RACF.udb the Name provided for the
UUID-Field relating to the user-account field is RACF_ID.
The purpose of this special UUID-Field is to support the Merge operation (post
matching). It is used to compare to the Person ID field in the merged
configuration.
Note: The ID UUID-Field is not used for the correlation process. It should be
associated with a group of its own, and given a weight of 0.
Adding New Databases
You need to include a database for each system in your organization that you
are referencing. These are files that were extracted from each system and
renamed as *.UDB files.
To add a new database
1. Click Add New in the User Databases section of the UUID Tool.
The User Database window opens.
2. Click Browse next to the UDB/CFG File Name text field and from the Open
dialog box select the database file that you want to include.
Note: If you later plan to run the Merge Process, you need to select a
Eurekify configuration file (.cfg file) originating from the referenced
systems. Configuration files automatically direct the tool to their User
Database (.udb file). Otherwise, you can select the User Database (.udb
file) directly.
3. Click Open and the selected file name is displayed in the UDB/CFG File
Name text field.
4. Click Save and provide a name for an XML file in the Save As dialog box.
The XML file is the UUID Mapping file and stores all the mapping
parameters associated with the database.
5. Repeat this procedure to add a reference for each User Database that was
extracted from the organization.
The following screen shows references to User Databases for each system
treated in an organization; these include UsersDB, RACF, WinNT and Solaris.
6. Select the Database that contains the HR data and click Set Master. This
sets the selected database as the Master database.
The database that you select as the Master database must contain an explicit
reference to each of your personnel by name. For this reason it is usually the
database that contains the HR data.
Adding Databases from XML Files
If you already have an XML file from a previous implementation, you can refer
to that XML directly. You do so by using the Add from XML feature in the User
Databases section of the UUID tool.
To add a database from an XML file
1. From the User Databases section click Add from XML.
The Save As window opens.
2. Navigate to the folder that contains your databases saved as XML files and
select the database to add to the mapping file.
3. Click Save.
The database is added to the list of User Databases referenced in the
mapping file.
4. Click Save in the UUID Mapping File section to save the modified list of
databases as part of the mapping file.
Editing Database UUID-Fields
At times you may need to modify existing matching UUID-Fields in a database,
add UUID-Fields to a database, or remove UUID-Fields from a database. You
do so by using the Edit feature in the User Databases section of the UUID tool.
To edit a database UUID-Field
1. Select an XML file from the User Databases list.
2. From the User Databases section click Edit.
The User Database window opens displaying the list of UUID-Fields.
3. Select the UUID-Field that you want to edit.
The selected row is highlighted.
4. Double-click in any field and the field becomes editable. You now can
manually edit the value for the selected field.
5. When you are satisfied with your changes, click Save to confirm your
changes in the database.
To add a UUID-Field to a database
1. Select an XML file from the User Databases list.
2. From the User Databases section click Edit.
The User Database window opens displaying the list of UUID-Fields.
3. Enter values in the Name, Group and Function fields.
4. Enter a numeric value in the Weight text field.
5. Click Add.
The new UUID-Field is added to the list of groups in the database.
6. Click Save to confirm your changes in the database.
To remove a UUID-Field from a database
1. Select an XML file from the User Databases list.
2. From the User Databases section click Edit.
The User Database window opens displaying the list of groups.
3. Select the UUID-Field that you want to remove.
The selected row is highlighted.
4. Click Remove and the selected group is deleted from the list of groups.
5. Click Save to confirm your changes in the database.
Note: You can define several UUID-Fields having the same Group name. For
example, if the Master Database contains a value for US State (such as, NY),
but it does not exist in a given User Database, you can still use some of the
information that is available in the User Database to match to it. For example,
suppose that the User Database contains telephone number and zip code. In
that case, you can create two fields in the User Database: one will try to
“guess” the state by mapping (lookup function) the telephone area code, and
one will do the same but with the zip. Hopefully at least one of the matches
will succeed and you will get a match.
Removing Databases
For any number of reasons you may no longer need to deal with data that is
included in a particular system in your organization. In such cases you need to
remove references in your mapping file to the database. You do so by using
the Remove feature in the User Databases section of the UUID tool.
To remove a database from a mapping file
1. In the UUID tool, load the mapping file that contains the databases to be
removed.
The User Databases referenced in the mapping file are displayed in the
User Databases list.
2. Select the User Database to be removed from the mapping file.
The selected row is highlighted.
3. Click Remove.
The selected row is deleted from the list.
4. In the UUID Mapping File section click Save to confirm the changes made
to the mapping file.
Indexing the Databases
Index the databases referenced in a Mapping file before you run the Match or
Merge processes. While indexing the databases the UUID tool scans the data in
each of the databases and loads the data into temporary files that are recorded
in the Index Directory. If any changes are made to the database files or the
Mapping file, perform the index process again before you perform the Match or
Merge process.
To index the databases
1. After setting the Working Directories, and defining the User Databases in
the UUID tool, save the definitions as a Mapping file. If a Mapping file
already exists click Load and load the mapping file into the UUID tool.
2. In the User Databases section of the UUID tool click Run Index.
The UUID Index window opens and displays a progress bar for the index
process. Depending on the size of your databases this process may take a
couple of minutes.
If an error occurs during the index process, an error message is issued as
part of the progress report displayed in the lower part of the UUID Index
window, and the cause of the error is indicated in the log file.
If you neglected to Save the mapping file prior to trying to Run Index, a
Save As window opens for you to save the file. After saving the file the
UUID Index process begins automatically.
3. (Optional) To view a log of the index process click View Log to open the
log. The log contains a line for each record that was scanned in each of the
databases included in the mapping file.
At the end of the progress display, the message Finished building Index
files is displayed when the index is successfully built.
4. Click Done when the Index process is complete.
UUID Mapping File
The UUID Mapping File is an XML file that stores the parameters that are set in
the UUID Working Directories, User Database, Match Process and Merge
Process sections of the UUID tool. Once the parameters are saved, you can use
the Mapping file to quickly populate the UUID Tool with the saved parameters
instead of manually entering the data each time that you want to run the
Match or Merge process. Alternatively, you can load a mapping file and use it
as the base for editing and saving a new mapping file under a new name.
To use a UUID Mapping File
1. Click Load in the UUID Mapping File section of the UUID tool.
An Open dialog appears in which you can navigate to the location that
contains the mapping files on your local machine. For organizational
purposes we suggest that the UUID Mapping Files be saved in the same
directory that contains the Working Directories.
2. Select an XML file and click Open.
The parameters stored in the XML file are loaded into the UUID tool.
Match Process
The Match process reads the User Database files referenced in the User
Databases section of the UUID tool and correlates the Users with the account
details in each of the systems. The results of the Match Process are stored in a
configuration file.
To run the Match Process
1. Click Load in the UUID Mapping file section and load a Mapping XML file.
The UUID Tool is populated with the parameters stored in the selected
UUID file.
2. Click Run Index in the Users Databases section.
The listed User Databases are indexed. Depending on the size of the
Databases the indexing process may take a few minutes.
3. Click Run Match in the Match Process section.
The UUID tool processes the databases and tries to correlate every account in
each User Database to one or more potential owners in the Master Database.
The correlation is based on the fields defined for matching, weighted
accordingly. The result is a Matching Configuration, where each of the users in
the Master Database appears in the configuration's User pane, and each of the
users in the other User Databases (representing accounts) appears in the
configuration's Resource pane. Res Name 1 is the account ID, taken from the
<Database Name>_ID field in the User Database. The name of the source system
appears as Res Name 2. The degree of match is represented by the score (0-100)
and appears as Res Name 3. This information is saved in the configuration file
listed in the Output Config field of the Match Process section.
You can now open the Output Configuration file in Sage DNA and view each
person in the organization and the accounts on each system to which they
have access.
Because the matches are represented as a regular Eurekify configuration, you
can also:
■ Review and add/remove/change correlations manually, using the Sage
DNA Workstation
■ Report all correlations, using the Eurekify Reporting facilities
■ Run a certification campaign to confirm the correlations, using the Eurekify
Portal
See the respective user manuals for more details.
When reviewing and correcting correlation in the Sage DNA Workstation, pay
special attention to:
■ Accounts that were not matched at all (Res Name 3 will be empty for
these)
■ Accounts that were matched but with a low probability (low score in Res
Name 3) and thus represent more of a guess than a deterministic
matching
■ Accounts that were matched to multiple people (first note accounts with
Total Number of Users greater than 1; note also that the same account may be
matched with different scores, so look out for those as well).
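As an added illustration (not the product's code), the following Python model implements the virtual bridge from the UUID-Field construction example earlier in this chapter together with the weighted scoring and Res Name 1-3 output described for the Match Process, then flags the three review cases listed above. The scoring rule (agreeing group weights as a percentage of the total), the low-score threshold, the lookup tables and all records are constructed assumptions.

```python
"""Weighted account-to-person matching over UUID-Field groups (added example).

Each database declares UUID-Fields (Name, Group, Function, Weight); every record is
reduced to one normalized value per Group, and an account is scored against a person
by the weights of the groups on which they agree. Scoring rule, thresholds and all
data below are constructed assumptions, not the product's algorithm or data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Record = Dict[str, str]


@dataclass(frozen=True)
class UUIDField:
    name: str
    group: str
    function: Callable[[Record], str]  # the Function attribute, here a Python callable
    weight: int                        # 0 = not used for correlation (e.g. the _ID field)


def digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())


# Constructed lookup tables standing in for CsvLookup-style area-code/zip maps.
AREA_TO_STATE = {"212": "NY", "617": "MA"}
ZIP_TO_STATE = {"10001": "NY", "02101": "MA"}

# Constructed data in the shape of the page's example: an HR master and a RACF extract.
HR_DB: List[Record] = [
    {"Person Name": "John Smith", "Telephone": "212-7693219", "State": "NY"},
    {"Person Name": "Jane Doe", "Telephone": "212-7693219", "State": "NY"},
    {"Person Name": "Ann Lee", "Telephone": "617-5551234", "State": "MA"},
]
RACF_DB: List[Record] = [
    {"Login": "JSMITH1", "Area Code": "212", "Phone Number": "7693219", "Zip": "10001"},
    {"Login": "ALEE", "Area Code": "", "Phone Number": "", "Zip": "02101"},
    {"Login": "SVCACCT", "Area Code": "", "Phone Number": "", "Zip": ""},
]

# Group names line up across databases while the Functions differ; two RACF fields
# share the State group so either the area code or the zip can supply the value.
HR_FIELDS = [
    UUIDField("HR_ID", "ID", lambda r: r["Person Name"], 0),
    UUIDField("HR_Phone", "Phone", lambda r: digits(r["Telephone"]), 10),
    UUIDField("HR_State", "State", lambda r: r["State"], 2),
]
RACF_FIELDS = [
    UUIDField("RACF_ID", "ID", lambda r: r["Login"], 0),
    UUIDField("RACF_Phone", "Phone", lambda r: digits(r["Area Code"] + r["Phone Number"]), 10),
    UUIDField("RACF_StateA", "State", lambda r: AREA_TO_STATE.get(r["Area Code"], ""), 2),
    UUIDField("RACF_StateZ", "State", lambda r: ZIP_TO_STATE.get(r["Zip"], ""), 2),
]


def index_database(records: List[Record], fields: List[UUIDField]) -> Dict[str, Dict[str, List[int]]]:
    """Per-group index of normalized value -> record positions (the Run Index step)."""
    index: Dict[str, Dict[str, List[int]]] = {}
    for pos, rec in enumerate(records):
        for f in fields:
            value = f.function(rec) if f.weight > 0 else ""
            if value:
                index.setdefault(f.group, {}).setdefault(value, []).append(pos)
    return index


def match_accounts(master: List[Record], master_fields: List[UUIDField],
                   user_db: List[Record], user_fields: List[UUIDField], system: str):
    """Rows shaped like the Matching Configuration: (Res Name 1 = account ID,
    Res Name 2 = source system, Res Name 3 = score 0-100 or None, person or None)."""
    master_index = index_database(master, master_fields)
    id_field = next(f for f in user_fields if f.name == f"{system}_ID")
    group_weight: Dict[str, int] = {}
    for f in user_fields:  # a group counts once even when several fields feed it
        group_weight[f.group] = max(group_weight.get(f.group, 0), f.weight)
    max_score = sum(group_weight.values())
    rows = []
    for acct in user_db:
        agreeing: Dict[int, Set[str]] = {}
        for f in user_fields:
            value = f.function(acct) if f.weight > 0 else ""
            for pos in (master_index.get(f.group, {}).get(value, []) if value else []):
                agreeing.setdefault(pos, set()).add(f.group)
        account_id = id_field.function(acct)
        if not agreeing:
            rows.append((account_id, system, None, None))
        for pos, groups in sorted(agreeing.items()):
            score = round(100 * sum(group_weight[g] for g in groups) / max_score)
            rows.append((account_id, system, score, master[pos]["Person Name"]))
    return rows


def review_queue(rows, low_score: int = 50) -> Dict[str, List[str]]:
    """Flag what the text says to inspect: unmatched, low-score and multi-person accounts."""
    people: Dict[str, Set[str]] = {}
    for account_id, _, score, person in rows:
        if person is not None:
            people.setdefault(account_id, set()).add(person)
    return {
        "unmatched": sorted({r[0] for r in rows if r[2] is None}),
        "low_score": sorted({r[0] for r in rows if r[2] is not None and r[2] < low_score}),
        "multiple": sorted(a for a, names in people.items() if len(names) > 1),
    }


if __name__ == "__main__":
    for row in match_accounts(HR_DB, HR_FIELDS, RACF_DB, RACF_FIELDS, "RACF"):
        print(row)
```

In the constructed data JSMITH1 scores 100 against two people who share a phone number, ALEE is matched only through the zip-to-state guess, and SVCACCT has nothing to bridge on, so all three review cases appear in the queue.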
Merge Process
After you run the Match Process, inspect the results, and perform needed
corrections, you now have a finalized configuration file, matching each person
in the organization with their respective accounts on the referenced systems.
You can now proceed to the final stage of creating a final configuration that
links each person in the organization with all their resources in the referenced
systems. This phase is called the Merge Process.
The Merge process reads the configuration files referenced in the User
Databases section of the UUID tool and correlates the Users with the resource
details in each of the systems that are referred to in the tool.
Note: To run the Merge Process, the UUID tool needs to have access to the
configuration files of the referenced systems (.cfg files), and not to the Users
Databases (.udb files).
To run the Merge Process
1. Click Load in the UUID Mapping file section and load a Mapping XML file.
The UUID Tool is populated with the parameters stored in the selected
UUID file.
We assume that you have previously run a Match Process and that the
configuration specified in the Output Config field of the Match Process
section exists and represents the correct matching.
2. Click Run Merge in the Merge Process section.
Eurekify UUID processes the databases and matches each person in the
organization with the resources to which they have access rights and
privileges across each system in the organization. This information is saved
in the configuration file listed in the Output Config field of the Merge
Section.
3. You can now open the Output Configuration file in Sage DNA and view each
person in the organization and the resources on each system to which they
have access.
Chapter 6: UUID Indexing Functions
This section contains the following topics:
UDB Fields Referencing (see page 139)
Lookup Functions (see page 139)
String Functions (see page 140)
Telephone Number Functions (see page 143)
Name Functions (see page 144)
Email Address Functions (see page 145)
Address Functions (see page 146)
Function Composition (see page 147)
User-Defined Functions (see page 148)
UDB Fields Referencing
UDB fields can be referenced directly, for example FirstName, or with the Field
function, such as Field('FirstName').
If the UDB field name contains a space (' ') character, it can only be
referenced with the Field function, for example Field('User Name').
Field Referencing
<Direct>
  Parameters: Param1 - field name
  Example: FirstName
  Result: 'John'
Field(fieldname)
  Parameters: fieldname - name of a field from the UDB
  Example: Field('First Name')
  Result: 'John'
Lookup Functions
Translating using a CSV file
CsvLookup(csvFilename, value)
  Parameters: csvFilename - the CSV file containing the translation map
              value - the value to look up
  Example: CsvLookup('areas.csv', City)
String Functions
String Concatenation
+ operator
  Parameters: str1 - string
              str2 - string
  Example: FirstName + LastName
  Result: 'John Smith'
String Concatenation
Concat(str1, str2, separator)
  Parameters: str1 - string
              str2 - string
              separator - string
  Example: Concat('Hello','world',', ')
  Result: 'Hello, world'
Sub String
Substr(str,from,to)
  Parameters: str - the string
              from - starting offset of requested substring
              to - ending offset of requested substring
  Example: Substr('John Smith',5,6)
  Result: 'Sm'
String Trimming
Trim(str)
  Parameters: str - string with leading/trailing spaces
  Example: Trim(' sentence between many spaces ')
  Result: 'sentence between many spaces'
String Last Characters
LastChars(str,len)
  Parameters: str - string
              len - integer value specifying the required length of the tail
  Example: LastChars('where is the end',7)
  Result: 'the end'
String Length
Strlen(str)
  Parameters: str - string
  Example: Strlen('hello world')
  Result: 11
String Searching
StrFind(str,substr)
  Parameters: str - string
              substr - the string whose offset is required
  Example: StrFind('My favorite color is red','color')
  Result: 12
Convert from Integer to String
StrOf(int)
  Parameters: int - integer value
  Example: StrOf(5)
  Result: '5'
Finding Digits in a String
DigitsOf(str)
  Parameters: str - string
  Example: DigitsOf('john12smith34')
  Result: '1234'
Replacing Strings
StrReplace(strSource,substr,replacing)
  Parameters: strSource - source string
              substr - the substring to be replaced
              replacing - the new substring
  Example: StrReplace('firstname1lastname1','1','2')
  Result: 'firstname2lastname2'
Finding Alphabetic Characters
AlphaOf(str)
  Parameters: str - string
  Example: AlphaOf('a1!@b2#$A1%^B2')
  Result: 'abAB'
Finding Alpha-Numeric Characters
AlphaAndDigitsOf(str)
  Parameters: str - string
  Example: AlphaAndDigitsOf('a1!@b2#$A1%^B2')
  Result: 'a1b2A1B2'
Lower Case Conversion
ToLower(str)
  Parameters: str - string
  Example: ToLower('RRYMON')
  Result: 'rrymon'
Upper Case Conversion
ToUpper(str)
  Parameters: str - string
  Example: ToUpper('rrymon')
  Result: 'RRYMON'
Two-way Case Conversion
SwapCases(str)
  Parameters: str - string
  Example: SwapCases('RRymon')
  Result: 'rrYMON'
Removing Vowels from a String
RemoveVowels(str)
  Parameters: str - string
  Example: RemoveVowels('johnSMITH')
  Result: 'jhnSMTH'
Left-to-Right Reversing
Reverse(str)
  Parameters: str - string
  Example: Reverse('john SMITH')
  Result: 'HTIMS nhoj'
Telephone Number Functions
Finding Country Code
TelCountryCode(phone)
  Parameters: phone - full phone number
  Example: TelCountryCode('+972-8-7654321')
  Result: '972'
Finding Area Code
TelAreaCode(phone)
  Parameters: phone - full phone number
  Example: TelAreaCode('+972-8-7654321')
  Result: '8'
Finding Last 7 Digits of a Phone Number
Tel7Digits(phone)
  Parameters: phone - full phone number
  Example: Tel7Digits('+972-9-7467346')
  Result: '7467346'
Name Functions
Getting First Name
FirstName(name)
  Parameters: name - full name
  Example: FirstName('Ron Rymon')
  Result: 'Ron'
Getting Last Name
LastName(name)
  Parameters: name - full name
  Example: LastName('Ron Rymon')
  Result: 'Rymon'
Getting Middle Name
MiddleName(name)
  Parameters: name - full name
  Example: MiddleName('Ron Rymon')
  Result: '' (empty string)
  Example: MiddleName('John Ferdinand Smith')
  Result: 'Ferdinand'
Getting Middle Initial
MiddleInitial(name)
  Parameters: name - full name
  Example: MiddleInitial('John Ferdinand Smith')
  Result: 'F'
Getting Name Suffix
NameSuffix(name)
  Parameters: name - full name, including suffix
  Example: NameSuffix('John Smith, Jr.')
  Result: 'Jr.'
Email Address Functions
Getting User ID from Email Address
EmailUserID(emailAddress)
  Parameters: emailAddress - full email address
  Example: EmailUserID('rrymon@eurekify.com')
  Result: 'rrymon'
Getting Email Domain From Email Address
EmailDomain(emailAddress)
  Parameters: emailAddress - full email address
  Example: EmailDomain('rrymon@eurekify.com')
  Result: 'eurekify.com'
Formatting Email Address
EmailConvention(format, first, last, domain)
  Creates a convention-formatted email address string.
  Parameters: format - one of: Flast, Lastf, First.last, Last.first, Last, First
              first - first name
              last - last name
              domain - the email domain
  Examples: EmailConvention('flast','John','Smith','eurekify.com')
            EmailConvention('lastf','John','Smith','eurekify.com')
            EmailConvention('first.last','John','Smith','eurekify.com')
            EmailConvention('first_last','John','Smith','eurekify.com')
            EmailConvention('last','John','Smith','eurekify.com')
            EmailConvention('first','John','Smith','eurekify.com')
Address Functions
Getting Country Name from Address
AddressCountry(fullAddress)
  Parameters: fullAddress - string of full address
  Example: AddressCountry('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
Getting City From Address
AddressCity(fullAddress)
  Parameters: fullAddress - string of full address
  Example: AddressCity('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
Getting Street Name from Address
AddressStreet(fullAddress)
  Parameters: fullAddress - string of full address
  Example: AddressStreet('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
Getting State from Address
AddressState(fullAddress)
  Parameters: fullAddress - string of full address
  Example: AddressState('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
Getting Zip Code from Address
AddressZipCode(fullAddress)
  Parameters: fullAddress - string of full address
  Example: AddressZipCode('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
  Result: '46345'
Getting All Digits from an Address
AddressDigits(fullAddress)
  Parameters: fullAddress - string of full address
  Example: AddressDigits('Eurekify Ltd. Hasadna 82, Floor 1, Raanana, ISRAEL 46345')
  Result: '82 1 46345'
Function Composition
It is possible to compose functions, for example: ToLower(AlphaOf('A1B2C3')) => 'abc'
User-Defined Functions
It is possible for users to use their own defined and implemented functions.
The declaration of such functions is done in an XML file named
"userJarsDef.xml". The format of the file is:
<jars>
    <indexFunction
        jarFilename="c:\dev\uuid\userJar.jar"
        implClass="EvalSubstring"
        function="UserPrivateSubstring" />
</jars>
The function implementation is expected to be found in the specified JAR file.
The specified class should extend the class:
com.eurekify.matcher.indexer.evalfunctions.EvalFunc
The default constructor of the class should define the number of parameters
this function accepts:
numberOfParameters = 1;
The class should implement the method:
public void run(Stack<Object> stack) throws EurekifyEvaluationException
First the stack needs to be checked with the function
checkTheStack(stack);
The parameters passed to the function are retrieved from the stack using:
String strParam = getStringParam(stack);
Or:
int intParam = getIntParam(stack);
The result of the function should be pushed back to the stack using
stack.push(result);
Example implementation class:
import java.util.Stack;
import com.eurekify.matcher.indexer.evalfunctions.*;

public class EvalSubstring extends EvalFunc {
    public EvalSubstring() {
        numberOfParameters = 3;
    }

    public void run(Stack<Object> inStack) throws EurekifyEvaluationException {
        // check the stack
        checkTheStack(inStack);
        // get the parameters from the stack (last pushed is popped first)
        int to = getIntParam(inStack);
        int from = getIntParam(inStack);
        String str = getStringParam(inStack);
        String result = str.substring(from, to);
        // push the result on the stack
        inStack.push(result);
    }
}
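An added Python example (not the product's or Eurekify's code) that parses and evaluates Function expressions built from the Chapter 6 functions, including composition such as ToLower(AlphaOf('A1B2C3')), using the same stack protocol the EvalFunc class above follows: parameters are pushed left to right, popped in reverse, and the result is pushed back. Only a subset of the built-ins is implemented, and their semantics (for instance inclusive Substr offsets and hyphen-separated phone numbers) are inferred from the page's examples and are assumptions.

```python
"""Evaluator for UUID-Field Function expressions (added example, not the product's code).

Built-ins follow the stack protocol of the page's EvalFunc (parameters pushed left to
right, popped in reverse, result pushed back); their semantics are inferred from the
page's examples (e.g. Substr offsets are inclusive) and are assumptions.
"""
import re
from typing import Any, Callable, Dict, List, Tuple

_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\d+)|([A-Za-z_][A-Za-z0-9_]*)|([(),]))")


def tokenize(expr: str) -> List[Tuple[str, Any]]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("int", int(m.group(2))))
        else:
            tokens.append(("id", m.group(3)) if m.group(3) else ("punct", m.group(4)))
    return tokens


def parse(tokens: List[Tuple[str, Any]], i: int = 0):
    """Recursive descent; returns (node, next index). Nodes: ('lit', v), ('field', name), ('call', fname, args)."""
    kind, val = tokens[i]
    if kind in ("str", "int"):
        return ("lit", val), i + 1
    if kind != "id":
        raise ValueError(f"unexpected token {val!r}")
    if i + 1 < len(tokens) and tokens[i + 1] == ("punct", "("):
        args, i = [], i + 2
        while tokens[i] != ("punct", ")"):
            node, i = parse(tokens, i)
            args.append(node)
            if tokens[i] == ("punct", ","):
                i += 1
            elif tokens[i] != ("punct", ")"):
                raise ValueError("expected ',' or ')'")
        if val == "Field":  # Field('First Name') is a field reference, not a call
            return ("field", args[0][1]), i + 1
        return ("call", val, args), i + 1
    return ("field", val), i + 1  # bare identifier = direct field reference


class EvalFunc:
    """Mirrors the page's EvalFunc contract: fixed arity, check the stack, pop, push result."""
    def __init__(self, number_of_parameters: int, impl: Callable[..., Any]):
        self.number_of_parameters, self.impl = number_of_parameters, impl

    def run(self, stack: List[Any]) -> None:
        if len(stack) < self.number_of_parameters:  # checkTheStack(stack)
            raise ValueError("too few parameters on the stack")
        params = [stack.pop() for _ in range(self.number_of_parameters)][::-1]
        stack.append(self.impl(*params))


def _tel_area_code(phone: str) -> str:
    groups = re.findall(r"\d+", phone)       # '+972-8-7654321' -> ['972', '8', '7654321']
    idx = 1 if phone.startswith("+") else 0  # skip the country code when one is present
    return groups[idx] if len(groups) > idx + 1 else ""


FUNCTIONS: Dict[str, EvalFunc] = {
    "Concat": EvalFunc(3, lambda a, b, sep: a + sep + b),
    "Substr": EvalFunc(3, lambda s, frm, to: s[frm:to + 1]),  # inclusive offsets
    "LastChars": EvalFunc(2, lambda s, n: s[-n:] if n > 0 else ""),
    "DigitsOf": EvalFunc(1, lambda s: re.sub(r"[^0-9]", "", s)),
    "AlphaOf": EvalFunc(1, lambda s: re.sub(r"[^A-Za-z]", "", s)),
    "ToLower": EvalFunc(1, str.lower),
    "TelAreaCode": EvalFunc(1, _tel_area_code),
    "Tel7Digits": EvalFunc(1, lambda p: re.sub(r"[^0-9]", "", p)[-7:]),
    "EmailUserID": EvalFunc(1, lambda e: e.split("@", 1)[0]),
}


def evaluate(node, record: Dict[str, str], stack=None) -> Any:
    """Evaluate a parsed node against one UDB record and return its value."""
    stack = [] if stack is None else stack
    if node[0] == "lit":
        stack.append(node[1])
    elif node[0] == "field":
        stack.append(record[node[1]])
    else:
        _, name, args = node
        if name not in FUNCTIONS:
            raise ValueError(f"unknown function {name!r}")
        for arg in args:  # push parameters left to right ...
            evaluate(arg, record, stack)
        FUNCTIONS[name].run(stack)  # ... then the function pops them and pushes its result
    return stack[-1]


def run_function(expr: str, record: Dict[str, str]) -> Any:
    """Evaluate one Function attribute string for a single record."""
    tokens = tokenize(expr)
    node, end = parse(tokens)
    if end != len(tokens):
        raise ValueError("trailing input after expression")
    return evaluate(node, record)
```

With a record shaped like the page's Database 2, run_function("Concat(Field('Area Code'), Field('Phone Number'), '-')", row) yields the same '09-7693219' form that Database 1 stores directly, which is exactly what makes the Phone group a usable bridge.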
Chapter 7: CA Role & Compliance
Manager Web Services Interface
The primary purpose of the web services interface is to make CA Role &
Compliance Manager data and services available to third-party applications.
The services provide an assortment of functions and allow interaction with
CA Role & Compliance Manager data stored on a database.
The CA Role & Compliance Manager Web Services Interface is intended to be
used by software engineers to extract, modify or manipulate data housed in
CA Role & Compliance Manager databases and to integrate such data into Web
clients.
This section contains the following topics:
Policy Functions (see page 151)
SageLinkBPRService (see page 152)
SageBasicService (see page 153)
SageDataService (see page 155)
SageDiffService (see page 157)
SageEntitiesCommonService (see page 157)
SageEntitiesDiffService (see page 158)
SageEntitiesDataService (see page 159)
Example Usage of Sage Web Services (see page 161)
Policy Functions
Function Description
bpr_new_bpr_file Adds a new business policy file
bpr_new_rule Adds a new business policy rule
bpr_new_rule_entity Adds a new business policy rule entity
SageLinkBPRService
SageLinkBPRService provides a mechanism for checking requested links
between two CA Role & Compliance Manager entities against CA Role &
Compliance Manager Business Process Roles. For each link type the service
reports a prediction of the BPR violations that the link would cause.
The functions exposed by the LinkBPRService have a common Parameter:
Parameter Description
getAllAlerts Defines the extent to which the check finds and retrieves BPR alert violations.
  Type: Boolean
  True: The check finds and retrieves all possible alert violations.
  False: The check stops after retrieving the first alert violation that it finds.
The SageLinkBPRService exposes the functions listed in the topics that follow.
Add Link Checks
Function Description
add_user_role_check_bpr Check for BPR violations for a user-role link
add_user_resource_check_bpr Check for BPR violations for a user-resource link.
add_role_role_check_bpr Check for BPR violations for a role-role link.
add_role_resource_check_bpr Check for BPR violations for a role-resource link
Remove Link Checks
Function Description
remove_user_role_check_bpr Check for BPR violations for a user-role link.
remove_user_resource_check_bpr Check for BPR violations for a user-resource link.
remove_role_role_check_bpr Check for BPR violations for a role-role link.
remove_role_resource_check_bpr Check for BPR violations for a role-resource link.
SageBasicService
SageBasicService.asmx provides write access to identity/role management
data stored on a database for Sage usage.
All functions of this service return an integer value where:
■ 0 signifies success
■ 1 signifies failure.
The following topics list the functions that the Sage Basic Service exposes.
Documents Functions
Function Description
new_udb Creates a new CA Role & Compliance Manager Users Database (UDB).
new_rdb Creates a new CA Role & Compliance Manager Resources Database (RDB).
new_cfg Creates a new CA Role & Compliance Manager configuration.
Entities Database Functions
Function Description
udb_new_user Adds a new user to an existing UDB.
udb_new_user_field Adds a user field value to an existing user.
rdb_new_resource Adds a new resource to an existing RDB.
rdb_new_resource_field Adds a new resource field value to an existing resource.
new_field_name Adds a new field to an existing entities DB (UDB/RDB).
Configuration Functions
Function Description
cfg_new_configuration_user Adds a user from a UDB to an existing configuration.
cfg_new_configuration_role Adds a new role to an existing configuration.
cfg_new_configuration_resource Adds a new resource from an RDB to an existing configuration.
cfg_remove_configuration_user Removes a user from a configuration without removing the user from the UDB.
cfg_remove_configuration_role Removes a role from a configuration.
cfg_remove_configuration_resource Removes a resource from a configuration without removing the resource from the RDB.
cfg_new_user_role_link Adds a user-role link.
cfg_new_user_resource_link Adds a user-resource link.
cfg_new_role_role_link Adds a role-role link (role hierarchy).
cfg_new_resource_role_link Adds a resource-role link.
cfg_remove_user_resource_link Removes a user-resource link.
cfg_remove_user_role_link Removes a user-role link.
cfg_remove_resource_role_link Removes a resource-role link.
cfg_remove_role_role_link Removes a role-role link (role hierarchy).
cfg_change_user_field Changes a user field (non-mandatory fields should be named "FieldValue#").
cfg_change_resource_field Changes a resource field.
cfg_change_role_field Changes a role field (non-mandatory fields should be named "FieldValue#").
Sage Policy Functions
Function Description
bpr_new_bpr_file Adds a new business policy file.
bpr_new_rule Adds a new business policy rule.
bpr_new_rule_entity Adds a new business policy rule entity.
SageDataService
SageDataService.asmx provides read access to fundamental Sage data from a
database. The links retrieved by this service are direct links.
The Sage Data Service exposes the functions listed in the following sections.
Sage Documents Functions
Function Description
data_source_get_configurations Gets all Sage configurations stored on a database.
data_source_get_auditcards Gets all Sage auditcards stored on a database.
data_source_get_bprs Gets all Sage BPR files stored on a database.
Sage Databases Functions
Function Description
udb_get_users Gets all users from a UDB.
rdb_get_resources Gets all resources from an RDB.
database_get_fields Gets all field names of a Sage entities DB (UDB/RDB).
Sage Configuration Functions
Function Description
cfg_get_databases Gets the Sage configuration UDB and RDB.
cfg_get_properties Gets the configuration properties.
cfg_get_roles Gets all the configuration roles.
cfg_get_configuration_users Gets the configuration users.
cfg_get_configuration_resources Gets the configuration resources.
cfg_get_user_role_links Gets all the configuration user-role links.
cfg_get_user_resource_links Gets all the configuration user-resource links.
cfg_get_role_role_links Gets all the configuration role-role links (role hierarchy).
cfg_get_role_resource_links Gets all the configuration role-resource links.
Other Sage Retrieval Functions
Function Description
auditcard_get_alerts Gets all the auditcard alerts.
bpr_get_rules Gets all the BPR file rules.
Remove Link Checks
Function Description
remove_user_role_check_bpr Check for BPR violations for a user-role link.
remove_user_resource_check_bpr Check for BPR violations for a user-resource link.
remove_role_role_check_bpr Check for BPR violations for a role-role link.
remove_role_resource_check_bpr Check for BPR violations for a role-resource link.
SageDiffService
SageDiffService.asmx provides fundamental reports on differences between
two Sage configurations. The following sections list the functions that the Sage
Diff Service exposes.
Sage Entities Differences
Function Description
users_get_added Gets the users that appear in the updated configuration but do not appear in the original configuration.
roles_get_added Gets the roles that appear in the updated configuration but do not appear in the original configuration.
resources_get_added Gets the resources that appear in the updated configuration but do not appear in the original configuration.
users_get_removed Gets the users that do not appear in the updated configuration but do appear in the original configuration.
roles_get_removed Gets the roles that do not appear in the updated configuration but do appear in the original configuration.
resources_get_removed Gets the resources that do not appear in the updated configuration but do appear in the original configuration.
All Entities and Links Differences
Function Description
getAllDiff Gets all of the above differences in one function.
SageEntitiesCommonService
SageEntitiesCommonService.asmx provides fundamental reports on
commonalities between two Sage entities of the same type inside a
configuration. This service deals with direct links. The following sections list the
functions that the Sage Entities Common Service exposes.
Sage User Commonalities
Function Description
users_get_common_roles Gets all roles common to both users.
Function Description
users_get_common_resources Gets all resources common to both users.
Sage Roles Commonalities
Function Description
roles_get_common_users Gets all users common to both roles.
roles_get_common_resources Gets all resources common to both roles.
Sage Resources Commonalities
Function Description
resources_get_common_users Gets all users common to both resources.
resources_get_common_roles Gets all roles common to both resources.
SageEntitiesDiffService
SageEntitiesDiffService.asmx provides reports on differences in a single entity
between two Sage configurations. The following sections list the functions that
the SageEntitiesDiffService exposes.
Sage Users Differences
Function Description
user_get_added_roles Gets roles linked to the first user and not the second.
user_get_added_resources Gets resources linked to the first user and not the second.
user_get_removed_roles Gets roles linked to the second user and not the first.
user_get_removed_resources Gets resources linked to the second user and not the first.
Sage Roles Differences
Function Description
role_get_added_users Gets users linked to the first role and not the second.
role_get_added_resources Gets resources linked to the first role and not the second.
role_get_removed_users Gets users linked to the second role and not the first.
role_get_removed_resources Gets the resources linked to the second role and not the first.
Sage Resources Differences
Function Description
resource_get_added_users Gets users linked to the first resource and not the second.
resource_get_added_roles Gets roles linked to the first resource and not the second.
resource_get_removed_users Gets the users linked to the second resource and not the first.
resource_get_removed_roles Gets the roles linked to the second resource and not the first.
SageEntitiesDataService
SageEntitiesDataService.asmx provides more extensive and detailed reports on
the links of Sage entities. The following sections list the functions that the
SageEntitiesDataService exposes.
Sage User Links
Function Description
user_get_direct_roles Gets the roles directly linked to the user.
user_get_dual_roles Gets the roles dually linked to the user.
user_get_indirect_roles Gets the roles indirectly linked to the user.
user_get_direct_resources Gets the resources directly linked to the user.
Function Description
user_get_dual_resources Gets the resources dually linked to the user.
user_get_indirect_resources Gets the resources indirectly linked to the user.
Sage Role Links
Function Description
role_get_direct_users Gets the users directly linked to the role.
role_get_dual_users Gets the users dually linked to the role.
role_get_indirect_users Gets the users indirectly linked to the role.
role_get_parent_roles Gets the role's parent roles.
role_get_child_roles Gets the role's child roles.
role_get_direct_resources Gets the role's directly linked resources.
role_get_dual_resources Gets the role's dually linked resources.
role_get_indirect_resources Gets the role's indirectly linked resources.
Sage Resource Links
Function Description
resource_get_direct_users Gets the users directly linked to the resource.
resource_get_dual_users Gets the users dually linked to the resource.
resource_get_indirect_users Gets the users indirectly linked to the resource.
resource_get_direct_roles Gets the roles directly linked to the resource.
resource_get_dual_roles Gets the roles dually linked to the resource.
resource_get_indirect_roles Gets the roles indirectly linked to the resource.
Example Usage of Sage Web Services
This section provides a number of examples of how you can use the Sage Web
Services interface.
Open a Sage Configuration (SageDataService)
Open a Sage configuration in accordance with the Sage structure.
In preparation, retrieve all the configurations stored on the database
(SageDataService.data_source_get_configurations).
To open a Sage configuration
1. After securing the configuration name, retrieve both the UDB and RDB used
by the configuration (SageDataService.cfg_get_databases). Optionally,
also get the configuration properties
(SageDataService.cfg_get_properties).
2. Using the UDB name get the users and their fields
(SageDataService.udb_get_users and
SageDataService.database_get_fields to get the field names).
3. Do the same for the RDB (SageDataService.rdb_get_resources and
SageDataService.database_get_fields to get the field names).
4. Now that you have both the UDB and RDB you can open the configuration
itself. First, obtain all the configuration roles
(SageDataService.cfg_get_roles). After the roles are present get all the
configuration users and resources.
■ SageDataService.cfg_get_configuration_users.
■ SageDataService.cfg_get_configuration_resources.
5. Once all the configuration entities are present, retrieve the configuration
links, i.e. the user-role, user-resource, role-role and role-resource links
(SageDataService.cfg_get_user_role_links,
SageDataService.cfg_get_user_resource_links, SageDataService.cfg_get_role_role_links and
SageDataService.cfg_get_role_resource_links).
Save a Sage Configuration to the Database (SageBasicService)
Save some identity/role management data as a Sage configuration in the
database.
If you do not wish to use existing Sage user and resource databases (UDB and
RDB), create a new UDB and RDB (SageBasicService.new_udb and
SageBasicService.new_rdb). After creating the Sage DBs, populate them with
users and resources (SageBasicService.udb_new_user and
SageBasicService.rdb_new_resource). Sage users and resources may also
have fields (SageBasicService.udb_new_user_field and
SageBasicService.rdb_new_resource_field) and these fields may be named
(SageBasicService.new_field_name).
To save a Sage configuration to the database
1. Create a new Sage configuration and relate it to a UDB and an RDB
(SageBasicService.new_cfg).
2. Populate the configuration with roles
(SageBasicService.cfg_new_configuration_role).
3. Next, relate the relevant users and resources from the UDB/RDB to the
configuration:
■ SageBasicService.cfg_new_configuration_user.
■ SageBasicService.cfg_new_configuration_resource.
4. Update the configuration links: user-role, user-resource, role-role and
role-resource (SageBasicService.cfg_new_user_role_link,
SageBasicService.cfg_new_user_resource_link,
SageBasicService.cfg_new_role_role_link,
SageBasicService.cfg_new_role_resource_link).
Compare Two Sage Configurations (SageDiffService)
Get reports at varying granularity on the differences between two Sage
configurations.
A complete and comprehensive report on all differences between two Sage
configurations can be obtained. This report details the addition and removal of
Sage entities (users, resources and roles) and of links (user-role,
user-resource, role-role and role-resource). The function providing this report
is SageDiffService.diff_get_all.
Otherwise, any combination of add/remove with user/resource/role as well as
user-role/user-resource/role-role/role-resource can be received. These
combinations allow for a specific report on a single aspect of the differences
between the two configurations.
View Entity Changes between Configurations (SageEntitiesDiffService)
This service allows you to view the changes made to a specific entity between
two configurations. For each entity (user, resource, role), get the added or
removed direct links with any other type of entity. For example, for a specific
user, get the role links that were added between the configurations; or, for a
specific resource, get the user links that were removed between the
configurations.
The hidden assumption in this usage is that one configuration is a base
configuration and the other is an updated version of the base configuration.
Get Entity Commonalities (SageEntitiesCommonService)
For two specific entities of the same type (user, resource, role), get the links
to any other type of entity that are common to both. For example, for two
users in a configuration, get all resources that the users have in common, that
is, resources directly linked to both users. For two roles, get all users that
are directly linked to both roles.
View Link Information for Entities (SageEntitiesDataService)
For a specific Sage entity (user, role, resource), get any type of link (direct,
dual, indirect) with any of the other types of entities in the configuration.
For example, for a specific user, get all indirectly linked resources. Similarly, for
a specific role, get all dually linked resources (resources that are both
directly linked to the role and linked to some child role of the role).
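Added example (not code from the CA documentation or the product): a small in-memory Python model of a configuration that resolves direct, dual and indirect links the way the SageEntitiesDataService function names and the dual-link definition above describe them. It assumes a role-role link is stored as (parent role, child role) and that a parent role inherits the links of its child roles; the class, function, user, role and resource names are constructed. The last function shows the point a reviewer should care about: removing the direct link to a dually linked resource revokes nothing, because the indirect path through the child role remains.

```python
from dataclasses import dataclass, field

@dataclass
class SageConfig:
    user_roles: set = field(default_factory=set)      # (user, role) links
    user_resources: set = field(default_factory=set)  # (user, resource) links
    role_roles: set = field(default_factory=set)      # (parent_role, child_role), assumed order
    role_resources: set = field(default_factory=set)  # (role, resource) links

    def child_roles(self, role):
        """All roles below `role` in the hierarchy (transitive, cycle-safe)."""
        seen, stack = set(), [role]
        while stack:
            current = stack.pop()
            for parent, child in self.role_roles:
                if parent == current and child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def _direct_resources(self, role):
        return {res for r, res in self.role_resources if r == role}

    def role_links(self, role):
        """(direct, dual, indirect) resources; direct includes dual, indirect via children only."""
        direct = self._direct_resources(role)
        inherited = set().union(*(self._direct_resources(c) for c in self.child_roles(role)))
        return direct, direct & inherited, inherited - direct

    def user_resource_links(self, user):
        """(direct, dual, indirect) resources of a user, resolving roles and their descendants."""
        direct = {res for u, res in self.user_resources if u == user}
        roles = {r for u, r in self.user_roles if u == user}
        roles |= set().union(*(self.child_roles(r) for r in roles))
        via_roles = set().union(*(self._direct_resources(r) for r in roles))
        return direct, direct & via_roles, via_roles - direct

def reachable_after_removal(cfg, role, resource):
    """True if `role` still reaches `resource` via a child role after its direct link is dropped."""
    trimmed = SageConfig(cfg.user_roles, cfg.user_resources, cfg.role_roles,
                         cfg.role_resources - {(role, resource)})
    direct, _dual, indirect = trimmed.role_links(role)
    return resource in (direct | indirect)

# Constructed sample configuration (not taken from the CA documentation).
CFG = SageConfig(
    user_roles={("alice", "Payroll-Admin")}, user_resources={("alice", "HR-DB")},
    role_roles={("Payroll-Admin", "Payroll-Clerk")},
    role_resources={("Payroll-Admin", "HR-DB"), ("Payroll-Admin", "Payroll-App"),
                    ("Payroll-Clerk", "Payroll-App"), ("Payroll-Clerk", "Timesheets")})
```

With the sample data, Payroll-App is dual for Payroll-Admin, so dropping only the direct link leaves the role (and alice) with access through Payroll-Clerk; a removal that relies on cfg_remove_role_resource_link alone should be checked against the indirect set as well.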