4 Replies Latest reply: Oct 12, 2011 6:19 AM by 894039

    Q: OIA 11g Import User and corresponding Group memberships

    889080
      Hi *,

      Having made some basic experiences with OIA 11g, one thing remains unclear to me. I would like to analyze given users' privileges situation of e.g. ActiveDirectory. That means I would like to import users and their corresponding ActiveDirectory global group membership information. Prior to this I have already imported an entire set of users.

      If I got it right, an "account" is just the information about the user account in a given resource. Right?

      How are group memberships in a resource considered? (E.g. a global group membership in a specific AD resource) Is that referred to as an entitlement?
      How do I import that kind of information? Is that considered an "accounts import"?

      Is there also an approach of importing user & role information? Can I import through CSV files something like:
      user1, role1, role2, role3
      user2, role2, role4
      user3, role1, role3

      Any help is greatly appreciated!
      Cheers
      Nicolas
        • 1. Re: Q: OIA 11g Import User and corresponding Group memberships
          Daniel Redfern
          Hi *,
          Firstly, I found your 'Hi all' clever and somewhat hilarious.
          If I got it right, an "account" is just the information about the user account in a given resource. Right?
          Yeah, near enough. When you import an account into OIA, you're bringing the account ID along with its associated information and access rights from a given resource.

          How are group memberships in a resource considered? (E.g. a global group membership in a specific AD resource) Is that referred to as an entitlement?
          Group Membership is associated as an attribute to an account (not an entitlement). In OIA terms, entitlements are granulated access rights that are associated to an attribute.

          (Rubbish diagram below)

          Account1 -> Attribute1 -> Entitlement1
                                 -> Entitlement2
                   -> Attribute2 -> Entitlement1
                                 -> Entitlement2
                                 -> Entitlement3

          Currently, you cannot import user/role associations via CSV because of the approval workflow they have to pass through. You can assign user/role by creating rule correlations.

          Regards,
          Daniel
          • 2. Re: Q: OIA 11g Import User and corresponding Group memberships
            889080
            Hi Daniel,

            Thanks for the reply. It becomes clearer. According to the previous post, I set up the following things:

            Resource Type: ActiveDirectory ; ShortName: MAD
            Resource Type Category: User-Object-Attributes
            Attributes of previous Category: user-memberOf and user-samAccountName (both of them are Managed, Importable, Multi Value, Auditable and Minable)

            Resource: AD production

            The system contains users, policies and roles and a business structure.

            As for the import of accounts I have the following rbx account definition:
            # @iam:namespace name="ActiveDirectory" shortName="MAD"
            name<CorrelationKey>,endpoint,domain,user-memberOf

            As example input I created a mad_accounts.csv:
            "myUserID","AD production","ActiveDirectory","example-ad-Groupname"

            The import failed though...
            Two things remain unclear:
            (1) What is the meaning of "domain" in an account rbx file?
            (2) How can I import multiple group memberships for one user? Is each group membership one line, or can I set the last column as "group1, group2, group3" or something alike?

            Thanks a lot in advance for your support.
            Regards
            Nicolas
            • 3. Re: Q: OIA 11g Import User and corresponding Group memberships
              Daniel Redfern
              (1) What is the meaning of "domain" in an account rbx file?
              AD is a good example for explaining 'Domain'.

              Domain is a mandatory attribute. You can have multiple domains in an organisation, each of which can contain multiple endpoints.

              Imagine you're importing 5 endpoints...

              Domain 'APAC.Google.com' has endpoints ADServer1, ADServer2 & ADServer3

              Domain 'AMEX.Google.com' has endpoints ADServer1 & ADServer2

              Even though the technology is the same ('Active Directory'), 2 endpoints are named the same, though they are on different domains. Using 'domain' allows you to segregate endpoints, which might have the same name, from different domains.
              (2) How can I import multiple group memberships for one user? Is each group membership one line, or can I set the last column as "group1, group2, group3" or something alike?
              Yeah, you've answered your own question. Each attribute is encapsulated by double quotes, though multiple values are separated by commas.

              (You can ignore the double quotes and OIA will be able to determine each comma as a separate attribute, though it's best practice to use double quotes and commas at the same time.)

              Regards,
              Daniel
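The account-import conventions from the two replies above (a multi-valued user-memberOf held as one double-quoted, comma-separated field, and domain plus endpoint together identifying where an account lives), as an added Python example that is not from this thread or from Oracle. The column order is the rbx definition Nicolas posted; treating the `@iam:namespace` header as a `#` comment line, the csv-module quoting, and the sample rows are my assumptions.

```python
import csv
import io

# Header and column order are taken from the rbx definition posted in
# reply 2; reading the header as a '#' comment line is an assumption.
RBX_HEADER = '# @iam:namespace name="ActiveDirectory" shortName="MAD"'
COLUMNS = ["name", "endpoint", "domain", "user-memberOf"]


def format_account_row(name, endpoint, domain, groups):
    """Render one account line: every field double-quoted, and the
    multi-valued user-memberOf field carrying its groups comma-separated
    inside a single quoted field (the convention described in reply 3)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([name, endpoint, domain, ",".join(groups)])
    return buf.getvalue().rstrip("\n")


def parse_account_line(line):
    """Inverse of format_account_row: split the quoted fields, then split
    the memberOf field on commas into a list of group names."""
    fields = next(csv.reader([line]))
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line!r}")
    record = dict(zip(COLUMNS, fields))
    record["user-memberOf"] = [
        g.strip() for g in record["user-memberOf"].split(",") if g.strip()
    ]
    return record


def account_key(record):
    """Domain is mandatory because endpoint names repeat across domains
    (reply 3's two ADServer1 hosts); the tuple keeps them apart."""
    return (record["domain"], record["endpoint"], record["name"])


def build_accounts_file(rows):
    """rows: iterable of (name, endpoint, domain, groups) tuples."""
    lines = [RBX_HEADER] + [format_account_row(*r) for r in rows]
    return "\n".join(lines) + "\n"


def parse_accounts_file(text):
    """Return {account_key: record}; '#' lines are treated as comments.
    A duplicate key is reported rather than silently overwritten."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        record = parse_account_line(line)
        key = account_key(record)
        if key in accounts:
            raise ValueError(f"duplicate account {key}")
        accounts[key] = record
    return accounts


# Constructed sample: Nicolas's own row, then the same endpoint name in two
# domains, which is exactly the case reply 3 says 'domain' exists to separate.
SAMPLE_ROWS = [
    ("myUserID", "AD production", "ActiveDirectory", ["example-ad-Groupname"]),
    ("jdoe", "ADServer1", "APAC.Google.com", ["Domain Users", "VPN-Users"]),
    ("jdoe", "ADServer1", "AMEX.Google.com", ["Domain Users"]),
]

if __name__ == "__main__":
    text = build_accounts_file(SAMPLE_ROWS)
    print(text)
    for key, rec in parse_accounts_file(text).items():
        print(key, "->", rec["user-memberOf"])
```

Quoting every field is the safe choice here: a group name containing a comma or a space then cannot be confused with a field boundary, and the reader splits the memberOf value on commas only after the CSV layer has isolated the field.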
              • 4. Re: Q: OIA 11g Import User and corresponding Group memberships
                894039
                Regarding the importing of user-role information, I am not aware of any methods to import data in:
                user1,role1,role2,role3
                user2,role2,role4,role5 format.

                But, you can import the associations in the converse format, i.e.:
                Role1,user1,user3,user6
                Role2,user1,user2,user5
                Role3,user4,user5,user6

                You can use the schema field "globalusers" and specify the userids of the users as a comma-separated field.

                Hope it helps!

                Regards,
                Jeffie
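The conversion the reply above describes, from the user-first layout of the original question to the role-first layout OIA accepts, as an added Python example that is not from this thread or from Oracle. Only the field name "globalusers" comes from the thread; the `name,globalusers` header line, the quoting of the user list as one comma-separated field (following reply 3's multi-value convention) and the sample input are my assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed input in the user-first layout from the original question.
USER_ROLE_LINES = """user1,role1,role2,role3
user2,role2,role4
user3,role1,role3
"""

# Hypothetical role-import header: "globalusers" is the field named in the
# reply, the "name" column and the header layout are assumptions.
ROLE_HEADER = "name,globalusers"


def parse_user_roles(text):
    """user-first CSV -> {user: [roles]}; blank and '#' lines are skipped,
    and a user appearing on two lines has the role lists merged."""
    user_roles = {}
    for fields in csv.reader(text.splitlines()):
        if not fields or fields[0].startswith("#"):
            continue
        user = fields[0].strip()
        roles = [r.strip() for r in fields[1:] if r.strip()]
        user_roles.setdefault(user, []).extend(roles)
    return user_roles


def invert_to_role_users(user_roles):
    """{user: [roles]} -> {role: sorted unique [users]}, roles sorted."""
    role_users = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            role_users[role].add(user)
    return {role: sorted(users) for role, users in sorted(role_users.items())}


def format_role_rows(role_users):
    """One line per role: the role name, then all its users inside a single
    double-quoted, comma-separated globalusers field."""
    lines = []
    for role, users in role_users.items():
        buf = io.StringIO()
        writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
        writer.writerow([role, ",".join(users)])
        lines.append(buf.getvalue().rstrip("\n"))
    return lines


def convert(text):
    """Full pipeline: user-first text -> role-first import file text."""
    rows = format_role_rows(invert_to_role_users(parse_user_roles(text)))
    return "\n".join([ROLE_HEADER] + rows) + "\n"


if __name__ == "__main__":
    print(convert(USER_ROLE_LINES))
```

Because the inversion collects users into a set per role, a user listed twice for the same role (two input lines for one user) produces one entry, and the sorted output makes the generated file diff-friendly between runs.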