Create a Custom Snapshot Parameter XML File

To customize the data that CA IdentityMinder exports, create a custom Snapshot Parameter XML file. In this file, list the objects to export and, optionally, supply additional export criteria. Only objects that meet the criteria are exported. For example, you can export information about users who have a certain attribute value.

The Snapshot Parameter XML file has the following format:

<IMRExport>
    <export object="user">
        <where attr="%USER_ID%" satisfy="ANY">
            <value op="EQUALS">abc*</value>
        </where>       
        <exportattr attr="%USER_ID%"/>
        <exportattr attr="title"/>
        <exportattr attr="|groups|" />
        <exportattr attr="|roles|" />
        <exportattr attr="|identitypolicystatus|" />
    </export>
</IMRExport>

The Snapshot Parameter XML file contains the following elements:

<export>

Indicates the object to export. For example, the <export> element can export user data.

The <export> element can include one or more <exportattr> and <where> elements, which enable you to export only data that meets certain criteria. If there are no <exportattr> or <where> elements specified, all of the data for the object is exported.

The <export> element has only the object parameter.

<where>

Filters the data that is exported based on specific criteria defined by the <value> element. A <where> element must include at least one <value> element. Also, you can specify multiple <where> elements to refine your filter (they act as OR elements).

For example, you can use <where> and <value> elements to export the tasks for enabled roles:

<export object="role">
  <where attr="enabled" satisfy="ALL">
    <value op="EQUALS">Yes</value>
  </where>
  <exportattr attr="|tasks|"/>
</export>

The following table describes the parameters for the <where> element:

Parameter

Description

attr

Indicates the attribute to use in the filter.

For example, if you specify the enabled attribute, CA IdentityMinder checks the value of the enabled attribute to determine whether to export the role.

satisfy

Indicates whether some or all of the value evaluations must be satisfied for the object or attributes to be exported.

  • ALL—An attribute or object must satisfy all of the value evaluations.
  • ANY—An attribute or object must satisfy at least one value evaluation.

<value>

Defines, in a <where> element, the condition that an attribute or an object must meet to be exported. The <value> element requires the operator (op) parameter. The operator can be EQUALS or CONTAINS.

<exportattr>

Indicates a specific attribute to export. Use the <exportattr> element to export a subset of attributes for the object you are exporting. For example, you can use the <exportattr> element to export only a user’s ID.

Also, when exporting an endpoint object, you can use the <exportattr> element to define the account attributes to be exported with a particular endpoint type, as follows:

<exportattr objecttype="endpoint_type">
    <objattr name="description"/>
    <objattr name="fullName"/>
    <objattr name="lastLogin"/>
</exportattr>

The <exportattr> element has the attr or objecttype parameter.

Note: If there are sensitive attributes that you do not want to export, do not use <exportattr attr="|all_attributes|"/>. Instead, add a separate <exportattr attr="attribute"/> element for each attribute that you want to export.

<objattr>

Specifies an endpoint attribute to export. Used within the <exportattr> element when objecttype is the parameter.
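
The element rules above can be checked before a parameter file is put into use. The following Python linter is an added example, not part of the CA IdentityMinder product or its documentation; the function name lint_snapshot_params, the finding texts, and the sample input are hypothetical. It flags |all_attributes|, <where> elements without a <value>, invalid op and satisfy values, a non-EQUALS operator on the |endpoints| and |endpoint_types| filters, and <exportattr> on objects that export a fixed attribute set.

```python
import xml.etree.ElementTree as ET

# Objects the page lists as exporting a fixed attribute set (no <exportattr>).
FIXED_SET = {"PolicyXpress", "ReverseNewAccountPolicy",
             "ReverseModifyAccountPolicy", "Email", "BulkTaskDef"}
EQUALS_ONLY = {"|endpoints|", "|endpoint_types|"}  # filters limited to EQUALS

def lint_snapshot_params(xml_text):
    """Return findings for a Snapshot Parameter XML document (hypothetical helper)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "IMRExport":
        findings.append(f"root is <{root.tag}>, expected <IMRExport>")
    for export in root.iter("export"):
        obj = export.get("object")
        tag = f"export[{obj}]"
        attrs, wheres = export.findall("exportattr"), export.findall("where")
        if obj in FIXED_SET and attrs:
            findings.append(f"{tag}: <exportattr> cannot be used with this object")
        elif obj not in FIXED_SET and not attrs and not wheres:
            findings.append(f"{tag}: no <exportattr> or <where>, all data is exported")
        for ea in attrs:
            if ea.get("attr") is None and ea.get("objecttype") is None:
                findings.append(f"{tag}: <exportattr> needs attr or objecttype")
            if ea.get("attr") == "|all_attributes|":
                findings.append(f"{tag}: |all_attributes| can export sensitive attributes")
        for where in wheres:
            values = where.findall("value")
            if where.get("satisfy") not in (None, "ALL", "ANY"):
                findings.append(f"{tag}: satisfy must be ALL or ANY")
            if not values:
                findings.append(f"{tag}: <where> needs at least one <value>")
            for v in values:
                op = v.get("op")
                if op not in ("EQUALS", "CONTAINS"):
                    findings.append(f"{tag}: <value> op must be EQUALS or CONTAINS")
                elif where.get("attr") in EQUALS_ONLY and op != "EQUALS":
                    findings.append(f"{tag}: only EQUALS is supported for {where.get('attr')}")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """<IMRExport>
  <export object="user"><exportattr attr="|all_attributes|"/></export>
  <export object="useraccount">
    <where attr="|endpoints|" satisfy="ANY"><value op="CONTAINS">AD</value></where>
    <exportattr attr="|accountdata|"/>
  </export>
  <export object="role"><where attr="name" satisfy="ALL"/></export>
</IMRExport>"""
```

Calling lint_snapshot_params(SAMPLE) returns one finding per <export> element in the sample; an empty list means that none of the checked rules was violated.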

The following table shows attributes that can be used in a <where> element or an <exportattr> element, by object:

Object

Attributes you can use in a <where> element

Attributes you can use in an <exportattr> element

role

You can filter with the name attribute.

name—the roles with names that satisfy the filter

roletype—the type of roles that satisfy the filter, such as "access", "admin", or "provision" roles.

You can export any of the following attributes:

  • |all_attributes|—all role attributes
  • attr—a specific attribute
  • |tasks|—all tasks associated with the role
  • |rules|—all member, admin, owner, and scope rules that apply to the role
  • |users|—all members, administrators, and owners of the role
  • |rolemembers|—all role members
  • |roleadmins|—all role administrators
  • |roleowners|—all role owners

user

Any well-known or physical attribute and any of the following attributes:

  • |groups|—the members of a group
  • |roles|—the members of a role
  • |orgs|—users whose profiles exist in organizations that satisfy the filter

You can export any of the following attributes:

  • |all_attributes|—all available user attributes
  • |groups|—all groups where the user is a member or admin
  • |roles|—all roles where the user is a member, admin, or an owner
  • |identitypolicystatus|—all identity policies that apply to a specific user or set of users
  • |allocations|—all policies to be applied to a user for the first time
  • |reallocations|—all policies to be reapplied to a user
  • |deallocations|—all policies that no longer apply to a user because the user no longer matches the policy condition

group

Any well-known or physical attribute or the following attribute:

|groups|—the list of nested groups within a group that satisfies the filter

You can export any well-known or physical attribute or any of the following attributes:

  • |all_attributes|—all attributes defined for the Group object in the directory configuration file (directory.xml)
  • |groups|—all nested groups within the group
  • |users|—all members of the group
  • |groupadmins|—all users who are administrators of the specified group
  • |groupmembers|—all users who are members of the specified group
  • |users|—all group administrators and members

organization

Any well-known or physical attribute

You can export any well-known or physical attribute or any of the following attributes:

  • |all_attributes|—all attributes defined for the Organization object in the directory configuration file (directory.xml)
  • |orgs|—all nested organizations within the organization
  • |groups|—all groups in the organization
  • |users|—all users in the organization

useraccount

Any well-known or physical attribute or any of the following attributes:

  • name—the accounts that satisfy the filter
  • |groups|—the members of a group
  • |roles|—the members of a role
  • |orgs|—users whose profiles exist in organizations that satisfy the filter
  • |endpoints|—the endpoints that satisfy the filter
  • |endpoint_types|—the endpoint types that satisfy the filter

    Note: Only EQUALS is supported in the <where> element for endpoints and endpoint_types filters.

You can export any account-specific attribute by specifying the attribute names in the endpoint type mapping file (use imname) or by using any of the following attributes:

  • |all_attributes|—all available user attributes
  • |accountdata|—account name, endpoint, container, domain, and type
  • |statistics|—when the account was created and modified
  • |assignmentinfo|—who created and approved the account and why
  • |syncwithroles|—whether the account is redundant to user provisioning roles or not
  • |entitlementattributes|—all entitlement attributes that exist in the mapping file
  • |users|—users that meet the filter criteria
  • |groups|—friendly name of a group. This search returns group members
  • |roles|—friendly name of a role. This search returns role members
  • |orgs|—friendly name of an organization. This search returns organization members
  • |allocations|—This contains the names of policies to be allocated to the user for the first time
  • |reallocations|—This contains the names of policies to be reallocated to the user
  • |deallocations|—This contains the names of policies to be deallocated from the user
  • |identitypolicystatus|—This triggers the inclusion of allocations, reallocations, and deallocations in the user

endpoint

Any well-known or physical attribute or the following attributes:

  • name—the endpoints that satisfy the filter
  • |accounts|—explored accounts on the endpoint

    Note: User objects are exported too.

  • |endpoint_types|—endpoint type information

You can export any of the following attributes:

  • |all_attributes|—all available endpoint attributes
  • |endpoint_groups|—groups on the endpoint, if applicable
  • |accounts|—all endpoint accounts
  • |accounttemplates|—account templates associated with the endpoint

identityPolicySet

You can filter with the name attribute.

name—the identity policy sets that satisfy the filter

You can export any of the following attributes:

  • |all_attributes|—all policy sets, policies, and actions
  • |identitypolicystatus|—all identity policies that apply to a specific user or set of users

PolicyXpress

You can filter with the name attribute.

name—the Policy Xpress policies that satisfy the filter

You cannot use the <exportattr> parameter with this object. A fixed set of attributes is exported.

ReverseNewAccountPolicy

You can filter with the name attribute.

name—the Reverse New policies that satisfy the filter

You cannot use the <exportattr> parameter with this object. A fixed set of attributes is exported.

ReverseModifyAccountPolicy

You can filter with the name attribute.

name—the Reverse Modify policies that satisfy the filter

You cannot use the <exportattr> parameter with this object. A fixed set of attributes is exported.

Email

You can filter with the name attribute.

name—the email notification policies that satisfy the filter

You cannot use the <exportattr> parameter with this object. A fixed set of attributes is exported.

BulkTaskDef

You can filter with the name attribute.

name—the bulk task definitions that satisfy the filter

You cannot use the <exportattr> parameter with this object. A fixed set of attributes is exported.