Sage DNA Data Management User Guide r4.1.2 CA Role & Compliance Manager

Upload: lythuy

Post on 20-Jan-2019


This documentation and any related computer software help programs (hereinafter referred to as the

“Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at

any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in

part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA

and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the documentation for

their own internal use, and may make one copy of the related software as reasonably required for back-up and

disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy.

Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for

the product are permitted to have access to such copies.

The right to print copies of the documentation and to make a copy of the related software is limited to the period

during which the applicable license for the Product remains in full force and effect. Should the license terminate for

any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the

Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY

APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING

WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE

OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY

LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT

LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY

ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license

agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the

restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section

252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2009 CA. All rights reserved.

Contact CA

Contact Technical Support

For your convenience, CA provides one site where you can access the

information you need for your Home Office, Small Business, and Enterprise CA

products. At http://ca.com/support, you can access the following:

■ Online and telephone contact information for technical assistance and

customer services

■ Information about user communities and forums

■ Product and documentation downloads

■ CA Support policies and guidelines

■ Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about CA product documentation, you can

send a message to [email protected].

If you would like to provide feedback about CA product documentation,

complete our short customer survey, which is also available on the CA support

website, found at http://ca.com/support.

CA Product References

This document references the following CA products:

■ CA Role & Compliance Manager

■ CA Identity Manager

Contents

Chapter 1: Introduction

About this Guide

Audience

Role Based Access Control (RBAC)

Basic Concepts and Architecture

Sage's Technology

Typical Processes

Chapter 2: Sage DNA Data Management

Accessing Sage DNA Data Management

The Sage DNA Data Management Menu Bar

File Menu

View Menu

Import and Export Menus

Management Menu

Batch Menu

Help Menu

Chapter 3: Import and Export Menus

Supported Import and Export Platforms

CSV Files Converter

Import from CSV Files

Export to CSV Files

CSV Mapper Utility

Active Directory Converter

Import from Active Directory

Export Active Directory

RACF Converter

Import from RACF

Export to RACF

MS-SQL Converter

Import from MS-SQL

Export to MS SQL

TIM2Sage Converter

Prerequisites

Importing from ITIM

Exporting to ITIM

Control SA Converter

Importing from Control SA to Sage

Exporting from Sage to Control SA

SAP to Sage Converter

Mapping SAP Data to Sage

Running the SAP to Sage Converter

Generic LDIF to Sage Converter

Import from TSS

Import from UNIX

Import Windows Shared Folder

Mapping Windows Share Data to Sage

BMC Identity Manager Open Services

Importing from BMC Identity Management

Exporting to BMC Identity Management

Oracle Identity Manager

Updating Oracle Identity Manager Client JARs

Importing from Oracle Identity Manager

Exporting from Sage to Oracle Identity Manager

Chapter 4: Management Menu

Enrich Users Database

Enrich Resource Database

Preserving Columns During Enrichment

Sage Database Utility

Chapter 5: Eurekify Web Services Interface

Sage Policy Functions

SageLinkBPRService

Add Link Checks

Remove Link Checks

SageBasicService

Sage Documents Functions

Sage Entities Database Functions:

Sage Configuration Functions

Sage Policy Functions

SageDataService

Sage Documents Functions

Sage Databases Functions

Sage Configuration Functions

Other Sage Retrieval Functions

Remove Link Checks

SageDiffService

Sage Entities Differences

All Entities and Links Differences

SageEntitiesCommonService

Sage User commonalities

Sage Roles Commonalities

Sage Resources Commonalities

SageEntitiesDiffService

Sage Users Differences

Sage Roles Differences

Sage Resources Differences

SageEntitiesDataService

Sage User Links

Sage Role Links

Sage Resource Links

Example Usage of Sage Web Services

Open a Sage Configuration (SageDataService)

Save a Sage Configuration to the Database (SageBasicService)

Compare Two Sage Configurations (SageDiffService)

View Entity Changes between Configurations (SageEntitiesDiffService)

Get Entity Commonalities (SageEntitiesCommonService)

View Link Information for Entities (SageEntitiesDataService)

Chapter 1: Introduction

Most modern enterprise software systems, such as ERP, CRM, portals, and

security management, are role-based, as are operating systems and network

operating systems, and they necessarily rely on accurate and effective

specification of roles.

Implementing role-based systems in an enterprise-level system is a significant

undertaking. Creating a role specification from scratch is complex. Porting

various legacy specifications from existing systems is difficult due to different

and incompatible environments and conventions. Dynamic corporate

environments replete with periodic restructuring, mergers, relocation and

flexible employee mobility all contribute to the problematic nature of

maintaining a coherent access specification.

This chapter introduces the CA Role & Compliance Manager Sage Discovery

and Audit solution to meet this challenge.

This section contains the following topics:

About this Guide

Audience

Role Based Access Control (RBAC)

Basic Concepts and Architecture

Sage's Technology

Typical Processes

About this Guide

This guide describes operations and options that are unique to the Sage DNA

Data Management module. It specifically treats the operations performed from

within the Import, Export and Management menus. In the Management menu

the unique options include Enrich Users DB and Enrich Resources DB. All other

operations that can be performed from within the Sage DNA Data Management

module are common to the Sage DNA module and are described in the Sage

DNA manual.

Chapter 1 provides an overview of the Sage software including the RBAC

standard, basic concepts and architecture, Sage technology, and typical

processes.

Chapter 2 provides an overview of Sage DNA Data Management and the

menus and menu options in the Sage DNA Data Management client.

Chapter 3 provides details of how you can import data into Sage from various

database platforms and how you can export modified data back to those

database platforms.

Chapter 4 provides details on how to enrich existing Users and Resource

databases.

Chapter 5 provides details on using the Eurekify Web Services Interface.

Audience

This guide is intended for Role Engineers who are responsible for the

installation of Sage software, downloading and uploading of users and

resources databases, role discovery and audit operations. Role Engineers are

typically well-trained professionals who are familiar with the target

organization. This guide assumes that the Role Engineer has had professional

training on a Sage system and is familiar with the Sage documentation that

accompanied the Sage installation package.

Familiarity with the Microsoft operating system and applications and relevant

peripheral and remote equipment is also assumed.

Role Based Access Control (RBAC)

Role Based Access Control (RBAC) is a project of the National Institute of

Standards and Technology (NIST) and is intended to create a comprehensive

access security model for the structure and operation of enterprise-level

organizations in a high technology environment. RBAC has now reached

maturity and has been mandated or recommended for implementation by

industry regulations worldwide.

In RBAC, users have roles that provide them with permissions to perform

defined operations, such as read/write, on objects, such as computer files.

RBAC incorporates the principles of separation of duties and organizational

hierarchy into its model. Separation of duties prohibits a user with a certain

job function from serving in another job function at the same time. Hierarchy

reflects the layered role structure of large organizations but also facilitates

administration and role creation by allowing rights to flow down from senior to

junior roles. The following diagram describes the RBAC model:

Basic Concepts and Architecture

Sage implements RBAC standards without affecting an organization's on-going

operation. Sage implements the concept of a sandbox to separate Sage's

operation from the organization's on-going security environment (production

server). The assumption is that when working with Sage, existing access

definitions must first be imported into a sandbox. A sandbox is an offline PC

computer on which Sage is installed where role discovery and audit activities

are performed without affecting current operations of the organization. All

work on discovering new or refining existing access definitions is performed in

the Sage environment.

Sage defines roles as a group of users that have a common set of privileges.

By users, Sage refers to people or functions: employees, customers, suppliers,

representatives, and so on. A resource is a specific right of access that may be

an operation or object in formal RBAC terms. Thus, a resource can be as

specific as a particular access right (Read/Write/Execute) to a specific file in a

specific file system on a specific machine, and it can also be used to provide a

model for access to a computer system (such as a user group on that

machine). A privilege is a connection between a user and a resource,

indicating that this user possesses a specific access right. A role can include a

set of users and a set of resources, with the semantics being that all users in

the user set are allowed access to all resources in the resource set.

Most of Sage's work is performed within a proprietary Sage configuration that

is automatically created when access data is imported into Sage. By

configuration, Sage means a data structure that holds a snapshot of the

definition of users, resources and roles (if already defined) as well as the

relevant relationships (privileges) between them.

The following shows the Sage architecture and how it relates to existing

systems in your enterprise:

Sage's Technology

Sage is based on advanced pattern recognition technology. Sage provides a

comprehensive set of highly sophisticated solutions to the challenges that

organizations face when implementing and maintaining role-based

management.

Core Technology

An important innovation of Sage lies in the observation that role-based

management revolves around patterns of privileges and access. As such, even

in an organization where privileges are not currently managed by roles, the

actual assignment of privileges roughly follows role-based patterns. Similarly,

deviations and exceptions should be detectable when they do not follow the same

patterns.

Sage's technology is designed to uncover the patterns that are hidden in

existing sets of privileges. This is not trivial, since the number of excessive

privileges may sometimes reach 50% of the total number of privileges. Many

users may also be under-privileged or wrongly-privileged. Furthermore, the

problem is extremely complex due to the sheer number of user accounts

typical of large enterprises. Sage combines a set of pattern recognition

techniques and other advanced algorithms and applies them to the special

challenges of roles management.

Other Technology Components

In addition to this core technology, CA has developed substantial additional

technology that is required to deploy a full solution:

■ Sage products use sophisticated algorithms that help the user make

intelligent decisions, while hiding most of the complexity of the problems

they address.

■ Sage products use sophisticated data structures and algorithms in order to

reduce the CPU and memory load to the point where a Sage project can be

fully implemented on a single PC.

■ Sage architecture is designed to allow easy mapping of privileges data

from virtually any ACL-based platform/application, including most

operating systems, databases, directories, applications, and of course,

identity management and provisioning systems.

■ Sage's user-friendly interface facilitates importing privileges data from a

common or proprietary platform and exporting processed data and role

definitions to this or another target platform.

Typical Processes

The following are the main processes when working with Sage (refer to

chapter 4 for a more detailed description):

Import

In a typical implementation, the Role Engineer first imports current access

data from the security administration server. Source documents would

include a users database file, resources database file, roles file (if existing)

and possibly one or more files describing the relationship between one or

more entities (users, resources, roles). Using a direct communications link

to the production server, Sage enables the importing of data from a

variety of formats including: CSV, SQL, and RACF. Sage creates its own

Sage “configuration” document, which contains the known user, role, and

resource information.

Role Discovery

The role discovery process enables the discovery of roles that were not

explicitly defined in the source data as well as the refining of existing

roles. Sage's role discovery tools include searching for and proposing:

basic roles, obvious roles, roles that are almost perfect matches of other

roles and identifying role hierarchy. These options contain sub-menus that

enable fine-tuning Sage's discovery algorithm to adapt it to the specific

configuration that is being analyzed. The results of running these Sage

options are Sage's proposals for role definitions. These roles must be

individually examined to determine their appropriateness and validity for

the organization.

Audit

Sage's basic auditing tools apply Sage's internal logic and built-in

algorithms to an existing configuration to analyze and identify many types

of non-conformities or suspicions related to users, roles, and resources.

The Role Engineer can apply individual tools to analyze a configuration or

can run a comprehensive audit. The output of an audit is the AuditCard,

which contains a list of all suspicious records and the type of suspicion

involved (currently about 50 different types). The AuditCard also contains

a built-in mechanism for tracking progress until resolution is achieved.

Sage Policy Compliance

The Sage Policy Compliance module is an additional audit tool that enables

formulating a unique set of Business Process Rules (BPR) that represent

various constraints on privileges. These rules are formulated independently

of a specific Sage configuration and can then be applied to different

configurations.

Export

Prior to uploading a processed Sage configuration to the organization's

production server, the differences between the original source data and

processed Sage configuration are examined using a built-in Sage option.

After verifying the differences and making any necessary changes, the

configuration data is directly exported from the Sage interface to the

production computer's format. The export eliminates cross-platform

conversion problems.

Chapter 2: Sage DNA Data Management

This section contains the following topics:

Accessing Sage DNA Data Management

The Sage DNA Data Management Menu Bar

Accessing Sage DNA Data Management

You can access the Sage DNA Data Management application from the Windows

Start menu or from within the Sage Portal client. The Sage DNA Data

Management application opens as follows:

To access Sage DNA Data Management from the Windows Start menu

Click Start, All Programs, Eurekify Sage ERM, Eurekify Sage Data Management

Vnumber. The Sage DNA Data Management window opens.

To access Sage DNA Data Management from the Sage Portal Client

1. Click Start, All Programs, Eurekify Sage ERM, Eurekify Sage Portal Client.

The Sage Portal Client opens to the home page.

2. Click the Data Management icon that appears on the home page.

The Sage DNA Data Management window opens.

The Sage DNA Data Management Menu Bar

The menu bar provides access to most Sage options. The menu bar is

organized by function and includes the following main items: File, View,

Import, Export, Management, Batch, and Help. To avoid navigating complex

menu systems, the most commonly-used Sage options are represented by

icons on the toolbar. However, not all options are included on the menu bar or

toolbar.

File Menu

The File menu contains the following options for file handling and connecting

to external systems and peripheral equipment:

■ Open Sage documents from a file

■ Open Sage documents from a database back-end

■ Configuration enrichment and merger operations

■ Operation of Sage batch functions

The operations in the Sage DNA Data Management File menu are identical to

those described for Sage DNA. Refer to documentation in Chapter 5 File Menu

in the CA Role & Compliance Manager Sage DNA User Guide.

View Menu

The View menu provides the following functions:

■ Determine how data is displayed in the active document window

■ Review the log file generated by Sage, to look for possible errors that were

encountered during operation.

■ Review properties and statistics for the active document window

■ Switch view to a related document, such as the udb of the current

configuration

■ Explore connections of a select set of entities

The operations in the Sage DNA Data Management View menu are identical to

those described for Sage DNA. Refer to documentation in Chapter 7 View Menu

in the CA Role & Compliance Manager Sage DNA User Guide.

Import and Export Menus

The Import and Export menus provide support for importing and exporting

User and User Privilege information to and from Sage DNA Data Management.

The Import menu provides support for importing from the following file types

and platforms:

■ CSV files

■ LDIF files

■ SQL Database

■ Active Directory

■ RACF

■ TSS

■ Unix

■ SAP

■ Windows Shared Folder

■ ITIM V4.5 and V4.6

■ Control SA

The Export menu provides support for exporting to the following file types and

platforms:

■ Active Directory

■ RACF

■ SQL Database

■ CSV files

■ ITIM V4.5 and V4.6

■ Control SA

More information:

Import and Export Menus

Management Menu

The Management menu supports functionality for:

■ Enriching Users and Resource databases

■ Evaluating User databases

■ Merging Configurations, User databases, Resource databases, and Audit

Cards

■ Trimming and comparing Configurations

More information:

Management Menu

Batch Menu

The Batch menu supports functionality for:

■ Executing a Batch Command file

The operations in the Sage DNA Data Management Batch menu are identical to

those described for Executing a Batch File in Sage DNA. See Chapter 5 in the

CA Role & Compliance Manager Sage DNA User Guide.

Help Menu

Only version and license information is available under this menu.

Chapter 3: Import and Export Menus

Importing and exporting user and user privileges information to and from Sage

is performed by Sage DNA Data Management. The import process transfers

user information into Sage from the native security systems on which it

resides. The export process returns the information to the native security

systems after creating and modifying roles in Sage DNA.

Sage DNA Data Management provides a number of converters through which

user information is processed. These import and export facilities represent the

most common operating systems used on the native security systems.

The converters are located in the Import and Export menus of Sage DNA Data

Management. The following screen shows the Import and Export menus:

This section contains the following topics:

Supported Import and Export Platforms

CSV Files Converter

Active Directory Converter

RACF Converter

MS-SQL Converter

TIM2Sage Converter

Control SA Converter

SAP to Sage Converter

Generic LDIF to Sage Converter

Import from TSS

Import from UNIX

Import Windows Shared Folder

BMC Identity Manager Open Services

Oracle Identity Manager

Supported Import and Export Platforms

The Import and Export menus provide support for importing and exporting

user and user Privilege information to and from Sage DNA Data Management.

To access either the Sage Import or Export converters

1. From the Sage DNA Data Management menu bar, select either Import or

Export.

The menu opens and lists the Import/Export converters.

2. Select the converter that you want to use.

The selected converter opens.

The Import menu provides support for importing from the following file types

and platforms:

■ CSV files

■ LDIF files

■ SQL Database

■ Active Directory

■ RACF

■ TSS

■ Unix

■ SAP

■ Windows Shared Folder

■ ITIM V4.5 and V4.6

■ Control SA

The Export menu provides support for exporting to the following file types and

platforms:

■ Active Directory

■ RACF

■ SQL Database

■ CSV files

■ ITIM V4.5 and V4.6

■ Control SA

CSV Files Converter

Import from CSV Files

It is often convenient to convert information about users and privileges from

native security systems into simple CSV files. The CSV (Comma Separated

Values) format is the most common import and export format for spreadsheets

and databases. CSV files can then be manipulated and extended using simple

tools such as Excel, if necessary. Sage has its own converter that takes

several CSV files as input and creates a Sage configuration.

Typically, the Sage CSV converter uses several CSV files as input, with each

individual file representing one entity type (such as users and resources

databases) or one relation between two entity types (roles). Some of the files

are optional and if not specified at the time of import will be assumed to be

empty. The converter produces one output file, which is the Sage configuration

file.

Note: The UsersDB and ResDB files are not created and are assumed to be

provided in the same CSV format as used in a Sage configuration.

Entity Files

Users database

The first row in the entity file must be a header row. Each subsequent row

represents a single user, where the row contains the following fields:

■ PersonID - the key, and must be unique

■ UserName

■ Organization

■ Organization Type

■ Field 1 to Field n (optional)

Resources database

The first row in the entity file must be a header row. Each subsequent row represents a single resource and contains the following fields, where the combination of Resource Name 1, 2, and 3 is the key and is assumed to be unique:

■ Resource Name 1

■ Resource Name 2

■ Resource Name 3

■ Field 1 to Field n (optional)

Roles

The Roles entity file does not require a header row. There is one row per role definition, each with the following fields:

■ Role Name - must be unique

■ Role Description

■ Role Organization

■ Role Owner

Relations Files

User-Resource Connections

The User-Resource Connections entity file does not require a header row.

The file requires one row per connection, each with the following fields:

■ PersonID

■ Resource Name 1

■ Resource Name 2

■ Resource Name 3

Role-Resource Connections

The Role-Resource Connections entity file does not require a header row.

The file requires one row per connection, each with the following fields:

■ RoleID

■ Resource Name 1

■ Resource Name 2

■ Resource Name 3

User-Role Connections

The User-Role Connections entity file does not require a header row. The

file requires one row per connection, each with the following fields:

■ PersonID

■ Role Name

Role-Role Connections

The Role-Role Connections entity file does not require a header row. The

file requires one row per connection, each with the following fields:

■ Role Name (parent)

■ Role Name (child)
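The file layouts above can be checked before an import. The following Python example is added here and is not part of the Sage product or this guide: it verifies key uniqueness and that every connection row refers to a defined user, role, or resource. The logical file names, the sample rows, the treatment of RoleID as the Role Name, and the role hierarchy cycle check are assumptions made for the illustration.

```python
import csv
import io


def read_rows(text, delimiter=",", has_header=False):
    """Parse CSV text into stripped rows, dropping blank lines and an optional header."""
    rows = [[cell.strip() for cell in row]
            for row in csv.reader(io.StringIO(text), delimiter=delimiter)
            if any(cell.strip() for cell in row)]
    return rows[1:] if has_header else rows


def duplicated(keys):
    """Return each key that occurs more than once, in first-seen order."""
    seen, dups = set(), []
    for key in keys:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def find_cycle_root(edges):
    """Return a role from which a parent->child cycle is reachable, or None."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, set()).add(child)
    state = {}  # role -> 1 while on the DFS stack, 2 once fully explored

    def visit(role):
        state[role] = 1
        for nxt in children.get(role, ()):
            if state.get(nxt) == 1 or (nxt not in state and visit(nxt)):
                return True
        state[role] = 2
        return False

    for role in sorted(children):
        if role not in state and visit(role):
            return role
    return None


def validate(files, delimiter=","):
    """Check a CSV file set (dict: logical name -> CSV text) and return findings.

    A missing file is treated as empty, as the guide says the converter does for
    optional inputs. The dict keys are names chosen for this example.
    """
    def rows(name, has_header=False):
        return read_rows(files.get(name, ""), delimiter, has_header)

    person_ids = [r[0] for r in rows("users", True)]            # header row required
    res_keys = [tuple(r[:3]) for r in rows("resources", True)]  # header row required
    role_names = [r[0] for r in rows("roles")]                  # no header row
    findings = []
    for label, keys in (("PersonID", person_ids), ("resource key", res_keys),
                        ("Role Name", role_names)):
        findings += [f"duplicate {label}: {key}" for key in duplicated(keys)]

    known = {"user": set(person_ids), "resource": set(res_keys), "role": set(role_names)}
    # Relation file -> (entity kind, column slice) for each end of the connection.
    # Assumption: the RoleID column of the role-resource file holds the Role Name.
    relations = {
        "user_resource": (("user", slice(0, 1)), ("resource", slice(1, 4))),
        "role_resource": (("role", slice(0, 1)), ("resource", slice(1, 4))),
        "user_role": (("user", slice(0, 1)), ("role", slice(1, 2))),
        "role_role": (("role", slice(0, 1)), ("role", slice(1, 2))),
    }
    for name, ends in relations.items():
        for number, row in enumerate(rows(name), start=1):
            for kind, cols in ends:
                cells = tuple(row[cols])
                key = cells if kind == "resource" else "".join(cells)
                if key not in known[kind]:
                    findings.append(f"{name} row {number}: unknown {kind} {key}")

    # Extra sanity check added here; the guide does not say how Sage treats cycles.
    root = find_cycle_root([r[:2] for r in rows("role_role") if len(r) >= 2])
    if root:
        findings.append(f"role hierarchy cycle reachable from {root}")
    return findings


# Constructed sample data with one defect of each kind.
SAMPLE = {
    "users": "PersonID,UserName,Organization,Organization Type\n"
             "u100,Ana Ruiz,Finance,Dept\nu101,Bo Chen,IT,Dept\nu100,Ana R.,Finance,Dept\n",
    "resources": "ResName1,ResName2,ResName3\n"
                 "payroll,read,Active Directory\npayroll,write,Active Directory\n",
    "roles": "Clerk,Payroll clerk,Finance,u100\nAdmin,Payroll admin,IT,u101\n",
    "user_resource": "u101,payroll,write,Active Directory\nu999,payroll,read,Active Directory\n",
    "role_resource": "Clerk,payroll,read,Active Directory\nAdmin,payroll,delete,Active Directory\n",
    "user_role": "u100,Clerk\nu101,Auditor\n",
    "role_role": "Admin,Clerk\nClerk,Admin\n",
}
```

Calling validate(SAMPLE) returns one finding per defect; an empty list means the file set is internally consistent under these assumptions.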

Import a CSV File

To import a Sage Configuration from a CSV file

1. Click Import, CSV file from the list.

The Importing to Sage Configuration from CSV Files window opens. See the following example of a completed window:

The following table describes how to complete the fields:

Field: Description

Sage Configuration File: Fill in the name of a new configuration file or use the Browse button to select the existing configuration file to which to write the imported data.

Users Database: Fill in the name and path of the source file that contains the users database data. The file can be a standard Sage users database (.udb) or a CSV (.txt) file.

Resources Database: Fill in the name and path of the source file that contains the resources database data. The file can be a standard Sage resources database (.rdb) or a CSV (.txt) file.

Roles: Fill in the name and path of the source file that contains the role data, generally a CSV (.txt) file. A Browse button is provided for convenience.

User-Resource Connections: Fill in the name and path of the source file that contains the user-resource connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

User-Role Connections: Fill in the name and path of the source file that contains the user-role connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

Role-Resource Connections: Fill in the name and path of the source file that contains the role-resource connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

Role Hierarchy Connections: Fill in the name and path of the source file that contains the role hierarchy connections data, generally a CSV (.txt) file. A Browse button is provided for convenience.

Separate by Commas / Separate by Semicolons: Select the option that indicates which character is used as separator in the CSV file.

2. Fill in the import window fields as indicated in the table.

Note: Some of the inputs may remain empty. For example, if you import

from a system that does not yet have roles, then you leave the roles file

and all the role connections files fields clear. The output is a Sage

configuration file that can then be opened to perform role discovery and

audit activities.

During the import process, Sage creates a log file in the Sage Logs folder.

This log file is separate from the Sage main log file, and is named

according to Sage's naming convention, which follows:

SageCSVConverter_<username>_<date>_<time>.log. This log file

contains all the errors and misconfigurations that Sage has encountered.

Sage will prompt you to view this log file when the import is finished.

At the end of the conversion process, a message is displayed that indicates

whether errors were detected.

Important! In case of errors, review the log file to ensure that it does not

contain material warnings. The configuration file does not automatically open.

3. To open the configuration file, from the File menu select Open from File, and navigate to the target folder to open it.

Export to CSV Files

Sage can convert a configuration file to CSV files for uploading to an external

security system.

To export a configuration to CSV files

1. Click Export, Export to CSV Files.

The Exporting from Sage Configuration to CSV Files window opens. See

the following example of a completed window.

The following table describes how to complete the fields:

Field: Description

Sage Configuration File: Use the Browse button to select the configuration file from which CSV files are to be created.

Roles: Fill in the name and path of the target of the file that will contain the role data. A Browse button is provided for convenience.

User-Resource Connections: Fill in the name and path of the target of the file that will contain the user-resource connections. A Browse button is provided for convenience.

User-Role Connections: Fill in the name and path of the target of the file that will contain the user-role connections. A Browse button is provided for convenience.

Role-Resource Connections: Fill in the name and path of the target of the file that will contain the role-resource connections. A Browse button is provided for convenience.

Role Hierarchy Connections: Fill in the name and path of the target of the file that will contain the role hierarchy connections. A Browse button is provided for convenience.

Role ID as Number: This option is available for compatibility with previous versions of Sage where a role was identified by a Role ID (number). Otherwise, it should be unchecked.

2. Complete the export window fields as indicated in the table.

A maximum of five CSV files can be uploaded to the external security

system. These text files can be examined using Notepad or any text editor.

During the export process, Sage DNA Data Management creates a log file

in the Sage Logs folder. This log file is separate from the Sage main log

file, and is named according to Sage's naming convention

SageCSVConverter_<username>_<date>_<time>.log. This log file

contains all the errors and mis-configurations that Sage has encountered.

Sage prompts you to view this log file when the export is finished.

At the end of the conversion process, a message is displayed that indicates

whether errors were detected.

Important! Review the log file to ensure that it does not contain material warnings.

CSV Mapper Utility

The CSV Mapper Utility allows you to extract user and resource data from any CSV file and map that data to create Sage Configuration files, and User and Resource databases. The utility does not identify any role relationship that may exist between the Users and Resources in the CSV file.

To map a CSV file to Sage entities

1. Click Import, CSV Mapper Utility.

The Eurekify CSV Mapper window opens. See the following example of a

completed CSV Mapper window.

The following table describes how to complete the fields:

Field: Description

Source CSV: Type or browse for the path and name of the CSV file that contains the source data.

Field Separator: Type the character that is used as a field separator in the Source CSV file.

Target CFG: Fill in the name and path of the target CFG file. A Browse button is provided for convenience.

Target UDB: Fill in the name and path of the target Users Database. A Browse button is provided for convenience.

Target RDB: Fill in the name and path of the target Resource Database. A Browse button is provided for convenience.

User Name: Select the Column that matches the position of the User Name in the Source CSV file.

Resource Name I: Select the Column that matches the position of the 1st Resource Name in the Source CSV file.

Resource Name II: Select the Column that matches the position of the 2nd Resource Name in the Source CSV file.

Resource Name III: Select the Column that matches the position of the 3rd Resource Name in the Source CSV file.

2. Complete the fields in the Eurekify CSV Mapper window as indicated in the

table.

3. Click Convert.

The CSV Mapper Utility creates each of the CFG, UDB, RDB files and

locates them as indicated in the CSV Mapper Utility.

Active Directory Converter

Active Directory (AD) is a Microsoft directory service for storing information

about network-based entities, such as users, groups, applications, files, and

printers. It is the central authority that manages the identities and brokers the

relationships between these distributed resources, thereby enabling them to

work together. It is a mechanism for managing the identities and relationships

of the distributed resources that make up network environments. Since Active

Directory is the central authority for network security, enabling the operating

system to verify a user's identity and control access to network resources, it is

the natural point from which to download users, groups and resources

information into Sage.

After performing role discovery, analysis, definition and audit in Sage, you can

export the new roles, and other changes that were made in the configuration,

back into Active Directory.

Import from Active Directory

Sage allows importing from one or more AD servers. Importing from multiple

servers is useful when there are frequent cross-links between them. At the

moment, Sage can export to only a single AD server.

To import from an Active Directory

1. Click Import, Import from Active Directory.

The Active Directory Wizard opens.

The following table describes how to complete the fields:

Field: Description

Credentials

Server Address (IP/Domain Name): Identify the server(s) from which the data is being imported.

Secure Authentication: When selected, Sage uses the Login Name and Password used to log in to Windows.

Login Name (NT Domain/User): Record the login name.

Password: Record the password.

Port: Sage assumes the port is 389 by default. This is the well-known port for LDAP. Change it if necessary.

Output Files

Configuration: The name of the Sage configuration to be created as a result of the import process.

UsersDB: The name of the Sage Users database file to be created.

Resources DB: The name of the Sage Resources database file to be created.

Mapping File: The name of an XML file that describes the mapping of AD attributes to Sage entities. This file is usually saved after the first time a new mapping is provided.

2. Fill in the fields in the Active Directory Wizard as indicated in the table.

3. For each AD server from which you wish to import, provide the IP/Domain

Name, as well as port and login credentials.

4. For each server, click Set to accept.

5. To remove, select the relevant entry in the table on the right, and click

Remove.

Passwords are not kept in the registry, so when returning to an AD import

page, most values will be kept, but not the password.

6. Select the relevant entry again in the table, enter the password on the left,

and press Set. Do the same for each AD server.

7. Click Next to continue.

A window similar to the following opens:

8. Navigate to the points in the directory from which information will be

imported (the bases), in this case the respective “DC”. Note that it is

possible to import specific containers from each of the imported AD

servers.

9. Decide what to import. Field descriptions follow:

Field: Description

Groups as Roles

All Groups as Roles: Activate this radio button if all groups are to be considered as Sage roles. In this case, Sage will import role hierarchy connections for groups that are members of other groups.

All Groups as Resources: Activate this radio button if all groups are to be considered as resources. In this case, group membership will be "flattened" automatically by Sage, i.e., users will show as members of a group even if they are a member of a "parent" group of that group.

Identify Roles by: If you have activated this radio button, mark the check boxes for importing.

Sage Roles, Nested Groups, Distribution Groups, Security Groups, Universal Groups, Global Groups, Domain Local Groups, Local Groups: Mark the appropriate check boxes for your import. Sage Roles are roles marked as such by Sage during a preceding export. Nested Groups: in this mode, primitive groups (i.e., groups that are not parents of other groups) will be imported as resources, and parent groups will be imported as Sage roles. All the other options denote types of AD groups that the user may wish to import as Sage roles. Note that it is possible to check more than one option.

Only import groups directly linked with users: This option, when checked, will disable import of groups that do not have any users as members. Note that it will also not import groups that have other groups as members.

Find cross domain links and verify object links: This option activates a third pass of Sage AD import, in which Sage searches for missing links that are likely associated with external objects and adds stubs that represent the latter.

Add extended debug logging: When not selected, the Sage log file only includes Error messages. When selected, the Sage log file includes Error messages and Warning messages. This can significantly increase the size of the log file.

10. Click Next to continue.

A mapping window for Users attributes appears. Similar windows, for Roles

and Resources appear in subsequent steps.

In these windows, fields of each entity type (users, roles and resources)

may be associated with their corresponding Active Directory attribute. The

result of each mapping operation is displayed in the mapping window.

11. To activate the mapping, select the line associated with the Sage attribute

in the mapping table on the right.

12. Use one of several mechanisms to specify the mapping as below, and

press Set to activate.

13. When mapping AD attributes to Sage entities, take special care to import

unique values into Sage keys, i.e., users' PersonID, roles' Role Name, and

resources' combination of ResName1, 2, and 3.

14. To enable proper mapping of imported attributes back into AD in an export process, import the CN and DN. Use the Object Name attributes.

Note: Sage imports up to 127 characters for each field, and logs alerts for objects that exceed this limit.

Field descriptions follow:

Field: Description

Data Mapping Attribute: You choose which of the attributes in the User schema shall be associated.

Object Name: You choose specific pre-designated schema attributes and/or combinations thereof. CN and DN map to the respective schema attributes. CNi maps to the i-th part of the object's DN, from right to left (i.e. based on the hierarchy), and beginning from the first container after the DC values. DNi maps to the i-th part of the object's DCs.

Constant Field: You can choose to map a constant field into a Sage field. For example, it is often preferred to map the string "Active Directory" to Res Name 3.

Empty Field: This allows you to leave a Sage field empty. This is also the initial default.

Configuration Entity Field Name: You can choose to provide a title to a Sage field.

Set Person ID to Upper Case (Users only): Mark check box to convert to upper case the identifiers brought into the Sage users PersonID field. This is useful when dealing with several systems where this key identifier may appear in various case variants.

Ignore Disabled Users check box (Users only): Mark check box to ignore users that are marked as disabled in AD.

Output Files

Configuration: The name of the target Sage configuration file (usually new configuration file). A Browse button is provided for convenience.

Users DB: The name of the target Sage users database (usually new database). A Browse button is provided for convenience.

Resources DB: The name of the target Sage resources database (usually new database). A Browse button is provided for convenience.

15. After mapping the fields of all entities, Sage prompts you to save the

mapping into a reusable XML file.

A similar window displays to let you map roles.

When done, Sage starts the import, showing the progress of the import

process. There are three steps to the import process:

■ Import of objects – in this pass, Sage imports all users, roles, and

resources objects

■ Import of links – in this pass, Sage imports all links between objects

■ Verify links – in this pass, Sage complements the configuration with

external objects that are linked to configuration objects. Sage creates

a "stub" for each external object.

When the import process is completed, a message appears providing

statistics on the data that was imported to Sage.

16. Click OK.

During the import process, Sage creates a log file in the Sage Logs folder. This

log file is separate from the Sage main log file, and is named according to

Sage's naming convention

SageADConverter_<username>_<date>_<time>.log. This log file contains all

the errors and mis-configurations that Sage has encountered. Sage prompts

you to view this log file when the import is finished.

Important! Review the log file to ensure that it does not contain material

warnings.
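Step 13, the 127-character note, and the Set Person ID to Upper Case option interact: two distinct AD objects can end up under one Sage key. The following Python example is added here and is not part of the Sage product; it lists over-length values and the objects that would share a key. It assumes that Sage keeps the first 127 characters of a field, and the DNs and attribute values are constructed.

```python
from collections import defaultdict

FIELD_LIMIT = 127  # per-field import limit stated in the guide


def imported_key(value, upper=False, limit=FIELD_LIMIT):
    """Value as it would land in a Sage key field.

    Assumption: the first `limit` characters are kept; `upper` models the
    Set Person ID to Upper Case check box.
    """
    value = value[:limit]
    return value.upper() if upper else value


def audit_keys(candidates, upper=False, limit=FIELD_LIMIT):
    """Audit the attribute chosen as a Sage key.

    candidates: list of (object DN, attribute value mapped to the key field).
    Returns (too_long, collisions): the DNs whose value exceeds the limit, and
    a dict key -> sorted DNs for every key that more than one object maps to.
    """
    too_long = [dn for dn, value in candidates if len(value) > limit]
    by_key = defaultdict(list)
    for dn, value in candidates:
        by_key[imported_key(value, upper, limit)].append(dn)
    collisions = {key: sorted(dns) for key, dns in by_key.items() if len(dns) > 1}
    return too_long, collisions


# Constructed sample: accounts from two imported AD servers plus two long names
# that differ only after character 127.
LONG_PREFIX = "svc-" + "x" * 130
SAMPLE = [
    ("CN=John Smith,OU=Staff,DC=emea,DC=example,DC=com", "jsmith"),
    ("CN=Jane Smith,OU=Staff,DC=apac,DC=example,DC=com", "JSmith"),
    ("CN=Bo Chen,OU=Staff,DC=emea,DC=example,DC=com", "bchen"),
    ("CN=Batch A,OU=Services,DC=emea,DC=example,DC=com", LONG_PREFIX + "-prod"),
    ("CN=Batch B,OU=Services,DC=emea,DC=example,DC=com", LONG_PREFIX + "-test"),
]

if __name__ == "__main__":
    for use_upper in (False, True):
        long_values, clashes = audit_keys(SAMPLE, upper=use_upper)
        print("upper-case:", use_upper, "over limit:", len(long_values))
        for key, dns in clashes.items():
            print("  shared key", key[:20], "->", dns)
```

Each collision group is a set of objects to confirm as the same identity before the import, since their privileges would be reviewed in Sage under a single key.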

Export Active Directory

The process for exporting your modified Sage configuration data to your Active

Directory server is very similar to that for importing Active Directory

information into Sage DNA. The process differs in the following ways:

■ Only the differences between the imported configuration and the modified

configuration are exported to the Active Directory server. This means that

you need to compare the two configurations and generate a Differences

Report file. You use the Differences Log file as input for the Export

process.

■ You can export to only a single Active Directory server at a time.

To export data from Sage DNA Data Management to an Active

Directory server

1. Click Management, Compare Configurations.

The Compare Configurations window opens.

2. Compare your original configuration file to your updated configuration file

and generate a Differences Log file.

3. From the Export menu select Export to Active Directory.

The Active Directory Wizard opens to Step 1.

4. Fill in the Credentials as described for the Import from Active Directory

process.

Note: The export process only supports exporting to a single Active

Directory server at a time.

5. In the Input Files group box, enter the path and file name of the

Differences Log File containing the data to export to the Active Directory

server.

6. Click the Next button to advance to the Set Conversion Options step.

7. From within the Options Group box select the Options that are relevant to

your configuration, and click Next.

The Search Active Directory Objects step in the wizard appears:

8. On each of the Users, Roles and Resources tabs, map the Sage Entities to

the appropriate Active Directory Attributes.

9. On each of the Users, Roles, and Resources tabs select the location in the

Active Directory to house new Users, Roles and Resources.

10. When appropriate, select the correct DN and CN values for the target

Active Directory from the DN and CN drop down lists.

11. Click Finish to export the modified data to the Active Directory server.

More information:

Import from Active Directory (see page 34)

RACF Converter

The Resource Access Control Facility (RACF) is a security component for IBM

mainframe computers that works together with the existing operating system

to provide system security, resource access control, auditability, accountability

and administrative control. As such, it is the main repository for users, roles

and resources data on mainframe computers.

The main input to the Sage RACF import option requires downloading access data from RACF using the IRRDBU00 unload utility. This generated text file should then be segmented according to various line types, each representing a different type of entity and/or connections. You can add enriched data about user attributes (for example, from the human resources department database).

The output is a Sage configuration, with RACF groups appearing as Sage roles

and with RACF profiles as Sage resources.

Import from RACF

To import data from RACF into Sage

1. Click Import, Import from RACF.

The Importing to Sage Configuration from RACF Files window appears. A

completed example of this window follows:

Use the following instructions to complete the fields:

Field: Description

Sage Files

Configuration Files Directory: Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience.

Users Database: Enter the name and folder of the target Sage users database. A Browse button is provided for convenience.

Resources Database: Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience.

Options

RACF Platform Name: Record the RACF platform name.

Groups as Roles radio button: Activate radio button if Sage is to convert groups to Sage roles. Do not activate radio button if Sage is to not convert groups to Sage roles.

Groups as Resources radio button: Activate radio button if Sage is to convert groups to resources. Do not activate radio button if Sage is to not convert groups to resources.

Generate Sage Role for UACC permission check box: Mark the Generate Sage Role for UACC permission check box to have Sage generate a role for Universal Access (UACC) permission. Clear the check box to prevent Sage from generating a role for Universal Access (UACC) permission.

Add ACL Entities check box: Mark the Add ACL Entities check box to process Application Control Language (ACL) scripts. Clear the check box to prevent Sage from processing Application Control Language (ACL) scripts.

Ignore Revoked Users: Mark the Ignore Revoked Users check box to prevent Sage from processing users that are flagged as Revoked by RACF. Clear the check box to disregard the Revoked Users flag on RACF and have Sage process such users.

Input HR file: Record the name of the file containing supplementary users' data, if any.

Input RACF Download File: A text file that is generated by running the IRRDBU00 Unload utility. The file contains lines that refer to the Users, Groups, Data Set Profiles and General Resource Profiles. These lines will be converted into Sage users, Sage Resources and Sage Roles.

In the example, all input types are located in the same file. Alternatively, input can be divided into separate files depending on line types. This is done mainly for performance purposes.

2. Click Convert to import.

The configuration is created in the target folder but is not automatically

opened by Sage.

3. To open the file, on the menu bar, select File, Open From File.

If any errors result from the import process, then a Sage message

appears. Check any errors in the SageRACFConverterXXX.log file located in

the Sage Logs folder.
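Dividing the IRRDBU00 download by line type, as described above, can be scripted. The following Python example is added here and is not part of the Sage product or this guide; it groups records by the leading record type. The family mapping follows IBM's record numbering (01xx groups, 02xx users, 04xx data sets, 05xx general resources), which this guide does not list, and the sample lines and output file names are constructed.

```python
import os
from collections import Counter

# First two characters of an IRRDBU00 record type -> entity family.
# Mapping taken from IBM's record numbering, not from the Sage guide.
FAMILIES = {
    "01": "groups",
    "02": "users",
    "04": "dataset_profiles",
    "05": "general_resources",
}


def segment_unload(lines):
    """Split unload records by family.

    Returns (segments, type_counts, unclassified): segments maps each family
    name to its records in input order, type_counts counts every 4-character
    record type seen, and unclassified lists the 1-based numbers of lines that
    do not start with a record type from a known family.
    """
    segments = {family: [] for family in FAMILIES.values()}
    type_counts = Counter()
    unclassified = []
    for number, raw in enumerate(lines, start=1):
        record = raw.rstrip("\r\n")
        if not record.strip():
            continue  # blank padding lines are not records
        record_type = record[:4]
        family = FAMILIES.get(record_type[:2])
        if family is None or len(record_type) < 4 or " " in record_type:
            unclassified.append(number)
            continue
        segments[family].append(record)
        type_counts[record_type] += 1
    return segments, type_counts, unclassified


def write_segments(segments, directory):
    """Write one text file per non-empty family; return the file names written."""
    written = []
    for family, records in segments.items():
        if not records:
            continue
        name = f"racf_{family}.txt"  # file name chosen for this example
        with open(os.path.join(directory, name), "w", encoding="utf-8") as handle:
            handle.write("\n".join(records) + "\n")
        written.append(name)
    return written


# Constructed, shortened lines: only the record-type prefix is realistic.
SAMPLE_UNLOAD = [
    "0100 PAYROLL",
    "0200 JSMITH",
    "0205 JSMITH PAYROLL",
    "0400 PAYROLL.MASTER",
    "0404 PAYROLL.MASTER JSMITH READ",
    "0500 SALARY.REPORT FACILITY",
    "REPORT GENERATED BY OPERATOR",
    "",
    "02",
]
```

Lines reported as unclassified should be inspected by hand before the segmented files are given to the converter.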

Export to RACF

Exporting involves the reverse process of importing.

To export data from Sage into RACF

1. Click Export, Export to RACF.

The following window opens:

The following table describes the fields in the Export to RACF window.

In some cases the Export to RACF process only creates partial commands.

This occurs primarily for commands that require the creation of new

accounts. The output cannot be used as is and you must then complete

the missing details in the exported file.

Field: Description

Files

Sage Differences File: Enter the name and folder of the Sage differences file. A Browse button is provided for convenience.

RACF Command File: Enter the name and folder of the RACF command file. A Browse button is provided for convenience.

RACF Restore File: Enter the name and folder of the RACF restore file. A Browse button is provided for convenience.

Show Result file check box: Mark check box to show results file. Unmark check box not to show results file.

Options

Add User, Add Role, Add Resource, Add User-Resource Connection, Add User-Role Connection, Add Role-Resource Connection, Add Role-Role Connection, Remove User, Remove Role, Remove Resource, Remove User-Resource Connection, Remove User-Role Connection, Remove Role-Resource Connection, Remove Role-Role Connection: Mark check box to activate option in RACF export file. Unmark check box not to activate option in RACF export file. Note: Either the Add or Remove check box must be marked but not both.

If a differences file is being used when exporting to RACF, then it will first

have to be generated.

2. Click Convert to export.

MS-SQL Converter

This section provides instructions for importing from an MS-SQL database and

exporting to an MS-SQL database. This option enables user, role and resource

data in an SQL database to be used as data for creating a Sage configuration

for role discovery and audit purposes. When a processed Sage configuration is

exported back to MS-SQL, the configuration is divided into its component parts

in a format that is compatible with MS-SQL. Later, the Role Engineer can make

minor changes directly on the SQL database using the Open from Database

and Save to Database options. See Chapter 5 in the CA Role & Compliance

Manager Sage DNA User Guide.

Import from MS-SQL

To import data from MS-SQL into Sage

1. Click Import, Import from SQL Database.

The following window opens:

2. Fill in the required information, and click Next.

The following table describes how to complete the fields:

Field: Description

Destination Database Type: Only MS SQL is available at this time.

Server: Identify the server from which the data is being imported.

Database: Identify the name of the database that is being imported.

Windows Authentication: Select to use Windows Authentication privileges for the User Name and Password.

Overwrite Database Files: This option is grayed out and is not available when importing files.

User name: Enter the User Name required to log onto the MS SQL Database.

Password: Enter the Password required to log onto the MS SQL Database.

The following window opens:

The following table describes how to complete the fields:

Field: Description

Configuration Files Directory: Enter the configuration name and folder in which the resulting Sage configuration shall reside.

Process Audit Cards: This check box is only available if Sage AuditCards are associated with the configuration. Mark the Process Audit Cards check box: if AuditCards already exist for the configuration that will be receiving the imported data, the existing AuditCards will be processed to verify the status of the previously suspected records. Unmark the Process Audit Cards check box: existing AuditCards will not be processed.

Configuration: Mark the name of the database to which data is being imported. A Browse button is provided for convenience.

3. Specify values and click Next.

4. The import process begins, and a progress bar appears on-screen. When

done, the newly imported configuration can be opened from the target

folder.

Export to MS SQL

To export data from Sage into MS-SQL

1. Click Export, Export to SQL Database.

The following window opens:

The following table describes how to complete the fields:

Field: Description

Configuration Files Directory: Enter the configuration name and folder of the Sage configuration file to be exported. A Browse button is provided for convenience.

Process Audit Cards check box: This check box is only available if AuditCards are associated with the configuration. Mark the Process Audit Cards check box if Sage audit data exists for the configuration and you want the data to reside on the target computer too. Unmark the Process Audit Cards check box if it is not necessary to copy the Sage audit data to the target computer.

Configuration check boxes: Mark the name of the database that is being exported.

2. Click Next to continue.

3. The Choose Destination Database window opens:

The following table describes the fields:

Field: Description

Destination Database Type: Only MS SQL is available at this time.

Server: Identify the server to which the data is being exported.

Database: Identify the name of the database to which the data is being exported.

Windows Authentication: Select to use Windows Authentication privileges for the User Name and Password.

Overwrite Database Files: Mark the check box to overwrite any existing database files. Unmark the check box not to overwrite any existing database files.

User name: Enter the User Name required to log onto the MS-SQL Database.

Password: Enter the Password required to log onto the MS-SQL Database.

Use Bulk Insert: Select Bulk Insert to load the configuration content in bulk. Select Create Local Share for Temporary Files to allow the system to copy the configuration data to a temporary file. Select User Remote Share Directory to specify the location to which configuration data is copied prior to being loaded onto the database.

4. Click Next.

The export process begins, and a progress bar appears on-screen. Refer to

the following window.

5. Click Finish to complete the export process.

The following is a typical set of Sage-compatible SQL files after a Sage

configuration has been exported to MS-SQL.

6. Verify that similar files are present on the target computer after exporting

a configuration.

TIM2Sage Converter

This converter is provided by Eurekify, and uses the TIM Java-based API to

convert TIM privileges data into Sage configurations. The converter maps TIM

users, roles, accounts, provisioning policies, services, and groups, into Sage. It

allows mapping different TIM fields to Sage fields. Once the initial mapping

setup is complete, re-running this interface requires only a few clicks.

Prerequisites

This converter supports the following:

■ IBM TIM versions 4.5 and 4.6

■ WebSphere application server version 5.1 and Java version 1.4.2

■ Run on Windows OS

Importing from ITIM

Importing from ITIM to Sage requires the following steps:

1. Provide information about the TIM and WebSphere environments (kept in

TIM configuration format)

2. Map TIM fields into Sage fields (kept in XML configuration format)

3. Convert to Sage's standard CSV format and then to a Sage configuration

The process for importing from ITIM V4.5 and ITIM V4.6 is identical. However, you must use the import option that is suitable for each version. The following description uses ITIM V4.5. You may also use ready connection and mapping XML files, and run a conversion by clicking the “Convert” button.

To import from ITIM V4.5

1. Click Import, Import from ITIM V4.5.

The ITIM to Sage Converter window opens.

Provide the TIM and WebSphere Connection Details

To provide connection details

1. In the Connection group box, click “Edit” to set the ITIM connection

details.

2. Provide TIM credentials

3. Provide the application server home directory (for example

“C:\IBM\WebSphere\AppServer”)

4. Provide the TIM home directory (for example “C:\IBM\itim”)

5. Provide the location of the file called “jaas_login_was.conf” which is

located under “%itim home%\extensions\examples\apps\bin”.

6. Provide the location of the java executable files (the jar and batch files

received with the converter).

7. Save these parameters in an XML file for reuse.

8. Click Done, then save changes to return to the converter window.

9. Click “Test Connection” to test the TIM connection

To load a previously stored ITIM credentials file

1. Click Itim Connection file, Open.

2. Select the XML file that contains the previously stored ITIM credentials

information:

All Credentials information is reloaded.

3. Click Done, then Save to return to the converter window.

Map TIM Fields into Sage Fields

To map TIM fields to Sage fields

1. In the Mapping group box click Edit to set the mapping details.

2. Click Properties file, Open (lower part of the screen) and select the xml

properties file.

3. Map TIM attributes to Sage fields. Save these settings for reuse.

4. Provide the location of the Sage executable file and a directory for

temporary files.

5. Click Done to return to the converter window, and then click Convert to create the Sage configuration.

To load previously saved information about the field mapping

1. Click Edit Mapping.

2. The Field Mapping window appears:

3. Click Map file, Open (lower part of the screen) and select your previously

saved “xml” map file.

4. Finally, consider enriching the data with a separate HR extract. Use Sage's "Enrich UsersDB" for that purpose.

5. Click Done, then Save to return to the converter window.

Exporting to ITIM

Sage DNA Data Management supports exporting to ITIM Versions 4.5 and 4.6.

Input for the export process is similar to that described for Importing from

ITIM. Exporting to V4.5 and V4.6 is identical other than choosing the

appropriate item from the Export to ITIM menu item. This section uses ITIM

V4.5 to illustrate the export process.

Exporting to ITIM requires the following:

■ Provide information about the TIM and WebSphere environments (kept in

TIM configuration format)

■ Map TIM fields into Sage fields (kept in XML configuration format)

■ Create a Sage Differences file by comparing the original configuration to the modified configuration.

To export to ITIM V4.5

1. Compare the original configuration, created by the import from ITIM to Sage process, to the modified configuration and create a Differences file. The Differences file lists the differences in a form that can be accepted by ITIM.

2. Click Export, Export to ITIM V4.5.

The Sage to ITIM converter opens.

A Connection Details File was created as part of the Import from ITIM

process. In the ITIM Connection section of the window, enter the Path and

Name of the Connection Details File if it exists.

3. If the Connection Details File is missing then click Edit.

The ITIM to Sage Converter window opens.

4. Enter the ITIM Login Details and Java Configuration details.

In the Field Mapping section, enter the Path and Name of the Mapping

Details file if it exists. If you do not have a current Mapping Details File,

click Edit.

The Attribute Mapping window opens.

The Entities Mapping section contains several tabs; Person, Role, Service

and Policy. On each tab map the Sage User Fields to the appropriate TIM

Person Attribute by selecting entries from the TIM Person Attribute and

Sage User Field drop down lists.

5. Click Add to add the selections to the list.

6. On the Policy tab, do the following:

a. Set the Scope from the Scope drop down list

b. Set the Priority level in the Priority edit field.

c. Select the Policy Enabled check box to indicate that the Policy is

enabled.

7. From the Actions to Perform section select the check box for each action

you want to perform during the export process.

8. In the Addition Options section select the checkboxes for any of the

options you want to perform. These include:

■ Force service removal from policies

■ Force removal of linked entities

■ Map app-roles to provisioning policies.

9. In the Map XML File section provide a name for the mapping file and save

the file for future use.

10. Click Done.

You return to the Sage to ITIM converter.

11. In the Source Sage Difference Log section enter the Path and Name of the

Differences Log file created as a result of Compare Configurations process.

12. Click Convert.

A command line window opens and provides information on the converter's progress.

More information:

Map TIM Fields into Sage Fields (see page 58)

Control SA Converter

The Sage-Control-SA Converter provides you with the capability to integrate

Eurekify Sage ERM and Control-SA by automatically synchronizing the

role-based privileges data between the two systems. Using the Sage-Control

SA converter provides a means for you to either import data from Control SA

to Sage or export data from Sage to Control SA. Sage DNA Data Management

supports the import and export between the two systems by either:

■ Entering data in the Sage DNA Data Management GUI

■ Running command line Batch commands.

Sage DNA and Control SA use different but parallel terminology for

components and entities in each of their configurations and files. Use the

following table to familiarize yourself with the terminology used in each

environment for their respective components and entities.

| Sage DNA Terminology | Control SA Terminology |
| --- | --- |
| User | Person |
| Role | Job Code |
| Resource | User Group |

The converter produces an XML file that maps the ESS (Enterprise

SecurityStation) person, job code, profile, groups and accounts entities to

Sage users, role, resource and link entities. This Map xml file is only used as

part of the Import process.

Importing from Control SA to Sage

Importing data from Control SA to Sage is performed as a two step process:

1. Generate ESS data text files for all relevant tables.

2. Convert the text files into a Sage configuration.

Generating ESS Data Text Files

Generating ESS data text files is performed on the ESS system by running the

Batch.sh command on a series of *.inp files, where each inp file contains data

for a specific ESS entity type. Running the Batch.sh command produces a

*.orig file for each of the treated entities in the form of a semicolon separated

text file.

ESS export batch commands include:

■ ess batchrun -A -F2 -i Read_Person.inp -D Person_data -L ';'

■ ess batchrun -A -F2 -i Read_Profile.inp -D Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Group.inp -D Group_data -L ';'

■ ess batchrun -A -F2 -i Read_Profile_Profile.inp -D Profile_Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Group_Profile.inp -D Group_Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Person_Profile.inp -D Person_Profile_data -L ';'

■ ess batchrun -A -F2 -i Read_Person_Group.inp -D Person_Group_data -L ';'

Where each inp file contains the respective ESS command, such as:

■ read_all * from ent_user;

■ read_all * from job_code;

■ read_all * from user_group;

■ read_all * from jc_jc;

■ read_all * from ug_jc;

■ read_all * from user_jc;

■ read_all user_id ug_name rss_name rss_type from ru_ug;

To run the Batch.sh command

1. Make sure you are the ESS owner.

If you are not the ESS owner then edit the Batch.sh file by changing the -A

option as follows:

-U user -P password

2. Run the Batch.sh command.

This should produce 7 text files, one for each entity:

■ Person_data;

■ Profile_data;

■ Group_data;

■ Profile_Profile_data;

■ Group_Profile_data;

■ Person_Profile_data;

■ Person_Group_data

Convert Text Files into Sage Configurations

You convert each of the created text files into Sage configuration files by

running the Import Control SA converter. This is conducted from within

Eurekify SageDNA Data Management.

To convert ESS data text files into Sage Configuration files

1. Make sure that the ESS data text files are transferred to the computer on

which you have installed Sage DNA Data Management.

2. Click Import, Import from Control SA.

The Control SA Convert window opens.

3. In the Input Files group box enter the path and file name for each of the

respective ESS text files.

4. Select the Get orphan accounts as Sage users check box where the

Person-UG Link File contains accounts without associated Users, called

Orphan Accounts, and you want those accounts to be associated to Sage

Users.

5. In the Map Fields group box, enter the Path and Name of the MapXML File

if it exists. If the file already exists then click the Browse button to locate

the file. The Map XML file contains the details that map the attribute

columns in the ESS table files to their respective field columns in the Sage

Configuration file. If you do not have a current Mapping Fields File, click

Edit.

The Field Mapping window opens.

6. The Entities Field group box contains several tabs; User, Role, and

Resource tabs. Each tab lists the entity field names as they appear for

each entity in the Sage configuration.

7. Use the edit field next to each field name to enter the ESS table file

column value that contains data to be matched to the listed Sage field.

8. If the ESS table files contain header lines, then select the Person, job code and group files have header lines check box, and enter the appropriate name for each column in the adjacent edit field. If the ESS table files do not contain header lines, then do not select the check box, and enter the index value (1-based) for the ESS table column that contains the matching data.

9. In the Map xml File group box enter the path and name of the Output map

file. You must include the xml extension as part of the file name.

10. Click Save to save the Map xml file.

11. Click Done to return to Control SA Convert window.

The Map xml file name now appears in the Map XML File field.

12. In the Output Sage Files group box enter the path and file name for each

of the Sage configuration files. One for each of the Configuration entities,

Users DB and Res DB.

13. In the Sage Executable group box enter the location of the Sage DNA Data

Management executable file.

14. Click Save to save the parameters as an XML file, and return to convert the files at a later point.

15. Click Convert to run the converter and produce the Sage configuration

files.

When the conversion process is complete a Done message appears to

confirm successful operation.

16. Click Open to browse and load an XML file containing saved parameters.
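
Step 4 asks whether orphan accounts in the Person-UG link file should become Sage users, and step 8 maps columns by header name or 1-based index. The following Python sketch is an added example, not part of the original guide or of the converter: it reads semicolon-separated exports the same two ways and lists the accounts that have no person, so they can be reviewed before the check box is selected. The sample rows, the Person file's column names, and the rule that an orphan is a link row whose user_id matches no person are assumptions.

```python
import csv
import io

# Constructed sample exports (semicolon separated, as Batch.sh produces).
# PERSON_DATA has a header line; PERSON_GROUP_DATA has none and is assumed to
# follow the column order of
# "read_all user_id ug_name rss_name rss_type from ru_ug".
PERSON_DATA = (
    "user_id;full_name;department\n"
    "335675;Dana Levi;Finance\n"
    "335676;Omar Haddad;IT\n"
)
PERSON_GROUP_DATA = (
    "335675;CN=CLA,OU=SecurityGroups,OU=Groups,DC=com;AD;Win2000\n"
    "335676;CN=Admins,OU=Groups,DC=com;AD;Win2000\n"
    "svc_backup;CN=Admins,OU=Groups,DC=com;AD;Win2000\n"
    ";CN=CLA,OU=SecurityGroups,OU=Groups,DC=com;AD;Win2000\n"
)


def read_table(text, columns, has_header):
    """Read a semicolon-separated export into a list of dicts.

    columns maps a field name to a header name (has_header=True) or to a
    1-based column index (has_header=False), as in the Field Mapping window.
    """
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=";") if r]
    if has_header:
        if not rows:
            raise ValueError("file is empty, expected a header line")
        header = [h.strip() for h in rows.pop(0)]
        missing = [n for n in columns.values() if n not in header]
        if missing:
            raise ValueError("header lacks column(s): %s" % ", ".join(missing))
        index = {f: header.index(n) for f, n in columns.items()}
    else:
        # A 0 here is the classic off-by-one: the mapping is 1-based.
        if any(not isinstance(n, int) or n < 1 for n in columns.values()):
            raise ValueError("column indexes are 1-based integers")
        index = {f: n - 1 for f, n in columns.items()}
    table = []
    for line_no, row in enumerate(rows, start=2 if has_header else 1):
        if max(index.values()) >= len(row):
            raise ValueError("line %d has only %d columns" % (line_no, len(row)))
        table.append({f: row[i].strip() for f, i in index.items()})
    return table


def orphan_accounts(persons, links):
    """Group link rows whose user_id matches no person by (account, RSS)."""
    known = {p["user_id"] for p in persons if p["user_id"]}
    orphans = {}
    for link in links:
        if link["user_id"] not in known:
            key = (link["user_id"] or "<blank>", link["rss_name"])
            orphans.setdefault(key, []).append(link["ug_name"])
    return orphans


def demo():
    persons = read_table(PERSON_DATA, {"user_id": "user_id"}, has_header=True)
    links = read_table(
        PERSON_GROUP_DATA,
        {"user_id": 1, "ug_name": 2, "rss_name": 3, "rss_type": 4},
        has_header=False,
    )
    return orphan_accounts(persons, links)


if __name__ == "__main__":
    for (account, rss), groups in demo().items():
        print("orphan %s on %s -> %s" % (account, rss, "; ".join(groups)))
```

In the constructed data the account svc_backup holds an administrative group with no owner on record, which is the kind of entry to resolve before importing it as a user.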

Executing a Batch Process

You can convert a cluster of ESS text files by running the converter executable from the command line. The input for each set of ESS text files must be saved as a separate XML file. The content of the XML file would appear similar to:

<?xml version="1.0" encoding="utf-8" ?>
<Parm>
  <PersonFile>CT-SA converter\Persons.txt</PersonFile>
  <JCFile>CT-SA convertor\Job_Codes.txt</JCFile>
  <UGFile>CT-SA convertor\UserGroups_all.txt</UGFile>
  <PersonJCFile>CT-SA convertor\Person_JC.txt</PersonJCFile>
  <PersonUGFile>CT-SA convertor\Person_UserGroup.txt</PersonUGFile>
  <JCUGFile>CT-SA convertor\JC_UserGroup.txt</JCUGFile>
  <JCJCFile>CT-SA convertor\JC_JC.txt</JCJCFile>
  <cfgFile>CT-SA convertor\bmc.cfg</cfgFile>
  <udbFile>CT-SA convertor\bmc.udb</udbFile>
  <rdbFile>CT-SA convertor\bmc.rdb</rdbFile>
  <exeFile>C:\Program Files\Eurekify\Eurekify Sage Client Tools V3.0\SOftware\EurekifySageDM-V30.exe</exeFile>
</Parm>

Exporting from Sage to Control SA

Sage DNA Data Management supports exporting to CONTROL-SA via ESS

batch. Exporting to CONTROL-SA requires the following:

■ Generate a Sage diff log file by comparing two Sage configurations. The

diff log must contain all the operations which should be reflected in ESS.

■ Use the export application to generate ESS batch text files.

■ In ESS run the generated files and perform all operations.

To export to Control SA

1. Compare the original configuration, created by the import from CONTROL-SA to Sage process, to the modified configuration and create a Differences file.

2. Click Export, Export to Control SA.

The Control SA Export window opens.

3. In the Sage Diff File group box provide the path and name of the Sage Diff

log file.

4. In the Output group box provide the location for creating the desired

target ESS batch file.

5. Optionally, mark the "Generate temp Job Codes" check box to reflect Sage

direct user-resource links as temporary job codes (profiles) in ESS. If this

check box is not marked direct user-resource links will not be loaded to

ESS.

6. Click Save to save these parameters as an XML file.

7. Click Open to browse for a saved XML file and populate the window with

the parameters saved in the selected XML file.

8. Click Convert to execute the conversion process and produce ESS

formatted command file.

A Done message appears to indicate the process was successfully

completed.

9. Execute the generated command file in ESS to reflect the operations.

Generated Commands

The following list includes some examples of the ESS commands generated by

the converter.

Create a new role:

INSERT job_code WITH jc_name="Sage Role 1002";

Link a user to the role:

CONNECT ent_user TO job_code WITH jc_name="Sage Role 1002", user_id="335675";

Link a user group (resource) to the role:

CONNECT user_group TO job_code WITH jc_name="Sage Role 1002",

ug_name="CN=CLA,OU=SecurityGroups,OU=Groups,DC=com", rss_name="AD", rss_type="Win2000";

Executing Difflog Conversion to ESS Batch Run Commands

From a Windows command line, execute the program:

CSAExport.exe <XML parameters file>

The <XML parameters file> can be created by a text editor, or saved to a file

from the CSAExport.exe GUI. For example:

<?xml version="1.0" encoding="utf-8"?>

<Parm>

<DiffFile>C:\Eurekify\test\difflog-Ilan.txt</DiffFile>

<OutputFile>C:\Eurekify\test\ilan.txt</OutputFile>

<GenJC>True</GenJC>

</Parm>

To execute the export as a batch, run the following command line:

ess batchrun -A -i Sage.inp
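
Because the generated file changes role memberships when ESS executes it, it is worth summarising what it will grant before running it. The following Python sketch is an added example, not part of the original guide or of the converter: it parses only the three statement forms shown under Generated Commands and sends anything else to manual review. The existing_roles parameter and the last two sample statements are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The first three statements are the examples printed in this guide; the last
# two are constructed here to exercise the checks ("FROB" is not a real
# command, and "Sage Role 7777" is never created in this file).
SAMPLE = '''INSERT job_code WITH jc_name="Sage Role 1002";
CONNECT ent_user TO job_code WITH jc_name="Sage Role 1002", user_id="335675";
CONNECT user_group TO job_code WITH jc_name="Sage Role 1002",
ug_name="CN=CLA,OU=SecurityGroups,OU=Groups,DC=com", rss_name="AD", rss_type="Win2000";
CONNECT ent_user TO job_code WITH jc_name="Sage Role 7777", user_id="335675";
FROB job_code WITH jc_name="x";
'''

INSERT_RE = re.compile(r'INSERT\s+(\w+)\s+WITH\s+(.+)')
CONNECT_RE = re.compile(r'CONNECT\s+(\w+)\s+TO\s+(\w+)\s+WITH\s+(.+)')
PAIR_RE = re.compile(r'\s*(\w+)\s*=\s*"([^"]*)"\s*(?:,|$)')


def split_statements(text):
    """Split on ';' outside double quotes; a statement may span lines."""
    out, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            out.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    out.append(''.join(buf))  # text after the last ';' (normally empty)
    return [' '.join(s.split('\n')).strip() for s in out if s.strip()]


def parse_attrs(s):
    """Parse key="value" pairs; commas inside quotes belong to the value."""
    attrs, pos = {}, 0
    while pos < len(s):
        m = PAIR_RE.match(s, pos)
        if not m:
            raise ValueError('unparsable attribute list: %r' % s[pos:pos + 30])
        attrs[m.group(1)] = m.group(2)
        pos = m.end()
    return attrs


def review(text, existing_roles=()):
    """Return (grants, findings) for a generated ESS command file."""
    grants = defaultdict(lambda: {'users': set(), 'groups': set()})
    created, findings = set(), []
    for stmt in split_statements(text):
        try:
            m = INSERT_RE.fullmatch(stmt)
            if m and m.group(1) == 'job_code':
                created.add(parse_attrs(m.group(2))['jc_name'])
                continue
            m = CONNECT_RE.fullmatch(stmt)
            if m and m.group(2) == 'job_code':
                a = parse_attrs(m.group(3))
                role = a['jc_name']
                if m.group(1) == 'ent_user':
                    grants[role]['users'].add(a['user_id'])
                elif m.group(1) == 'user_group':
                    grants[role]['groups'].add(
                        (a['ug_name'], a['rss_name'], a['rss_type']))
                else:
                    raise ValueError('unknown entity ' + m.group(1))
                continue
            raise ValueError('unrecognised statement form')
        except (ValueError, KeyError) as exc:
            findings.append('manual review: %s (%s)' % (stmt, exc))
    # Links to a role that is neither created here nor already known.
    for role in sorted(set(grants) - created - set(existing_roles)):
        findings.append('link to role not created here or known: ' + role)
    return dict(grants), findings


if __name__ == '__main__':
    grants, findings = review(SAMPLE)
    for role, g in sorted(grants.items()):
        print(role, 'users:', sorted(g['users']), 'groups:', sorted(g['groups']))
    for f in findings:
        print('FINDING:', f)
```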

SAP to Sage Converter

The SAP to Sage converter extracts data that is housed in SAP tables and

deposits the data in the various Sage Databases according to the Mapping

scheme that you select in the SAP to Sage Converter.

Mapping SAP Data to Sage

The SAP tables and fields used by the SAP to Sage converter are listed:

| SAP Table | SAP Fields |
| --- | --- |
| USR02 | mandt, bname |
| AGR_AGRS | mandt, agr_name, agr_child |
| AGR_USERS | mandt, agr_name, bname, to_dat, col_flag |
| AGR_1251 | mandt, agr_name, object, auth, field, low, high, deleted |
| AGR_1252 | mandt, agr_name, varbl, low, high |

Note: Low values in the AGR_1251 table can be represented by variables. In

such instances the variable references Low and High values that are contained

in the AGR_1252 table.

We recommend that you do not trim the tables to remove fields that are not

necessary, since additional fields may be needed in future versions.

The current converter supports several mapping schemes. These are:

■ Map roles to resources

■ Map field values to resources

■ Map authorization objects as resources

■ Map object as roles, field values as resources

Map Roles to Resources

The Map Roles to Resources mapping scheme takes SAP Roles and maps them

to SAGE ERM resources. The SAP role information is taken from the following

SAP tables:

■ USR02 - holds a list of system users

■ AGR_AGRS - links composite roles to their child simple roles

■ AGR_USERS - links users to roles (both composite and simple)

This table shows the relationship between Sage Database entities and their

respective source Table and Fields in a generic SAP database.

| Sage Entities and Links | SAP Table | SAP Fields |
| --- | --- | --- |
| Users | USR02 | bname |
| Resources | AGR_AGRS | agr_child |
| Roles | AGR_AGRS | agr_name |
| User-Role links | AGR_USERS | bname, agr_name |
| Role-Resource links | AGR_AGRS | agr_name, agr_child |
| User-Resource links | AGR_USERS | bname, agr_name (only simple roles) |
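
The Map Roles to Resources table above can be read as a set of queries against the imported SAP tables. The following Python sketch is an added example, not the converter's own code: it runs those queries over constructed rows in an in-memory SQLite database, restricted to one MANDT value so that clients are not mixed. It assumes that a role is composite when it appears as agr_name in AGR_AGRS, that user-role links are taken for composite roles, and that any other assigned role is treated as simple, which the guide gives as the default.

```python
import sqlite3


def load_sample():
    """Constructed rows for two SAP clients (mandt 100 and 200)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USR02 (mandt TEXT, bname TEXT);
        CREATE TABLE AGR_AGRS (mandt TEXT, agr_name TEXT, agr_child TEXT);
        CREATE TABLE AGR_USERS (mandt TEXT, agr_name TEXT, bname TEXT,
                                to_dat TEXT, col_flag TEXT);
        INSERT INTO USR02 VALUES
            ('100','ALICE'), ('100','BOB'), ('200','CAROL');
        INSERT INTO AGR_AGRS VALUES
            ('100','Z_FIN_ALL','Z_FIN_AP'), ('100','Z_FIN_ALL','Z_FIN_AR'),
            ('200','Z_HR_ALL','Z_HR_PAY');
        INSERT INTO AGR_USERS VALUES
            ('100','Z_FIN_ALL','ALICE','99991231',''),
            ('100','Z_FIN_AP','BOB','99991231',''),
            ('100','Z_AUDIT','BOB','99991231',''),
            ('200','Z_HR_ALL','CAROL','99991231','');
    """)
    return db


# Assumption: composite roles are those that appear as a parent in AGR_AGRS.
COMPOSITE = "SELECT agr_name FROM AGR_AGRS WHERE mandt = :m"


def map_roles_to_resources(db, mandt):
    """Derive Sage entities and links for one client (MANDT value)."""
    def rows(sql):
        # mandt is always bound as a parameter, never pasted into the SQL.
        return db.execute(sql, {"m": mandt}).fetchall()

    def column(sql):
        return [r[0] for r in rows(sql)]

    return {
        "users": column(
            "SELECT DISTINCT bname FROM USR02 WHERE mandt = :m ORDER BY 1"),
        "roles": column(
            "SELECT DISTINCT agr_name FROM AGR_AGRS WHERE mandt = :m ORDER BY 1"),
        "resources": column(
            "SELECT DISTINCT agr_child FROM AGR_AGRS WHERE mandt = :m ORDER BY 1"),
        "role_resource": rows(
            "SELECT DISTINCT agr_name, agr_child FROM AGR_AGRS "
            "WHERE mandt = :m ORDER BY 1, 2"),
        "user_role": rows(
            "SELECT DISTINCT bname, agr_name FROM AGR_USERS WHERE mandt = :m "
            "AND agr_name IN (" + COMPOSITE + ") ORDER BY 1, 2"),
        # Roles outside the hierarchy (Z_AUDIT below) fall through as simple.
        "user_resource": rows(
            "SELECT DISTINCT bname, agr_name FROM AGR_USERS WHERE mandt = :m "
            "AND agr_name NOT IN (" + COMPOSITE + ") ORDER BY 1, 2"),
    }


if __name__ == "__main__":
    for name, value in map_roles_to_resources(load_sample(), "100").items():
        print(name, value)
```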

Map Field Values to Resources

The Map Field Values to Resources mapping scheme takes SAP Objects and

Fields and maps them to Sage ERM resources. The SAP role information is

taken from the following SAP tables.

| Sage Entities and Links | SAP Table | SAP Fields |
| --- | --- | --- |
| Users | USR02 | bname |
| Resources | AGR_1251 | object, field, low, high |
| Roles | AGR_AGRS | agr_name |
| User-Role links | AGR_USERS | bname, agr_name |
| Role-Resource links | AGR_1251 | agr_name, object, field, low, high |
| Role-Role links (Hierarchy) | AGR_AGRS | agr_name, agr_child |

Map Authorization Objects as Resources

The Map Authorization Objects as Resources mapping scheme takes SAP Authorization Objects and maps them to Sage ERM resources. The mapping scheme only imports the fields that are selected in the FieldsForm window in the SAP to Sage converter.

| Sage Entities and Links | SAP Table | SAP Fields |
| --- | --- | --- |
| Users | USR02 | bname |
| Resources | AGR_1251 | auth, object, field, low, high |
| Roles | AGR_AGRS | agr_name |
| User-Role links | AGR_USERS | bname, agr_name |
| Role-Resource links | AGR_1251 | agr_name, auth, object, field, low, high |
| Role-Role links (Hierarchy) | AGR_AGRS | agr_name, agr_child |

AGR_1251 specifies role Authorization Objects with fields and values.

Map Object as Roles and Fields as Resources

The Map Object as Roles and Fields as Resources mapping scheme maps SAP

Objects to Sage Roles, and maps SAP fields as Sage Resources.

| Sage Entities and Links | SAP Table | SAP Fields |
| --- | --- | --- |
| Users | USR02 | bname |
| Resources | AGR_1251 | Combinations of field, low, high values |
| Roles | AGR_1251 | object |
| User-Role links | AGR_USERS, AGR_1251 | bname, object |
| Role-Resource links | AGR_1251 | object, mixed field, low, high |

AGR_1251 specifies role Authorization Objects with fields and values.

Running the SAP to Sage Converter

To load SAP privileges data into a Sage configuration

1. Create a new database in your MS-SQL Server for the purpose of

importing SAP authorization information into Sage ERM.

2. Import the SAP tables into the new database.

The relevant tables are: USR02, AGR_AGRS, AGR_USERS, AGR_1251,

AGR_1252 and their names must be identical to those written here.

3. Click Import, Import from SAP.

The following window appears:

4. In the Server Name text field, insert the name of the MS-SQL server you are using.

5. In the DataBase Name text field, insert the name of the database you are

using for the SAP data.

6. Click Test Connection to verify that the connection details are valid.

7. In the MANDT Value text field, enter the MANDT identifier value for the

SAP environment that you wish to convert. If you do not know the value

contact your SAP administrator.

8. Choose the type of Mapping to use from the available mapping scheme

options.

9. If you select Map authorization objects as resources click Choose Fields.

The FieldsForm window opens.

10. Select which fields should be used to generate Sage resources.

11. If you have separate tables in the database that contain the lists of simple

and/or composite roles then enter their names in the respective Simple

Role Table and Composite Role Table text fields. The table must only

contain the role name as its data.

12. Select the respective check box if you have roles linked to either Users or

Authorization Objects (AO) that do not appear in the role hierarchy.

In these cases, the converter will not be able to tell whether they are

simple or composite. You may choose how to treat them. The default is to

treat them as simple roles.

13. In the Target Configuration field enter the Path and Filename to be used for the Target Sage configuration file. Click Browse to locate the Path.

14. In the Target Users DB field enter the Path and Filename to be used for

the Target Sage Users Database file. Click Browse to locate the Path.

15. In the Target Resource DB field enter the Path and Filename to be used for

the Target Sage Resource Database file. Click Browse to locate the Path.

16. Click “Convert” and wait for the completion message (it may take a while).

Generic LDIF to Sage Converter

This converter is provided by Eurekify, and retrieves data from a given LDIF file. The converter allows mapping different attributes of LDIF objects to Sage fields. Once a map has been designed, it can easily be rerun on the same file or on other LDIF files to produce Sage configurations.

To start an LDIF conversion

1. Click File, Import From External Sources, Import from LDIF File.

The following window appears.

2. Specify the LDIF file to convert and the target Sage configuration files to

be created.

If you have a ready LDIF-Sage map xml file you may supply it as well.

3. Click Start to execute the conversion. Otherwise click Edit Mapping and get

the following screen:

The mapping allows 3 views of LDIF objects.

Map an LDIF object to a Sage entity

The object may either be a user, a role or a resource. In order to

perform the mapping, choose both object and entity and click “Add”.

After choosing a Sage entity for a specific object an attribute mapping

is required. Select attributes for the relevant Sage fields and click

“Set” to add them to the mapping list. You may also map Sage fields

to an OU of the object or to a constant text.

Link Sage entities based on LDIF object attributes

When an LDIF object has an attribute pointing to another object this

link may be reflected in the Sage configuration. Select the source and

destination objects and choose the attributes of the objects that should

match. Click “Add / Set” to add the selected mapping to the list.

Link Sage entities based on attributes of an LDIF object

When an LDIF object represents a link between two other objects this

link may be reflected in the Sage configuration. Choose the object

representing the link and select the source and destination attributes

from the object attributes. For both source and destination attributes

select which field of which entity they should match. Click “Add / Set”

to add the selected mapping to the list.

4. At any stage of the mapping, click Show Example to view an example of the attributes of the selected object. This is designed to assist you when choosing attribute mappings.

A complete mapping should resemble the following:

5. After you finish mapping all relevant data click Save to save the mapping

to an xml file and return to the conversion window. This mapping may be

edited in the future.

6. When you are pleased with the mapping click Start to perform the actual

data conversion and open the generated Sage configuration.

Import from TSS

CA Top Secret (TSS) is a security component for IBM mainframe computers

that works together with the existing operating system to provide system

security, resource access control, auditability, accountability and

administrative control. As such, it is the main repository for users, roles and

resources data on mainframe computers.

The main input to the Sage TSS import option requires downloading access data from TSS by generating a TSS List File, and transferring the generated text file to a location on the Windows system to which Sage has access. It is also possible to add enriched data about user attributes (for example, from the human resources department database).

The output is a Sage configuration, with TSS profiles appearing as Sage roles

and with TSS groups appearing as Sage resources.

To import data from TSS into Sage

1. Create a TSS List File on the mainframe and transfer the file to a location

that can be accessed by your Windows system.

2. Click Import, Import from TSS.

The following window shows the TSS import window already completed:

The following are instructions for filling in the fields:

Sage Files

| Field | Description |
| --- | --- |
| Sage Configuration File | Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience. |
| Users Database | Enter the name and folder of the target Sage users database. A Browse button is provided for convenience. |
| Resources Database | Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience. |

Options

| Field | Description |
| --- | --- |
| TSS List File | Enter the name and folder of the file generated using the TSS LIST(ALL) command. The file is generated on the TSS computer and then transferred to the computer on which Sage DNA Data Management is installed. |
| Profiles as Roles | Activate radio button if Sage is to convert TSS Profiles to Sage roles. Do not activate radio button if Sage is to not convert TSS Profiles to Sage roles. |
| Groups as Resources | Activate radio button if Sage is to convert groups to resources. Do not activate radio button if Sage is to not convert groups to resources. |
| TSS List File | Enter the path to the TSS list file copied to your Windows system. |
| Add ACL Entities | Mark Process Audit Cards check box to process Application Control Language (ACL) scripts. Unmark Process Audit Cards check box not to process Application Control Language (ACL) scripts. |
| Supplementary HR file | Record the name of the file containing supplementary users data, if any. |

3. Fill in the fields in the Importing window.

4. Click Convert to import.

If any errors result from the import process, then a Sage message

appears.

5. Check any errors in the SageTSSConverterXXX.log file located in the Sage

Logs folder.

The configuration is created in the target folder but is not automatically

opened by Sage.

Import from UNIX

The UNIX to Sage converter accepts UNIX IDM files and converts them into

Sage formatted CSV files which can then be transformed into or incorporated

in a Sage configuration. The UNIX Group and Password files serve as input for

the conversion process. You must transfer these source files to a location on

your Windows system that can be accessed by Sage.

To import data from UNIX into Sage

1. Transfer the UNIX Group and Password files to a location on the Windows

system.

2. Click Import, Import from UNIX.

The Unix to Sage Converter window opens.

3. In the Source Unix Files section, enter the location of the UNIX password

and group files.

4. In the Target Sage Files section click Browse to select the target Sage files

to be generated. You must generate a Configuration file, Users file and

Resources file.

5. To treat the UNIX groups as Sage resources select the Groups as

Resources check box.

6. Click Convert to initiate the conversion process and create the Sage

configuration files.

The configuration is created in the target folder but is not automatically

opened by Sage.

Import Windows Shared Folder

Eurekify's customers are often interested in mapping privileges at a finer level of granularity than that provided by most IdM tools, that is, below the level of groups and/or profiles. This converter provides this granularity for Windows environments by scanning Windows servers for shared folders, and mapping access rights for those shares to the relevant domain groups and users.

The converter relies on Eurekify's Active Directory (AD) converter to bring in

AD groups, possibly from multiple AD servers and domains, and users. The

converter uses agent-less Windows WMI technology to scan a range of

Windows computers and import their shares as resources. It then links them

to the above AD users and AD groups (imported as Sage roles).

Mapping Windows Share Data to Sage

The scanner connects with each of the machines defined by the user and

queries it for shares. All the acquired shares are translated to Sage resources,

detailing computer name, share name, and access level. For each share, all

permissions are obtained and are translated to Sage user and role links with

resources (the resources being shares). Different access levels of different

users are reflected as separate resources.

To import data from Windows Shared Directories into Sage

1. Click Import, Import from Active Directory.

The Connect Active Directory window opens.

2. Set the Credentials and Output Files fields.

3. Click Next to advance to the next step in the wizard.

4. In the Search Active Directory Objects step, select the All Groups as Roles

option from the Groups as Roles section.

5. Complete the Wizard and generate an Active Directory configuration. This

will serve as Sage Configuration input in the Windows to Sage converter.

6. From the Import menu select Import Windows Shared Directory.

The Windows to Sage Converter opens.

7. In the Original Sage AD Configuration section enter the Path and File name

for the Active Directory configuration that you created.

8. From the Windows Share Scan section, click Scan Shares.

The Scan Windows Shares window opens.

9. In the Credentials section, enter a domain administrator User Name and Password. You can instead enter the credentials of any other user that has permissions to use WMI on the target systems.

10. In the Machines to Scan section, enter the IP ranges to be scanned by entering each IP address range and clicking Add. Alternatively, you can add pattern-based computer names by selecting the Computer Name by AD filter check box and entering a filter and an AD Server in the respective text boxes.

11. In the Target Share Files section, enter file names for the Shares Resource

File and Shares Links File text boxes.

12. Click Scan to perform the scan.

A progress bar appears. Wait for it to finish.

13. Click Close and return to the Windows to Sage Converter window.

14. In the Target Save Configuration section, enter the Path and File name for

the Target Configuration file.

15. Click Merge and wait until the Done message appears.

The new Sage configuration is then ready for use.

More information:

Export Active Directory (see page 41)

BMC Identity Manager Open Services

This converter maps ESS Persons, Profiles (job codes), Groups and Accounts,

into Sage Users, Roles, Resources and Links.

Importing from BMC Identity Management

To import from BMC Identity Management to Sage

1. Click Import, Import from BMC Identity Manager(OpenServices).

2. Fill in the BMC Identity Management convert (Import) Window.

■ If the files defaultConnection.xml and defaultMapping.xml exist in the Sage home directory, form values are automatically loaded from the XML file.

■ XML files must be saved before the import process can be performed.

3. In the Input Details group provide the JBoss Input Detail connection

parameters.

4. Click Test Connection to test the connection parameters.

5. Pre-saved parameters can be loaded from an XML file. If the file defaultConnection.xml exists in the Sage home directory, connection values are automatically loaded from the XML file.

6. In the Map Fields group, enter the path and directory of the map XML file, if it exists, in the Map XML File text field.

Pre-saved parameters can be loaded from an XML file. If file

defaultMapping.xml exists in the Sage home directory, mapping values will

automatically be loaded from the xml file.

7. If the file does not exist click Edit in the Map Fields group.

The Field Mapping window opens.

8. Fill in the Field Mapping window as indicated.

If the Input details were entered correctly, the drop-down list values are available.

9. Save your changes and click Done.

The window closes and you return to the BMC Identity Manager window.

10. In the Output Sage Files group enter the target address for the Sage

output configuration files. These include the configuration, Users Database

and Resources Database (cfg, udb and rdb).

11. In the Sage Executable group enter the directory and path to the Sage

Data Management executable file.

12. Click Start Import to initiate the import process.

Exporting to BMC Identity Management

Sage DNA Data Management supports exporting to BMC Identity Management.

Exporting to BMC Identity Management requires the following:

■ Generate a Sage diff log file by comparing two Sage configurations. This

diff log should contain all the operations which will be reflected in ESS.

■ Use the BMC Identity Manager convert (Export) application to perform the

changes.

To export to BMC Identity Management

1. Compare the original configuration, created by the import from BMC Identity Management to Sage process, with the modified configuration, and create a Differences file.

2. Click Export, Export to BMC Identity Manager (OpenServices).

The BMC Identity Management Convert (Export) window opens:

3. In the Input Details group enter the connection details. We recommend

that you use the connection XML file that was used during the import

process.

4. In the Map Fields group, enter the mapping field details. If you use the Map XML File that was used for the import process, the details are extracted from the file and the relevant fields in the Map Fields window are automatically populated. Otherwise, click the Edit button and enter the details manually.

5. In the Sage Diff Log group enter the directory and path to the Sage Diff

log file that you created.

6. Click Start Export to start the export process.

A Done message appears to report the completion of the convert process.

Oracle Identity Manager

The Oracle Identity Manager Converter provides you with the capability to

integrate Eurekify Sage ERM and Oracle Identity Manager by automatically

synchronizing the role-based privileges data between the two systems.

Using the Sage-Oracle Identity Manager Converter you map Oracle Identity

Manager Users, User Groups/Access Policies and Resources Objects to Sage

users, roles, resources and links.

Updating Oracle Identity Manager Client JARs

The first time you run the Oracle Identity Manager (OIM) converter you must

update the converter with OIM client jars.

To update the Oracle Client JARs

1. Click Import, Import from Oracle Identity Manager.

The Oracle Identity Management window opens.

2. Click Update Oracle Client Jars.

The Update OIM Client Jars window opens. The window displays a list of

Jar files for Lib directory, Ext directory and Config directory. Use the

Browse for Directory buttons to locate the associated Oracle Client

directories. These are usually located in the following path <oracle client

install dir>\xlclient.

3. Click Browse for lib directory.

A Browse for Folder window opens.

4. Navigate to, and select the lib folder. Click OK.

5. Repeat the browse and select process for each of the ext and config

directories.

6. Once the location is provided for each folder the Update Jars button

becomes available.

7. Click the Update Jars button to start the update.

When the update is complete the message in the Status box reads Found

all needed files and the updated files for each directory appear with a

Check mark in the adjacent check box.

8. Click Done.

The Update OIM Client Jars window closes and the converter is now ready

to import files.

Importing from Oracle Identity Manager

Importing from the Oracle Identity Manager is performed using the

Sage-to-Oracle Identity Management converter. The process includes:

■ Providing Connection details.

■ Mapping Oracle Identity Manager Users, User Groups/Access Policies and

Resources Objects to their respective Sage entities - users, role, resources

and links.

■ Providing the location for the Sage Output files

■ Providing the location for the Sage Executable file.

Sage DNA and Oracle Identity Manager use different but parallel terminology

for components and entities in each of their configurations and files. Use the

following table to familiarize yourself with the terminology used in each

environment for their respective components and entities.

| Sage DNA Terminology | Oracle Identity Manager Terminology |
|---|---|
| User | User |
| Role | User Groups/Access Policies |
| Resource | Resource Objects |

The converter produces an XML file that maps the Oracle Identity Manager

User, User Groups/Access Policies and Resource Objects to Sage users, role,

resource and link entities. This Map xml file is used as part of the Import

process and can later be used as part of the Export process.

To import from the Oracle Identity Manager

1. Click Import, Import from Oracle Identity Manager.

The Oracle Identity Management window opens.

2. In the Connection Details area enter the values for each field to match

those used on the Oracle Identity Management server.

3. In the Connection Details XML File text box enter the file path and name

for the Connection Details XML file and click Save to save the location of

the Connection Details XML file. If an XML file containing the connection

details already exists then click Open and browse for the file location.

By default, Sage searches for a Connection Details XML file called

defaultSettings.xml located in the <Sage home directory>\OIMConvert. If

the file exists then Sage automatically loads the connection values into the

Connection Details fields.

Once all the connection details are entered the Test Connection button is

enabled.

4. Click Test Connection to validate the values.

If the test is successful a Test Connection Succeeded message is displayed

and the Edit button in the Map Fields group box and the Start Import

button are both enabled.

5. In the Map Fields area click Edit to open the Field Mapping window. For

each of the Sage User, Role and Resource entities listed in the Field

Mapping window provide the value for their respective entities on the

Oracle Identity Manager server.

6. In the Map xml File group box enter the path and name of the Output map

file. You must include the xml extension as part of the file name.

7. Click Save to save the Map xml file.

8. Click Done to return to Oracle Identity Management converter window.

The Map xml file name now appears in the Map XML File field.

By default, Sage searches for a Map XML file called defaultMapping.xml in <Sage home directory>\OIMConvert. If the file exists, Sage automatically loads the mapping values contained in that file.

9. In the Output Sage Files area enter the path and file name for each of the

Sage configuration files. One for each of the Configuration, Users DB and

Resource DB files.

10. In the Sage Executable group box enter the location of the Sage DNA Data

Management executable file.

11. Click Start Import to run the converter and produce the Sage configuration

files.

Once the conversion process is complete a Done message appears to

confirm successful operation.

Exporting from Sage to Oracle Identity Manager

Sage DNA Data Management supports exporting to Oracle Identity Manager via the Oracle Identity Management Convert (Export) application.

Exporting to the Oracle Identity Manager requires that you:

■ Generate a Sage diff log file by comparing two Sage configurations. The

diff log must contain all the operations which should be reflected in Oracle

Identity Manager.

■ Use the Oracle Identity Management Convert (Export) application to perform the changes.

To export to Oracle Identity Manager

1. Compare the original configuration generated from the Import from Oracle

Identity Manager to Sage process, to the modified configuration and create

a Differences log file.

2. Click Export, Export from Oracle Identity Manager.

The Oracle Identity Management Convert (Export) window opens:

3. In the Connection Details area enter the values for each field to match

those used on the Oracle Identity Management server. We recommend

that you use the Connection Details XML file to automatically load the

values that were used during the import process. Click Open to navigate to

the previously saved Connection Details XML file.

4. If the NIST style roles to user groups and access policies check box is

checked then roles that are not marked as Access policies [AP] and

connected to resources will be connected to the resources via an access

policy. For example, if the role Role1 is asked to be connected to Res1, a

new Access Policy Role1 will be created. This policy will have Role1 as a

member and will entitle access to Res1.

5. In the Map Fields area click Browse to navigate and select the Map XML file

that was used during the import process.

6. In the Sage Diff Log area provide the Path and Name of the Sage Diff Log

that you generated for the two configuration files.

7. Click Start Export to run the export converter.

If the export process identifies unsupported Oracle Identity Manager

requests, a window appears listing the identified errors.

8. Click No to cancel the export process, or click Yes to continue the export

process while disregarding the errors.

Chapter 4: Management Menu

Changes to user data occur continually on the HR system. To maintain the Users, Roles and Resources relationship, you can enrich the Sage User and Resource databases by incorporating the latest HR Users and Resource data. The HR data is used as input for the Sage Pattern Based Audit, Sage role engineering and Sage compliance.

This section contains the following topics:

■ Enrich Users Database

■ Enrich Resource Database

■ Preserving Columns During Enrichment

■ Sage Database Utility

Enrich Users Database

The Sage DNA Data Management application expects to receive the supplementary HR data, which is to be merged with the existing users database, as a CSV-formatted file. The first column of the supplementary HR data file must contain the unique Person ID. The type of Person ID used in the HR file must match the type of Person ID used in the Sage users.UDB file. For example, if the value for the Person ID in the UDB file is taken from the Users Login Account, then the HR file should also take the Person ID from the Users Login Account.

■ For every Person ID in the Sage UDB file that has a matching Person ID in

the HR file, Sage replaces the record in the UDB file with the record taken

from the HR file.

■ The resulting Output Users Database contains the same number of records, arranged in the same order, as the original Sage UDB file.

To enrich a users database

1. Click Management, Enrich Users DB.

The Sage HR Data Merge Converter window opens.

2. In the Users Database text field, enter the path and name of the Sage

Users database that is to receive the supplementary HR data.

3. In the Supplementary HR File text field, enter the path and name of the

file containing the supplementary HR data.

4. In the Output Users Database text field, enter the path and name of the resulting database file that contains the merged output.

5. From the Options group box, select any of the options that are relevant.

The following table describes the options:

| Option | Description |
|---|---|
| Person ID Is Case Sensitive | Select to take case into consideration. |
| Clear Fields that are empty in the HR file | Select to overwrite fields in the UDB with empty data if such a field exists in the HR file. Clear the option to disregard empty fields in the HR file and keep the existing content in the UDB. |
| Clear Fields of the UDB users that were not found in the HR file | Select to delete content from UDB user fields, if a user by the same name does not exist in the HR file. Clear the option to keep user information in the UDB even if the user does not exist in the HR file. |

6. Click Enrich.

A new Sage users database is generated and saved in the specified

location.

Enrich Resource Database

For each set of resources, R1, R2, R3 in the Sage RDB file that has a matching

set of resources in the supplementary resource database file, Sage replaces

the record in the RDB file with the record taken from the supplementary

resource database file.

To enrich a resource database

1. Click Management, Enrich Resource DB.

The Sage HR Data Merge Converter window opens.

2. In the Resource Database text field, enter the path and name of the Sage

Users database that is to receive the supplementary HR data.

3. In the Supplementary Resource DB File text field, enter the path and name

of the file containing the supplementary HR data.

4. In the Output Resource Database text field, enter the path and name of the resulting database file that contains the merged output.

5. Click Enrich.

A new Sage Resource database is generated and saved in the specified

location.

Preserving Columns During Enrichment

During the enrichment process, the original records in both the Sage Users databases and Resource databases are overwritten with the data from the supplementary HR files. The order in which data is arranged in the Sage databases will be lost if the order of data arrangement in the supplementary HR files differs from that in the Sage database.

If need be, you can preserve the arrangement and content of any column in

the source file by modifying the supplementary HR file before performing the

enrichment process. To prevent any column from being overwritten you must

place an empty column in the parallel position in the supplementary HR file.

The following illustration represents the arrangement and content of a Sage

Users Database:

The following illustration represents the arrangement and content of the

Supplementary HR File.

Notice the following:

■ The column order in the Sage User Database is Person ID, UserName, and Title.

■ The column order in the supplementary file is Person ID, UserName, OrgName, OrgType, …

In this scenario when the two files are merged, the Title entry for each record

in the Sage User Database would be overwritten by the OrgName entry from

each record in the Supplementary HR File. The Title column is the 3rd column

in the Sage Users Database.

To prevent the Title column from being overwritten, an empty column must be placed in the 3rd position in the Supplementary HR file. This is done by placing an additional comma as a placeholder in each record of the supplementary file at the position you want to preserve in the Sage Users Database.

The following illustrates how the Supplementary HR File in the above scenario

is modified to prevent the entries in 3rd column of the Sage Users Database

from being overwritten.

In the figure, two commas signifying an empty column now appear in each record between the original 2nd and 3rd columns, UserName and OrgName respectively.
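The positional merge and the placeholder-column technique described above, modelled in Python as an added example (not Sage's own code). The function names, option flags and sample records are constructed for illustration; case-insensitive matching by default and keeping the UDB spelling of the Person ID are assumptions. Following the options table, the model also shows that the empty placeholder protects a column only while the Clear Fields that are empty in the HR file option is cleared.

```python
import csv
import io

# Constructed sample data (not taken from the guide's figures).
# Sage Users Database columns: Person ID, UserName, Title
UDB_CSV = """\
jsmith,John Smith,Analyst
mlee,Mei Lee,Engineer
rdiaz,Rosa Diaz,Manager
"""

# Supplementary HR file as first prepared: Person ID, UserName, OrgName, OrgType
HR_NAIVE_CSV = """\
JSMITH,John Smith,Finance,Department
mlee,Mei Lee,Research,Department
"""

# Same HR file with an empty placeholder in position 3 to protect Title
HR_PADDED_CSV = """\
JSMITH,John Smith,,Finance,Department
mlee,Mei Lee,,Research,Department
"""


def parse_csv(text):
    """Parse CSV text into a list of rows, skipping blank lines."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def enrich(udb_rows, hr_rows, *, case_sensitive=False,
           clear_empty=False, clear_missing=False):
    """Model of the enrichment merge: column N of an HR record overwrites
    column N of the UDB record with the same Person ID (first column).

    clear_empty   models "Clear Fields that are empty in the HR file".
    clear_missing models "Clear Fields of the UDB users that were not found
                  in the HR file".
    Output keeps the UDB's record count and order.
    """
    norm = (lambda s: s) if case_sensitive else str.casefold
    hr_by_id = {}
    for row in hr_rows:
        # Assumption: if an ID repeats in the HR file, the first record wins.
        hr_by_id.setdefault(norm(row[0].strip()), row)

    merged_rows = []
    for rec in udb_rows:
        hr = hr_by_id.get(norm(rec[0].strip()))
        if hr is None:
            # User absent from HR file: keep as is, or blank every non-ID field.
            merged_rows.append([rec[0]] + [""] * (len(rec) - 1)
                               if clear_missing else list(rec))
            continue
        merged = [rec[0]]  # assumption: the UDB spelling of the ID is kept
        for i in range(1, max(len(rec), len(hr))):
            old = rec[i] if i < len(rec) else ""
            new = hr[i] if i < len(hr) else None
            if new is None or (new == "" and not clear_empty):
                merged.append(old)   # nothing to apply, or empty field ignored
            else:
                merged.append(new)   # positional overwrite ("" when clearing)
        merged_rows.append(merged)
    return merged_rows


def overwritten_columns(udb_rows, merged_rows):
    """Pre-flight check: per Person ID, the 0-based column indexes whose
    existing non-empty value would change in the merge."""
    report = {}
    for before, after in zip(udb_rows, merged_rows):
        changed = [i for i, old in enumerate(before)
                   if old != "" and i < len(after) and after[i] != old]
        if changed:
            report[before[0]] = changed
    return report


if __name__ == "__main__":
    udb = parse_csv(UDB_CSV)
    for label, hr_text in (("naive", HR_NAIVE_CSV), ("padded", HR_PADDED_CSV)):
        result = enrich(udb, parse_csv(hr_text))
        print(label, result, overwritten_columns(udb, result))
```

Running the check against a copy of the data before a real enrichment shows which identity attributes would be silently replaced, which matters because the enriched fields feed the audit and role-engineering functions.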

Sage Database Utility

The Sage Database Utility lets you create a new database when you do not want to conduct a complete installation of Sage. You should be aware that the database created using the database utility is based on the most recently installed version of Sage Client Tools.

If you have upgraded either the Sage Reports tool or Sage Portal since

installing the Client Tool, then creating a database using the Database Utility

causes a downgrade in the database version to the version that was installed

with the Sage Client Tool.

Important! We strongly recommend that you only use the Sage Database

Utility after first consulting with CA Technical Support.

To Use the Sage Database Utility

1. Close all database entities if any are open.

2. Click Management, Sage Database Utility menu item.

The Sage Database Utility window opens.

3. In the Database Name field, enter the name of the database on which you want to perform an action.

4. In the SQL Server Name field enter the Server Name on which the

database is located.

5. Click Install to create a new database.

6. Click Remove to delete the database.

7. Click Upgrade to upgrade an existing database.

Chapter 5: Eurekify Web Services Interface

The primary purpose of the web services interface is to make Eurekify data and services available to third party applications. The services provide an assortment of Sage functions and allow for interaction with Sage data stored on a database.

The Eurekify Web Services Interface is intended to be used by Software

Engineers to extract, modify or manipulate data housed in Sage Databases

and to integrate such data in Web Clients that integrates.

This section contains the following topics:

■ Sage Policy Functions

■ SageLinkBPRService

■ SageBasicService

■ SageDataService

■ SageDiffService

■ SageEntitiesCommonService

■ SageEntitiesDiffService

■ SageEntitiesDataService

■ Example Usage of Sage Web Services

Sage Policy Functions

| Function | Description |
|---|---|
| bpr_new_bpr_file | Adds a new business policy file |
| bpr_new_rule | Adds a new business policy rule |
| bpr_new_rule_entity | Adds a new business policy rule entity |

SageLinkBPRService

SageLinkBPRService provides a mechanism for checking requested links

between two Sage entities against Sage Business Process Roles. For each link

type the service reports a prediction of BPR violations that the link causes.

The functions exposed by the SageLinkBPRService have a common Parameter:

| Parameter | Description |
|---|---|
| getAllAlerts | The parameter defines the extent to which the check finds and retrieves BPR alert violations. Type: Boolean. True: The check finds and retrieves all possible alert violations. False: The check stops after retrieving the first alert violation that it finds. |

The SageLinkBPRService exposes the functions listed in the topics that follow.

Add Link Checks

| Function | Description |
|---|---|
| add_user_role_check_bpr | Check for BPR violations for a user-role link. |
| add_user_resource_check_bpr | Check for BPR violations for a user-resource link. |
| add_role_role_check_bpr | Check for BPR violations for a role-role link. |
| add_role_resource_check_bpr | Check for BPR violations for a role-resource link. |

Remove Link Checks

| Function | Description |
|---|---|
| remove_user_role_check_bpr | Check for BPR violations for a user-role link. |
| remove_user_resource_check_bpr | Check for BPR violations for a user-resource link. |
| remove_role_role_check_bpr | Check for BPR violations for a role-role link. |
| remove_role_resource_check_bpr | Check for BPR violations for a role-resource link. |

SageBasicService

SageBasicService.asmx provides write access of identity/role management

data for Sage usage on a database.

All functions of this service return an integer value where:

■ 0 signifies success

■ 1 signifies failure.

The following topics list the functions that the Sage Basic Service exposes.

Sage Documents Functions

| Function | Description |
|---|---|
| new_udb | Creates a new Sage Users Database UDB. |
| new_rdb | Creates a new Sage Resources Database RDB. |
| new_cfg | Creates a new Sage configuration. |

Sage Entities Database Functions:

| Function | Description |
|---|---|
| udb_new_user | Adds a new user to an existing UDB. |
| udb_new_user_field | Adds a user field value to an existing user. |
| rdb_new_resource | Adds a new resource to an existing RDB. |
| rdb_new_resource_field | Adds a new resource field value to an existing resource. |
| new_field_name | Adds a new field to an existing Sage entities DB (UDB/RDB). |

Sage Configuration Functions

| Function | Description |
|---|---|
| cfg_new_configuration_user | Adds a user from a UDB to an existing configuration. |
| cfg_new_configuration_role | Adds a new role to an existing configuration. |
| cfg_new_configuration_resource | Adds a new resource from an RDB to an existing configuration. |
| cfg_remove_configuration_user | Removes a user from a configuration without removing the user from the UDB. |
| cfg_remove_configuration_role | Removes a role from a configuration. |
| cfg_remove_configuration_resource | Removes a resource from a configuration without removing the resource from the RDB. |
| cfg_new_user_role_link | Adds a user-role link. |
| cfg_new_user_resource_link | Adds a user-resource link. |
| cfg_new_role_role_link | Adds a role-role link (role hierarchy). |
| cfg_new_resource_role_link | Adds a resource-role link. |
| cfg_remove_user_resource_link | Removes a user-resource link. |
| cfg_remove_user_role_link | Removes a user-role link. |
| cfg_remove_resource_role_link | Removes a resource-role link. |
| cfg_remove_role_role_link | Removes role-role link (role hierarchy). |
| cfg_change_user_field | Change a user field (Non mandatory fields should be named "FieldValue#"). |
| cfg_change_resource_field | Change a resource field. |
| cfg_change_role_field | Change a role field (Non mandatory fields should be named "FieldValue#"). |

Sage Policy Functions

| Function | Description |
|---|---|
| bpr_new_bpr_file | Adds a new business policy file. |
| bpr_new_rule | Adds a new business policy rule. |
| bpr_new_rule_entity | Adds a new business policy rule entity. |

SageDataService

SageDataService.asmx provides read access of fundamental Sage data from a

database. The links retrieved by this service are direct links.

The Sage Data Service exposes the functions listed in the following sections.

Sage Documents Functions

| Function | Description |
|---|---|
| data_source_get_configurations | Gets all Sage configurations stored on a database. |
| data_source_get_auditcards | Gets all Sage auditcards stored on a database. |
| data_source_get_bprs | Gets all Sage BPR files stored on a database. |

Sage Databases Functions

| Function | Description |
|---|---|
| udb_get_users | Gets all users from a UDB. |
| rdb_get_resources | Gets all resources from a RDB. |
| database_get_fields | Gets all field names of a Sage entities DB (UDB/RDB). |

Sage Configuration Functions

| Function | Description |
|---|---|
| cfg_get_databases | Gets the Sage configuration UDB and RDB. |
| cfg_get_properties | Gets the configuration properties. |
| cfg_get_roles | Gets all the configuration roles. |
| cfg_get_configuration_users | Gets the configuration users. |
| cfg_get_configuration_resources | Gets the configuration resources. |
| cfg_get_user_role_links | Gets all the configuration user-role links. |
| cfg_get_user_resource_links | Gets all the configuration user-resource links. |
| cfg_get_role_role_links | Gets all the configuration role-role links (role hierarchy). |
| cfg_get_role_resource_links | Gets all the configuration role-resource links. |

Other Sage Retrieval Functions

| Function | Description |
|---|---|
| auditcard_get_alerts | Gets all the auditcard alerts. |
| bpr_get_rules | Gets all the BPR file rules. |

Remove Link Checks

| Function | Description |
|---|---|
| remove_user_role_check_bpr | Check for BPR violations for a user-role link. |
| remove_user_resource_check_bpr | Check for BPR violations for a user-resource link. |
| remove_role_role_check_bpr | Check for BPR violations for a role-role link. |
| remove_role_resource_check_bpr | Check for BPR violations for a role-resource link. |

SageDiffService

SageDiffService.asmx provides fundamental reports on differences between

two Sage configurations. The following sections list the functions that the Sage

Diff Service exposes.

Sage Entities Differences

| Function | Description |
|---|---|
| users_get_added | Gets the users that appear in the updated configuration but do not appear in the original configuration. |
| roles_get_added | Gets the roles that appear in the updated configuration but do not appear in the original configuration. |
| resources_get_added | Gets the resources that appear in the updated configuration but do not appear in the original configuration. |
| users_get_removed | Gets the users that do not appear in the updated configuration but do appear in the original configuration. |
| roles_get_removed | Gets the roles that do not appear in the updated configuration but do appear in the original configuration. |
| resources_get_removed | Gets the resources that do not appear in the updated configuration but do appear in the original configuration. |

All Entities and Links Differences

getAllDiff - all the above differences in one function.

SageEntitiesCommonService

SageEntitiesCommonService.asmx provides fundamental reports on

commonalities between two Sage entities of the same type inside a

configuration. This service deals with direct links. The following sections list

the functions that the Sage Entities Common Service exposes.

Sage User commonalities

| Function | Description |
|---|---|
| users_get_common_roles | Gets all roles common to both users. |
| users_get_common_resources | Gets all resources common to both users. |

Sage Roles Commonalities

| Function | Description |
|---|---|
| roles_get_common_users | Gets all users common to both roles. |
| roles_get_common_resources | Gets all resources common to both roles. |

Sage Resources Commonalities

| Function | Description |
|---|---|
| resources_get_common_users | Gets all users common to both resources. |
| resources_get_common_roles | Gets all roles common to both resources. |

SageEntitiesDiffService

SageEntitiesDiffService.asmx provides reports on differences in a single entity

between two Sage configurations. The following sections list the functions that

the SageEntitiesDiffService exposes.

Sage Users Differences

| Function | Description |
|---|---|
| user_get_added_roles | Gets roles linked to the first user and not the second. |
| user_get_added_resources | Gets resources linked to the first user and not the second. |
| user_get_removed_roles | Gets roles linked to the second user and not the first. |
| user_get_removed_resources | Gets resources linked to the second user and not the first. |

Sage Roles Differences

| Function | Description |
|---|---|
| role_get_added_users | Gets users linked to the first role and not the second. |
| role_get_added_resources | Gets resources linked to the first role and not the second. |
| role_get_removed_users | Gets users linked to the second role and not the first. |
| role_get_removed_resources | Gets the resources linked to the second role and not the first. |

Sage Resources Differences

| Function | Description |
|---|---|
| resource_get_added_users | Gets users linked to the first resource and not the second. |
| resource_get_added_roles | Gets roles linked to the first resource and not the second. |
| resource_get_removed_users | Gets the users linked to the second resource and not the first. |
| resource_get_removed_roles | Gets the roles linked to the second resource and not the first. |

SageEntitiesDataService

SageEntitiesDataService.asmx provides more extensive and detailed reports on Sage entity links. The following sections list the functions that the SageEntitiesDataService exposes.

Sage User Links

Function Description

user_get_direct_roles Gets the roles directly linked to the user.

user_get_dual_roles Gets the roles dually linked to the user.

user_get_indirect_roles Gets the roles indirectly linked to the user.

user_get_direct_resources Gets the resources directly linked to the user.

user_get_dual_resources Gets the resources dually linked to the user.

user_get_indirect_resources Gets the resources indirectly linked to the user.

Sage Role Links

Function Description

role_get_direct_users Gets the users directly linked to the role.

role_get_dual_users Gets the users dually linked to the role.

role_get_indirect_users Gets the users indirectly linked to the role.

role_get_parent_roles Gets the role's parent roles.

role_get_child_roles Gets the role's child roles.


role_get_direct_resources Gets the role's directly linked resources.

role_get_dual_resources Gets the role's dually linked resources.

role_get_indirect_resources Gets the role's indirectly linked resources.

Sage Resource Links

Function Description

resource_get_direct_users Gets the users directly linked to the resource.

resource_get_dual_users Gets the users dually linked to the resource.

resource_get_indirect_users Gets the users indirectly linked to the resource.

resource_get_direct_roles Gets the roles directly linked to the resource.

resource_get_dual_roles Gets the roles dually linked to the resource.

resource_get_indirect_roles Gets the roles indirectly linked to the resource.

Example Usage of Sage Web Services

This section provides a number of examples of how you can use the Sage Web Services interface.


Open a Sage Configuration (SageDataService)

Open a Sage configuration in accordance with the Sage structure.

In preparation, retrieve all the configurations stored on the database (SageDataService.data_source_get_configurations).

To open a Sage configuration

1. After securing the configuration name, retrieve both the UDB and RDB used by the configuration (SageDataService.cfg_get_databases). Optionally, also get the configuration properties (SageDataService.cfg_get_properties).

2. Using the UDB name, get the users and their fields (SageDataService.udb_get_users, and SageDataService.database_get_fields to get the field names).

3. Do the same for the RDB (SageDataService.rdb_get_resources, and SageDataService.database_get_fields to get the field names).

4. Now that you have both the UDB and RDB, you can open the configuration itself. First, obtain all the configuration roles (SageDataService.cfg_get_roles). After the roles are present, get all the configuration users and resources.

■ SageDataService.cfg_get_configuration_users.

■ SageDataService.cfg_get_configuration_users.

5. Once all the configuration entities are present, retrieve the configuration links, i.e. user-role, user-resource, role-role and role-resource links (SageDataService.cfg_get_user_role_links, SageDataService.cfg_get_user_resource_links, SageDataService.cfg_get_role_role_links and SageDataService.cfg_get_role_resource_links).


Save a Sage Configuration to the Database (SageBasicService)

Save some identity/role management data as a Sage configuration in the database.

If you do not wish to use existing Sage user and resource databases (UDB and RDB), create a new UDB and RDB (SageBasicService.new_udb and SageBasicService.new_rdb). After creating the Sage DBs, populate them with users and resources (SageBasicService.udb_new_user and SageBasicService.rdb_new_resource). Sage users and resources may also have fields (SageBasicService.udb_new_user_field and SageBasicService.rdb_new_resource_field), and these fields may be named (SageBasicService.new_field_name).

To save a Sage configuration to the database

1. Create a new Sage configuration and relate it to a UDB and an RDB (SageBasicService.new_cfg).

2. Populate the configuration with roles (SageBasicService.cfg_new_configuration_role).

3. Next, relate the relevant users and resources from the UDB/RDB to the configuration.

■ SageBasicService.cfg_new_configuration_user

■ SageBasicService.cfg_new_configuration_resource

4. Update the configuration links: user-role, user-resource, role-role and role-resource (SageBasicService.cfg_new_user_role_link, SageBasicService.cfg_new_user_resource_link, SageBasicService.cfg_new_role_role_link, SageBasicService.cfg_new_role_resource_link).

Compare Two Sage Configurations (SageDiffService)

Get reports at varying granularity on differences between two Sage configurations.

A complete and comprehensive report on all differences between two Sage configurations can be obtained. This report details the addition and removal of Sage entities (users, resources and roles) and of links (user-role, user-resource, role-role and role-resource). The function providing this report is SageDiffService.diff_get_all.

Otherwise, any combination of add/remove with user/resource/role as well as user-role/user-resource/role-role/role-resource can be received. These combinations allow for a specific report on a single aspect of the differences between the two configurations.


View Entity Changes between Configurations (SageEntitiesDiffService)

This service allows you to view the changes made to a specific entity between two configurations. For each entity (user, resource, role) get added/removed direct links with any other type of entity. For example, for a specific user get the role links that were added between the configurations. Otherwise, for a specific resource get the user links that were removed between the configurations.

The hidden assumption in this usage is that one configuration is a base configuration and the other is an updated version of the base configuration.

Get Entity Commonalities (SageEntitiesCommonService)

For two specific entities of the same type (user, resource, role), get the links that are common to both with any other type of entity. For example, for two users in a configuration, get all resources that the users have in common and that are directly linked to both users. For two roles, get all users which are directly linked to both roles.
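The added/removed and common-link semantics described in the two sections above, modeled locally as an added example (not code from the guide and not a call to the Sage web services). The link lists, user names and role names are constructed, and the helper names are hypothetical; "added" follows the guide's function tables (linked in the first and not the second).

```python
from collections import defaultdict

def roles_by_user(user_role_links):
    """Group direct (user, role) links into {user: set(roles)}."""
    grouped = defaultdict(set)
    for user, role in user_role_links:
        grouped[user].add(role)
    return grouped

def user_role_changes(first_links, second_links):
    """Per-user role changes between two configurations.

    added   = roles linked in the first configuration and not the second
    removed = roles linked in the second configuration and not the first
    Users with no change are left out of the report.
    """
    first, second = roles_by_user(first_links), roles_by_user(second_links)
    report = {}
    for user in sorted(set(first) | set(second)):
        added = first.get(user, set()) - second.get(user, set())
        removed = second.get(user, set()) - first.get(user, set())
        if added or removed:
            report[user] = {"added": sorted(added), "removed": sorted(removed)}
    return report

def users_common_roles(links, user_a, user_b):
    """Roles directly linked to both users within one configuration."""
    grouped = roles_by_user(links)
    return sorted(grouped.get(user_a, set()) & grouped.get(user_b, set()))

# Constructed sample configurations (not taken from the guide).
FIRST = [("alice", "hr_admin"), ("alice", "payroll"),
         ("bob", "payroll"), ("carol", "audit")]
SECOND = [("alice", "payroll"), ("bob", "payroll"),
          ("bob", "hr_admin"), ("carol", "audit")]

if __name__ == "__main__":
    for user, change in user_role_changes(FIRST, SECOND).items():
        print(user, change)
    print("common:", users_common_roles(FIRST, "alice", "bob"))
```

Which configuration is passed as the first argument decides whether a link is reported as added or removed, so an access review should fix that order before comparing reports.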

View Link Information for Entities (SageEntitiesDataService)

For a specific Sage entity (user, role, resource), get any type of link (direct, dual, indirect) with any of the other types of entities in the configuration.

For example, for a specific user get all indirectly linked resources. Similarly, for a specific role, get all dually linked resources (resources which are both directly linked to the role and are linked to some child-role of the role).
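The direct/dual/indirect distinction for a role's resources, worked through on constructed data as an added example (not code from the guide). Dual follows the definition given above; two points are assumptions made here: "child-role" is extended to all descendant roles, and an indirect resource is one reached only through descendant roles. Function and role names are hypothetical.

```python
def descendant_roles(role, role_role_links):
    """All roles below `role`, given (parent, child) links; tolerates cycles."""
    children = {}
    for parent, child in role_role_links:
        children.setdefault(parent, set()).add(child)
    seen, stack = set(), [role]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen and child != role:
                seen.add(child)
                stack.append(child)
    return seen

def classify_role_resources(role, role_role_links, role_resource_links):
    """Split a role's resources into direct, dual and indirect links."""
    direct = {res for r, res in role_resource_links if r == role}
    below = descendant_roles(role, role_role_links)
    inherited = {res for r, res in role_resource_links if r in below}
    return {
        "direct": sorted(direct),               # linked to the role itself
        "dual": sorted(direct & inherited),     # direct AND via a child role
        "indirect": sorted(inherited - direct), # only via child roles (assumption)
    }

# Constructed sample configuration (not taken from the guide).
ROLE_ROLE = [("finance", "payroll"), ("payroll", "payroll_ro")]
ROLE_RESOURCE = [("finance", "ledger_db"), ("finance", "pay_share"),
                 ("payroll", "pay_share"), ("payroll_ro", "report_srv")]

if __name__ == "__main__":
    print(classify_role_resources("finance", ROLE_ROLE, ROLE_RESOURCE))
```

A dual link is worth flagging in a review: removing the resource from the child role alone leaves the parent role's direct link in place.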