Selectively Export Role Definitions

The Selective Export utility lets administrators use a command line to filter, or selectively export, role definitions from either their CA Identity Manager environment, or an offline role definitions file exported from an environment. This utility can help automate the process of migrating these artifacts from one environment to another, such as from a development to a production environment.
The Identity Manager server connection, credentials, and options are utility parameters. Filters for selecting managed objects can be passed as either a string or a predefined file. Object definitions can be exported in either a single step or two steps. Two steps allow a user to manually manage filtered managed object stubs before exporting role definitions.
Utility Command Options
The following table lists the utility’s command options.
| Option | Use |
|---|---|
| -url <url> | Required. URL of export web services. URL format: http://<im_host>:<port>/iam/im/ws/<IME_alias> |
| -user <user> | Required. User name. |
| -pwd <pwd> | Required. User password. |
| -load <roledef_file> | Loads all objects from the offline file that contains the role definitions. |
| -type | Returns a list of managed object types that you can select in the filter criteria. Note: Using this option skips ALL other options except for -load. |
| -filter <string \| file> | Filter for the managed objects: enter either a JSON string or the file that contains the filters to use. If the -load option is not provided, the filter applies to the current Identity Manager Environment. |
| -filterTo <file> | Intermediate file name to save filtered managed object stubs. |
| -managedFrom <file> | Name of managed intermediate file for export. |
| -id <transaction ID> | The -managedFrom option requires the Transaction ID. The Transaction ID is optional for the -exportTo and -filterTo options. The ID is returned from -type or -filter options. |
| -exportTo <roleDef_file> | Export all filtered objects to an XML file. |
Syntax for the Filter Managed Objects
The following syntax shows the template for the filter file. The filter is a JSON string with two root elements. Each element is optional. Within the same element, the operator is OR. Between performedOn and criteria, the operator is AND.
 
Notes
  • If the performedOn element is not provided, the filter applies to all managed object types.
  • The onType in performedOn is any managed object type that a task or screen can process.
  • The moType in criteria is any type of exportable managed objects. The command option -type returns all possible object types.
{
  "performedOn": ["onType"],
  "criteria": [{
    "objectType": "moType",
    "identifyAttributeName": "tag|name",
    "criterion": [{"operator": "EQUALS"|"CONTAINS"|"STARTS_WITH"|"ENDS_WITH", "values": ["value"]}]
  }]
}
A special criteria syntax filters the CA Identity Manager IM SCREEN objectType by screen type:
{
  "performedOn": ["objectTypes"],
  "criteria": [{
    "objectType": "IM SCREEN",
    "criterion": [{"operator": "EQUALS", "values": ["Profile"|"List"|"Search"]}]
  }]
}
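
An added example (not part of the CA documentation or the utility): a Python pre-flight check that validates a filter against the template above before it is passed to -filter. The name validate_filter is hypothetical, and treating an IM SCREEN criterion that has no identifyAttributeName as a screen-type match is an assumption drawn from the special syntax above.

```python
import json

# Values taken from the filter template on this page.
OPERATORS = ("EQUALS", "CONTAINS", "STARTS_WITH", "ENDS_WITH")
ID_ATTRS = ("tag", "name")
SCREEN_TYPES = {"Profile", "List", "Search"}
CRIT_KEYS = {"objectType", "identifyAttributeName", "criterion"}

def _strings(value):
    """True for a non-empty list that contains only strings."""
    return isinstance(value, list) and bool(value) and all(isinstance(s, str) for s in value)

def validate_filter(text):
    """Return a list of problems in a filter JSON string; an empty list means it passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (char {exc.pos})"]
    if not isinstance(doc, dict):
        return ["root must be a JSON object"]
    errs = [f"unknown root element {k!r}" for k in doc if k not in ("performedOn", "criteria")]
    if "performedOn" in doc and not _strings(doc["performedOn"]):
        errs.append("performedOn must be a non-empty list of type names")
    criteria = doc.get("criteria", [])
    if not isinstance(criteria, list):
        return errs + ["criteria must be a list"]
    for i, crit in enumerate(criteria):
        where = f"criteria[{i}]"
        if not isinstance(crit, dict) or not isinstance(crit.get("objectType"), str):
            errs.append(f"{where}: objectType is required")
            continue
        # Unknown keys catch typos such as a stray space inside a key name.
        errs += [f"{where}: unknown key {k!r}" for k in crit if k not in CRIT_KEYS]
        attr = crit.get("identifyAttributeName")
        if attr is not None and attr not in ID_ATTRS:
            errs.append(f"{where}: identifyAttributeName must be 'tag' or 'name'")
        # Assumption: an IM SCREEN criterion with no attribute name selects by screen type.
        by_screen_type = crit["objectType"] == "IM SCREEN" and attr is None
        rules = crit.get("criterion", [])
        for j, rule in enumerate(rules if isinstance(rules, list) else [None]):
            if not isinstance(rule, dict) or not _strings(rule.get("values")):
                errs.append(f"{where}.criterion[{j}]: needs an operator and a 'values' list")
            elif rule.get("operator") not in OPERATORS:
                errs.append(f"{where}.criterion[{j}]: unknown operator {rule.get('operator')!r}")
            elif by_screen_type and (rule["operator"] != "EQUALS"
                                     or not set(rule["values"]) <= SCREEN_TYPES):
                errs.append(f"{where}.criterion[{j}]: screen type must be EQUALS Profile, List or Search")
    return errs
```

Saving a validated filter to a file and passing the file name to -filter avoids hand-escaping the JSON on the command line.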
 
Follow these steps:
 
  1. Open your system’s command line interface.
  2. Run the SelectiveExportUtil.bat/sh script file found in the following location:
    <CA Products Folder>\IAM Suite\IdentityManager\tools\SelectiveExportUtility.
  3. Enter the commands and options as desired.
Samples
A. Retrieve Filterable Object Types from the Identity Manager Environment
This procedure retrieves the list of managed object types that you can filter (that is, that are filterable) from the current environment.
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -type
B. Retrieve Filterable Object Types from the Offline File orig_role_defs.xml
This procedure retrieves the list of managed object types that you can filter (“filterable”) from a file named orig_role_defs.xml.
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -type -load orig_role_defs.xml
C. Export All Managed Objects Performed on Users After Sample B.
This procedure exports all managed objects retrieved during sample procedure B. The -id option takes the transaction ID generated by sample procedure B.
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -exportTo c:\tmp\user_roledef.xml -filter "{\"performedOn\": [\"USER\"]}" -id <Transaction ID from sample b>
D. Select and Export All User Profile Screens, and User Tasks with Tags Containing "Forgotten" or Ending with "User" with all referenced screens
This procedure selects and then exports all user profile screens, as well as all user tasks that have tags that contain either “forgotten” or end with “user”.
1. Save the following JSON string to a file named filter.txt:
{
  "performedOn": ["USER"],
  "criteria": [
    {
      "objectType": "ADMINISTRATIVE TASK",
      "identifyAttributeName": "tag",
      "criterion": [
        {"operator": "CONTAINS", "values": ["Forgotten"]},
        {"operator": "ENDS_WITH", "values": ["User"]}
      ]
    },
    {
      "objectType": "IM SCREEN",
      "criterion": [
        {"operator": "EQUALS", "values": ["Profile"]}
      ]
    }
  ]
}
 
2. Run the following command:
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -load orig_role_defs.xml -filter filter.txt -exportTo new_role_defs.xml
E. Export User Tasks with Tags Containing "Forgotten" from the Environment
This procedure selects and then exports all user tasks that have tags that contain “forgotten” from the current environment to a file called forgotten_roledef.xml:
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -exportTo forgotten_roledef.xml -filter "{\"performedOn\": [\"USER\"],\"criteria\": [{\"objectType\": \"ADMINISTRATIVE TASK\",\"identifyAttributeName\":\"tag\",\"criterion\": [{\"operator\": \"CONTAINS\", \"values\":[\"Forgotten\"]}]}]}"
F. Fetch Screens for User from Role Definitions Returned from Sample E
This procedure returns all users from the role definitions found in the forgotten_roledef.xml file generated in sample procedure E.
1. Use the following command to get and save filtered managed object stubs to a file named filterOutput.xml:
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -load forgotten_roledef.xml -filterTo filterOutput.xml -filter "{\"performedOn\": [\"USER\"],\"criteria\": [{\"objectType\": \"IM SCREEN\"}]}"
2. Open filterOutput.xml in any editor, and then remove the stub for the "Change My Password Profile" screen.
3. Export the screens from the managed stubs file using the following command:
SelectiveExportUtil.bat -user myname -pwd mypwd -url "http://myhost.ca.com:8080/iam/im/ws/myime" -managedFrom filterOutput.xml -exportTo updated_role.xml -id <id_value_returned_from_f1>