Import and Export Devices
As a Privileged Access Manager Administrator, you can import a device list in CSV format as an alternative to adding the devices individually. You can also export Devices and Device Groups. You can import AWS and VMware Devices, and Azure VMs.
Use a CSV to Import Devices and Device Groups
You can import a CSV file with a list of Devices. A sample file can be downloaded by selecting Download Sample File. The sample file lists all of the required fields. You can use the format to manipulate an existing device list from another source, such as an inventory control database. For detailed information about the columns in the CSV file, see Device Groups and Devices.
Do not import a CSV of Devices and Device Groups provisioned by LDAP, AWS, VMware, or Azure. These types are ignored on import and should be managed according to their specific procedures, found on this page.
Configure Internet Explorer
To use the Import/Export functions with Internet Explorer (IE), changes might need to be made to the security settings. To establish IE security settings:
- Open IE browser.
- Select Tools, Internet Options.
- In the Internet Options pop-up window, select the Security tab.
- Select the slider zone
- Click Custom level. Scroll to Downloads. For File download, select the Enable option.
- Click OK to save changes.
Import Devices from a CSV
To import the Devices, follow these steps:
- Go to Devices, Manage Devices.
- Click the Import/Export button. The Import/Export Devices window appears.
- Click Download Sample File, and save the file.
- Create a CSV file from the downloaded template. CSV Format:
  - Do not change the heading (first) row text.
  - New Device records:
    - Not all fields are required. Required fields include: Type, Device Name, Address
    - For any fields not used: Preserve all headings on the first row, but leave other row cells blank.
  - Updates to existing Device records:
  - Each Device Group is represented by a line record with Type="device group".
  - Device Group records should be at the top of the file, ahead of all Device records.
  - Device membership in a Device Group is indicated in the Group Membership column.
- In the Import/Export Devices window, click Choose File to select the file, and click Import Devices. The content of the file is added to the existing Device database. The new content does not replace the current database.
- Navigate to Devices, Manage Devices, and confirm that the import was successful by inspecting the Device list.
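A pre-import check for the CSV format rules above, as an added example that is not part of the product or its documentation. The header spelling `Device Name`, the `Access` type value in the sample rows, and the case-insensitive match on "device group" are assumptions; pass in the heading row from the sample file downloaded from your own appliance.

```python
import csv
import io

# Names taken from this page; confirm the exact header spelling against the
# sample file downloaded from your own appliance (assumption: "Device Name").
REQUIRED = ("Type", "Device Name", "Address")
GROUP_TYPE = "device group"

def check_import_csv(text, sample_header):
    """Return [(row_number, problem), ...] for a candidate import file."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    header, problems = rows[0], []
    if header != list(sample_header):
        problems.append((1, "heading row differs from the sample file"))
    missing = [name for name in REQUIRED if name not in header]
    if missing:
        return problems + [(1, "missing column(s): " + ", ".join(missing))]
    col = {name: header.index(name) for name in REQUIRED}
    seen_device = False
    for row_no, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # skip completely blank rows
        if len(row) != len(header):
            problems.append((row_no, "cell count does not match the heading row"))
            continue
        if row[col["Type"]].strip().lower() == GROUP_TYPE:
            if seen_device:
                problems.append((row_no, "Device Group record after a Device record"))
            continue  # required-field rule on this page is stated for Devices only
        seen_device = True
        for name in REQUIRED:
            if not row[col[name]].strip():
                problems.append((row_no, "required field is blank: " + name))
    return problems

# Constructed sample data, not taken from a real export.
SAMPLE_HEADER = ["Type", "Device Name", "Address", "Group Membership"]
CANDIDATE = """Type,Device Name,Address,Group Membership
device group,Lab Servers,,
Access,web01,192.0.2.10,Lab Servers
Access,db01,,Lab Servers
device group,Late Group,,
"""

if __name__ == "__main__":
    for row_no, problem in check_import_csv(CANDIDATE, SAMPLE_HEADER):
        print(f"row {row_no}: {problem}")
```

Because an import adds to the existing Device database rather than replacing it, running a check like this before upload avoids having to clean up partially correct records afterwards.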
Use a CSV to Export Devices and Device Groups
A CSV list of all configured devices can be downloaded by choosing Export Devices. This exported file can be used to make a revised version, and then imported back into Privileged Access Manager.
If you export a device file containing Special Type devices, the file does contain the password. If you reimport that file into Privileged Access Manager, the passwords are not present in the import.
Import from AWS
After you configure access to an AWS account and activate Enable Syncing, the instances in that account with State green/"running" are imported as Devices. Instances that are tagged in AWS with the tag key xsuiteignore are not imported. The list is refreshed according to the Enable Syncing, or upon clicking the Refresh AWS Devices link at the top.
The Device records created cannot be deleted except upon disconnection from AWS.
The following Device attributes are populated from AWS instance attributes, and cannot be edited:
- The AWS Name and AWS Instance ID are combined to create a Device Name of "awsName(awsInstance)".
- The Device Operating System is populated.
The following Device attributes are populated from AWS instance attributes, and can be edited in the Device record:
- Access Methods are populated with:
  - RDP using port 3389 for Windows OS
  - SSH using port 22 for UNIX and Linux OS
- Address is populated with the AWS Public DNS. To edit the Address, for example to use a private IP address, select the Override Address checkbox next to the Address field. The Override Address checkbox only appears for Devices that are imported from AWS, VMware, or Azure.
xceedium.aws.amazon.com is a Credentials Management placeholder Device. This device is created when AWS is configured to manage AWS access keys in Privileged Access Manager. It cannot be edited, but is created/removed in sync with an AWS configuration.
Import from VMware
When Privileged Access Manager is configured in 3rd Party to access a VMware account and Enable Syncing is activated, the instances in that account import as Devices. Instances that have been tagged in the VMware appliance Notes field with the string XsuiteIgnore (anywhere in the field) are not imported.
The list is cyclically refreshed according to the Enable Syncing, or upon clicking the Refresh VMware Devices link.
- During import, each virtual machine (instance) in VMware results in the creation of a Device.
  - The Name of the Device that is created is the combination: "VMwareInstanceName– vm-nn" where "nn" is a VMware assigned number.
  - When available, the internal Address of each Device is provided; otherwise it is marked as "Not-Active-VmwareDeviceName- vmnn".
  - To edit the Address, for example to use a private IP address, select the Override Address checkbox next to the Address field. The Override Address checkbox only appears for Devices that are imported from VMware, AWS, or Azure.
- During import, each folder in VMware results in the creation of a Device Group.
  - The Name of the Device Group that is created is the combination: "VMwareFolderName- group-vnn" where "nn" is a VMware assigned number. You can edit it.
  - The Group Type is "VMware", and cannot be edited.
  - The Description is "VMware derived group", and can be edited.
- All VMware imported Devices are members of a VMware-determined Device Group. For VMware instances with no containing folder (in VMware), the Device Group named "VM" is used.
Import from Azure
After you configure an Azure connection and activate syncing, the instances in that account are imported as Devices. The list is refreshed according to the Refresh Interval on the Azure page. You can immediately refresh them by selecting the Refresh Azure Devices link at the top of the
To prevent specific devices from importing, you can "tag" them in Azure. Follow these steps:
- In Azure, select the Virtual Machine that you want to prevent importing.
- Select Tags from its menu.
- Select the Name drop-down list. If the PAMIgnore tag is not listed, enter PAMIgnore, and set the Value to true.
- Select Save. The Tag is applied and available for every device in your Subscription.
- Repeat for each VM that you want to ignore.
- To see all tagged VMs, enter "Tags" into the Search field. The Tags list appears. Select a Tag to see all the objects to which the Tag is applied.
The imported Device records cannot be deleted except upon disconnection from Azure. The following Device attributes are populated from Azure instance attributes, and cannot be edited:
- The Azure Name is the Device Name
- The Location is the Azure location of the instance
- The Device Operating System is Linux
The following Device attributes are populated from Azure instance attributes, and can be edited in the Device record:
- Access Methods are populated with: SSH using port 22 for UNIX and Linux OS
- Address is populated with the Azure Public IP, or if DNS is set for the device in Azure, the FQDN.
After you import a Device, you can edit its Address, for example, to use a private IP address. Follow these steps:
- Select Devices, Manage Devices.
- Select the Device and select Update.
- On the Basic Info tab, select the Override Address checkbox.
- Edit the Address.
- Select OK to save.
ca.portal.azure.com is a Credentials Management placeholder Device, which is created when your instance is licensed. This Device manages Azure access keys in Privileged Access Manager. All Azure target accounts should be associated with this device.
Import from LDAP
To import a Device Group from LDAP, see Import LDAP Device Groups.