Import and Export Devices

As a Privileged Access Manager Administrator, you can import a device list in CSV format as an alternative to adding the devices individually. You can also export Devices and Device Groups. You can import AWS and VMware Devices, and Azure VMs.
Use a CSV to Import Devices and Device Groups
You can import a CSV file with a list of Devices. A sample file can be downloaded by selecting Devices, Manage Devices, Import/Export, and Download Sample File. The sample file lists all of the required fields. You can use the format to manipulate an existing device list from another source, such as an inventory control database. For detailed information about the columns in the CSV file, see Device Groups and Devices.
Do not import a CSV of Devices and Device Groups that are provisioned by LDAP, AWS, VMware, or Azure. These types are ignored on import and should be managed according to their specific procedures, found on this page.
Configure Internet Explorer
To use the Import/Export functions with Internet Explorer (IE), changes might need to be made to the security settings. To establish IE security settings:
  1. Open IE browser.
  2. Select Tools, Internet Options.
  3. In the Internet Options pop-up window, select the Security tab.
  4. Select the slider zone.
  5. Select Custom level. Scroll to Downloads. For File download, select the Enable option.
  6. Select OK to save changes.
Import Devices from a CSV
To import the Devices, follow these steps:
  1. Go to Devices, Manage Devices.
  2. Select the Import/Export button.
    The Import/Export Devices window appears.
  3. Select Download Sample File, and save the file.
  4. Create a CSV file from the downloaded template.
    CSV Format
    • Do not change the heading (first) row text.
    • New Device records:
      • Not all fields are required. Required fields include: Type, DeviceName, Address
      • For any fields not used: Preserve all headings on the first row, but leave other row cells blank.
    • Updates to existing Device records:
      • Each Device Group is represented by a line record with Type="device group".
      • Device Group records should be at the top of the file, ahead of all Device records.
      • Device membership in a Device Group is indicated in the Group Membership column.
  5. In the Import/Export Devices window, select Choose File to select the file, and select Import Devices.
    The content of the file is added to the existing Device database. The new content does not replace the current database.
  6. Navigate to Devices, Manage Devices, and confirm that the import was successful by inspecting the Device list.
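A pre-import check for the CSV Format rules in step 4, added here as an example; it is not part of Privileged Access Manager or its documentation. The heading row is compared against the downloaded sample file; the `Group Membership` header spelling, the `device` Type value, the sample rows, and the case-insensitive match on "device group" are assumptions made for illustration.

```python
import csv
import io

REQUIRED = ("Type", "DeviceName", "Address")  # required fields named on this page
GROUP_TYPE = "device group"                   # Type value of a Device Group record

def validate_import(sample_csv: str, candidate_csv: str) -> list[str]:
    """Return a list of problems; an empty list means the file follows the rules."""
    sample_header = next(csv.reader(io.StringIO(sample_csv)), [])
    rows = list(csv.reader(io.StringIO(candidate_csv)))
    if not rows:
        return ["file is empty"]
    header, records = rows[0], rows[1:]
    if header != sample_header:
        return ["heading row differs from the sample file"]
    missing_cols = [c for c in REQUIRED if c not in header]
    if missing_cols:
        return [f"sample header lacks required column(s): {missing_cols}"]
    problems = []
    seen_device = False
    for line_no, cells in enumerate(records, start=2):
        if len(cells) != len(header):
            problems.append(f"line {line_no}: {len(cells)} cells, expected {len(header)}")
            continue
        rec = dict(zip(header, (c.strip() for c in cells)))
        # Assumption: the Type value is matched case-insensitively.
        if rec["Type"].lower() == GROUP_TYPE:
            if seen_device:
                problems.append(f"line {line_no}: Device Group record after a Device record")
            continue
        seen_device = True
        blank = [c for c in REQUIRED if not rec[c]]
        if blank:
            problems.append(f"line {line_no}: required field(s) blank: {blank}")
    return problems

# Constructed sample data; the real heading row comes from Download Sample File.
SAMPLE = "Type,DeviceName,Address,Group Membership\n"
GOOD = SAMPLE + "device group,Routers,,\ndevice,edge-rtr-01,192.0.2.10,Routers\n"
BAD = SAMPLE + "device,edge-rtr-01,,Routers\ndevice group,Routers,,\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_import(SAMPLE, text) or "ok")
```

Because an import adds to the existing Device database rather than replacing it, running a check like this before selecting Import Devices avoids having to clean up partial or misordered records afterwards.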
Use a CSV to Export Devices and Device Groups
A CSV list of all configured devices can be downloaded by selecting Export Devices. This exported file can be used to make a revised version, and then imported back into Privileged Access Manager.
If you export a device file containing Special Type devices, the file does not contain the password. If you reimport that file into Privileged Access Manager, the passwords are not present in the import.
Import from AWS
After you configure access to an AWS account and activate Enable Syncing, the instances in that account with State green/"running" are imported as Devices. Instances that are tagged in AWS with the tag key xsuiteignore are not imported. The list is refreshed according to the Configuration, 3rd Party parameter Enable Syncing, or upon clicking the Refresh AWS Devices link at the top.
The Device records created cannot be deleted except upon disconnection from AWS.
The following Device attributes are populated from AWS instance attributes, and cannot be edited:
  • The AWS Name and AWS Instance ID are combined to create a Device Name of "awsName (awsInstance)".
  • The Device Operating System is populated.
The following Device attributes are populated from AWS instance attributes, and can be edited in the Device record:
  • Access Methods are populated with:
    • RDP using port 3389 for Windows OS
    • SSH using port 22 for UNIX and Linux OS
The Device Address is populated with the AWS Public DNS. To edit the Address, for example to use a private IP address, select the Override Address checkbox next to the Address field. The Override Address checkbox only appears for Devices that are imported from AWS, VMware, or Azure.
The device xceedium.aws.amazon.com is a Credentials Management placeholder Device. This device is created when AWS is configured to manage AWS access keys in Privileged Access Manager. It cannot be edited, but is created/removed in synch with an AWS configuration Save.
Import from VMware
After Privileged Access Manager is configured in Configuration, 3rd Party to access a VMware account and Enable Syncing is activated, the instances in that account import as Devices. Instances that have been tagged in the VMware appliance Summary, Annotations, Notes field with the string: XsuiteIgnore (anywhere in the field) are not imported.
The list is cyclically refreshed according to the Configuration, 3rd Party parameter Enable Syncing, or upon clicking the Refresh VMware Devices link.
  • During import, each virtual machine (instance) in VMware results in the creation of a Device.
    • The Name of the Device that is created is the combination: "VMwareInstanceName – vm-nn" where "nn" is a VMware assigned number.
    • When available, the internal Address of each Device is provided; otherwise it is marked as "Not-Active-VmwareDeviceName - vmnn".
    • To edit the Address, for example to use a private IP address, select the Override Address checkbox next to the Address field. The Override Address checkbox only appears for Devices that are imported from VMware, AWS, or Azure.
  • During import, each folder in VMware results in the creation of a Device Group.
    • The Name of the Device Group that is created is the combination: "VMwareFolderName - group-vnn" where "nn" is a VMware assigned number. You can edit it.
    • The Group Type is "VMware", and cannot be edited.
    • The Description is "VMware derived group", and can be edited.
  • All VMware imported Devices are members of a VMware-determined Device Group. For VMware instances with no containing folder (in VMware), the Device Group named "VM" is used.
Import from Azure
After you configure an Azure connection and activate syncing, the instances in that account are imported as Devices. The list is refreshed according to the Refresh Interval on the Configuration, 3rd Party, Azure page. You can immediately refresh them by selecting the Refresh Azure Devices link at the top of the Manage Devices page.
To prevent specific devices from importing, you can "tag" them in Azure. Follow these steps:
  1. In Azure, select the Virtual Machine that you want to prevent importing.
  2. Select Tags from its menu.
  3. Select the Name drop-down list. If the PAMIgnore tag is not listed, enter PAMIgnore, and set the Value to true.
  4. Select Save.
    The Tag is applied and available for every device in your Subscription.
  5. Repeat for each VM that you want to ignore.
  6. To see all tagged VMs, enter "Tags" into the Search field.
    The Tags list appears. Select a Tag to see all the objects to which the Tag is applied.
The imported Device records cannot be deleted except upon disconnection from Azure. The following Device attributes are populated from Azure instance attributes, and cannot be edited:
  • The Azure Name is the Device Name
  • The Location is the Azure location of the instance
  • The Device Operating System is Linux
The following Device attributes are populated from Azure instance attributes, and can be edited in the Device record:
  • Description
  • Access Methods are populated with:
    • SSH using port 22 for UNIX and Linux OS
The Device Address is populated with the Azure Public IP, or if DNS is set for the device in Azure, the FQDN. After you import a Device, you can edit its Address, for example, to use a private IP address. Follow these steps:
  1. Select Devices, Manage Devices.
  2. Select the Device and select Update.
  3. On the Basic Info tab, select the Override Address checkbox.
  4. Edit the Address.
  5. Select OK to save.
The device ca.portal.azure.com is a Credentials Management placeholder Device, which is created when your instance is licensed. This Device manages Azure access keys in Privileged Access Manager. All Azure target accounts should be associated with this device.
Import from LDAP
To import a Device Group from LDAP, see Import LDAP Device Groups