Import or Export Policies

Instead of creating policies individually through the web interface, you can populate them into a comma-separated value (CSV) configuration file. The CSV file lets you load records for a batch of Users.
Import a CSV Policy File
A sample file is provided for spreadsheet editing and population.
Download Sample CSV
  1. Go to Policies, Manage Policies.
  2. Select the Import/Export button on the Policies page.
     The Import/Export Policies window appears.
  3. Click Download Sample File.
  4. Copy and rename the sample file, and open the new copy in any spreadsheet to inspect the column headers and cell values.
     Each line below the header is a full policy association.
  5. Create and populate the new file. See CSV Fields and Syntax for details about each column.
  6. In the Import/Export Policies window, click Choose File to locate your new file.
  7. Click Import Policy to upload the CSV file.
     The imported policies are added to the Policies list.
CSV Fields and Syntax
Only the first three columns require a value. The order of the columns does not matter, but the column headings must be spelled correctly (they are not case-sensitive). Do not include empty columns (with no header).
  • Type: Policy or SAML Service Policy
    SAML services are part of a policy, but they are imported in their own row:
    • A policy row deselects all SAML services for the specified policy. Therefore, if the policy row is not followed by SAML Service Policy (SSP) rows, all SAML services are deselected in the final policy.
    • SSP rows configure the specified SAML service only for the specified policy.
    • SSP rows that are not preceded by a policy row only update the SAML service configuration in the specified policy. They do not clear selected SAML services for the specified policy.
    • SSP rows depend on a preceding policy row or depend on the specified policy already existing. Attempting to import an SSP row without a policy results in an import error.
  • User: User or User Group name of the User-Device pair.
  • Device: Device Name or Device Group Name of the User-Device pair.
  • Services: Specify built-in services (sftpft, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB) or custom Services. Separate multiple Services using a pipe character.
    For SAML Service Policy type rows, specify the name of the SAML service that is being configured.
    Account information that is associated with these services can be specified by appending ',,,' and using the following template to describe the account:
    ts=DeviceName tap=TargetApplicationName tac=AccountName awsPolicyName=AWSPolicyName
    • DeviceName specifies the device name of the target account. This field is optional if the value is the same as the Device column. Specify this field only for the case where the account belongs to a credential source.
    • TargetApplicationName specifies the name of the target application of the target account.
    • AccountName specifies the account name of the target account.
    • AWSPolicyName specifies the AWS policy that should be applied when this account is used. This field should only be specified for AWS accounts used with the special aws.amazon.com device.
    • Example:
      TestService,,,ts=TestCredentialSourceDevice tap=TestApplication tac=test_user,,,tap=TestAppBelongingToTestDevice tac=user1
  • Applets: Use the following template for each Access Method applet:
    name=Name custom_name=CustomName
    • Name options: VNC, Telnet, SSH, SSH2, Telnet, RDP
    • Name extra options if mainframe licensing is enabled: TN3270, TN3270SSL, TN5250, TN5250SSL
    • CustomName options: (empty); or any string
    • Separate any multiple applets (Access Methods) using a pipe character.
      Account information that is associated with these applets can be specified by appending ',,,' and using the following template to describe the account:
      ts=DeviceName tap=TargetApplicationName tac=AccountName awsPolicyName=AWSPolicyName
    • DeviceName specifies the device name of the target account. This field is optional if the value is the same as the Device column. Specify this field only for the case where the specified account belongs to a credential source.
    • TargetApplicationName specifies the name of the target application of the target account.
    • AccountName specifies the account name of the target account.
    • AWSPolicyName specifies the AWS policy that should be applied when this account is used. This field should only be specified for AWS accounts used with the special aws.amazon.com device.
    • Example:
      name=SSH custom_name=OpenSSH,,,ts=TestCredentialSourceDevice tap=Active Directory tac=Administrator,,,tap=TestAppBelongingToTestDevice tac=root
      Multiple accounts can be associated with an applet by appending ',,,' and more account descriptions as shown in the example.
  • Command Filter: If this policy uses one or more Command Filter Lists, enter them by name; otherwise, leave blank. If used, define the CFLs first (import the CFL CSV file). Ensure that filters are imported before the policy.
  • Socket Filter: If this policy uses one or more Socket Filter Lists, enter them by name; otherwise, leave blank. If used, define the SFLs first (import the SFL CSV file). Ensure that filters are imported before the policy.
  • Restrict login if agent is not running: Use "t" or "f" for true or false. Use this field only for applets that rely on this switch: RDP, VNC, and ICA.
  • Graphical Recording: Use "t" or "f" for true or false. When true, CA PAM performs graphical recording of every RDP or VNC session between this User-Device (or Group) pair.
  • Command Line Recording: Use "t" or "f" for true or false. When true, CA PAM performs command line recording of every CLI-based session between this User-Device (or Group) pair.
  • Bidirectional Recording: Use "t" or "f" for true or false. When true (and Command Line Recording is true), CA PAM records the User and Device input for every CLI-based session between this User-Device (or Group) pair. Otherwise, only User input is recorded.
  • Web Portal Recording: Use "t" or "f" for true or false. When true, CA PAM performs graphical recording of every web portal session between this User(Group)-Device(Group) pair.
  • Targets: [ts=deviceName tap=targetApplicationName tac=accountName
  • SAML Attributes: | (pipe) delimited mapping of the attributes that are requested by the SAML service.
    name=(.*)\s+nameIdFormat=(.*)\s+provisionType=(.*)\s+xAttribute=(.*)\s+value=(.*)
    SAML attributes should be on a row after a policy to which they apply, with SSP in the Type column. See Type for more information about the SAML Attribute column.
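A pre-import check for the row-ordering and account-descriptor rules above, as an added example that is not part of the product or its documentation. It assumes the CSV headers match the field names listed on this page, that a policy is identified by its User and Device values, and that the Type cell of a SAML row reads either SSP or SAML Service Policy; parse_cell and lint are hypothetical helper names.

```python
import csv, io, re
KEY_RE = re.compile(r"(?:^|\s)(ts|tap|tac|awsPolicyName)=")
SSP = ("ssp", "saml service policy")  # assumption: either spelling may appear

def parse_cell(cell):
    """Split a Services or Applets cell into [(entry, [account dict, ...])]."""
    out = []
    for item in filter(None, (p.strip() for p in cell.split("|"))):
        entry, *accounts = item.split(",,,")
        parsed = []
        for acct in accounts:
            kv = KEY_RE.split(acct)[1:]  # [key, value, key, value, ...]
            parsed.append({k: v.strip() for k, v in zip(kv[::2], kv[1::2])})
        out.append((entry.strip(), parsed))
    return out

def lint(csv_text):
    """Return (line_number, message) findings for a policy CSV."""
    rows = [{k.strip().lower(): (v or "").strip() for k, v in r.items() if k}
            for r in csv.DictReader(io.StringIO(csv_text))]
    pair = lambda r: (r.get("user"), r.get("device"))  # assumed policy identity
    kind = lambda r: r.get("type", "").lower()
    findings = []
    for n, row in enumerate(rows):
        line = n + 2  # line 1 is the header
        if not all(row.get(c) for c in ("type", "user", "device")):
            findings.append((line, "Type, User and Device are required"))
        if kind(row) == "policy" and not any(
                kind(r) in SSP and pair(r) == pair(row) for r in rows[n + 1:]):
            findings.append((line, "no SSP row follows: SAML services end up deselected"))
        if kind(row) in SSP and not any(
                kind(r) == "policy" and pair(r) == pair(row) for r in rows[:n]):
            findings.append((line, "SSP row relies on an already existing policy"))
        for col in ("services", "applets"):
            for _entry, accounts in parse_cell(row.get(col, "")):
                if (any("awsPolicyName" in a for a in accounts)
                        and row.get("device") != "aws.amazon.com"):
                    findings.append((line, col + ": awsPolicyName on a non-AWS device"))
    return findings

# Constructed sample rows (not the vendor's sample file).
SAMPLE = '''Type,User,Device,Services,Applets
Policy,alice,web01,,"name=SSH custom_name=OpenSSH,,,tap=Active Directory tac=Administrator"
Policy,ops,db01,"TestService,,,tap=App tac=svc awsPolicyName=ReadOnly",
SSP,ops,db01,ExampleSAMLService,
SSP,bob,web02,ExampleSAMLService,
'''
if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The "no SSP row follows" finding matters only when the existing policy already has SAML services selected; review it against the current policy before importing.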
Export a CSV List of Policies
To export existing policies to a CSV file:
  1. Go to Policies, Manage Policies.
  2. Select the Import/Export button on the Policies page.
     The Import/Export Policies window appears.
  3. Select the Export Policy button.
     A CSV file is saved on your computer. The CSV file has the format of the sample file.