Import or Export Policies

Instead of creating policies individually through the web interface, you can populate them into a comma-separated value (CSV) configuration file. The CSV file lets you load records for a batch of Users.

Import a CSV Policy File

A sample file is provided for spreadsheet editing and population.
Download Sample CSV
  1. Go to Policies, Manage Policies.
  2. Select the Import/Export button on the Policies page.
    The Import/Export Policies window appears.
  3. Click Download Sample File.
  4. Copy and rename the sample file, and open the new copy in any spreadsheet to inspect the column headers and cell values.
    Each line below the header is a full policy association.
  5. Create and populate the new file. See CSV Fields and Syntax for details about each column.
  6. In the Import/Export Policies window, click Choose File to locate your new file.
  7. Click Import Policy to upload the CSV file.
    The imported policies are added to the Policies list.
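
A pre-import check for the file built in steps 5 to 7, as an added Python example (not vendor code). It applies the Type, User and Device rules from CSV Fields and Syntax. It assumes that a policy is identified by its User and Device values, that Type values compare case-insensitively, and that "followed by" means any later SSP row for the same pair; `lint_policy_csv` and the sample rows are constructed for illustration.

```python
import csv
import io

REQUIRED = ("type", "user", "device")
SSP_TYPES = {"saml service policy", "ssp"}  # the page uses both spellings

def lint_policy_csv(text):
    """Return sorted (line, message) findings for a policy CSV before import."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    header = [h.strip().lower() for h in rows[0]]  # headings are not case-sensitive
    findings = [(1, "empty column header")] if "" in header else []
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        return findings + [(1, "missing column: " + ", ".join(missing))]
    policies = {}  # (user, device) -> [line of Policy row, SSP rows after it]
    for line, raw in enumerate(rows[1:], start=2):
        rec = dict(zip(header, (v.strip() for v in raw)))
        if not all(rec.get(c) for c in REQUIRED):
            findings.append((line, "Type, User and Device all need a value"))
            continue
        pair, kind = (rec["user"], rec["device"]), rec["type"].lower()
        if kind == "policy":
            policies[pair] = [line, 0]
        elif kind not in SSP_TYPES:
            findings.append((line, "unknown Type: " + rec["type"]))
        elif pair in policies:
            policies[pair][1] += 1
        else:  # assumption: policies are keyed by their User and Device values
            findings.append((line, "SSP row without a Policy row in this file: "
                                   "import fails unless the policy already exists"))
    for line, ssp_rows in policies.values():
        if ssp_rows == 0:
            findings.append((line, "Policy row with no SSP rows: import "
                                   "deselects all SAML services for this policy"))
    return sorted(findings)

# Constructed sample rows; user, device and service names are made up.
SAMPLE = "\n".join([
    "Type,User,Device,Services",
    "Policy,alice,web01,TSWEB",
    "Policy,ops-group,idp-gw,",
    "SAML Service Policy,ops-group,idp-gw,PayrollSAML",
    "SSP,bob,idp-gw,PayrollSAML",
    "Policy,carol,,TSWEB",
])

if __name__ == "__main__":
    for line, message in lint_policy_csv(SAMPLE):
        print(f"line {line}: {message}")
```

A Policy row without SSP rows is normal for a policy that uses no SAML services; the finding matters when the row updates an existing policy whose SAML selections should survive the import.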

CSV Fields and Syntax

Only the first three columns require a value. Column order does not matter. Heading spelling does matter, although headings are not case-sensitive. Do not include empty columns (columns with no header).
  • Type:
    Policy or SAML Service Policy
    SAML services are part of a policy, but they are imported in their own row:
    • A policy row deselects all SAML services for the specified policy. Therefore, if the policy row is not followed by SAML Service Policy (SSP) rows, all SAML services are deselected in the final policy.
    • SSP rows configure the specified SAML service only for the specified policy.
    • SSP rows that are not preceded by a policy row only update the SAML service configuration in the specified policy. They do not clear selected SAML services for the specified policy.
    • SSP rows depend on a preceding policy row or depend on the specified policy already existing. Attempting to import an SSP row without a policy results in an import error.
  • User:
    User or User Group name of the User-Device pair.
  • Device:
    Device Name or Device Group Name of the User-Device pair.
  • Services:
    Specify built-in services (sftpft, sftpftpemb, sftpsftp, sftpsftpemb, TSWEB) or custom Services. Separate multiple Services using a pipe character.
    For SAML Service Policy type rows, specify the name of the SAML service that is being configured.
    Account information that is associated with these services can be specified by appending ',,,' and using the following template to describe the account:
    ts=DeviceName tap=TargetApplicationName tac=AccountName awsPolicyName=AWSPolicyName
    • DeviceName
      specifies the device name of the target account. This field is optional if the value is the same as the Device column. Specify this field only for the case where the account belongs to a credential source.
    • TargetApplicationName
      specifies the name of the target application of the target account.
    • AccountName
      specifies the account name of the target account.
    • AWSPolicyName
      specifies the AWS policy that should be applied when this account is used. This field should only be specified for AWS accounts used with the special aws.amazon.com device.
    • Example:
      TestService,,,ts=TestCredentialSourceDevice tap=TestApplication tac=test_user,,,tap=TestAppBelongingToTestDevice tac=user1
  • Applets:
    Use the following template for each Access Method applet:
    name=Name custom_name=CustomName
    • Name
      options: VNC, Telnet, SSH, SSH2, Telnet, RDP
    • Name
      extra options if mainframe licensing is enabled: TN3270, TN3270SSL, TN5250, TN5250SSL
    • CustomName
      options: (empty); or any string
    • Separate any multiple applets (Access Methods) using a pipe character.
      Account information that is associated with these applets can be specified by appending ',,,' and using the following template to describe the account:
      ts=DeviceName tap=TargetApplicationName tac=AccountName awsPolicyName=AWSPolicyName
    • DeviceName
      specifies the device name of the target account. This field is optional if the value is the same as the Device column. Specify this field only for the case where the specified account belongs to a credential source.
    • TargetApplicationName
      specifies the name of the target application of the target account.
    • AccountName
      specifies the account name of the target account.
    • AWSPolicyName
      specifies the AWS policy that should be applied when this account is used. This field should only be specified for AWS accounts used with the special aws.amazon.com device.
    • Example:
      name=SSH custom_name=OpenSSH,,,ts=TestCredentialSourceDevice tap=Active Directory tac=Administrator,,,tap=TestAppBelongingToTestDevice tac=root
      Multiple accounts can be associated with an applet by appending ',,,' and more account descriptions as shown in the example.
  • Command Filter:
    If this policy uses one or more Command Filter Lists, enter them by name; otherwise, leave blank. If used, define CFLs (import CFL CSV file) first. Ensure that filters are imported before policy.
  • Socket Filter:
    If this policy uses one or more Socket Filter Lists, enter them by name; otherwise, leave blank. If used, define SFLs (import SFL CSV file) first. Ensure that filters are imported before policy.
  • Restrict login if agent is not running:
    Use "t" or "f" for true or false. Use this field only for applets that rely on this switch: RDP, VNC, and ICA.
  • Graphical Recording:
    Use "t" or "f" for true or false. When true, CA PAM performs graphical recording of every RDP or VNC session between this User-Device (or Group) pair.
  • Command Line Recording:
    Use "t" or "f" for true or false. When true, CA PAM performs command line recording of every CLI-based session between this User-Device (or Group) pair.
  • Bidirectional Recording:
    Use "t" or "f" for true or false. When true (and Command Line Recording is true), CA PAM records the User and Device input for every CLI-based session between this User-Device (or Group) pair. Otherwise, only User input is recorded.
  • Web Portal Recording:
    Use "t" or "f" for true or false. When true, CA PAM performs graphical recording of every web portal session between this User(Group)-Device(Group) pair.
  • Targets:
    [ts=deviceName] tap=targetApplicationName tac=accountName
  • SAML Attributes:
    | (pipe) delimited mapping of the attributes that are requested by the SAML service.
    name=(.*)\s+nameIdFormat=(.*)\s+provisionType=(.*)\s+xAttribute=(.*)\s+value=(.*)
    SAML attributes should be on a row after a policy to which they apply, with SSP in the Type column. See Type for more information about the SAML Attribute column.
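
The Services and Applets cell syntax above, parsed in an added Python example (not vendor code) so that a reviewer can see which target accounts a row grants before importing it. The function names are hypothetical, and the parser assumes values never contain a pipe, ',,,' or a ' key=' sequence; the two sample strings are the examples from this page.

```python
import re

ACCOUNT_KEYS = ("ts", "tap", "tac", "awsPolicyName")
APPLET_KEYS = ("name", "custom_name")

def split_pairs(text, keys):
    """Parse 'k=v k=v'; values may contain spaces (tap=Active Directory)."""
    marker = re.compile(r"(?:^|\s)(" + "|".join(keys) + r")=")
    hits = list(marker.finditer(text))
    pairs = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        pairs[hit.group(1)] = text[hit.end():end].strip()
    return pairs

def parse_cell(cell, applets=False):
    """Parse a Services or Applets cell into entries with their accounts."""
    entries = []
    for item in filter(None, (p.strip() for p in cell.split("|"))):
        head, *descs = item.split(",,,")
        entry = split_pairs(head, APPLET_KEYS) if applets else {"name": head.strip()}
        entry["accounts"] = []
        for desc in descs:
            account = split_pairs(desc, ACCOUNT_KEYS)
            # Only ts is optional in the page's templates; tap and tac are not.
            if not {"tap", "tac"} <= set(account):
                raise ValueError("account needs tap= and tac=: " + desc)
            entry["accounts"].append(account)
        entries.append(entry)
    return entries

def misplaced_aws_policies(entries, device):
    """Accounts that set awsPolicyName on a device other than aws.amazon.com.
    The account's device is ts when given, otherwise the row's Device column."""
    return [a for e in entries for a in e["accounts"]
            if "awsPolicyName" in a and a.get("ts", device) != "aws.amazon.com"]

# The two example cells from this page.
SERVICES_EXAMPLE = ("TestService,,,ts=TestCredentialSourceDevice tap=TestApplication "
                    "tac=test_user,,,tap=TestAppBelongingToTestDevice tac=user1")
APPLETS_EXAMPLE = ("name=SSH custom_name=OpenSSH,,,ts=TestCredentialSourceDevice "
                   "tap=Active Directory tac=Administrator,,,"
                   "tap=TestAppBelongingToTestDevice tac=root")

if __name__ == "__main__":
    print(parse_cell(SERVICES_EXAMPLE))
    print(parse_cell(APPLETS_EXAMPLE, applets=True))
```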

Export a CSV List of Policies

To export existing policies to a CSV file:
  1. Go to Policies, Manage Policies.
  2. Select the Import/Export button on the Policies page.
    The Import/Export Policies window appears.
  3. Select the Export Policy button.
    A CSV file is saved on your computer. The CSV file has the format of the sample file.