Create a Snapshot Definition
As of April 1, 2016, this section on CA Business Intelligence is not available to new customers, but is still relevant for customers that purchased the product prior to April 1, 2016.
Reports are based on data snapshots that are collected from CA ControlMinder and UNAB endpoints and stored in the central database, on SAM data from CA ControlMinder Enterprise Management, and on data from the user store.
You create a snapshot definition and capture snapshot data before you can run and view CA ControlMinder reports. A snapshot definition specifies the report data that CA ControlMinder collects and the schedule for data collection.
The snapshot parameter XML file specifies the report data that CA ControlMinder collects. By default, this file specifies to include all CA ControlMinder and UNAB endpoints, SAM data, and data from the user store in the report snapshot. You can customize the snapshot parameter XML file to limit the scope of the report snapshot.
To help ensure that the reports contain the most up-to-date data, do not schedule the snapshot to run more often than the endpoint snapshots. For example, if you configure your endpoints to send a snapshot each week and configure CA ControlMinder Enterprise Management to capture a snapshot each day, report data is collected weekly from the endpoints but daily from SAM and the user store, and out-of-date endpoint data appears in the reports.
Do not enable more than one snapshot definition. CA ControlMinder Enterprise Management cannot successfully run all reports if more than one snapshot definition is enabled.
By default, you must have the System Manager role to create a snapshot definition.
Follow these steps:
- In CA ControlMinder Enterprise Management, do as follows:
  - Click Reports.
  - Click the Tasks subtab.
  - Expand the Manage Snapshot Definition tree in the task menu on the left.
    The Create Snapshot Definition task appears in the list of available tasks.
- Click Create Snapshot Definition.
  The Create Snapshot Definition: Select Snapshot Definition page appears.
- Click OK.
  The Create Snapshot Definition page appears.
- Complete the following fields in the Profile tab:
  - Snapshot Definition Name
    Defines the name of the snapshot definition.
  - Snapshot Definition Description
    Specifies any additional information to describe the snapshot definition.
  - Enabled
    Specifies that CA ControlMinder Enterprise Management enables the snapshot definition.
    Note: If you do not select this checkbox, CA ControlMinder Enterprise Management does not capture snapshots and you cannot view reports. You can enable only one snapshot at a time.
  - Identifier
    Specifies the snapshot parameter XML file that defines the scope of the report snapshot.
    Options:
    - HOST_PROTECTION.XML
      Collect reporting data from CA ControlMinder endpoints.
    - HOST_PROTECTION_SAM_LDAP.XML
      Collect reporting data from CA ControlMinder and SAM endpoints that use an LDAP user store.
    - HOST_PROTECTION_SAM_RDB.XML
      Collect reporting data from CA ControlMinder and SAM endpoints.
    - HOST_PROTECTION_SAM_UNAB_LDAP.XML
      Collect reporting data from CA ControlMinder, UNAB and SAM endpoints that use an LDAP user store.
    - HOST_PROTECTION_UNAB_LDAP.XML
      Collect reporting data from UNAB endpoints.
    - SAM_LDAP.XML
      Collect reporting data from SAM endpoints that use an LDAP user store.
    - SAM_RDB.XML
      Collect reporting data from SAM endpoints.
  - Keep Last
    Specifies the number of successful snapshots stored in the central database. CA ControlMinder deletes old snapshots when the number of snapshots in the database reaches the number that you specify.
    The number of snapshots should be greater than zero. If you do not specify a value for this field, CA ControlMinder stores unlimited snapshots. We recommend that you store a maximum of three successful snapshots.
    Keep Last is not applicable to the PPM_AUDIT_DWH table. In this table, the whole history is maintained and new rows are added with each snapshot. Data is never deleted from this table and the amount of data in this table is constantly growing.
- Click the Recurrence tab and select Schedule.
  The schedule options appear.
- Specify the snapshot execution time and recurrence pattern, and click Submit.
  We recommend that you schedule the snapshot to run less frequently than the snapshots from CA ControlMinder and UNAB endpoints.
  CA ControlMinder is configured to capture snapshots at the scheduled time and frequency.
After you create a snapshot definition, you can choose to capture snapshots on demand and capture snapshots at the scheduled time and frequency. For more information about capturing snapshot data, see the Enterprise Administration Guide.
Limit the Scope of the Report Snapshot
When CA ControlMinder Enterprise Management captures a report snapshot, it collects data from snapshots of CA ControlMinder and UNAB endpoints, SAM data from CA ControlMinder Enterprise Management, and data from the user store. After CA ControlMinder Enterprise Management collects the report data, it stores the data in the central database.
The snapshot parameter XML file specifies the report data that CA ControlMinder Enterprise Management collects. You can limit the scope of the report snapshot by customizing the snapshot parameter XML file.
For example, if you use Active Directory as your user store, CA ControlMinder Enterprise Management collects data for every Active Directory user when it captures a report snapshot. This operation may take a long time to complete. To decrease the time it takes to capture a snapshot, you can limit the scope of the Active Directory snapshot by customizing the snapshot parameter XML file.
To limit the scope of the report snapshot
- Navigate to the following directory, where JBOSS_HOME is the directory where you installed JBoss:
    JBOSS_HOME/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/imrexport/sample
- Copy the sample XML file that is most suitable for your use case. Rename the new file, and save the file in the same directory.
  You have created a new snapshot parameter XML file.
- Open the new snapshot parameter XML file in an editable form.
- Edit the entries in the <!--IM COLLECTORS--> section to specify the scope of the data that CA ControlMinder Enterprise Management collects from the user store.
- Comment out (<!-- and -->) the entries in the <!--PUPM COLLECTORS--> section that correspond to the CA ControlMinder Enterprise Management components that you do not want to include in the report snapshot.
- (Optional) Limit the scope of the Active Directory snapshot:
  - Review the How the LDAP Queries Limit the Report Snapshot and the LDAP Syntax Considerations topics.
    The information in these topics helps you define the correct LDAP queries in the following steps.
  - Locate the following element in the <!--PUPM COLLECTORS--> section:
      <export object="com.ca.ppm.export.ADUsersCollector">
      </export>
    This element specifies the Active Directory user data that is included in the snapshot.
  - Edit the element so it appears as follows, where ldap_query specifies an LDAP query that defines the users for which data is collected:
      <export object="com.ca.ppm.export.ADUsersCollector">
          <where attr="%USER" satisfy="ANY">
              <value op="EQUALS">(ldap_query)</value>
          </where>
      </export>
  - Locate the following element in the <!--PUPM COLLECTORS--> section:
      <export object="com.ca.ppm.export.ADGroupsCollector">
      </export>
  - Edit the element so it appears as follows, where ldap_query specifies an LDAP query that defines the groups for which data is collected:
      <export object="com.ca.ppm.export.ADGroupsCollector">
          <where attr="%USER" satisfy="ANY">
              <value op="EQUALS">(ldap_query)</value>
          </where>
      </export>
    You have limited the scope of the Active Directory snapshot.
- Save and close the new snapshot parameter XML file.
- Modify the snapshot definition in CA ControlMinder Enterprise Management to use the new snapshot parameter XML file.
  When the capture snapshot task runs, it collects only the data that you specified in the snapshot parameter XML file.
Example: Limit the Scope of Report Snapshots to CA ControlMinder Endpoints
If you do not use SAM and UNAB, you can limit the scope of the report snapshot to collect data only from CA ControlMinder endpoints. To limit the scope of data collection to CA ControlMinder endpoints, you comment out (<!-- and -->) all the entries under the <!-- PUPM COLLECTORS --> section except for the ReportIdMarkerCollector entry.
The following is a snippet from a sample XML file after it was modified to comment out all entries under the <!-- PUPM COLLECTORS --> section, excluding the ReportIdMarkerCollector entry:
    <!-- PUPM COLLECTORS -->
    <!-- export object="com.ca.ppm.export.AccountPasswordCollector"> </export -->
    <!-- export object="com.ca.ppm.export.PPMRolesCollector"> <exportattr attr="|rolemembers|" /> </export -->
    <!-- export object="com.ca.ppm.export.PrivilegedAccountExceptionCollector"> </export -->
    <!-- export object="com.ca.ppm.export.PPMPasswordPolicyCollector"> </export -->
    <!-- export object="com.ca.ppm.export.ADUsersCollector"> </export -->
    <!-- export object="com.ca.ppm.export.PPMAccountUserAccessCollector"> </export -->
    <!-- export object="com.ca.ppm.export.ADGroupsCollector"> <exportattr attr="|groupmembers|" /> </export -->
    <export object="com.ca.ppm.export.ReportIdMarkerCollector"> </export>
Snapshot Parameter XML File Syntax Limit Report Snapshot
The snapshot parameter XML file specifies the report data that CA ControlMinder Enterprise Management collects. You can limit the scope of the report snapshot by editing the snapshot parameter XML file.
CA ControlMinder Enterprise Management collects report data only for the objects that meet the criteria that you define in the snapshot parameter XML file. Each collector in the file defines a set of objects that CA ControlMinder Enterprise Management collects.
Each collector has the following structure:
    <export object=" ">
        <where attr=" " satisfy=" ">
            <value> </value>
        </where>
        <exportattr attr=" " />
    </export>
The <where>, <value>, and <exportattr> elements are optional.
Each collector contains the following elements:
- <export>
  Indicates the object data that CA ControlMinder Enterprise Management collects. For example, the <export> element may specify that CA ControlMinder Enterprise Management collects user data.
  The <export> element can include one or more <exportattr> and <where> elements, which let you collect only the data that meets certain criteria. If you do not specify any <exportattr> or <where> elements, CA ControlMinder Enterprise Management collects all of the data for the object.
  The <export> element has only the object parameter.
- <where>
  Filters the collected data based on the criteria defined by the <value> element. A <where> element must include at least one <value> element. You can specify multiple <where> elements to refine your filter (they act as OR elements).
Parameter | Description |
attr | Indicates the attribute to use in the filter. |
satisfy | Indicates whether some or all of the value evaluations must be satisfied for the object or attributes to be collected. ALL: An attribute or object must satisfy all of the value evaluations. ANY: An attribute or object must satisfy at least one value evaluation. |
- <value>
  Defines, in a <where> element, the condition that an attribute or an object must meet to be collected. The <value> element requires the operator (op) parameter. The operator can be EQUALS or CONTAINS.
  In the <!--PUPM COLLECTORS--> section of the snapshot parameter XML file, you can use LDAP syntax in <value> elements. The LDAP syntax lets you specify the user and group data that CA ControlMinder Enterprise Management collects from Active Directory.
- <exportattr>
  Indicates a specific attribute to collect. Use the <exportattr> element to collect a subset of attributes for the object you are collecting. For example, you can use the <exportattr> element to collect only a user's ID.
  The <exportattr> element has the attr parameter.
Object | Attributes you can use in a <where> element | Attributes you can use in an <exportattr> element |
role | You can filter with the name attribute. name - the roles with names that satisfy the filter | You can collect any of the following attributes: |tasks| - all tasks associated with the role |rules| - all member, admin, owner, and scope rules that apply to the role |users| - all members, administrators, and owners of the role |rolemembers| - all role members |roleadmins| - all role administrators |roleowners| - all role owners |
user | Any well-known or physical attribute and any of the following attributes: |groups| - the members of a group |roles| - the members of a role |orgs| - users whose profiles exist in organizations that satisfy the filter | You can collect any of the following attributes: |all_attributes| - all available user attributes |groups| - all groups where the user is a member or admin |roles| - all roles where the user is a member, admin, or an owner |
group | Any well-known or physical attribute or the following attribute: |groups| - the list of nested groups within a group that satisfies the filter | You can collect any well-known or physical attribute or any of the following attributes: |all_attributes| - all attributes defined for the Group object in the directory configuration file (directory.xml) |groups| - all nested groups within the group |users| - all members of the group |groupadmins| - all users who are administrators of the specified group |groupmembers| - all users who are members of the specified group |users| - all group administrators and members |
organization | Any well-known or physical attribute | You can collect any well-known or physical attribute or any of the following attributes: |all_attributes| - all attributes defined for the Organization object in the directory configuration file (directory.xml) |orgs| - all nested organizations within the organization |groups| - all groups in the organization |users| - all users in the organization |
How LDAP Queries Limit the User and Group Data in the Report Snapshot
If you use Active Directory as your user store, you can specify the user and group data that is captured in the report snapshot.
You can use LDAP queries in the snapshot parameter XML file that filter the Active Directory data by user and by group. However, you cannot use LDAP queries that filter the Active Directory data by role membership. You can use LDAP queries only in the <!--PUPM COLLECTORS--> section of the snapshot parameter XML file.
The following process describes how the LDAP queries in the snapshot parameter XML file limit the Active Directory data that CA ControlMinder Enterprise Management collects. This information helps you write the correct LDAP query to limit the report snapshot.
When CA ControlMinder Enterprise Management captures an Active Directory report snapshot, it does the following:
1. Collects data for only the Active Directory users that are specified in the LDAP query within the following element:
       <export object="com.ca.ppm.export.ADUsersCollector">
   If the element does not contain an LDAP query, CA ControlMinder Enterprise Management includes data for all Active Directory users in the snapshot.
2. Collects data for only the Active Directory groups that are specified in the LDAP query within the following element:
       <export object="com.ca.ppm.export.ADGroupsCollector">
   If the element does not contain an LDAP query, CA ControlMinder Enterprise Management includes data for all Active Directory groups in the snapshot.
CA ControlMinder Enterprise Management does not collect data for any user that is not returned by the query in Step 1. If a user is a member of a group that is returned by the query in Step 2, but the user is not returned by the query in Step 1, CA ControlMinder Enterprise Management does not include any data for the user in the Active Directory snapshot.
LDAP Syntax Considerations
Consider the following when you write LDAP queries to limit the scope of the Active Directory snapshot:
- You can use the following logical operators in the LDAP query:
  - EQUAL TO ( = )
  - OR ( | )
  - AND ( & )
    Note: Some restrictions apply to the use of the ampersand ( & ) character.
  - NOT ( ! )
  - wildcard ( * )
- You can use the ampersand character ( & ) and left angle bracket character ( < ) only in the following contexts:
  - As a markup delimiter
  - Within a comment
  - Within a processing instruction
  - Within a CDATA section
  Use the string &amp; or the Unicode character reference to represent the ampersand character in any other context. Use the string &lt; or the Unicode character reference to represent the left angle bracket character in any other context.
- You can use the right angle bracket character ( > ) only at the end of a string marking the end of a CDATA section ( ]]> ).
  Use the string &gt; or the Unicode character reference to represent the right angle bracket character in any other context.
Example: The Ampersand Character
The following snippet of a snapshot parameter XML file specifies to include all Active Directory user data in the report snapshot. The LDAP query in the snippet uses the &amp; string to represent an ampersand:
    <export object="com.ca.ppm.export.ADUsersCollector">
        <where attr="%USER%" satisfy="ANY">
            <value op="EQUALS">(&amp;(objectClass=user))</value>
        </where>
    </export>
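The escaping rule and the collector syntax described above can be checked before a customized file is assigned to a snapshot definition. The following is an added example, not code from CA or from the original page: it parses a snapshot parameter XML string, lists the collectors that are still active (commented-out collectors disappear), and reports syntax problems. The `<snapshot>` wrapper element, the `department=Finance` filter, and the function name `check_snapshot_xml` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a file shipped with the product. The <snapshot>
# wrapper element is a placeholder; the page does not show the real root.
GOOD = """<snapshot>
<!-- PUPM COLLECTORS -->
<export object="com.ca.ppm.export.ADUsersCollector">
  <where attr="%USER%" satisfy="ANY">
    <value op="EQUALS">(&amp;(objectClass=user)(department=Finance))</value>
  </where>
</export>
<!-- export object="com.ca.ppm.export.ADGroupsCollector"> </export -->
<export object="com.ca.ppm.export.ReportIdMarkerCollector"> </export>
</snapshot>"""
# Same file with the ampersand left unescaped, as it would be typed in LDAP.
BAD = GOOD.replace("&amp;", "&")


def check_snapshot_xml(text):
    """Return ({active collector: [decoded queries]}, [problems])."""
    try:
        root = ET.fromstring(text)  # comments, so disabled collectors, are dropped
    except ET.ParseError as exc:
        return {}, [f"not well-formed: {exc}"]
    active, problems = {}, []
    for export in root.iter("export"):
        name = export.get("object", "")
        queries = active.setdefault(name, [])
        for where in export.findall("where"):
            # ALL and ANY are the values the page lists for satisfy.
            if where.get("satisfy") not in ("ALL", "ANY"):
                problems.append(f"{name}: satisfy must be ALL or ANY")
            values = where.findall("value")
            if not values:
                problems.append(f"{name}: <where> needs at least one <value>")
            for value in values:
                if value.get("op") not in ("EQUALS", "CONTAINS"):
                    problems.append(f"{name}: op must be EQUALS or CONTAINS")
                query = (value.text or "").strip()
                if query.count("(") != query.count(")"):
                    problems.append(f"{name}: unbalanced parentheses in {query!r}")
                queries.append(query)
    return active, problems


if __name__ == "__main__":
    for label, text in (("escaped", GOOD), ("unescaped", BAD)):
        collectors, problems = check_snapshot_xml(text)
        print(label, collectors, problems)
```

The decoded query in the result shows what the LDAP filter looks like after XML unescaping, which is the form to compare against the users and groups you expect to appear in the reports.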
Preparing Your Endpoint Implementation
Consider the following when you prepare your endpoint implementation.