Capture Snapshot Data
As of April 1, 2016, this section on CA Business Intelligence is not available to new customers, but it is still relevant for customers that purchased the product prior to April 1, 2016.
The article describes the steps to capture snapshot data on demand, and in scheduled intervals, from Privileged Identity Manager Enterprise Console.
Capture Snapshot Data on Demand
Typically, report data is captured in snapshots in scheduled intervals. You can also capture snapshot data on demand. By capturing snapshot data on demand, you export data immediately to the central database.
- When the reporting snapshot includes large amounts of data, create a snapshot definition to schedule your snapshots. Exporting snapshot data can take a long time when the amount of data is large.
- By default, you must be assigned the System Manager role to capture snapshot data.
Follow these steps:
- In Privileged Identity Manager Enterprise Console, click Reports, Tasks, Capture Snapshot Data.
- Select the name of the snapshot definition to capture, and click Submit. You export snapshot data to the central database.
- You can use the View Submitted Tasks task to monitor the progress of the task.
Capture Snapshot Data in Scheduled Intervals
You create a snapshot definition and capture snapshot data before you run and view reports. A snapshot definition specifies the report data and schedule for data collection. The snapshot parameter XML file specifies the report data for collection. The XML file captures data from the following sources in the report snapshot by default:
- Privileged Identity Manager Endpoint
- UNAB Endpoint
- Shared Account Management
- User Store
To view the most up-to-date data, do not schedule snapshot captures more often than the endpoint snapshots.
Example:
Suppose you have configured an endpoint to send snapshot data each week, and in the Enterprise Console you have configured a snapshot capture each day. With this configuration, report data is collected weekly from the endpoints but daily from SAM and the user store. As a result, the endpoint data in the reports is out of date.
- By default, you must be assigned the System Manager role to create a snapshot definition.
- Do not enable more than one snapshot definition. Privileged Identity Manager Enterprise Console cannot successfully run all reports when more than one snapshot definition is enabled.
Follow these steps:
- In Privileged Identity Manager Enterprise Console, click Reports, Tasks, Manage Snapshot Definition, Create Snapshot Definition. The Create Snapshot Definition: Select Snapshot Definition page appears.
- Select the option to either create a new object of the snapshot definition, or use a copy of an existing object to create a snapshot definition. Click OK.
- Complete the following fields in the Profile tab:
  - Snapshot Definition Name: Defines the name of the snapshot definition.
  - Snapshot Definition Description: Specifies a text that describes the snapshot definition.
  - Enabled: Specifies whether to capture the snapshot or not. When this option is enabled, Privileged Identity Manager Enterprise Console captures the snapshot and you can view reports. You can enable only one snapshot at a time.
  - Identifier: Specifies the snapshot parameter XML file that defines the scope of the report snapshot. Values:
    - HOST_PROTECTION.XML: Collect reporting data from Privileged Identity Manager endpoints.
    - HOST_PROTECTION_SAM_LDAP.XML: Collect reporting data from Privileged Identity Manager and SAM endpoints that use an LDAP user store.
    - HOST_PROTECTION_SAM_RDB.XML: Collect reporting data from Privileged Identity Manager and SAM endpoints.
    - HOST_PROTECTION_SAM_UNAB_LDAP.XML: Collect reporting data from Privileged Identity Manager, UNAB and SAM endpoints that use an LDAP user store.
    - HOST_PROTECTION_UNAB_LDAP.XML: Collect reporting data from UNAB endpoints.
    - SAM_LDAP.XML: Collect reporting data from SAM endpoints that use an LDAP user store.
    - SAM_RDB.XML: Collect reporting data from SAM endpoints.
  - Keep Last: Specifies the number of successful snapshots that are stored in the central database. When the snapshot count reaches the configured value, the old snapshots are deleted. The number of snapshots must be greater than zero. Store a maximum of three successful snapshots. If you do not specify a value, unlimited snapshots are stored in the database. Keep Last is not applicable to the PPM_AUDIT_DWH table. In this table, the whole history is maintained and new rows are added with each snapshot. Data is never deleted from this table and the data in this table constantly grows.
- Click the Recurrence tab and select Schedule.
  - Snapshot Execution Time: Specify the time to execute the snapshot on the endpoint.
  - Recurrence Pattern: Specify the recurring pattern to execute the snapshot on the endpoint.
- Click Submit.
You have created a snapshot definition and configured a schedule to capture snapshot data at the specified time and frequency.
Limit the Scope of the Report Snapshot
When Privileged Identity Manager Enterprise Console captures a report snapshot, it collects data from the following snapshots:
- Privileged Identity Manager endpoint
- UNAB endpoint
- SAM data from Privileged Identity Manager Enterprise Console
- Data from the user store
After the Enterprise Management Server collects the report data, it stores the data in the central database.
The snapshot parameter XML file specifies the report data that the Enterprise Management Server collects. You can limit the scope of the report snapshot by customizing the snapshot parameter XML file.
For example, if you use Active Directory as your user store, the Enterprise Management Server collects data for every Active Directory user when it captures a report snapshot. This operation can take a long time to complete. To decrease the time it takes to capture a snapshot, you can limit the scope of the Active Directory snapshot by customizing the snapshot parameter XML file.
Follow these steps:
- Navigate to the following directory, where JBOSS_HOME is the directory where JBoss is installed: JBOSS_HOME/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/imrexport/sample
- Copy the sample xml file that is most suitable for your use case. Rename the new file, and save the file in the same directory. You have created a snapshot parameter XML file.
- Open the new snapshot parameter XML file.
- Edit the entries in the <!--IM COLLECTORS--> section to specify the scope of the data that Privileged Identity Manager Enterprise Console collects from the user store.
- Comment out (<!-- and -->) the entries in the <!--PUPM COLLECTORS--> section that correspond to the components that you do not want to include in the report snapshot.
- (Optional) Limit the scope of the Active Directory snapshot:
  - Review the How the LDAP Queries Limit the Report Snapshot and the LDAP Syntax Considerations topics. The information in these topics helps you define the correct LDAP queries in the following steps.
  - Locate the following element in the <!--PUPM COLLECTORS--> section. This element specifies the Active Directory user data that is included in the snapshot:
    <export object="com.ca.ppm.export.ADUsersCollector"> </export>
  - Edit the element so that it appears as follows, where ldap_query is an LDAP query that defines the users for which data is collected:
    <export object="com.ca.ppm.export.ADUsersCollector">
      <where attr="%USER" satisfy="ANY">
        <value op="EQUALS">(ldap_query)</value>
      </where>
    </export>
  - Locate the following element in the <!--PUPM COLLECTORS--> section:
    <export object="com.ca.ppm.export.ADGroupsCollector"> </export>
  - Edit the element so that it appears as follows, where ldap_query is an LDAP query that defines the groups for which data is collected:
    <export object="com.ca.ppm.export.ADGroupsCollector">
      <where attr="%USER" satisfy="ANY">
        <value op="EQUALS">(ldap_query)</value>
      </where>
    </export>
    You have limited the scope of the Active Directory snapshot.
- Save and close the new snapshot parameter XML file.
- Modify the snapshot definition in Privileged Identity Manager Enterprise Console to use the new snapshot parameter XML file. When the capture snapshot task runs, it collects only the data that you specified in the snapshot parameter XML file.
Example: Limit the Scope of Report Snapshots to Privileged Identity Manager Endpoints
If you do not use SAM and UNAB, you can limit the scope of the report snapshot to collect data only from Privileged Identity Manager endpoints. To limit the scope of data collection to Privileged Identity Manager endpoints, you comment out (<!-- and -->) all the entries under the <!-- PUPM COLLECTORS --> section except for the ReportIdMarkerCollector entry. The following code is a snippet from a sample XML file after it was modified to comment out all entries under the <!-- PUPM COLLECTORS --> section, excluding the ReportIdMarkerCollector entry:
<!-- PUPM COLLECTORS -->
<!-- export object="com.ca.ppm.export.AccountPasswordCollector"> </export -->
<!-- export object="com.ca.ppm.export.PPMRolesCollector"> <exportattr attr="|rolemembers|" /> </export -->
<!-- export object="com.ca.ppm.export.PrivilegedAccountExceptionCollector"> </export -->
<!-- export object="com.ca.ppm.export.PPMPasswordPolicyCollector"> </export -->
<!-- export object="com.ca.ppm.export.ADUsersCollector"> </export -->
<!-- export object="com.ca.ppm.export.PPMAccountUserAccessCollector"> </export -->
<!-- export object="com.ca.ppm.export.ADGroupsCollector"> <exportattr attr="|groupmembers|" /> </export -->
<export object="com.ca.ppm.export.ReportIdMarkerCollector"> </export>
Snapshot Parameter XML File Syntax to Limit the Report Snapshot
The snapshot parameter XML file specifies the report data that Privileged Identity Manager Enterprise Console collects. You can limit the scope of the report snapshot by editing the snapshot parameter XML file. Privileged Identity Manager Enterprise Console collects report data only for the objects that meet the criteria that you define in the snapshot parameter XML file. Each collector in the file defines a set of objects that Privileged Identity Manager Enterprise Management collects.
Each collector has the following structure:
<export object=" ">
  <where attr=" " satisfy=" ">
    <value> </value>
  </where>
  <exportattr attr=" " />
</export>
The <where>, <value>, and <exportattr> elements are optional.
Each collector contains the following elements:
<export>
Indicates the object data that Privileged Identity Manager Enterprise Console collects. For example, the <export> element specifies that the Enterprise Management Server collects user data. The <export> element can include one or more <exportattr> and <where> elements, which let you collect only the data that meets certain criteria. If you do not specify any <exportattr> or <where> elements, Privileged Identity Manager Enterprise Console collects all the data for the object. The <export> element has only the object parameter.
<where>
Filters the collected data based on the criteria defined by the <value> element. A <where> element must include at least one <value> element. You can specify multiple <where> elements to refine your filter (they act as OR elements).
Parameter | Description |
attr | Indicates the attribute to use in the filter. |
satisfy | Indicates whether some or all the value evaluations must be satisfied for the object or attributes to be collected. |
<value>
Defines, in a <where> element, the condition that an attribute or an object must meet to be collected. The <value> element requires the operator (op) parameter. The operator can be EQUALS or CONTAINS.
In the <!--PUPM COLLECTORS--> section of the snapshot parameter XML file, you can use LDAP syntax in <value> elements. The LDAP syntax lets you specify the user and group data that Privileged Identity Manager Enterprise Console collects from Active Directory.
<exportattr>
Indicates a specific attribute to collect. Use the <exportattr> element to collect a subset of attributes for the object you are collecting. For example, you can use the <exportattr> element to collect only a user ID. The <exportattr> element has the attr parameter.
The attributes that you can use in <where> and <exportattr> elements depend on the object:
role
- Attributes that you can use in a <where> element: you can filter with the name attribute.
  - name - the roles with names that satisfy the filter
- Attributes that you can use in an <exportattr> element: you can collect any of the following attributes.
  - |tasks| - all tasks that are associated with the role
  - |rules| - all member, admin, owner, and scope rules that apply to the role
  - |users| - all members, administrators, and owners of the role
  - |rolemembers| - all role members
  - |roleadmins| - all role administrators
  - |roleowners| - all role owners
user
- Attributes that you can use in a <where> element: any well-known or physical attribute, and any of the following attributes.
  - |groups| - the members of a group
  - |roles| - the members of a role
  - |orgs| - users whose profiles exist in organizations that satisfy the filter
- Attributes that you can use in an <exportattr> element: you can collect any of the following attributes.
  - |all_attributes| - all available user attributes
  - |groups| - all groups where the user is a member or admin
  - |roles| - all roles where the user is a member, admin, or an owner
group
- Attributes that you can use in a <where> element: any well-known or physical attribute or the following attribute.
  - |groups| - the list of nested groups within a group that satisfies the filter
- Attributes that you can use in an <exportattr> element: any well-known or physical attribute or any of the following attributes.
  - |all_attributes| - all attributes that are defined for the Group object in the directory configuration file (directory.xml)
  - |groups| - all nested groups within the group
  - |users| - all members of the group
  - |groupadmins| - all users who are administrators of the specified group
  - |groupmembers| - all users who are members of the specified group
  - |users| - all group administrators and members
organization
- Attributes that you can use in a <where> element: any well-known or physical attribute.
- Attributes that you can use in an <exportattr> element: any well-known or physical attribute or any of the following attributes.
  - |all_attributes| - all attributes that are defined for the Organization object in the directory configuration file (directory.xml)
  - |orgs| - all nested organizations within the organization
  - |groups| - all groups in the organization
  - |users| - all users in the organization
How LDAP Queries Limit the User and Group Data in the Report Snapshot
If you use Active Directory as your user store, you can specify the user and group data that is captured in the report snapshot.
You can use LDAP queries in the snapshot parameter XML file that filter the Active Directory data by user and by group. However, you cannot use LDAP queries that filter the Active Directory data by role membership. You can use LDAP queries only in the <!--PUPM COLLECTORS--> section of the snapshot parameter XML file.
The following process describes how the LDAP queries in the snapshot parameter XML file limit the Active Directory data that the Enterprise Management Server collects. This information helps you write the correct LDAP query to limit the report snapshot.
When the Enterprise Management Server captures an Active Directory report snapshot, it does the following:
- Collects data for only the Active Directory users that are specified in the LDAP query within the following element:
  <export object="com.ca.ppm.export.ADUsersCollector">
  If the element does not contain an LDAP query, the Enterprise Management Server includes data for all Active Directory users in the snapshot.
- Collects data for only the Active Directory groups that are specified in the LDAP query within the following element:
  <export object="com.ca.ppm.export.ADGroupsCollector">
  If the element does not contain an LDAP query, the Enterprise Management Server includes data for all Active Directory groups in the snapshot.
- The Enterprise Management Server does not collect data for any user that the query in step 1 fails to return.
- If a user is a member of a group that the query in step 2 returns, but the query in step 1 fails to return the same user, then the Enterprise Management Server does not collect data for the user in the Active Directory snapshot.
LDAP Syntax Considerations
Consider the following points when you write LDAP queries to limit the scope of the Active Directory snapshot:
- You can use the following logical operators in the LDAP query:
  - EQUAL TO ( = )
  - OR ( | )
  - AND ( & )
    Note: Some restrictions apply to the use of the ampersand ( & ) character.
  - NOT ( ! )
  - wildcard ( * )
- You can use the ampersand character ( & ) and left angle bracket character ( < ) only in the following contexts:
  - As a markup delimiter
  - Within a comment
  - Within a processing instruction
  - Within a CDATA section
  Use the string &amp; or the Unicode character reference to represent the ampersand character in any other context. Use the string &lt; or the Unicode character reference to represent the left angle bracket character in any other context.
- You can use the right angle bracket character ( > ) only at the end of a string marking the end of a CDATA section ( ]]> ). Use the string &gt; or the Unicode character reference to represent the right angle bracket character in any other context.
Example: The Ampersand Character
The following snippet of a snapshot parameter XML file includes all Active Directory user data in the report snapshot. The LDAP query in the snippet uses the &amp; string to represent an ampersand:
<export object="com.ca.ppm.export.ADUsersCollector">
  <where attr="%USER%" satisfy="ANY">
    <value op="EQUALS">(&amp;(objectClass=user))</value>
  </where>
</export>
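As an added example (not code from the original page or from the product), the following Python script performs the edits that the procedure above describes on a constructed PUPM collectors fragment: it inserts LDAP <where> filters into the ADUsersCollector and ADGroupsCollector elements, comments out every other collector except ReportIdMarkerCollector, and checks that the result is well-formed XML, which is exactly what fails when the LDAP AND operator is written as a raw ampersand instead of &amp;. The <collectors> root element, the LDAP filters and the function names are assumptions; the %USER% attribute value is taken from the ampersand example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a <!--PUPM COLLECTORS--> section: collector names are the
# ones the page lists; the wrapping <collectors> root element is an assumption.
SAMPLE_SECTION = """<collectors>
<!--PUPM COLLECTORS-->
<export object="com.ca.ppm.export.AccountPasswordCollector"> </export>
<export object="com.ca.ppm.export.ADUsersCollector"> </export>
<export object="com.ca.ppm.export.ADGroupsCollector"> <exportattr attr="|groupmembers|" /> </export>
<export object="com.ca.ppm.export.ReportIdMarkerCollector"> </export>
</collectors>
"""

def is_well_formed(xml_text):
    """True when the text parses as XML; a raw '&' in a <value> makes it False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def add_ldap_filter(root, collector, ldap_query, attr="%USER%"):
    """Append <where attr=... satisfy="ANY"><value op="EQUALS">query</value></where>
    to the named collector; ElementTree writes '&' in the query as '&amp;'."""
    for export in root.iter("export"):
        if export.get("object") == collector:
            where = ET.SubElement(export, "where", attr=attr, satisfy="ANY")
            ET.SubElement(where, "value", op="EQUALS").text = ldap_query
            return True
    return False  # collector not present in this file

def comment_out_except(root, keep):
    """Turn each top-level <export> not in `keep` into an XML comment (the manual
    <!-- ... --> edit the page describes), leaving the kept collectors active."""
    for i, child in enumerate(list(root)):
        if child.tag == "export" and child.get("object") not in keep:
            comment = ET.Comment(" " + ET.tostring(child, encoding="unicode").strip() + " ")
            comment.tail = child.tail  # keep the line break after the element
            root[i] = comment

def build_section(user_query, group_query, keep):
    """Apply both edits to SAMPLE_SECTION and return the text, verified well formed."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments
    root = ET.fromstring(SAMPLE_SECTION, parser=parser)
    add_ldap_filter(root, "com.ca.ppm.export.ADUsersCollector", user_query)
    add_ldap_filter(root, "com.ca.ppm.export.ADGroupsCollector", group_query)
    comment_out_except(root, keep)
    text = ET.tostring(root, encoding="unicode")
    if not is_well_formed(text):
        raise ValueError("generated section is not well-formed XML")
    return text

def active_collectors(xml_text):
    """Object names of the <export> elements that are not commented out."""
    return [e.get("object") for e in ET.fromstring(xml_text).iter("export")]
```

Point build_section at a copy of the sample file you created in the imrexport/sample directory, never at the original, and review the returned text before you save it as the new snapshot parameter XML file.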