You can perform several bulk actions on Identity Manager accounts, which allow you to act on multiple accounts at the same time.
You can initiate the following Bulk actions:
Delete. Deletes, unassigns, and unlinks selected resource accounts. Select the “Target the Identity Manager Account” option to also delete each user’s Identity Manager account.
Delete and Unlink. Deletes any selected resource accounts and unlinks the accounts from the users.
Disable. Disables any selected resource accounts. Select the “Target the Identity Manager Account” option to also disable each user’s Identity Manager account.
Enable. Enables any selected resource accounts. Select the “Target the Identity Manager Account” option to enable each user’s Identity Manager account.
Unassign. Unlinks any selected resource accounts and removes the Identity Manager user account’s assignments to those resources. Unassigning does not remove the account from the resource. You cannot unassign an account that has been indirectly assigned to the Identity Manager user through a role or resource group.
Unlink. Removes a resource account’s association (link) with the Identity Manager user account. Unlinking does not remove the account from the resource. If you unlink an account that has been indirectly assigned to the Identity Manager user through a role or resource group, the link may be restored when the user is updated.
Bulk actions work best if you have a list of users in a file or application, such as an email client or spreadsheet program. You can copy and paste the list into a field on this interface page, or you can load the list of users from a file.
Many of these actions can be performed on the results of a user search. Use the Find Users page (Accounts -> Find Users) to search for users.
You can save the results of a bulk account operation to a CSV file by clicking Download CSV when the task results appear upon completion of the task.
In the Administrator interface, click Accounts in the main menu.
Click Launch Bulk Actions in the secondary menu.
Complete the form and then click Launch.
Identity Manager launches a background task to perform the bulk actions.
To monitor the status of the bulk actions task, click Server Tasks in the main menu, and then click All Tasks.
You can specify a list of bulk actions using comma-separated values (CSV) format. This allows you to provide a mix of different action types in a single action list. In addition, you can specify more complicated creation and update actions.
The CSV format consists of two or more input lines. Each line consists of a list of values separated by commas. The first line contains field names. The remaining lines each correspond to an action to be performed on an Identity Manager user, the user’s resource accounts, or both. Each line should contain the same number of values. Empty values will leave the corresponding field value unchanged.
Two fields are required in any bulk action CSV input:
user. Contains the name of the Identity Manager user.
command. Contains the action taken on the Identity Manager user. Valid commands are:
Delete. Deletes, unassigns, and unlinks resource accounts, the Identity Manager account, or both.
DeleteAndUnlink. Deletes and unlinks resource accounts.
Disable. Disables resource accounts, the Identity Manager account, or both.
Enable. Enables resource accounts, the Identity Manager account, or both.
Unassign. Unassigns and unlinks resource accounts.
Unlink. Unlinks resource accounts.
Create. Creates the Identity Manager account. Optionally creates resource accounts.
Update. Updates the Identity Manager account. Optionally creates, updates, or deletes resource accounts.
CreateOrUpdate. Performs a create action if the Identity Manager account does not already exist. Otherwise, it performs an update action.
If you are performing Delete, DeleteAndUnlink, Disable, Enable, Unassign, or Unlink actions, the only additional field you need to specify is resources. Use the resources field to specify which accounts on which resources will be affected.
The resources field can have the following values:
all. Process all resource accounts including the Identity Manager account.
resonly. Process all of the resource accounts excluding the Identity Manager account.
resource_name [ | resource_name ... ]. Process the specified resource accounts. Specify Identity Manager to process the Identity Manager account.
The following is an example of the CSV format for several of these actions:
command,user,resources
Delete,John Doe,all
Disable,Jane Doe,resonly
Enable,Henry Smith,Identity Manager
Unlink,Jill Smith,Windows Active Directory|Solaris Server
If you are performing Create, Update, or CreateOrUpdate commands, you can specify fields from the User View in addition to the user and command fields. The field names used are the path expressions for the attributes in the views. See User View Attributes in Sun Identity Manager Deployment Reference for information about the attributes that are available in the User View. If you are using a customized User Form, then the field names in the form contain some of the path expressions that you can use.
Some of the more common path expressions used in bulk actions are:
waveset.roles. A list of one or more role names to assign to the Identity Manager account.
waveset.resources. A list of one or more resource names to assign to the Identity Manager account.
waveset.applications. A list of one or more role names to assign to the Identity Manager account.
waveset.organization. The organization name in which to place the Identity Manager account.
accounts[resource_name].attribute_name. A resource account attribute. The names of the attributes are listed in the schema for the resource.
The following example illustrates the CSV format for create and update actions:
command,user,waveset.resources,password.password,password.confirmPassword,accounts[Windows Active Directory].description,accounts[Corporate Directory].location
Create,John Doe,Windows Active Directory|Solaris Server,changeit,changeit,John Doe - 888-555-5555,
Create,Jane Smith,Corporate Directory,changeit,changeit,,New York
CreateOrUpdate,Bill Jones,,,,,California
The CreateOrUpdate command allows you to target a particular account type on a resource that supports multiple account types. If a user has several accounts on one resource, each of a different account type, the following example shows how to update the admin account type for the userAye user:
command,user,accounts[Sim1|admin].emailAddress
CreateOrUpdate,userAye,bbye8@example.com
Although the CreateOrUpdate command allows you to set account-specific attributes for a user's accounts, be aware that the following values in the global section of the User's View will be applied to all specified accounts:
accountId
password
disable
All extended attributes
Consequently, a BulkOps command of the following form might not do what you expect.
command,user,accounts[Sim1].email
CreateOrUpdate,userAye,bbye8@example.com
If userAye already has a value for email, that value will be applied to the email attribute on the Sim1 resource. You have no way to override this behavior.
Some fields can have multiple values. These are known as multivalued fields. For example, the waveset.resources field can be used to assign multiple resources to a user. You can use the vertical bar (|) character (also known as the “pipe” character) to separate multiple values in a field. The syntax for multiple values can be specified as follows:
value0 | value1 [ | value2 ... ]
When updating multivalued fields on existing users, replacing the current field’s values with one or more new values may not be what you want. You may want to remove some values or add to the current values. You can use field directives to specify how to treat the existing field’s values. Field directives go in front of the field value and are surrounded by the vertical bar character, as follows:
|directive [ ; directive ] | field values
You can choose from the following directives:
Replace. Replace the current values with the specified values. This is the default if no directive (or just the List directive) is specified.
Merge. Add the specified values to the current values. Duplicate values are filtered.
Remove. Remove the specified values from the current values.
List. Force the field’s value to be handled as if it had multiple values, even if it only has a single value. This directive is not usually needed as most fields are handled appropriately regardless of the number of values. This is the only directive that can be specified with another directive.
Field values are case-sensitive. This is important when specifying the Merge and Remove directives. The values must match exactly to correctly remove values or avoid having multiple similar values when merging.
If you have a field value with a comma (,) or double quote (") character, or you want to preserve leading or trailing spaces, you must embed your field value within a pair of double quotes ("field_value"). You then need to replace each double quote inside the field value with two double quote ("") characters. For example, "John ""Johnny"" Smith" results in a field value of John "Johnny" Smith.
If you have a field value with a vertical bar (|) or backslash (\) character in it, you must precede it with a backslash (\| or \\).
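The CSV action format, multivalued fields, field directives and the quoting and escaping rules above, worked through in Python as an added example (this is not Identity Manager code; the sample input is constructed, and trimming whitespace around the vertical bar is an assumption taken from the "value0 | value1" syntax):

```python
import csv, io, re
VALID_COMMANDS = {"Delete", "DeleteAndUnlink", "Disable", "Enable", "Unassign",
                  "Unlink", "Create", "Update", "CreateOrUpdate"}
DIRECTIVE_RE = re.compile(r"^\|([^|]*)\|(.*)$", re.S)  # |Merge;List|value0|value1

def split_multivalued(text):
    """Split on unescaped '|'; the escapes \\| and \\\\ yield a literal '|' and '\\'."""
    tokens, values, buf = re.findall(r"\\[|\\]|\||[^|\\]|\\", text), [], []  # escape pair, separator, or one char
    for t in tokens:
        if t == "|":
            values.append("".join(buf).strip()); buf = []
        else:
            buf.append(t[-1])  # t[-1] drops the backslash of an escape pair
    values.append("".join(buf).strip())
    return [v for v in values if v]

def parse_field(raw):
    """'|Merge|a|b' -> (['Merge'], ['a', 'b']); a field without directives -> ([], values)."""
    m = DIRECTIVE_RE.match(raw)
    if not m:
        return [], split_multivalued(raw)
    return [d.strip() for d in m.group(1).split(";") if d.strip()], split_multivalued(m.group(2))

def apply_directives(current, directives, values):
    """Combine new values with the user's existing ones; matching is exact and case-sensitive."""
    ops = [d.lower() for d in directives if d.lower() != "list"]  # List may accompany another
    if ops in ([], ["replace"]):
        return list(values)
    if ops == ["merge"]:  # duplicates are filtered
        return list(current) + [v for i, v in enumerate(values)
                                if v not in current and v not in values[:i]]
    if ops == ["remove"]:
        return [v for v in current if v not in values]
    raise ValueError(f"unsupported directive combination: {directives}")

def parse_actions(csv_text):
    """One dict per action line; empty cells are omitted because they leave the field unchanged."""
    rows = list(csv.reader(io.StringIO(csv_text), skipinitialspace=True))
    header, actions = rows[0], []
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header): raise ValueError(f"line {n}: expected {len(header)} values")
        fields = dict(zip(header, row))
        if fields["command"] not in VALID_COMMANDS: raise ValueError(f"line {n}: bad command")
        actions.append({k: parse_field(v) for k, v in fields.items() if v != ""})
    return actions

SAMPLE = r'''command,user,resources,waveset.resources
Unlink,Jill Smith,Windows Active Directory|Solaris Server,
Update,"John ""Johnny"" Smith",,|Merge|Corporate Directory|Solaris Server
Update,Jane Doe,,|Remove|Legacy\|Sandbox'''  # constructed sample input, not from the page
```

Each parsed field is a (directives, values) pair, so a caller can feed the existing values of a user's multivalued attribute and the parsed pair into apply_directives to see what the update would produce.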
When the Create, Update, or CreateOrUpdate actions are performed, there are additional attributes in the User View that are only used or available during bulk action processing. These attributes can be referenced in the User Form to allow behavior specific to bulk actions.
The attributes are as follows:
The waveset.bulk.fields.field_name attributes contain the values for the fields that were read in from the CSV input, where field_name is the name of the field. For example, the command and user fields are in the attributes with path expressions waveset.bulk.fields.command and waveset.bulk.fields.user, respectively.
The waveset.bulk.fieldDirectives.field_name attributes are only defined for those fields for which a directive was specified. The value is the directive string.
Set the waveset.bulk.abort Boolean attribute to true to abort the current action.
Set the waveset.bulk.abortMessage attribute to a message string to display when waveset.bulk.abort is set to true. If this attribute is not set, a generic abort message is displayed.
Use correlation and confirmation rules when you do not have the Identity Manager user name available to put in the user field of your actions. If you do not specify a value for the user field, then you must specify a correlation rule when launching the bulk action. If you do specify a value for the user field, then the correlation and confirmation rules will not be evaluated for that action.
A correlation rule looks for Identity Manager users that match the action fields. A confirmation rule tests an Identity Manager user against the action fields to determine whether the user is a match. This two-stage approach allows Identity Manager to optimize correlation by quickly finding possible users (based on name or attributes), and by performing expensive checks only on the possible users.
Create a correlation or confirmation rule by creating a rule object with a subtype of SUBTYPE_ACCOUNT_CORRELATION_RULE or SUBTYPE_ACCOUNT_CONFIRMATION_RULE, respectively.
For more information about correlation and confirmation rules, see Chapter 4, Data Loading and Synchronization, in Sun Identity Manager Deployment Guide.
Input for any correlation rule is a map of the action fields. Output must be one of the following:
String (containing user name or ID)
List of String elements (each a user name or ID)
List of WSAttribute elements
List of AttributeCondition elements
A typical correlation rule generates a list of user names based on values of the fields in the action. A correlation rule may also generate a list of attribute conditions (referring to queryable attributes of Type.USER) that will be used to select users.
A correlation rule should be relatively inexpensive but as selective as possible. If possible, defer expensive processing to a confirmation rule.
Attribute conditions must refer to queryable attributes of Type.USER. These are configured in the Identity Manager configuration object named IDM Schema Configuration.
Correlating on an extended attribute requires special configuration:
The extended attribute must be specified as queryable.
Open IDM Schema Configuration. You must have the IDM Schema Configuration capability to view or edit IDM Schema Configuration.
Locate the <IDMObjectClassConfiguration name='User'> element.
Locate the <IDMObjectClassAttributeConfiguration name='xyz'> element, where xyz is the name of the attribute that you want to set as queryable.
Set queryable='true'.
In the following example, the email extended attribute is defined as queryable:
<IDMSchemaConfiguration>
  <IDMAttributeConfigurations>
    <IDMAttributeConfiguration name='email' syntax='STRING'/>
  </IDMAttributeConfigurations>
  <IDMObjectClassConfigurations>
    <IDMObjectClassConfiguration name='User' extends='Principal' description='User description'>
      <IDMObjectClassAttributeConfiguration name='email' queryable='true'/>
    </IDMObjectClassConfiguration>
  </IDMObjectClassConfigurations>
</IDMSchemaConfiguration>
You must restart the Identity Manager application (or the application server) for the IDM Schema Configuration change to take effect.
Inputs to any confirmation rule are as follows:
Use userview for a full view of an Identity Manager user.
Use account for a Map of action fields.
A confirmation rule returns a string-form Boolean value of true if the user matches the action fields; otherwise, it returns a value of false.
A typical confirmation rule compares internal values from the user view to the values of the action fields. As an optional second stage in correlation processing, the confirmation rule performs checks that cannot be expressed in a correlation rule (or that are too expensive to evaluate in a correlation rule).
In general, you need a confirmation rule only for the following situations:
The correlation rule may return more than one matching user.
User values that must be compared are not queryable.
A confirmation rule is run once for each matching user returned by the correlation rule.
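The two-stage correlation described above, modelled in Python as an added example. Identity Manager rules are rule objects in the product; this is neither its rule language nor its API, and REPO, QUERYABLE and the employeeId attribute are constructed for the illustration:

```python
# Constructed stand-in for the user repository (user name -> user view); not the product's API.
REPO = {
    "jdoe":   {"accountId": "jdoe",   "email": "jdoe@example.com",   "employeeId": "E100"},
    "jdoe2":  {"accountId": "jdoe2",  "email": "jdoe@example.com",   "employeeId": "E200"},
    "asmith": {"accountId": "asmith", "email": "asmith@example.com", "employeeId": "E300"},
}
QUERYABLE = {"accountId", "email"}  # attributes marked queryable='true' in IDM Schema Configuration

def correlation_rule(action):
    """Stage 1 (cheap, selective). Input: map of action fields. Output here is either a
    list of user names or a list of AttributeCondition-style (attribute, op, value) tuples."""
    if action.get("accountId"):
        return [action["accountId"]]
    if action.get("email"):
        return [("email", "equals", action["email"])]
    return []

def confirmation_rule(userview, account):
    """Stage 2. Inputs: userview and the action-field map. Returns the string 'true'/'false'.
    Compares employeeId, which is not queryable, so it cannot go in the correlation rule."""
    return "true" if userview.get("employeeId") == account.get("employeeId") else "false"

def query_users(conditions):
    """Select users by attribute conditions; only queryable attributes of Type.USER are allowed."""
    for attr, op, _ in conditions:
        if attr not in QUERYABLE or op != "equals":
            raise ValueError(f"{attr!r} is not a queryable attribute")
    return [name for name, view in REPO.items()
            if all(view.get(a) == v for a, _, v in conditions)]

def correlate(action):
    """Return the matching user names for one bulk action."""
    if action.get("user"):
        return [action["user"]]  # user field given: neither rule is evaluated
    out = correlation_rule(action)
    if out and all(isinstance(o, tuple) for o in out):
        candidates = query_users(out)
    else:
        candidates = [n for n in out if n in REPO]
    # The confirmation rule runs once per candidate and disambiguates the two jdoe users.
    return [n for n in candidates if confirmation_rule(REPO[n], action) == "true"]
```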