2 Oracle Identity Analytics Importing


2.1 Overview

Importing data in Oracle Identity Analytics is a three-step process:

  • Configuring the import process

  • Scheduling the import process. Scheduling can be done either from the user interface or by editing configuration files on the application server.

  • Verifying the import process

2.2 Understanding the Import Process

Typically, it is the administrator's responsibility to create import jobs to populate the Oracle Identity Analytics Identity Warehouse. Data can be imported from a text file or you can directly import data from either Oracle Identity Manager or Oracle Waveset if OIA is integrated with either provisioning server. Oracle Identity Analytics inserts or updates data in the data warehouse, and archives all of the data feeds.

Note:

You can only import resource metadata and resources if Oracle Identity Analytics is integrated with either Oracle Identity Manager or Oracle Waveset (Sun Identity Manager). For more information about importing resource metadata and resources, see either of the following chapters in the System Integrator's Guide for Oracle Identity Analytics:

  • Integrating With Oracle Identity Manager, Preferred Method

  • Integrating With Oracle Waveset (Sun Identity Manager)

The following import jobs can be executed in Oracle Identity Analytics:

  • User import

  • Resource metadata import (Importing from a text file not supported)

  • Resources import (Importing from a text file not supported)

  • Account import

  • Roles import

  • Policies import

  • Glossary import

  • Business structure import

Note:

When running the "Import Users, Accounts, User Role Memberships and Entitlements" combo job to import data from OIM, the OIA Administrator should always uncheck the "User Role Membership" box, which is checked by default, before running the job. This ensures that role rules function as expected.

To import data using text files you need a schema file and an input file. The following sections describe how to create a schema file and an input file for each type of import job.

Note:

You can import Resource-Attribute Values when you import Glossary data, when you import Accounts, and when you import Policies.

When you import an Attribute Value as part of a Glossary import, and the Attribute Value does not have a specified Item-Risk level, OIA uses the default Entitlements Risk-Mapping level instead. If you later change the Entitlements Risk-Mapping setting, the Item-Risk level for the Attribute Value is not affected.

When you import an Attribute Value as part of either an Account import or a Policy import, you cannot specify an Item-Risk level. Furthermore, OIA does not assign an Item-Risk level to the Attribute Value (the Item-Risk level remains null). After import, until you directly assign an Item-Risk level to the Value, the Attribute Value inherits the default Risk-Mapping value for Entitlements. This means that if you change the Entitlements Risk-Mapping value, the Attribute Value will inherit the new risk value. To prevent an Attribute Value from continuing to inherit the default Risk-Mapping value, directly assign an Item-Risk level to the value.

For more information about Item-Risk and Risk-Mapping settings, see Section 1.4.1, "Understanding Item Risk and Risk-Factor Mappings."

2.2.1 Importing Users

Before you can import Users into Oracle Identity Analytics using text files, you need a schema file and an input file.

2.2.1.1 Understanding the Schema File for Users

The schema file for the global-user import is a standard .rbx file that needs to be located in the schema folder. The userName field is mandatory, whereas the other fields are optional. A sample schema file for user import is shown here:

userName,firstName,lastName,middleName,street,city,state,zip,country

The naming convention for the schema file is users.rbx.

2.2.1.2 Understanding the Input File for Users

The input file for user import maps every attribute in it to the schema file. The mapping between the user's schema file and the import file needs to be one-to-one.

The naming convention for the user import files is as follows:

users<file number>

The contents of a sample mapped user import file are shown here:

"Cox01","Alan 01","Cox","M","Test","Test","Test","90007","USA"

2.2.1.3 Global-User Schema File Reference

The following table lists details about the required and optional fields that you can include in the global-user import schema file.

Table 2-1 Global-User Import Schema File Fields

| Field Name | Data Type | Max Length | Description | Required? |
|---|---|---|---|---|
| userName | Text | 100 | | Required |
| firstName | Text | 100 | | Required |
| lastName | Text | 100 | | Required |
| middleName | Text | 100 | | Optional |
| street | Text | 512 | | Optional |
| city | Text | 100 | | Optional |
| stateOrProvince | Text | 100 | | Optional |
| zipOrPostalCode | Text | 40 | | Optional |
| countryOrRegion | Text | 100 | | Optional |
| fax | Text | 100 | | Optional |
| phone | Text | 100 | | Optional |
| extension | Text | 100 | | Optional |
| mobile | Text | 100 | | Optional |
| pager | Text | 100 | | Optional |
| title | Text | 100 | | Optional |
| primaryEmail | Text | 100 | | Optional |
| secondaryEmail | Text | 100 | | Optional |
| officeName | Text | 100 | | Optional |
| description | Text | 512 | | Optional |
| statusKey | Number | | Must be one of the following numbers: 1 - Active; 2 - Inactive | Optional |
| comments | Text | 512 | | Optional |
| suspendedDate | Date | | yyyy-MM-dd'T'HH:mm:ss | Optional |
| userData | Text | 512 | | Optional |
| employeeId | Text | 100 | | Optional |
| customProperty1 through customProperty20 | Text | 100 | | Optional |
| createUser | Text | 100 | | Optional |
| updateUser | Text | 100 | | Optional |
| createDate | Date | | yyyy-MM-dd'T'HH:mm:ss | Optional |
| updateDate | Date | | yyyy-MM-dd'T'HH:mm:ss. The date and time that the record was last updated by a system external to OIA, for example an integrated provisioning system or a system that exports updates to OIA using CSV files. (A separate column, SRM_UPDATEDATE, saves the date and time that a record was last updated internally.) | Optional |
| employeeType | Text | 100 | | Optional |
| serviceDeskTicketNumber | Text | 200 | | Optional |
| startDate | Date | | yyyy-MM-dd'T'HH:mm:ss | Optional |
| endDate | Date | | yyyy-MM-dd'T'HH:mm:ss | Optional |
| manager | Text | 100 | | Optional |
| businessApprover | Text | 100 | | Optional |
| technicalApprover | Text | 100 | | Optional |
| delegate | Text | 100 | | Optional |
| location | Text | 100 | | Optional |
| jobCodes | Text | 512 | | Optional |
| <extendedProperty> | Text | 100 | | Optional |


2.2.1.4 To Import Users

  1. Add the users01 file:

    • For Windows - C:\Oracle\OIA_11gR1\import\in

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in

  2. Add the users.rbx file:

    • For Windows - C:\Oracle\OIA_11gR1\import\schema

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema

  3. Schedule the import.

    See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

  4. To verify the import, see Section 2.4, "Verifying Imports."

2.2.2 Importing Accounts

Before you can import Accounts into Oracle Identity Analytics using text files, you need a schema file and an input file.

2.2.2.1 Understanding the Schema File for Accounts

Oracle Identity Analytics imports accounts by resource type. Each resource type has a schema file that defines the resource type's entitlements, and the order that the entitlements need to be listed in the input file. The file extension of the schema file is .rbx.

Note:

For information about creating and modifying resource types in Oracle Identity Analytics, see Section 11.1.3, "Resource Types Configuration."

The following declaration is required to map accounts to a resource type:

# @iam:namespace name="<resource type's Name>" shortName="<resource type's Short Name>"

The userName field is used for correlation and the following fields are mandatory: name, endPoint, and domain. All other fields are optional.

The naming convention for the schema file is as follows:

<resource type's Short Name>_accounts.rbx

or

<resource type Name>_accounts.rbx

A sample schema file for the LDAP resource type is shown here:

# @iam:namespace name="LDAP" shortName="LDAP"
userName<CorrelationKey>,comments,endPoint,domain,suspended,locked,
AcidAll,AcidXAuth,FullName,GroupMemberOf,InstallationData,
ListDataResource,ListDataSource,M8All

The sample schema file lists the attributes, or entitlements, that are defined for the LDAP resource type. The userName entry contains the name of the user account, and it is also the correlation, or cross-reference, key between user accounts and global users. The correlation key should have <CorrelationKey> defined next to it. Next, the entitlements that are common to the LDAP resource type are listed, separated from each other by commas. In the sample schema file, the following fields are namespace attributes: AcidAll, AcidXAuth, FullName, GroupMemberOf, InstallationData, ListDataResource, ListDataSource, and M8All.

To import a custom resource type entitlement, first define it in OIA (using the Administration > Configuration > Resource Types > Resource Type > Entitlements page), then add a matching entry in the schema file for each custom entitlement. The following screen capture shows custom entitlements for the AIX resource type in the OIA user interface.

[Screen capture: custom entitlements for the AIX resource type in the OIA user interface.]

A sample AIX_accounts.rbx file with the same custom entitlements is shown here:

userName<CorrelationKey>,name,accountId,aix_pgrp,aix_groups,aix_login,
aix_home,domain,endPoint 

2.2.2.2 Understanding the Input File for Accounts

An input file contains the list of user accounts and the list of user entitlements in each account. The file naming convention identifies the resource type that each file belongs to.

The naming convention for the schema file is as follows:

<resource type's Short Name>_accounts.rbx

or

<resource type Name>_accounts.rbx

The following input file content matches the sample schema file for the LDAP resource:

"Cox01","CNBNT","VAAU","rbactest.com",5,"false",
"false","CN=DomainUsers","consultant","","",
"","DomainUsers","Consultant"

2.2.2.3 Accounts Schema File Reference

The following table lists details about the required and optional fields that you can include in the accounts import schema file.

In the following table, <namespaceAttributes> refers to the custom Resource Type attributes that you define in OIA (using the Administration > Configuration > Resource Types > Resource Type > Entitlements page) prior to importing accounts.

Table 2-2 Accounts Import Schema File Fields

| Field Name | Data Type | Max Length | Description | Required? |
|---|---|---|---|---|
| name | Text | 300 | | Required |
| endPoint | Text | 256 | Note: If a value for this field is not specified while creating or importing an account, then RBACx is used as the default endPoint. | Required |
| domain | Text | 512 | | Optional |
| description | Text | 512 | | Optional |
| comments | Text | 512 | | Optional |
| suspended | Number | | Must be one of the following numbers: 1 - True; 0 - False | Optional |
| createUser | Text | 100 | | Optional |
| updateUser | Text | 100 | | Optional |
| itemRisk | Number | | The value must be 1, 2, or 3, where: 1 = high risk; 2 = medium risk; 3 = low risk | Optional |
| <namespaceAttributes> | Text | 2000 | | Optional |

2.2.2.4 To Import Accounts

  1. Add the LDAP_01_accounts file:

    • For Windows - C:\Oracle\OIA_11gR1\import\in

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in

  2. Add the LDAP_accounts.rbx file:

    • For Windows - C:\Oracle\OIA_11gR1\import\schema

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema

  3. Schedule the import.

  4. To verify the import, see Section 2.4, "Verifying Imports."

2.2.3 Importing Roles

Before you can import Roles into Oracle Identity Analytics using text files, you need a schema file and an input file.

2.2.3.1 Understanding the Schema File for Roles

The schema file for the role import is a standard .rbx file that needs to be specified under the schema folder. The roleName field is mandatory, whereas the other fields are optional.

A sample schema file for role import is shown here:

roleName<use=mandatory>,
roleDescription<use=required defaultValue="No Role Description">,
itemRisk, customproperty2<use=required defaultValue="No Role Owner">

The naming convention for the schema file is roles.rbx.

2.2.3.2 Understanding the Input File for Roles

The input file for roles maps every attribute in it to the schema file. The mapping between the role's schema file and import file needs to be one-to-one. The naming convention for the role import input file needs to be as follows:

roles<file number>

The contents of a sample mapped role import file are shown here:

"Auditor","EERS MODEL ID SG-RPAC","Auditor"

2.2.3.3 Roles Schema File Reference

The following table lists details about the required and optional fields that you can include in the roles import schema file.

Table 2-3 Roles Import Schema File Fields

| Field Name | Data Type | Max Length | Description | Required? |
|---|---|---|---|---|
| roleName | Text | 512 | | Required |
| parentRoleName | Text | 512 | | Optional |
| roleDescription | Text | 2048 | | Optional |
| roleComments | Text | 2048 | | Optional |
| department | Text | 100 | | Optional |
| customproperty1 through customproperty10 | Text | 100 | | Optional |
| statusKey | Number | 100 | | Optional |
| itemRisk | Number | | Assigns an Item-Risk setting to the Role. The value must be 1, 2, or 3, where: 1 = high risk; 2 = medium risk; 3 = low risk | Optional |
| jobCode | Text | | | Optional |
| serviceDeskTicketNumber | Text | 512 | | Optional |
| roleOwners | CSV text | 100 each | Max length is 100 per role owner. | Optional |
| businessUnits | CSV text | 512 each | Max length is 512 per business unit. | Optional |
| users | CSV text | 100 each | globalusers is also accepted. Max length is 100 per user. | Optional |
| policies | CSV text | 512 each | Max length is 512 per policy. | Optional |


2.2.3.4 To Import Roles

  1. Add the roles01 file:

    • For Windows - C:\Oracle\OIA_11gR1\import\in

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in

  2. Add the roles.rbx file:

    • For Windows - C:\Oracle\OIA_11gR1\import\schema

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema

  3. Schedule the import.

    See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

2.2.4 Importing Policies

Before you can import Policies into Oracle Identity Analytics using text files, you need a schema file and an input file.

2.2.4.1 Understanding the Schema File for Policies

The schema file for the policy import is a standard .rbx file that needs to be located in the schema folder. The following declaration is required to map policies to a resource type:

# @iam:namespace name="<resource type's Name>" shortName="<resource type's Short Name>"

The endPoints and policyName fields are mandatory, whereas the other fields are optional.

The naming convention for the schema file is as follows:

<resource type's Short Name>_policies.rbx

A sample schema file for policy import is shown here:

# @iam:namespace name="LDAP" shortName="LDAP"
endPoints<use=mandatory>,policyName, policyComments,ldapGroups

2.2.4.2 Understanding the Input File for Policies

The mapping between the policy's schema file and the import file needs to be one-to-one. The file naming convention identifies the resource type that each file belongs to.

The naming convention for the files is as follows:

<resource type's Short Name>_<file number>_policies

The contents of a sample mapped policy import file are shown here:

"LDAP","Investment Management Attorney_LDAP","Manual Policy import","CN=DEPT_LEGL,ou=Groups,dc=identric,dc=com"

2.2.4.3 Policies Schema File Reference

The following table lists details about the required and optional fields that you can include in the policies import schema file.

Table 2-4 Policies Import Schema File Fields

| Field Name | Data Type | Max Length | Description | Required? |
|---|---|---|---|---|
| policyName | Text | 512 | | Required |
| endPoints | Text | 256 each | Max length is 256 per end point. | Required |
| policyComments | Text | 2048 | | Optional |
| serviceDeskTicketNumber | Text | 200 | | Optional |
| riskLevel | Number | | The policy Risk-Level attribute is a deprecated attribute with no present usage. | Deprecated |
| statusId | Number | | The value must be 1, 2, or 5, where: 1 - Active; 2 - Inactive; 5 - Decommissioned | Optional |
| <namespaceAttributes> | CSV text | | | Optional |


2.2.4.4 To Import Policies

  1. Add the LDAP_01_policies file:

    • For Windows - C:\Oracle\OIA_11gR1\import\in

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in

  2. Add the LDAP_policies.rbx file:

    • For Windows - C:\Oracle\OIA_11gR1\import\schema

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema

  3. Schedule the import.

    See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

2.2.5 Importing Business Structures

Before you can import Business Structures into Oracle Identity Analytics using text files, you need a schema file and an input file.

2.2.5.1 Understanding the Schema File for Business Structures

The schema file for the business structure import is a standard .rbx file that needs to be located in the schema folder. The businessUnitName field is mandatory, whereas the other fields are optional.

The naming convention for the schema file is businessstructure.rbx.

A sample schema file for business structure import is shown here:

businessUnitName,parentBusinessUnitName,statusKey,division,mainPhone,otherPhone,
fax,email,website,street1,street2,street3,city,stateOrProvince,zipOrPostalCode,
countryOrRegion,businessUnitType,businessUnitOwner,businessUnitAdministrator,
mailCode,businessUnitDescription,businessUnitCode,serviceDeskTicketNumber,
businessUnitManagers

2.2.5.2 Understanding the Input File for Business Structures

The mapping between the business structure's schema file and the import file needs to be one-to-one. The naming convention for the files is as follows:

businessstructure_<file number>

2.2.5.3 Business Structures Schema File Reference

The following table lists details about the required and optional fields that you can include in the Business Structures import schema file.

Table 2-5 Business Structures Import Schema File Fields

| Field Name | Data Type | Max Length | Description | Required? |
|---|---|---|---|---|
| businessUnitName | Text | 512 | | Required |
| parentBusinessUnitName | Text | 512 | | Optional |
| statusKey | Number | | Must be 1 or 2 where: 1 - Active; 2 - Inactive. If this field is not set, the default is 2 (Inactive). | Optional |
| mainPhone | Text | 100 | | Optional |
| otherPhone | Text | 100 | | Optional |
| fax | Text | 100 | | Optional |
| email | Text | 100 | | Optional |
| website | Text | 100 | | Optional |
| street1 | Text | 100 | | Optional |
| street2 | Text | 100 | | Optional |
| street3 | Text | 100 | | Optional |
| city | Text | 100 | | Optional |
| stateOrProvince | Text | 100 | | Optional |
| zipOrPostalCode | Text | 100 | | Optional |
| countryOrRegion | Text | 100 | | Optional |
| division | Text | 100 | | Optional |
| businessUnitType | Text | 100 | | Optional |
| businessUnitOwner | Text | 100 | | Optional |
| businessUnitAdministrator | Text | 100 | | Optional |
| businessUnitCode | Text | 100 | | Optional |
| businessUnitDescription | Text | 2048 | | Optional |
| mailCode | Text | 100 | | Optional |
| serviceDeskTicketNumber | Text | 100 | | Optional |
| businessUnitManagers | Text | 2048 | | Optional |


2.2.5.4 To Import Business Structures

  1. Add the businessstructure_01 file:

    • For Windows - C:\Oracle\OIA_11gR1\import\in

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in

  2. Add the businessstructure.rbx file:

    • For Windows - C:\Oracle\OIA_11gR1\import\schema

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema

  3. Schedule the import.

    See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

2.2.6 Importing Glossary Names

Before you can import glossary names into Oracle Identity Analytics using text files, you need a schema file and an input file.

2.2.6.1 Understanding the Schema File for Glossary Names

The schema file for the glossary import is a standard .rbx file that needs to be located in the schema folder.

The following declaration is required to map glossary to a resource type:

# @iam:namespace name="<resource type's Name>" shortName="<resource type's Short Name>"

The endPointName, attributeName, and attributeValueValue fields are mandatory, whereas the other fields are optional. The naming convention for the schema file is <resource type's Short Name>_glossary.rbx.

A sample schema file for glossary import is shown below:

# @iam:namespace name="LDAP" shortName="LDAP"
endPointName,attributeName,attributeValueValue,owner,itemRisk,classification,definition,comments

2.2.6.2 Understanding the Input File for Glossary Names

The mapping between the glossary's schema file and the import file needs to be one-to-one. The file naming convention identifies the resource type that each file belongs to.

The naming convention for the files is as follows:

<resource type's Short Name>_glossary<file number>

2.2.6.3 Glossary Schema File Reference

The following table lists details about the required and optional fields that you can include in the glossary import schema file.

Table 2-6 Glossary Import Schema File Fields

| Field Name | Data Type | Max Length | Description | Required? |
|---|---|---|---|---|
| endPointName | Text | 256 | | Required |
| attributeName | Text | 512 | | Required |
| attributeValueValue | Text | 2000 | | Required |
| owner | Text | 100 | | Optional |
| itemRisk | Number | | Assigns an Item-Risk setting to the Attribute Value. The value must be 1, 2, or 3, where: 1 = high risk; 2 = medium risk; 3 = low risk. If you do not include the itemRisk field, the default OIA "Entitlements" Risk-Mapping level will be used instead. | Optional |
| classification | Text | 512 | | Optional |
| definition | Text | 4Gb | | Optional |
| comments | Text | 4Gb | | Optional |


2.2.6.4 To Import Glossary Definitions

  1. Add the LDAP_glossary01 file:

    • For Windows - C:\Oracle\OIA_11gR1\import\in

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in

  2. Add the LDAP_glossary.rbx file:

    • For Windows - C:\Oracle\OIA_11gR1\import\schema

    • For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema

  3. Schedule the import.

    See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

2.2.7 Scheduling Import and Export Jobs

For information about scheduling import and export jobs, see Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics."

2.3 Configuring the Import Process

Oracle Identity Analytics can import multiple files at the same time and can insert or update its database using different batch sizes. File import properties are configured in $RBACX_HOME/conf/iam.properties. These properties are set at their default value, and can be changed by the administrator depending on the needs of the organization.

Table 2-7 File Import Configuration Properties

| Property Name | Variable | Description | Default Value |
|---|---|---|---|
| Maximum Concurrent Imports | com.vaau.rbacx.iam.file.import.maxConcurrentImports=2 | Specifies the number of files to import concurrently. | 2 |
| Maximum Errors Limit | com.vaau.rbacx.iam.file.import.rowErrorsLimit=3 | Specifies the maximum number of errors per file before aborting the process. | 3 |
| Batch Size | com.vaau.rbacx.iam.file.import.batchSize=100 | Specifies the number of records to read and process in a batch during an import. Note - If this value is set too high, the import process will fail. A maximum value of 1000 or less is recommended. | 100 |
| Correlation Parameters | com.vaau.rbacx.iam.correlation.dropOrphanAccounts=true | Specifies whether orphan accounts (accounts that are not correlated to a global user) are dropped (True) or saved (False) as orphan accounts during the import process. | true |
| Correlation Options | com.vaau.rbacx.iam.correlation.correlate=orphan | Allows further control over correlation of accounts to users during the import process. Options available are Always (all accounts are correlated on every import), Orphan (only orphan accounts are correlated; established user-account associations are not updated), and Never (accounts are not correlated). | orphan |
| Drop Location | com.vaau.rbacx.iam.file.import.dropLocation=$RBACX_HOME/import/in | Specifies the location where the feeds to be imported are placed. | $RBACX_HOME/import/in |
| Complete Location | com.vaau.rbacx.iam.file.import.completeLocation=$RBACX_HOME/import/complete | Specifies the location where the input files are moved after processing. | $RBACX_HOME/import/complete |
| Schema Location | com.vaau.rbacx.iam.file.import.schemaLocation=$RBACX_HOME/import/schema | Specifies the location where the schema files are placed. | $RBACX_HOME/import/schema |


2.4 Verifying Imports

You can verify if imports have been successful in the following two ways:

  • Verifying from the front end

  • Verifying from the back end

2.4.1 To Verify Success of Imports From the Front-End

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Auditing and Events.

  3. Select Import/Export Logs.

    All import jobs are listed.

  4. Check the Result column to see if the import was successful or if it failed.

2.4.2 To Verify Success of Import From the Back-End

  1. Verify success or failure of the import:

    • If the import was successful, the input file placed in $RBACX_HOME/import/in is moved to $RBACX_HOME/import/complete/success.

    • If the import failed, the input file placed in $RBACX_HOME/import/in is moved to $RBACX_HOME/import/complete/error.

For information about how to view the import-export log, see Chapter 13, "Audit Event Log and Import-Export Log."