Importing data in Oracle Identity Analytics is a three-step process:
1. Configuring the import process
2. Scheduling the import process. Scheduling can be done either from the user interface or by editing configuration files on the application server.
3. Verifying the import process
Typically, it is the administrator's responsibility to create import jobs to populate the Oracle Identity Analytics Identity Warehouse. Data can be imported from a text file or you can directly import data from either Oracle Identity Manager or Oracle Waveset if OIA is integrated with either provisioning server. Oracle Identity Analytics inserts or updates data in the data warehouse, and archives all of the data feeds.
Note:
You can only import resource metadata and resources if Oracle Identity Analytics is integrated with either Oracle Identity Manager or Oracle Waveset (Sun Identity Manager). For more information about importing resource metadata and resources, see either of the following chapters in the System Integrator's Guide for Oracle Identity Analytics:
Integrating With Oracle Identity Manager, Preferred Method
Integrating With Oracle Waveset (Sun Identity Manager)
The following import jobs can be executed in Oracle Identity Analytics:
User import
Resource metadata import (Importing from a text file not supported)
Resources import (Importing from a text file not supported)
Account import
Roles import
Policies import
Glossary import
Business structure import
Note:
When running the "Import Users, Accounts, User Role Memberships and Entitlements" combo job to import data from OIM, the OIA Administrator should always uncheck the "User Role Membership" box, which is checked by default, before running the job to ensure that role rules function as expected.
To import data using text files you need a schema file and an input file. The following sections describe how to create a schema file and an input file for each type of import job.
Note:
You can import Resource-Attribute Values when you import Glossary data, when you import Accounts, and when you import Policies.
When you import an Attribute Value as part of a Glossary import, and the Attribute Value does not have a specified Item-Risk level, OIA uses the default Entitlements Risk-Mapping level instead. If you later change the Entitlements Risk-Mapping setting, the Item-Risk level for the Attribute Value is not affected.
When you import an Attribute Value as part of either an Account import or a Policy import, you cannot specify an Item-Risk level. Furthermore, OIA does not assign an Item-Risk level to the Attribute Value (the Item-Risk level remains null). After import, until you directly assign an Item-Risk level to the Value, the Attribute Value inherits the default Risk-Mapping value for Entitlements. This means that if you change the Entitlements Risk-Mapping value, the Attribute Value will inherit the new risk value. To prevent an Attribute Value from continuing to inherit the default Risk-Mapping value, directly assign an Item-Risk level to the value.
For more information about Item-Risk and Risk-Mapping settings, see Section 1.4.1, "Understanding Item Risk and Risk-Factor Mappings."
Before you can import Users into Oracle Identity Analytics using text files, you need a schema file and an input file.
The schema file for the global-user import is a standard .rbx file that needs to be located in the schema folder. The userName field is mandatory, whereas the other fields are optional. A sample schema file for user import is shown here:
userName,firstName,lastName,middleName,street,city,state,zip,country
The naming convention for the schema file is users.rbx.
The input file for user import maps every attribute in it to the schema file. The mapping between the user's schema file and the import file needs to be one-to-one.
The naming convention for the user import files is as follows:
users<file number>
The contents of a sample mapped user import file are shown here:
"Cox01","Alan 01","Cox","M","Test","Test","Test","90007","USA"
The following table lists details about the required and optional fields that you can include in the global-user import schema file.
Table 2-1 Global-User Import Schema File Fields
Field Name | Data Type | Max Length | Description | Required? |
---|---|---|---|---|
|
Text |
100 |
Required |
|
|
Text |
100 |
Required |
|
|
Text |
100 |
Required |
|
|
Text |
100 |
Optional |
|
|
Text |
512 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
40 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
512 |
Optional |
|
|
Number |
Must be one of the following numbers: 1 - Active 2 - Inactive |
Optional |
|
|
Text |
512 |
Optional |
|
|
Date |
|
Optional |
|
|
Text |
512 |
Optional |
|
|
Text |
100 |
Optional |
|
through
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Date |
|
Optional |
|
|
Date |
The date and time that the record was last updated by a system external to OIA, for example an integrated provisioning system or a system that exports updates to OIA using CSV files. (A separate column, |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
200 |
Optional |
|
|
Date |
|
Optional |
|
|
Date |
|
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
512 |
Optional |
|
<extendedProperty> |
Text |
100 |
Optional |
1. Add the users01 file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\in
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in
2. Add the users.rbx file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\schema
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema
3. Schedule the import. See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

To verify the import, see Section 2.4, "Verifying Imports."
Before you can import Accounts into Oracle Identity Analytics using text files, you need a schema file and an input file.
Oracle Identity Analytics imports accounts by resource type. Each resource type has a schema file that defines the resource type's entitlements, and the order that the entitlements need to be listed in the input file. The file extension of the schema file is .rbx.
Note:
For information about creating and modifying resource types in Oracle Identity Analytics, see Section 11.1.3, "Resource Types Configuration."
The following declaration is required to map accounts to a resource type:
# @iam:namespace name="<resource type's Name>" shortName="<resource type's Short Name>"
The userName field is used for correlation and the following fields are mandatory: name, endPoint, and domain. All other fields are optional.
The naming convention for the schema file is as follows:
<resource type's Short Name>_accounts.rbx
or
<resource type Name>_accounts.rbx
A sample schema file for the LDAP resource type is shown here:
# @iam:namespace name="LDAP" shortName="LDAP"
userName<CorrelationKey>,comments,endPoint,domain,suspended,locked,AcidAll,AcidXAuth,FullName,GroupMemberOf,InstallationData,ListDataResource,ListDataSource,M8All
The sample schema file illustrates the list of attributes or entitlements that are defined for the LDAP resource type. The userName entry contains the name of the user account, and this is also the correlation or cross-reference key between user accounts and global users. The correlation key should have <CorrelationKey> defined next to it. Next, a list of entitlements that are common to the LDAP resource type is defined, with the entitlements separated by commas. In the sample schema file, the following fields are namespace attributes: AcidAll, AcidXAuth, FullName, GroupMemberOf, InstallationData, ListDataResource, ListDataSource, and M8All.
To import a custom resource type entitlement, first define it in OIA (using the Administration > Configuration > Resource Types > Resource Type > Entitlements page), then add a matching entry in the schema file for each custom entitlement. The following screen capture shows custom entitlements for the AIX resource type in the OIA user interface.
A sample AIX_accounts.rbx file with the same custom entitlements is shown here:
userName<CorrelationKey>,name,accountId,aix_pgrp,aix_groups,aix_login,aix_home,domain,endPoint
An input file contains the list of user accounts and a list of user entitlements in the accounts. Files for different resource types are distinguished by the naming convention used for each file.
The naming convention for the schema file is as follows:
<resource type's Short Name>_accounts.rbx
or
<resource type Name>_accounts.rbx
The following input file content matches the sample schema file for the LDAP resource:
"Cox01","CNBNT","VAAU","rbactest.com",5,"false","false","CN=DomainUsers","consultant","","","","DomainUsers","Consultant"
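The schema and input-file rules above can be checked before a feed is dropped into the import folder. The following Python sketch is an added example, not Oracle code: it parses an .rbx schema (namespace declaration, field list, and the `<CorrelationKey>` and `<use=mandatory>` annotations that appear in the page's samples) and validates feed rows against it. The names `parse_schema`, `validate_feed` and `KNOWN_USERS`, and every feed row except the page's Cox01 row, are constructed for illustration; it assumes accounts correlate to global users by exact userName match, so a row with no match would become an orphan account.

```python
import csv
import io
import re

NAMESPACE_RE = re.compile(r'#\s*@iam:namespace\s+name="([^"]*)"\s+shortName="([^"]*)"')
# One field: a name, an optional <annotation>, then a comma or the end of the text.
FIELD_RE = re.compile(r'\s*([A-Za-z_]\w*)\s*(?:<([^>]*)>)?\s*(?:,|$)')


def parse_schema(text):
    """Parse .rbx schema text into (namespace dict or None, list of field dicts)."""
    namespace, body = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            match = NAMESPACE_RE.match(line)
            if match:
                namespace = {"name": match.group(1), "shortName": match.group(2)}
        elif line:
            body.append(line)
    joined = " ".join(body)  # tolerate a field list wrapped over several lines
    fields, pos = [], 0
    while pos < len(joined):
        match = FIELD_RE.match(joined, pos)
        if not match:
            raise ValueError(f"cannot parse schema near {joined[pos:pos + 30]!r}")
        annotation = (match.group(2) or "").replace(" ", "")
        fields.append({
            "name": match.group(1),
            "correlation": annotation == "CorrelationKey",
            "mandatory": annotation.startswith("use=mandatory"),
        })
        pos = match.end()
    return namespace, fields


def validate_feed(fields, feed_text, known_users=None):
    """Return (line_number, message) findings for feed rows checked against fields."""
    findings = []
    reader = csv.reader(io.StringIO(feed_text), skipinitialspace=True)
    for row in reader:
        if not row:
            continue
        line_no = reader.line_num
        if len(row) != len(fields):  # schema-to-input mapping must be one-to-one
            findings.append((line_no, f"expected {len(fields)} values, got {len(row)}"))
            continue
        for field, value in zip(fields, row):
            value = value.strip()
            if (field["mandatory"] or field["correlation"]) and not value:
                findings.append((line_no, f"{field['name']} is empty"))
            elif field["correlation"] and known_users is not None and value not in known_users:
                findings.append((line_no, f"{value} matches no global user (orphan account)"))
    return findings


# Schema text is the page's LDAP sample; feed rows 2-4 are constructed for this example.
LDAP_SCHEMA = '''# @iam:namespace name="LDAP" shortName="LDAP"
userName<CorrelationKey>,comments,endPoint,domain,suspended,locked,
AcidAll,AcidXAuth,FullName,GroupMemberOf,InstallationData,
ListDataResource,ListDataSource,M8All'''
LDAP_FEED = '''"Cox01","CNBNT","VAAU","rbactest.com",5,"false","false","CN=DomainUsers","consultant","","","","DomainUsers","Consultant"
"Ghost07","CNBNT","VAAU","rbactest.com",5,"false","false","CN=DomainAdmins","contractor","","","","DomainAdmins","Contractor"
"","CNBNT","VAAU","rbactest.com",5,"false","false","CN=DomainUsers","service","","","","DomainUsers","Service"
"Cox01","CNBNT","VAAU","rbactest.com",5,"false"'''
KNOWN_USERS = {"Cox01"}  # userName values from the user feed (assumed exact match)

if __name__ == "__main__":
    _, schema_fields = parse_schema(LDAP_SCHEMA)
    for line_no, message in validate_feed(schema_fields, LDAP_FEED, KNOWN_USERS):
        print(f"line {line_no}: {message}")
```

Running the check against the user feed's userName values before each account import shows which accounts would arrive uncorrelated, instead of discovering them afterwards as orphan accounts.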
The following table lists details about the required and optional fields that you can include in the accounts import schema file.
In the following table, <namespaceAttributes> refers to the custom Resource Type attributes that you define in OIA (using the Administration > Configuration > Resource Types > Resource Type > Entitlements page) prior to importing accounts.
Table 2-2 Accounts Import Schema File Fields
Field Name | Data Type | Max Length | Description | Required? |
---|---|---|---|---|
|
Text |
300 |
Required |
|
|
Text |
256 |
Required Note: If a value for this field is not specified while creating or importing an account, then RBACx is used as the default endPoint. |
|
|
Text |
512 |
Optional |
|
|
Text |
512 |
Optional |
|
|
Text |
512 |
Optional |
|
|
Number |
Must be one of the following numbers: 1 - True 0 - False |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Number |
The value must be 1, 2, or 3, where: 1 = high risk 2 = medium risk 3 = low risk |
Optional |
|
<namespaceAttributes> |
Text |
2000 |
Optional |
1. Add the LDAP_01_accounts file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\in
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in
2. Add the LDAP_accounts.rbx file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\schema
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema
3. Schedule the import. See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.

To verify the import, see Section 2.4, "Verifying Imports."
Before you can import Roles into Oracle Identity Analytics using text files, you need a schema file and an input file.
The schema file for the role import is a standard .rbx file that needs to be specified under the schema folder. The roleName field is mandatory, whereas the other fields are optional.
A sample schema file for role import is shown here:
roleName<use=mandatory>, roleDescription<use=required defaultValue="No Role Description">, itemRisk, customproperty2<use=required defaultValue="No Role Owner">
The naming convention for the schema file is roles.rbx.
The input file for roles maps every attribute in it to the schema file. The mapping between the role's schema file and import file needs to be one-to-one. The naming convention for the role import input file needs to be as follows:
roles<file number>
The contents of a sample mapped role import file are shown here:
"Auditor","EERS MODEL ID SG-RPAC","Auditor"
The following table lists details about the required and optional fields that you can include in the roles import schema file.
Table 2-3 Roles Import Schema File Fields
Field Name | Data Type | Max Length | Description | Required? |
---|---|---|---|---|
|
Text |
512 |
Required |
|
|
Text |
512 |
Optional |
|
|
Text |
2048 |
Optional |
|
|
Text |
2048 |
Optional |
|
|
Text |
100 |
Optional |
|
through
|
Text |
100 |
Optional |
|
|
Number |
100 |
Optional |
|
|
Number |
Assigns an Item-Risk setting to the Role. The value must be 1, 2, or 3, where: 1 = high risk 2 = medium risk 3 = low risk |
Optional |
|
|
Text |
Optional |
||
|
Text |
512 |
Optional |
|
|
CSV text |
100 each |
Max length is 100 per role owner. |
Optional |
|
CSV text |
512 each |
Max length is 512 per business unit. |
Optional |
|
CSV text |
100 each |
Max length is 100 per user. |
Optional |
|
CSV text |
512 each |
Max length is 512 per policy. |
Optional |
1. Add the roles01 file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\in
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in
2. Add the roles.rbx file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\schema
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema
3. Schedule the import. See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.
Before you can import Policies into Oracle Identity Analytics using text files, you need a schema file and an input file.
The schema file for the policy import is a standard .rbx file that needs to be located in the schema folder. The following declaration is required to map policies to a resource type:
# @iam:namespace name="<resource type's Name>" shortName="<resource type's Short Name>"
The endPoints and policyName fields are mandatory, whereas the other fields are optional.
The naming convention for the schema file is as follows:
<resource type's Short Name>_policies.rbx
A sample schema file for policy import is shown here:
# @iam:namespace name="LDAP" shortName="LDAP"
endPoints<use=mandatory>,policyName,policyComments,ldapGroups
The mapping between the policy's schema file and the import file needs to be one-to-one. Files for different resource types are distinguished by the naming convention used for each file.
The naming convention for the files is as follows:
<resource type's Short Name>_<file number>_policies
The contents of a sample mapped policy import file are shown here:
"LDAP","Investment Management Attorney_LDAP","Manual Policy import","CN=DEPT_LEGL,ou=Groups,dc=identric,dc=com"
The following table lists details about the required and optional fields that you can include in the policies import schema file.
Table 2-4 Policies Import Schema File Fields
Field Name | Data Type | Max Length | Description | Required? |
---|---|---|---|---|
|
Text |
512 |
Required |
|
|
Text |
256 each |
Max length is 256 per end point. |
Required |
|
Text |
2048 |
Optional |
|
|
Text |
200 |
Optional |
|
|
Number |
The policy Risk-Level attribute is a deprecated attribute with no present usage. |
Deprecated |
|
|
Number |
The value must be 1, 2, or 5, where: 1 - Active 2 - Inactive 5 - Decommissioned |
Optional |
|
<namespaceAttributes> |
CSV text |
Optional |
1. Add the LDAP_01_policies file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\in
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in
2. Add the LDAP_policies.rbx file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\schema
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema
3. Schedule the import. See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.
Before you can import Business Structures into Oracle Identity Analytics using text files, you need a schema file and an input file.
The schema file for the business structure import is a standard .rbx file that needs to be located in the schema folder. The businessUnitName field is mandatory, whereas the other fields are optional.
The naming convention for the schema file is businessstructure.rbx.
A sample schema file for business structure import is shown here:
businessUnitName,parentBusinessUnitName,statusKey,division,mainPhone,otherPhone,fax,email,website,street1,street2,street3,city,stateOrProvince,zipOrPostalCode,countryOrRegion,businessUnitType,businessUnitOwner,businessUnitAdministrator,mailCode,businessUnitDescription,businessUnitCode,serviceDeskTicketNumber,businessUnitManagers
The mapping between the business structure's schema file and the import file needs to be one-to-one. The naming convention for the files is as follows:
businessstructure_<file number>
The following table lists details about the required and optional fields that you can include in the Business Structures import schema file.
Table 2-5 Business Structures Import Schema File Fields
Field Name | Data Type | Max Length | Description | Required? |
---|---|---|---|---|
|
Text |
512 |
Required |
|
|
Text |
512 |
Optional |
|
|
Number |
Must be 1 or 2 where: 1 - Active 2 - Inactive If this field is not set, the default is 2 (Inactive). |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
|
Text |
100 |
Optional |
|
businessUnitCode |
Text |
100 |
Optional |
|
businessUnitDescription |
Text |
2048 |
Optional |
|
|
Text |
100 |
Optional |
|
serviceDeskTicketNumber |
Text |
100 |
Optional |
|
|
Text |
2048 |
Optional |
1. Add the businessstructure_01 file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\in
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in
2. Add the businessstructure.rbx file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\schema
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema
3. Schedule the import. See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.
Before you can import glossary names into Oracle Identity Analytics using text files, you need a schema file and an input file.
The schema file for the glossary import is a standard .rbx file that needs to be located in the schema folder.
The following declaration is required to map glossary to a resource type:
# @iam:namespace name="<resource type's Name>" shortName="<resource type's Short Name>"
The endPointName, attributeName, and attributeValueValue fields are mandatory, whereas the other fields are optional. The naming convention for the schema file is <resource type's Short Name>_glossary.rbx.
A sample schema file for glossary import is shown below:
# @iam:namespace name="LDAP" shortName="LDAP"
endPointName,attributeName,attributeValueValue,owner,itemRisk,classification,definition,comments
The mapping between the glossary's schema file and the import file needs to be one-to-one. Files for different resource types are distinguished by the naming convention used for each file.
The naming convention for the files is as follows:
<resource type's Short Name>_glossary<file number>
The following table lists details about the required and optional fields that you can include in the glossary import schema file.
Table 2-6 Glossary Import Schema File Fields
Field Name | Data Type | Max Length | Description | Required? |
---|---|---|---|---|
|
Text |
256 |
Required |
|
|
Text |
512 |
Required |
|
|
Text |
2000 |
Required |
|
|
Text |
100 |
Optional |
|
|
Number |
Assigns an Item-Risk setting to the Attribute Value. The value must be 1, 2, or 3, where: 1 = high risk 2 = medium risk 3 = low risk If you do not include the |
Optional |
|
|
Text |
512 |
Optional |
|
|
Text |
4Gb |
Optional |
|
|
Text |
4Gb |
Optional |
1. Add the LDAP_glossary01 file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\in
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/in
2. Add the LDAP_glossary.rbx file to the following folder:
   - For Windows - C:\Oracle\OIA_11gR1\import\schema
   - For UNIX - /opt/Oracle/OIA_11gR1/rbacx/import/schema
3. Schedule the import. See Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics" for more information.
For information about scheduling import and export jobs, see Section 10.1, "Scheduling Import and Export Jobs in Oracle Identity Analytics."
Oracle Identity Analytics can import multiple files at the same time and can insert or update its database using different batch sizes. File import properties are configured in $RBACX_HOME/conf/iam.properties. These properties are set at their default value, and can be changed by the administrator depending on the needs of the organization.
Table 2-7 File Import Configuration Properties
Property Name | Variable | Description | Default Value |
---|---|---|---|
Maximum Concurrent Imports | | Specifies the number of files to import concurrently. | |
Maximum Errors Limit | | Specifies the maximum number of errors per file before aborting the process. | |
Batch Size | | Specifies the number of records to read and process in a batch during an import. Note - If this value is set too high, the import process will fail. A maximum value of 1000 or less is recommended. | |
Correlation Parameters | | Specifies whether orphan accounts (accounts that are not correlated to a global user) are dropped (True) or saved (False) as orphan accounts during the import process. | |
Correlation Options | | Allows further control over correlation of accounts to users during the import process. Options available are Always (all accounts are correlated on every import), Orphan (only orphan accounts are correlated; established user-account associations are not updated), and Never (accounts are not correlated). | |
Drop Location | | Specifies the location where the feeds to be imported are placed. | |
Complete Location | | Specifies the location where the input files are moved after processing. | |
Schema Location | | Specifies the location where the schema files are placed. | |
You can verify whether imports have been successful in the following two ways:
- Verifying from the front end
- Verifying from the back end

Verifying from the front end:
1. Log in to Oracle Identity Analytics.
2. Choose Administration > Auditing and Events.
3. Select Import/Export Logs. All import jobs are listed.
4. Check the Result column to see if the import was successful or if it failed.

Verifying from the back end:
Verify success or failure of the import:
- If the import has been successful, the input file placed in $RBACX_HOME/import/in is moved to $RBACX_HOME/import/complete/success.
- If the import has failed, the input file placed in $RBACX_HOME/import/in is moved to $RBACX_HOME/import/complete/error.
For information about how to view the import-export log, see Chapter 13, "Audit Event Log and Import-Export Log."