A Working with the Command Line Tool

You can use the Oracle Privileged Account Manager command line tool to perform many of the same tasks you perform by using the Oracle Privileged Account Manager Console. This appendix describes how to launch and work with the Oracle Privileged Account Manager command line tool.


A.1 Using the Command Line Tool

This section describes how to launch and use the command line tool.

A.1.1 Launching the Command Line Tool

Oracle Privileged Account Manager provides two methods for launching the command line tool:

In most situations, you can use the instructions in Section A.1.1.1, "Launching the Command Line Tool from IAM_HOME" to launch the command line tool.

However, if you want to use the Oracle Privileged Account Manager command line tool from machines other than the one where you set up Oracle Identity Management middleware, use the instructions in Section A.1.1.2, "Launching the Command Line Tool from Oracle Privileged Account Manager Client Archive."

Note:

For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.

When you provide the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager command line tool (or to Oracle Privileged Account Manager's web-based Console), you must provide the SSL endpoint as https://hostname:sslport/opam.

By default, the WebLogic AdminServer (where the Oracle Privileged Account Manager Console runs) responds to SSL on port 7002 (In IBM WebSphere, the port is 8002). The default Oracle Privileged Account Manager server SSL port is 18102 for both WebLogic and IBM WebSphere. You can use the WebLogic console to check the port for your particular instance.

A.1.1.1 Launching the Command Line Tool from IAM_HOME

To launch the Oracle Privileged Account Manager command line tool:

  1. Open a command window and set the ORACLE_HOME and the JAVA_HOME variables to the appropriate path.

    • Set ORACLE_HOME to IAM_HOME.

    • Set JAVA_HOME to the JRE location.

  2. Change directory to ORACLE_HOME/opam/bin.

  3. At the prompt, type one of the following commands:

    • On UNIX, type: opam.sh

    • On Windows, type: opam.bat

    Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.

    You can invoke the Oracle Privileged Account Manager command line tool from a remote client by providing the Oracle Privileged Account Manager server's URL (running on the same machine or on a different machine) in the -url option.

A.1.1.2 Launching the Command Line Tool from Oracle Privileged Account Manager Client Archive

The Oracle Privileged Account Manager client is also available as a standalone .zip file, located in the following directory of an Oracle Identity and Access Management suite installation:

IAM_HOME/opam/tools/opamclient.zip

Copy the archive and then follow these steps to launch the command line tool:

  1. Unzip the archive on the machine where the Oracle Privileged Account Manager client is required.

    Unzipping the opamclient.zip file creates a top-level directory named opamclient.

  2. Set the OPAMCLIENT_HOME variable to <UNZIP_DIR>/opamclient and set the JAVA_HOME variable to the JRE location.

  3. At the prompt, type one of the following commands:

    • On UNIX, type: opam.sh

    • On Windows, type: opam.bat

    Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.

    You can invoke the Oracle Privileged Account Manager command line tool by providing the Oracle Privileged Account Manager server's URL in the -url option.

A.1.2 Issuing Commands

Use the following syntax to issue any of the Oracle Privileged Account Manager commands:

[-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>

Note:

When entering commands, precede these options with the launch script for your platform:

  • On UNIX, type: opam.sh

  • On Windows, type: opam.bat

where:

Option Description

-url <url>

Provide the URL address for the Oracle Privileged Account Manager server.

Note: If you do not specify a URL for this option, it defaults to https://hostname:18102/opam.

-u <username>

Provide your log-in user name.

-p <password>

Provide your log-in password.

-debug

Enable the debugger log.

-x <opam-command>

Run the specified Oracle Privileged Account Manager command.


For example:

-url https://hostname:sslport/opam -u <username> [-p <password>] [-debug] 
-x checkout -targetname <targetname> -accountname <accountname>

Note:

  • On a Windows system, you must use double quotes (") instead of single quotes (') for parameters that contain spaces. For example,

    opam.bat -u sec_admin -p passwd -x showtargetpassword 
    -targetname "oracle db"
    
  • On a UNIX system, you can use single quotes (') for parameters that contain spaces. You can also use special symbols, such as a dollar sign ($).

A.2 Working with the Server

The following sections contain information about the commands that you use to manage the Oracle Privileged Account Manager server.

A.2.1 getconfig Command

Use the getconfig command to view the OPAM Global Config configuration entry, which enables you to access and manage various Oracle Privileged Account Manager server properties.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x getconfig 
  -configtype <config type> <options>

The following table describes the options you can use with this command:

Option Description

-configtype <global/session>

Specify the configuration type.

[-help]

Optional. Displays usage options for this command.


See Also:

modifyconfig Command

A.2.2 getserverstatus Command

Use the getserverstatus command to get the status for an Oracle Privileged Account Manager instance.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x getserverstatus <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.3 modifyconfig Command

Use the modifyconfig command to manage Oracle Privileged Account Manager server properties in the OPAM Global Config configuration entry. You can use this command to perform two types of configuration, global and session.

Global Configuration Type

The following properties are available for global configuration:

  • policyenforcerinterval. Interval (in seconds) at which Oracle Privileged Account Manager checks accounts and then automatically checks in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)

  • passwordcyclerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)

  • tdemode. Flag to request that Oracle Privileged Account Manager use Transparent Data Encryption (TDE) mode or non-TDE mode. For more information, refer to Section 15.2, "Securing Data On Disk."

Session Configuration Type

The following properties are available for the session configuration:

  • updateinterval. Interval (in seconds) in which the Oracle Privileged Session Manager server checks all of the checked out sessions for expiration and updates their transcripts.

  • opamserverurls. List of Oracle Privileged Account Manager server URLs to which the Session Manager can connect.

  • maxrecordsize. Maximum recording size that is allowed per session (in KB). When this quota is reached, the session is automatically terminated.

The following properties are SSH-specific:

  • opamListenPort. The port on which Session Manager listens for incoming SSH connections.

  • sessioncheckoutinstructions. The checkout instructions that are presented to users for SSH sessions.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyconfig 
-configtype <config type> <options>

The following table describes the options you can use with the modifyconfig command:

Option Description

-configtype <global/session>

Specify the configuration type.

[-propertyname <property name>]

Specify the server property to be modified:

  • policyenforcerinterval

  • passwordcyclerinterval

  • tdemode

[-propertyvalue <property value>]

Specify the property value to be modified.

[-help]

Optional. Displays usage options for this command.


For example,

-x modifyconfig -configtype global -propertyname policyenforcerinterval
  -propertyvalue 600

or

-x modifyconfig -configtype global -propertyname tdemode 
  -propertyvalue true

See Also:

getconfig Command
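The modifyconfig invocation above, together with the common command syntax from Section A.1.2, as an added Python example that is not part of the Oracle documentation: it checks the property name against the configuration type, validates the value, and returns the argument vector for opam.sh so that no shell quoting is needed. The validation rules (positive integers for the numeric properties, https-only URLs ending in /opam) and the assumption that the tool prompts for the password when -p is omitted are this example's own.

```python
"""Build and validate an OPAM modifyconfig invocation (added example)."""
import re
from typing import List
from urllib.parse import urlsplit

# Server properties per -configtype, as listed in the modifyconfig section.
GLOBAL_PROPS = {"policyenforcerinterval", "passwordcyclerinterval", "tdemode"}
SESSION_PROPS = {"updateinterval", "opamserverurls", "maxrecordsize",
                 "opamListenPort", "sessioncheckoutinstructions"}


def is_opam_url(url: str) -> bool:
    """The OPAM server only answers SSL; the endpoint is https://hostname:sslport/opam."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and bool(parts.hostname)
            and parts.port is not None and parts.path == "/opam")


def validate_property(configtype: str, name: str, value: str) -> str:
    """Return the value for the command line, or raise ValueError if it is unusable."""
    if configtype == "global":
        allowed = GLOBAL_PROPS
    elif configtype == "session":
        allowed = SESSION_PROPS
    else:
        raise ValueError(f"unknown configtype {configtype!r}")
    if name not in allowed:
        raise ValueError(f"{name!r} is not a {configtype} property")
    if name == "tdemode":
        if value not in ("true", "false"):
            raise ValueError("tdemode must be true or false")
        return value
    if name == "opamserverurls":
        # Multi-valued attributes use the value1|value2 format.
        bad = [u for u in value.split("|") if not is_opam_url(u)]
        if bad:
            raise ValueError(f"not an https OPAM endpoint: {bad}")
        return value
    if name == "sessioncheckoutinstructions":
        return value
    # Remaining properties are numeric: intervals in seconds, a size in KB, a port.
    if not re.fullmatch(r"[1-9][0-9]*", value):
        raise ValueError(f"{name} needs a positive integer, got {value!r}")
    if name == "opamListenPort" and int(value) > 65535:
        raise ValueError("opamListenPort must be a valid TCP port")
    return value


def is_valid_property(configtype: str, name: str, value: str) -> bool:
    """Boolean convenience wrapper around validate_property."""
    try:
        validate_property(configtype, name, value)
        return True
    except ValueError:
        return False


def build_modifyconfig(url: str, user: str, configtype: str,
                       name: str, value: str) -> List[str]:
    """Return the argv for opam.sh; pass it to subprocess.run without shell=True."""
    value = validate_property(configtype, name, value)
    if not is_opam_url(url):
        raise ValueError("-url must be https://hostname:sslport/opam")
    # -p is deliberately omitted so the password does not appear in the process
    # list or shell history; this assumes the tool prompts for it when -p is absent.
    return ["opam.sh", "-url", url, "-u", user, "-x", "modifyconfig",
            "-configtype", configtype, "-propertyname", name,
            "-propertyvalue", value]
```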

A.3 Working with Policies

The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager Password Policies and Usage Policies.

A.3.1 addpasswordpolicy Command

Use the addpasswordpolicy command to add a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addpasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Provide a name for the new Password Policy.

-policystatus <active/disabled>

Specify the Password Policy status.

[-description <policy description>]

Optional. Provide a description of the Password Policy.

[-passwordchangedurationunit <minutes/hours/days>]

Optional. Specify the password age unit.

[-passwordchangedurationvalue <password change duration value>]

Optional. Specify the password age value.

[-changeoncheckin <true/false>]

Optional. Specify whether to change the password when checking in the account using this Password Policy.

[-changeoncheckout <true/false>]

Optional. Specify whether to change the password when checking out the account using this Password Policy.

[-passwordcharsmin <password minimum chars number>]

Optional. Specify the minimum character length restriction for the Password Policy.

[-passwordcharsmax <password maximum chars number>]

Optional. Specify the maximum character length restriction for the Password Policy.

[-passwordalphabeticmin <password minimum alphabetic chars number>]

Optional. Specify the minimum number of alphabetic characters required for the Password Policy.

[-passwordnumericmin <password minimum numeric chars number>]

Optional. Specify the minimum number of numeric characters required for the Password Policy.

[-passwordalphanumericmin <password minimum alphanumeric chars number>]

Optional. Specify the minimum number of alphanumeric characters required for the Password Policy.

[-passworduniquemin <password minimum unique chars number>]

Optional. Specify the minimum number of unique characters required for the Password Policy.

[-passworduppercasemin <password minimum uppercase chars number>]

Optional. Specify the minimum number of uppercase characters required for the Password Policy.

[-passwordlowercasemin <password minimum lowercase chars number>]

Optional. Specify the minimum number of lowercase characters required for the Password Policy.

[-passwordspecialmin <password minimum special chars number>]

Optional. Specify the minimum number of special characters required for the Password Policy.

[-passwordspecialmax <password maximum special chars number>]

Optional. Specify the maximum number of special characters allowed for the Password Policy.

[-passwordrepeatedmin <password minimum repeated chars number>]

Optional. Specify the minimum number of repeated characters allowed for the Password Policy.

[-passwordrepeatedmax <password maximum repeated chars number>]

Optional. Specify the maximum number of repeated characters allowed for the Password Policy.

[-startingchar <true/false>]

Optional. Specify whether the first character of the generated password can be a numeric character. If you specify true, then the password cannot start with a number.

[-isaccountnameallowed <true/false>]

Optional. Specify whether the generated password can be identical to the account name.

[-requiredchars <required chars>]

Optional. Specify characters that are required in the generated password. Use the comma (,) symbol to separate the characters. For example, a,b,c.

[-allowedchars <allowed chars>]

Optional. Specify characters that are allowed in the generated password. Use the comma (,) symbol to separate the characters. For example, a,b,c.

[-disallowedchars <disallowed chars>]

Optional. Specify characters that are not allowed in the generated password. Use the comma (,) symbol to separate the characters. For example, a,b,c.

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x addpasswordpolicy -policyname password_policy_hr -policystatus active
-changeoncheckin true
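The constraints the addpasswordpolicy options express, as an added Python example that is not Oracle code: a policy object mirrors the option names, and violations() reports which rules a candidate password breaks, which is useful for testing a policy before it is attached to a target. Assumptions of this example: punctuation counts as a special character, "repeated characters" means the longest run of one character, and passwordrepeatedmin is not modelled.

```python
"""Check a password against an OPAM-style Password Policy (added example)."""
import string
from dataclasses import dataclass, field
from typing import List, Optional

SPECIAL = set(string.punctuation)  # assumption: punctuation is "special"


@dataclass
class PasswordPolicy:
    """Fields are named after the addpasswordpolicy options; None means unset."""
    passwordcharsmin: Optional[int] = None
    passwordcharsmax: Optional[int] = None
    passwordalphabeticmin: Optional[int] = None
    passwordnumericmin: Optional[int] = None
    passwordalphanumericmin: Optional[int] = None
    passworduniquemin: Optional[int] = None
    passworduppercasemin: Optional[int] = None
    passwordlowercasemin: Optional[int] = None
    passwordspecialmin: Optional[int] = None
    passwordspecialmax: Optional[int] = None
    passwordrepeatedmax: Optional[int] = None
    startingchar: bool = False          # true: password must not start with a digit
    isaccountnameallowed: bool = True
    requiredchars: List[str] = field(default_factory=list)
    allowedchars: List[str] = field(default_factory=list)
    disallowedchars: List[str] = field(default_factory=list)


def parse_charlist(value: str) -> List[str]:
    """Parse the comma-separated form used by -requiredchars and friends (a,b,c)."""
    return [c for c in value.split(",") if c]


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == ch else 1
        best = max(best, run)
    return best


def violations(pw: str, policy: PasswordPolicy, account: str = "") -> List[str]:
    """Return the names of the policy rules the password breaks (empty = compliant)."""
    p, out = policy, []
    counts = {
        "passwordcharsmin": len(pw),
        "passwordalphabeticmin": sum(c.isalpha() for c in pw),
        "passwordnumericmin": sum(c.isdigit() for c in pw),
        "passwordalphanumericmin": sum(c.isalnum() for c in pw),
        "passworduniquemin": len(set(pw)),
        "passworduppercasemin": sum(c.isupper() for c in pw),
        "passwordlowercasemin": sum(c.islower() for c in pw),
        "passwordspecialmin": sum(c in SPECIAL for c in pw),
    }
    for rule, n in counts.items():  # all "minimum" rules share one shape
        limit = getattr(p, rule)
        if limit is not None and n < limit:
            out.append(rule)
    if p.passwordcharsmax is not None and len(pw) > p.passwordcharsmax:
        out.append("passwordcharsmax")
    if p.passwordspecialmax is not None and counts["passwordspecialmin"] > p.passwordspecialmax:
        out.append("passwordspecialmax")
    if p.passwordrepeatedmax is not None and longest_run(pw) > p.passwordrepeatedmax:
        out.append("passwordrepeatedmax")
    if p.startingchar and pw[:1].isdigit():
        out.append("startingchar")
    if not p.isaccountnameallowed and account and pw == account:
        out.append("isaccountnameallowed")
    if any(c not in pw for c in p.requiredchars):
        out.append("requiredchars")
    if p.allowedchars and any(c not in p.allowedchars for c in pw):
        out.append("allowedchars")
    if any(c in pw for c in p.disallowedchars):
        out.append("disallowedchars")
    return out
```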

A.3.2 addusagepolicy Command

Use the addusagepolicy command to add a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Provide a name for the new Usage Policy.

-policystatus <active/disabled>

Specify the Usage Policy status.

[-description <policy description>]

Optional. Provide a description of the Usage Policy.

-dateorduration <date/duration>

Set an expiration time based on date or duration.

[-expireddateminutesfromcheckout <minutes to expiration>]

Optional. Specify the number of minutes until expiration. When a checked-out account with this Usage Policy exceeds the specified duration, Oracle Privileged Account Manager automatically checks in that account.

Note: This field becomes a required field if you specify duration for the -dateorduration attribute.

[-expireddate <expiration date>]

Optional. Specify the expiration date. When an account with this Usage Policy meets this expiration date, Oracle Privileged Account Manager automatically checks in that account.

Note: This field becomes a required field if you specify date for the -dateorduration attribute.

Use the following three options to specify at what time the access expires on the expiration date:

[-expireddatehour <expiration hour in expire time>]

Optional. Specify an hour. For example, specify 5 if the expiration time should be 5:00.

[-expireddateminutes <expiration minutes in expire time>]

Optional. Specify the minutes. For example, specify 30 if the expiration time should be 5:30.

[-expireddateamorpm <am/pm>]

Optional. Specify whether the expiration time is a.m. or p.m.

Note: These three fields become required fields if you specify date for the -dateorduration attribute.

-timezone <time zone>

Specify a time zone for the Usage Policy, including the timezone region.

For example, (GMT -6:00) America/Chicago.

-usagedates <dates information of usage policy>

Specify the usage dates information for the policy by using the pipe (|) symbol to separate days and the colon (:) symbol to separate times.

For example, monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm

-enablerecording <true/false>

Set this flag to enable (true) or disable (false) session recording when applying the Usage Policy to a session checkout. (Default is true.)

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x addusagepolicy -policyname usage_policy_fromPMtoAM -policystatus active
-dateorduration duration -expireddateminutesfromcheckout 120 
-timezone '(GMT -6:00) America/Chicago'
-usagedates 'monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm'
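The -usagedates format and the duration-based expiration described above, as an added Python example that is not Oracle code: it parses the day|day list with colon-separated 12-hour fields into weekly windows, decides whether a checkout at a given local time is allowed, and computes when a duration policy will auto check-in the account. Assumptions of this example: a window of 12:0:am to 12:0:am covers the whole day, end times are exclusive, and the datetime passed in is already in the policy's time zone.

```python
"""Parse and evaluate an OPAM Usage Policy -usagedates value (added example)."""
from datetime import datetime, timedelta
from typing import Dict, Tuple

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
Windows = Dict[str, Tuple[int, int]]  # weekday -> (start minute, end minute)


def to_minutes(hour: str, minute: str, ampm: str) -> int:
    """Convert 12-hour fields to minutes after midnight (12:0:am = 0, 12:0:pm = 720)."""
    h, m = int(hour), int(minute)
    if not (1 <= h <= 12 and 0 <= m <= 59 and ampm in ("am", "pm")):
        raise ValueError(f"bad time {hour}:{minute}:{ampm}")
    h = h % 12 + (12 if ampm == "pm" else 0)
    return h * 60 + m


def parse_usagedates(value: str) -> Windows:
    """monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm -> per-day minute windows."""
    windows: Windows = {}
    for entry in value.split("|"):
        fields = entry.split(":")
        if len(fields) != 7 or fields[0] not in DAYS:
            raise ValueError(f"malformed usage entry {entry!r}")
        day = fields[0]
        start = to_minutes(*fields[1:4])
        end = to_minutes(*fields[4:7])
        if end == 0:            # 12:0:am as the end time means end of day
            end = 24 * 60
        if end <= start:
            raise ValueError(f"window ends before it starts: {entry!r}")
        windows[day] = (start, end)
    return windows


def checkout_allowed(windows: Windows, when: datetime) -> bool:
    """True if `when` (policy-local time) falls inside that weekday's window."""
    win = windows.get(DAYS[when.weekday()])
    if win is None:
        return False
    minute = when.hour * 60 + when.minute
    return win[0] <= minute < win[1]


def auto_checkin_time(checkout: datetime, expireddateminutesfromcheckout: int) -> datetime:
    """For -dateorduration duration, the time at which OPAM checks the account in."""
    if expireddateminutesfromcheckout <= 0:
        raise ValueError("expireddateminutesfromcheckout must be positive")
    return checkout + timedelta(minutes=expireddateminutesfromcheckout)
```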

A.3.3 modifypasswordpolicy Command

Use the modifypasswordpolicy command to modify a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifypasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Password Policy to be modified.

-propertyname <property name>

Specify the property name that you want to modify.

-propertyvalue <property value>

Specify the property value that you want to modify.

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x modifypasswordpolicy -policyname password_policy_hr 
-propertyname changeoncheckin -propertyvalue true

A.3.4 modifyusagepolicy Command

Use the modifyusagepolicy command to modify a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Usage Policy to be modified.

-propertyname <property name>

Specify the property name that you want to modify.

-propertyvalue <property value>

Specify the property value that you want to modify.

-enablerecording <true/false>

Set this flag to enable (true) or disable (false) session recording when applying the Usage Policy to a session checkout. (Default is true.)

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x modifyusagepolicy -policyname usage_policy_fromPMtoAM 
-propertyname changeoncheckin -propertyvalue true

A.3.5 removepasswordpolicy Command

Use the removepasswordpolicy command to remove a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removepasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Password Policy to remove.

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x removepasswordpolicy -policyname password_policy_hr

A.3.6 removeusagepolicy Command

Use the removeusagepolicy command to remove a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Usage Policy to remove.

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x removeusagepolicy -policyname usage_policy_fromPMtoAM

A.3.7 retrievepasswordpolicy Command

Use the retrievepasswordpolicy command to retrieve a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievepasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Password Policy to be retrieved.

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x retrievepasswordpolicy -policyname password_policy_hr

A.3.8 retrieveusagepolicy Command

Use the retrieveusagepolicy command to retrieve a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Usage Policy to be retrieved.

[-help]

Optional. Displays usage options for this command.


For example:

-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] 
-x retrieveusagepolicy -policyname usage_policy_hr

A.4 Working with Targets

The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager targets.

A.4.1 addtarget Command

Use the addtarget command to add a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addtarget <options>

Oracle Privileged Account Manager supports multiple target types, and each target type has different required and optional parameters. You must specify the target type to see the target-specific options, as follows:

Option Description

-targettype <ldap | unix | database>
<type-specific attributes>

Specify the target type to see target-specific attributes.


Note:

These options should be discovered at run time, before you execute the addtarget command.

The following examples illustrate the commands you can execute to list

Example A-1 Supported Target Types

sh opam.sh -url <OPAM url> -u <security admin user> 
-p <security admin user password> -x addtarget -help

For example, if https://hostname:sslport/opam is the Oracle Privileged Account Manager server URL, execute the following command:

sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 
-x addtarget -help

Example A-2 Required and Optional Parameters for a Specific Target Type

sh opam.sh -url <OPAM url> -u <security admin user> 
-p <security admin user password> -x addtarget 
-targettype <any supported target type> -help

For example, if you are using the LDAP target type with https://hostname:sslport/opam as the Oracle Privileged Account Manager server URL, execute the following command:

sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 
-x addtarget -targettype ldap -help

Refer to the following sections for a description of the parameters used with the different target types:

A.4.1.1 ldap Target Type Parameters

The following table describes the ldap target type parameters that you can use with this command.

Option Description

-targetname <targetname>

Provide a name for the target.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

-port <port>

Provide the TCP/IP port number used to communicate with the LDAP server.

[-ssl <ssl>]

Optional. Specify to connect to the LDAP server using SSL.

-principal <principal>

Provide the distinguished name with which to authenticate to the LDAP server.

-credentials <credentials>

Provide the principal's password.

[-passwordpolicy <password policy name>]

Optional. Identify a Password Policy to apply to the target.
(See Note following table.)

[-passwordpolicyid <password policy ID>]

Optional. Identify a Password Policy to apply to the target.
(See Note following table.)

-baseContexts <baseContexts>
[Multi-Valued]

Specify one or more starting points in the LDAP tree to use when searching the tree.

Searches are performed when discovering users from the LDAP server or when looking for groups in which the user is a member.

-accountNameAttribute <accountNameAttribute>

Identify the attribute that holds the account's user name.

[-description <description>]

Optional. Provide a description of the target.

[-organization <organization>]

Optional. Provide the organization name.

[-uidAttribute <uidAttribute>]

Optional. Provide the name of the LDAP attribute that is mapped to the UID attribute. (Defaults to uid)

[-accountSearchFilter <accountSearchFilter>]

Optional. Provide an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, then only accounts that include all specified object classes will be returned. (Defaults to (uid=*))

[-passwordAttribute <passwordAttribute>]

Optional. Identify the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. (Defaults to userpassword)

[-accountObjectClasses <accountObjectClasses>] [Multi-Valued]

Optional. Specify the objectclass or objectclasses to use when creating new user objects in the LDAP tree.

When entering more than one objectclass, put each entry on its own line and do not use commas or semicolons to separate multiple object classes.

Some objectclasses may require that you specify all objectclasses in the class hierarchy. (Defaults to "top|person|organizationalPerson|inetOrgPerson")

[-force <true/false>]

Optional. Enable or disable the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-help]

Optional. Displays usage options for this command.


Note:

  • You can use either -passwordpolicy <password policy name> or -passwordpolicyid <policy ID> to apply a Password Policy to the target.

  • You must specify all multi-valued attributes in this format: value1|value2|...

A.4.1.2 database Target Type Parameters

The following table describes the database target type parameters that you can use with this command.

Option Description

-targetname <targetname>

Provide a name for the target.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

-jdbcUrl <jdbcUrl>

Provide the JDBC URL that identifies the target system location. Following are some example URL formats:

  • For Oracle: jdbc:oracle:thin:@<host>:<port>:<sid>

  • For MSSQL: jdbc:sqlserver://<host>:<port>;database=<database>

  • For MySQL: jdbc:mysql://<host>:<port>/<database>

  • For DB2: jdbc:db2://<host>:<port>/<database>

  • For Sybase: jdbc:sybase:Tds:<host>:<port>/<database>

-loginUser <loginUser>

Provide the Admin User name.

-loginPassword <loginPassword>

Provide the Admin User's password.

-dbType <dbType>

Specify the database type for which the connector is being used. The connector supports the Oracle, MSSQL, MySQL, DB2, and Sybase database types.

Note: You can also configure the connector to work against custom database types.

[-description <description>]

Optional. Provide a description of the target.

[-organization <organization>]

Optional. Provide the organization name.

[-passwordpolicy <password policy name>]

Optional. Specify a Password Policy to apply to the target.
(See Note following table.)

[-passwordpolicyid <password policy ID>]

Optional. Specify a Password Policy to apply to the target.
(See Note following table.)

[-passwordrollover <true/false>]

Optional. Specify whether you want the target's service account password to be rolled over according to the assigned Password Policy.

  • true: Roll over the service account password, based on the assigned Password Policy.

  • false (default): Do not roll over the service account password.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

[-connectionProperties <connectionProperties>]

Optional. Specify the connection properties you used when configuring the secured connection. You must use name-value pairs, in the following format:

prop1=val1#prop2=val2..

[-force <true/false>]

Optional. Enable or disable the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-help]

Optional. Displays usage options for this command.


Note:

  • You can use either -passwordpolicy <password policy name> or -passwordpolicyid <policy ID> to apply a Password Policy to the target.

  • You must specify all multi-valued attributes in this format: value1|value2|...

A.4.1.3 unix Target Type Parameters

The following table describes the unix target type parameters that you can use with this command.

Option Description

-targetname <targetname>

Provide a name for the target.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

-loginUser <loginUser>

Provide a user name with which to log into the target. For example, root.

-loginUserpassword <loginUserpassword>

Provide a password for the Login user.

-loginShellPrompt <loginShellPrompt>

Provide the shell prompt to display when you log into the target. For example, $ or #.

[-description <description>]

Optional. Provide a description of the target.

[-organization <organization>]

Optional. Provide the organization name.

[-passwordpolicy <password policy name>]

Optional. Specify a Password Policy to apply to the target.
(See Note following table.)

[-passwordpolicyid <password policy ID>]

Optional. Specify a Password Policy to apply to the target.
(See Note following table.)

[-passwordrollover <true/false>]

Optional. Specify whether you want the target's service account password to be rolled over according to the assigned Password Policy.

  • true: Roll over the service account password, based on the assigned Password Policy.

  • false (default): Do not roll over the service account password.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

[-sudoAuthorization <true/false>]

Optional. Specify whether the user requires sudo authorization.

  • true: Do not require sudo authorization.

  • false (default): Require sudo authorization for root user.

[-commandTimeout <commandTimeout>]

Optional. Specify the command timeout value in milliseconds. (Defaults to 120000)

[-passwordExpectExpressions <passwordExpectExpressions>]

Optional. Specify the expressions to be displayed on the target when setting the user's password.

For example, if the expressions displayed on running the passwd command are, Enter password: and Re-enter password:, then you can enter the following value for this field:

enter password,re-enter password

Note: You can use a regular expression, and the two expressions must be separated by a comma.

(Defaults to new[\s](unix[\s])?password:,new[\s](unix[\s])?password([\s]again)?:)

[-prePasswdExpectExpression <prePasswdExpectExpression>]

Optional. Specify the prompt that can be displayed on some targets before the password prompts when running the passwd command.

You must provide the prompt expression and the expected input value for that expression, separated by a comma. (Defaults to None)

[-sudopasswordExpectExpressions <sudoPasswdExpectExpressions>]

Optional. Specify the password prompt to be displayed when running a command in sudo mode. (Defaults to password:)

[-force <true/false>]

Optional. Enable or disable the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-help]

Optional. Displays usage options for this command.


Note:

  • You can use either -passwordpolicy <password policy name> or -passwordpolicyid <policy ID> to apply a Password Policy to the target.

  • You must specify all multi-valued attributes in this format: value1|value2|...
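The value encodings used by the addtarget parameters in the ldap, database and unix tables above, as an added Python example that is not Oracle code: multi-valued attributes (value1|value2), the jdbcUrl shapes listed per dbType, database connectionProperties (prop1=val1#prop2=val2) and the unix passwordExpectExpressions with its documented default. Case-insensitive prompt matching and the exact jdbcUrl regular expressions are this example's assumptions.

```python
"""Parse the value formats of OPAM addtarget parameters (added example)."""
import re
from typing import Dict, List, Tuple

# Default from the -passwordExpectExpressions description: two comma-separated regexes.
DEFAULT_PASSWORD_EXPECT = (
    r"new[\s](unix[\s])?password:,new[\s](unix[\s])?password([\s]again)?:"
)

# jdbcUrl shapes listed for the database target type, keyed by lower-cased dbType.
JDBC_FORMATS = {
    "oracle": r"jdbc:oracle:thin:@[^:/@]+:\d+:[^:/]+",
    "mssql": r"jdbc:sqlserver://[^:/;]+:\d+;database=[^;]+",
    "mysql": r"jdbc:mysql://[^:/]+:\d+/[^/]+",
    "db2": r"jdbc:db2://[^:/]+:\d+/[^/]+",
    "sybase": r"jdbc:sybase:Tds:[^:/]+:\d+/[^/]+",
}


def parse_multivalued(value: str) -> List[str]:
    """value1|value2|... -> ['value1', 'value2', ...]; empty items are rejected."""
    items = [v.strip() for v in value.split("|")]
    if any(not v for v in items):
        raise ValueError("empty value in multi-valued attribute")
    return items


def jdbc_url_matches_dbtype(dbtype: str, url: str) -> bool:
    """True if the URL has the documented shape for the given dbType."""
    pattern = JDBC_FORMATS.get(dbtype.lower())
    if pattern is None:
        raise ValueError(f"unsupported dbType {dbtype!r}")
    return re.fullmatch(pattern, url) is not None


def parse_connection_properties(value: str) -> Dict[str, str]:
    """prop1=val1#prop2=val2 -> {'prop1': 'val1', 'prop2': 'val2'}"""
    props: Dict[str, str] = {}
    for pair in value.split("#"):
        name, sep, val = pair.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"expected name=value, got {pair!r}")
        props[name.strip()] = val
    return props


def parse_expect_expressions(value: str = DEFAULT_PASSWORD_EXPECT) -> Tuple[re.Pattern, re.Pattern]:
    """Split the first-prompt and re-entry-prompt regexes and compile them."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("passwordExpectExpressions needs exactly two expressions")
    first, again = (re.compile(p.strip(), re.IGNORECASE) for p in parts)
    return first, again


def matching_expressions(line: str, exprs: Tuple[re.Pattern, re.Pattern]) -> List[int]:
    """Indices (0 = first prompt, 1 = re-entry prompt) of the expressions matching a line."""
    return [i for i, rx in enumerate(exprs) if rx.search(line)]
```

Note that the default first expression also matches a re-entry prompt such as "Retype new password:", so a target whose passwd dialogue uses that wording needs a custom -passwordExpectExpressions value.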

A.4.1.4 lockbox Target Type Parameters

The following table describes the lockbox target type parameters that you can use with this command.

Option Description

-targetname <targetname>

Provide a name for the target.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

[-description <description>]

Optional. Provide a description of the target.

[-organization <organization>]

Optional. Provide the organization name.

[-help]

Optional. Displays usage options for this command.


A.4.2 displayalltargets Command

Use the displayalltargets command to display a listing of all targets.

Note:

You must be an administrator with the User Manager Admin Role, the Security Administrator Admin Role, or the Security Auditor Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayalltargets <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.4.3 modifytarget Command

Use the modifytarget command to modify a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifytarget <options>

The following table describes the options you can use with this command:

Option Description

[-targetid <targetid>]

Optional. Specify the target GUID value of the target to be modified.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <targetname>]

Optional. Specify the name of the target to be modified.

-propertyname <propertyname>

Specify the name of the property that you want to modify.

-propertyvalue <propertyvalue>

Specify the property value that you want to modify.

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify a target. Both values are unique.

A.4.4 removetarget Command

Use the removetarget command to remove a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removetarget <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Specify the target GUID value of the target to be removed.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <target name>]

Optional. Specify the name of the target to be removed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target. Both values are unique.

A.4.5 resettargetpassword Command

Use the resettargetpassword command to manually reset a target service account password. When you execute this command, Oracle Privileged Account Manager returns the target service account details and prompts you to enter a new password.

Note:

  • You must be an administrator with the Security Administrator Admin Role to execute this command.

  • This command is not applicable for the lockbox or ldap target types and will return an "Operation not supported" error message.

  • Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x resettargetpassword

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Identify the target to be reset.

[-targetname <target name>]

Optional. Identify the target to be reset.

[-password <account password>]

Optional. Provide a new password for the target.

[-autogen <true/false>]

Optional. Use to automatically generate a password, according to the account Password Policy.

  • true: Enable the system to automatically generate passwords.

  • false (default): Disable the system's ability to automatically generate passwords. Users must specify passwords.

[-help]

Optional. Displays usage options for this command.


Note:

  • You use either <targetid> or <targetname> to identify the target.

  • You use either <password> or <autogen> to create a new password for the target.

A.4.6 retrievetarget Command

Use the retrievetarget command to get information about a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievetarget <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Specify the target GUID value of the target to be retrieved.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <target name>]

Optional. Specify the name of the target to be retrieved.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target. Both values are unique.

A.4.7 searchtarget Command

Use the searchtarget command to search for a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchtarget <options>

The following table describes the options you can use with this command:

Option Description

[-targettype <ldap | solaris | oracledb>]

Optional. Identify the type of target to search for as LDAP, Solaris, or Oracle DB.

[-domain <domain>]

Optional. Provide a domain to search.

[-targetname <target name>]

Optional. Provide the target name to search for.

[-help]

Optional. Displays usage options for this command.


A.4.8 showtargetpassword Command

Use the showtargetpassword command to view the password for a target service account. When you execute this command, Oracle Privileged Account Manager returns the target service account details and the password.

Note:

  • You must be an administrator with the Security Administrator Admin Role to execute this command.

  • This command is not applicable for the lockbox target type and will return an "Operation not supported" error message.

  • Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showtargetpassword

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Identify the target for which the password is being displayed.

[-targetname <target name>]

Optional. Identify the name of the target for which the password is being displayed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target.

A.4.9 showtargetpasswordhistory Command

Use the showtargetpasswordhistory command to view the password history for a target where you have reset the password. When you execute this command, Oracle Privileged Account Manager returns the password history.

Note:

You must be an administrator with the Security Administrator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showtargetpasswordhistory -targetid <targetid> <options>

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Identify the target for which you are searching.

[-targetname <target name>]

Optional. Identify the name of the target for which you are searching.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target.

A.5 Working with Accounts

The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager privileged accounts.

A.5.1 addaccount Command

Use the addaccount command to add a privileged account.

Note:

You must never use the same account as the service account and as a privileged account to be managed by Oracle Privileged Account Manager. Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addaccount <options>

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Specify the target GUID value of a configured target.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <target name>]

Optional. Specify the target name of a configured target.

[-password <account password>]

Optional. Specify a default value for the account password.

Note: This field becomes a required field if the target type is lockbox.

[-description <account description>]

Optional. Provide a description of the account.

-accountname <accountname>

Provide a name for the new account.

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-help]

Optional. Displays usage options for this command.


Note:

  • You use either <targetid> or <targetname> to identify the target. Both values are unique.

  • You can use -password to set up an account password.

A.5.2 displayallaccounts Command

Use the displayallaccounts command to display a listing of all accounts.

Note:

You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallaccounts <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.5.3 checkin Command

Use the checkin command to check in privileged accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x checkin <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be checked in.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be checked in.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-checkoutid <checkout ID>]

Specify the checkout ID.

[-force <true/false>]

Optional. Enables or disables a forced check-in of a privileged account.

A forced check-in enables administrators with the User Manager Admin Role to check in privileged accounts that have been checked out by other users.

  • true: Enables forced check-ins.

  • false: Disables forced check-ins.

[-userid <userid>]

Optional. Specifies the user whose checkout is to be forcibly checked in.

Oracle Privileged Account Manager allows multiple users to check out an account at the same time. By providing a userid, the forced check-in applies only to the specified user.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or the (<accountname> and <targetname>) combination to identify the account.

A.5.4 checkout Command

Use the checkout command to check out privileged accounts.

Note:

The checkout operation also provides a password for you to use.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x checkout <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be checked out.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be checked out.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-checkouttype <password/session>]

Specify the type of checkout:

  • password (default): Allow users to only check out passwords.

  • session: Allow users to only check out sessions.

[-comment <comment>]

Optional. Provide a comment about the checkout.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.5.5 displaycheckedoutaccounts Command

Use the displaycheckedoutaccounts command to display a listing of a user's checked out accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaycheckedoutaccounts <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.5.6 modifyaccount Command

Use the modifyaccount command to modify a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyaccount <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be modified.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be modified.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-propertyname <propertyname>

Specify the name of the property that you want to modify.

Note: To modify an account's Credential Store, you must specify -propertyname keymap and provide the keymap property value in the following format:

-propertyname keymap [map][key][host:port][user][password]

For example,

[map][key][t3:\/\/localhost:7001][weblogic][abc123]

-propertyvalue <propertyvalue>

Specify the property value that you want to modify.

[-help]

Optional. Displays usage options for this command.


Note:

  • To identify an account, you can use either <accountid>
    or (<accountname> and <targetname>).

  • To modify an account's Password Policy, you can use either
    -propertyname passwordpolicy -propertyvalue <policy name>
    or -propertyname passwordpolicyid -propertyvalue <policy ID>.
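The bracketed keymap value above has a fixed field order and writes a literal slash as \/ (as in t3:\/\/localhost:7001). The following parser and builder, added here as an example and not taken from the Oracle documentation or the product, validate such a value before it is passed with -propertyvalue; the field labels (map, key, hostport, user, password) and the escaping of ] and \ are this example's own assumptions.

```python
"""Parser and builder for the keymap value that modifyaccount takes with
-propertyname keymap. Added example, not Oracle code: the field labels and the
escaping of ']' and '\\' are this example's assumptions; escaping '/' as '\\/'
follows the page's sample value [map][key][t3:\\/\\/localhost:7001][weblogic][abc123].
"""
import re
from dataclasses import dataclass

# Field order is fixed by the documented format [map][key][host:port][user][password]
FIELDS = ("map", "key", "hostport", "user", "password")

# One bracketed field: escaped characters (backslash + anything) or any char except ']' and '\'
_FIELD_RE = re.compile(r"\[((?:\\.|[^\]\\])*)\]")


@dataclass(frozen=True)
class KeyMap:
    map: str
    key: str
    hostport: str
    user: str
    password: str

    def redacted(self) -> str:
        """Log-safe description: the credential-store password is never echoed."""
        return f"{self.map}/{self.key}@{self.hostport} as {self.user} (password: ***)"


def _unescape(field: str) -> str:
    # "\/" -> "/", "\]" -> "]", "\\" -> "\"
    return re.sub(r"\\(.)", r"\1", field)


def _escape(field: str) -> str:
    # Backslash first so the escapes added afterwards are not doubled
    return field.replace("\\", "\\\\").replace("/", "\\/").replace("]", "\\]")


def parse_keymap(value: str) -> KeyMap:
    """Split a [..][..][..][..][..] value into its five fields, rejecting malformed input."""
    parts = []
    pos = 0
    while pos < len(value):
        m = _FIELD_RE.match(value, pos)
        if m is None:
            raise ValueError(f"malformed keymap value at offset {pos}: {value[pos:pos + 12]!r}")
        parts.append(_unescape(m.group(1)))
        pos = m.end()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} bracketed fields, found {len(parts)}")
    return KeyMap(*parts)


def build_keymap(km: KeyMap) -> str:
    """Render a KeyMap back into the bracketed form expected by -propertyvalue."""
    return "".join(f"[{_escape(getattr(km, name))}]" for name in FIELDS)


if __name__ == "__main__":
    # Constructed sample matching the page's example (not a real credential)
    km = parse_keymap(r"[map][key][t3:\/\/localhost:7001][weblogic][abc123]")
    print(km.redacted())
    print(build_keymap(km))
```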

A.5.7 removeaccount Command

Use the removeaccount command to remove a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeaccount <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be removed.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be removed.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.5.8 resetpassword Command

Use the resetpassword command to manually reset the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and prompts you to enter a new password.

Note:

For most users, if the account has already been checked back in, you will get an error.

If you are an administrator with the Security Administrator Admin Role, you can use this command to reset a password for both checked out and checked-in accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x resetpassword
  [-wallet <wallet files directory>] [-wallet password <wallet password>]

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be reset.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be reset.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-password <account password>]

Optional. Provide a new password for the account.

[-autogen <true/false>]

Optional. Use to automatically generate a password, according to the account Password Policy.

  • true: Enable the system to automatically generate passwords.

  • false (default): Disable the system's ability to automatically generate passwords. Users must specify passwords.

[-help]

Optional. Displays usage options for this command.


Note:

  • You use either <accountid> or (<accountname> and <targetname>) to identify the account.

  • If you use <accountid> or (<accountname> and <targetname>), you must use -password or -autogen.

A.5.9 retrieveaccount Command

Use the retrieveaccount command to get information about a privileged account, such as which target the account is on. This information does not include passwords.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveaccount <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be retrieved.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be retrieved.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-targetname <target name>]

Optional. Identify the account to be retrieved.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.5.10 searchaccount Command

Use the searchaccount command to search for an account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchaccount <options>

The following table describes the options you can use with this command:

Option Description

[-targettype <ldap | unix | oracledb>]

Optional. Restrict the search to accounts on targets of this type.

[-domain <account domain>]

Optional. Restrict the search to accounts in this domain.

[-targetname <target name>]

Optional. Restrict the search to accounts on this target.

[-help]

Optional. Displays usage options for this command.


Note:

You can use any combination of -targettype, -domain, or -targetname to identify the account. If you do not provide any of these options, the search returns all accounts.

For example, the following search will return all targets:

https://<host name>:<port>/opam/target/search?

Whereas the following search will return all targets whose type contains ldap and whose org contains us:

https://<host name>:<port>/opam/target/search?type=ldap&org=us

A.5.11 searchcheckouthistory Command

Use the searchcheckouthistory command to search the checkouts for an account that you have checked out previously. When you execute this command, Oracle Privileged Account Manager returns the checkout history.

Note:

You must be an administrator with the Security Administrator Admin Role or the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchcheckouthistory
  -accountid <accountid> -fromtime <fromTime> -totime <toTime> <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to search for.

[-accountname <account name>]

Optional. Identify the account to search for.

[-targetname <target name>]

Optional. Provide the name of the target.

-fromtime <from time>

Specify the time to start searching for checkouts by using one of the following formats:

  • month-day-year-hour-minute-second-timezone

  • UTC in seconds

-totime <to time>

Specify the time to stop searching for checkouts by using one of the following formats:

  • month-day-year-hour-minute-second-timezone

  • UTC in seconds

[-uid <user id>]

Identify the user whose checkouts are to be searched.

[-event <event>]

Specify the command executed or a term in the log.

[-size <size>]

Specify the number of results to be returned.

[-help]

Optional. Displays usage options for this command.
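An added example (not code from the Oracle documentation or the product) that assembles the argument list for searchcheckouthistory, emitting -fromtime and -totime in the unambiguous "UTC in seconds" form and enforcing the account-identification rule used throughout this appendix. The launcher path OPAM_CLI and the host opam.example.com:18102 are placeholders.

```python
"""Build the argument list for a searchcheckouthistory run (daily checkout review).

Added example, not Oracle code. Assumptions: the launcher is a separate executable
(placeholder OPAM_CLI) and accepts the options listed in the appendix table.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

OPAM_CLI = "opam-cli-launcher"  # placeholder: substitute the real launcher script path


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Construct a timezone-aware UTC datetime (used for the sample window below)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def to_utc_seconds(t: datetime) -> int:
    """Epoch seconds for a timezone-aware datetime. Naive values are rejected so a
    mis-set local clock cannot silently shift the audit window."""
    if t.tzinfo is None or t.utcoffset() is None:
        raise ValueError("datetime must be timezone-aware")
    return int(t.astimezone(timezone.utc).timestamp())


def checkout_history_argv(
    username: str,
    from_time: datetime,
    to_time: datetime,
    *,
    url: Optional[str] = None,
    account_id: Optional[str] = None,
    account_name: Optional[str] = None,
    target_name: Optional[str] = None,
    uid: Optional[str] = None,
    event: Optional[str] = None,
    size: Optional[int] = None,
    debug: bool = False,
) -> List[str]:
    """Return argv for: [-url <url>] -u <username> [-debug] -x searchcheckouthistory ..."""
    # Identification rule from the appendix: either the account GUID or the
    # (accountname, targetname) pair, which together are unique.
    if account_id and (account_name or target_name):
        raise ValueError("use -accountid or (-accountname and -targetname), not both")
    if not account_id and not (account_name and target_name):
        raise ValueError("identify the account with -accountid or -accountname plus -targetname")
    if to_time <= from_time:
        raise ValueError("-totime must be later than -fromtime")
    if size is not None and size < 1:
        raise ValueError("-size must be positive")

    argv = [OPAM_CLI]
    if url:
        argv += ["-url", url]
    # -p is omitted on purpose so the password never lands in shell history or the process list
    argv += ["-u", username]
    if debug:
        argv.append("-debug")
    argv += ["-x", "searchcheckouthistory"]
    if account_id:
        argv += ["-accountid", account_id]
    else:
        argv += ["-accountname", account_name, "-targetname", target_name]
    argv += ["-fromtime", str(to_utc_seconds(from_time)),
             "-totime", str(to_utc_seconds(to_time))]
    if uid:
        argv += ["-uid", uid]
    if event:
        argv += ["-event", event]
    if size is not None:
        argv += ["-size", str(size)]
    return argv


def last_24h_window(now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Window for a daily review of who checked out an account."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(hours=24), now


if __name__ == "__main__":
    start, end = last_24h_window()
    print(" ".join(checkout_history_argv(
        "sec_auditor", start, end,
        url="https://opam.example.com:18102/opam",   # placeholder server endpoint
        account_name="oracle", target_name="dbhost01",  # constructed sample account
        event="checkout", size=50)))
```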


A.5.12 showpassword Command

Use the showpassword command to view the password for an account that you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and the password.

Note:

If the account has already been checked back in, you will get an error.

You must be an administrator with the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showpassword -accountid <accountid>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account for which the password is being retrieved.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account for which the password is being retrieved.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.5.13 showpasswordhistory Command

Use the showpasswordhistory command to view the password history for an account that you have checked out, checked in, or whose password you have reset. When you execute this command, Oracle Privileged Account Manager returns the password history.

Note:

You must be an administrator with the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showpasswordhistory -accountid <accountid> <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to search for.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.6 Working with Grantees

The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager grantees.

A.6.1 displayallgroups Command

Use the displayallgroups command to display a listing of all groups.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallgroups <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.6.2 displayallusers Command

Use the displayallusers command to display a listing of all users.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallusers <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.6.3 grantgroupaccess Command

Use the grantgroupaccess command to give a group access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantgroupaccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to which the group is granted access.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to which the group is granted access.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-groupname <group name>

Identify the group to be given access.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.6.4 grantuseraccess Command

Use the grantuseraccess command to give a user access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantuseraccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to which the user is granted access.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to which the user is granted access.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-userid <user id>

Identify the user to be given access.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.6.5 removegroupaccess Command

Use the removegroupaccess command to remove a group's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removegroupaccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account where access is being removed.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account where access is being removed.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-groupname <group name>

Identify the group whose access is being removed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.6.6 removeuseraccess Command

Use the removeuseraccess command to remove a user's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeuseraccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account where access is being removed.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account where access is being removed.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-userid <user id>

Identify the user whose access is being removed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.6.7 retrievegrantees Command

Use the retrievegrantees command to get information about the grantees on a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegrantees <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify from which account the grantees are to be retrieved.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify from which account the grantees are to be retrieved.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.6.8 retrievegroup Command

Use the retrievegroup command to get information about a group.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegroup <options>

The following table describes the options you can use with this command:

Option Description

-groupname <group name>

Provide the name of the group to retrieve.

[-help]

Optional. Displays usage options for this command.


A.6.9 retrieveuser Command

Use the retrieveuser command to get information about a user.

Note:

You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveuser <options>

The following table describes the options you can use with this command:

Option Description

-userid <user id>

Identify the user to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.6.10 searchgroup Command

Use the searchgroup command to search for a group.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchgroup <options>

The following table describes the options you can use with this command:

Option Description

[-groupname <group name>]

Optional. Provide the name of the group to search for.

[-description <description>]

Optional. Provide a description of the group.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.6.11 searchuser Command

Use the searchuser command to search for a user.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchuser <options>

The following table describes the options you can use with this command:

Option Description

[-userid <user id>]

Optional. Search for the user by the user ID.

[-firstname <first name>]

Optional. Provide the user's first name.

[-lastname <last name>]

Optional. Provide the user's last name.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.7 Working with Plug-Ins

The following sections describe the commands that you can use to configure and deploy Java plug-ins for Oracle Privileged Account Manager.

A.7.1 addplugin Command

Use the addplugin command to add a plug-in to a resource.

Note:

You must be an administrator with the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addplugin

The following table describes the options you can use with this command:

Note:

Oracle Privileged Account Manager uses some of these options as filtering rules to decide whether to execute the plug-in. In addition, Oracle Privileged Account Manager evaluates these filtering rules in a certain order to decide one rule's precedence over another.

For more information about the filtering rules and about creating plug-in configurations, refer to Section 11.2.8, "Filtering Rules" and Section 11.3, "Creating a Plug-In Configuration" respectively.

Option Description

-pluginname <plugin name>

Specify a name for the new plug-in.

-resource <target/account/server>

Identify the resource on which the plug-in will operate.

-operation <plugin operation>

Specify the operation the plug-in will perform.

Note: Refer to Section 11.2.7, "Supported Operations and Timings" for a complete list of supported operations.

-timing <pre/post>

Specify the plug-in timing.

  • pre (pre-plug-in): Performed before the Oracle Privileged Account Manager operation.

  • post (post-plug-in): Performed after the Oracle Privileged Account Manager operation.

-order <plugin order>

Specify the order in which the plug-in should be queued for execution; the smaller the number, the closer to the beginning of the queue. (Minimum value is 1.)

-classname <plugin class name>

Specify the plug-in's class name.

-classpath <plugin class path> [Multi-Valued]

Specify the path to the plug-in's jar file.

[-description] <plugin description>

Optional. Provide a description of the plug-in.

[-status] <active/disabled>

Specify the plug-in execution status. Where

  • active: Allows the plug-in to execute at runtime.

  • disabled: Does not allow the plug-in to execute at runtime.

[-enableuser] <plugin enabled user> [Multi-Valued]

Optional. Add one or more users to the plug-in's enabled user list.

If the logged in user belongs to the enabled user list, then Oracle Privileged Account Manager will execute the plug-in.

[-disableuser] <plugin disabled user> [Multi-Valued]

Optional. Add one or more users to the plug-in's disabled user list.

If the logged in user belongs to the disabled user list, then Oracle Privileged Account Manager will not execute the plug-in.

[-enablegroup] <plugin enabled group> [Multi-Valued]

Optional. Add one or more groups to the plug-in's enabled group membership list.

If the logged in user belongs to a group in the enabled group membership list, then Oracle Privileged Account Manager will execute the plug-in.

[-disablegroup] <plugin disabled group> [Multi-Valued]

Optional. Add one or more groups to the plug-in's disabled group membership list.

If the logged in user belongs to a disabled membership group, then Oracle Privileged Account Manager will not execute the plug-in.

[-enablehttpresult] <plugin enabled HTTP result> [Multi-Valued]

Optional. Specify the enabled HTTP response.

[-version] <plugin version>

Optional. Specify the plug-in version.

[-timeout] <plugin timeout>

Optional. Specify the plug-in timeout.

[-help]

Optional. Displays usage options for this command.


Note:

You must specify all multi-valued attributes in this format: value1|value2|...
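The following Python helper is an added example and is not Oracle's code. It assembles a validated opam.sh -x addplugin argument list from the option table above: it checks the value domains the table states (resource, timing, status, minimum order), joins every [Multi-Valued] option into the value1|value2|... format, and renders the result as a quoted shell line, which matters because an unquoted | would be read by the shell as a pipe. The sample values (host, plug-in name, class names, jar paths, user names) and the operation name "checkout" are constructed for illustration; the supported operation names are listed in Section 11.2.7, not on this page.

```python
"""Assemble a validated 'opam.sh -x addplugin' invocation.

Added example, not Oracle's code. It encodes the value domains from the
addplugin option table and the multi-valued format 'value1|value2|...'.
It only returns the argument list; nothing here contacts a server.
"""
import shlex

VALID_RESOURCE = {"target", "account", "server"}
VALID_TIMING = {"pre", "post"}
VALID_STATUS = {"active", "disabled"}
OPTIONAL = {"description", "status", "enableuser", "disableuser", "enablegroup",
            "disablegroup", "enablehttpresult", "version", "timeout"}
# Options the table marks [Multi-Valued]; their values are joined with '|'.
MULTI_VALUED = {"classpath", "enableuser", "disableuser", "enablegroup",
                "disablegroup", "enablehttpresult"}


def join_multi(values):
    """Render a list in the tool's multi-valued format: value1|value2|..."""
    if isinstance(values, str):
        values = [values]
    for v in values:
        if "|" in v:
            raise ValueError(f"'|' is the separator and cannot appear in a value: {v!r}")
    return "|".join(values)


def validation_errors(resource, timing, order, status=None):
    """Return the table constraints violated by these values (empty list if none)."""
    errors = []
    if resource not in VALID_RESOURCE:
        errors.append(f"resource must be one of {sorted(VALID_RESOURCE)}")
    if timing not in VALID_TIMING:
        errors.append(f"timing must be one of {sorted(VALID_TIMING)}")
    if not isinstance(order, int) or order < 1:
        errors.append("order must be an integer >= 1")
    if status is not None and status not in VALID_STATUS:
        errors.append(f"status must be one of {sorted(VALID_STATUS)}")
    return errors


def build_addplugin_argv(url, username, pluginname, resource, operation,
                         timing, order, classname, classpath, **optional):
    """Return argv for opam.sh, or raise ValueError if an option is out of range."""
    unknown = set(optional) - OPTIONAL
    if unknown:
        raise ValueError(f"unknown options: {sorted(unknown)}")
    errors = validation_errors(resource, timing, order, optional.get("status"))
    if errors:
        raise ValueError("; ".join(errors))
    # -p is left out on purpose so the password never lands in shell history or
    # process listings (the syntax marks -p as optional; how the tool collects
    # the password when -p is absent is an assumption, not shown on this page).
    argv = ["sh", "opam.sh", "-url", url, "-u", username, "-x", "addplugin",
            "-pluginname", pluginname, "-resource", resource,
            "-operation", operation, "-timing", timing, "-order", str(order),
            "-classname", classname, "-classpath", join_multi(classpath)]
    for name, value in optional.items():
        if value is None:
            continue
        if name in MULTI_VALUED:
            value = join_multi(value)
        argv += [f"-{name}", str(value)]
    return argv


def shell_command(argv):
    """Render argv as one shell line; quoting stops '|' being read as a pipe."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; the operation name is assumed (see Section 11.2.7).
    argv = build_addplugin_argv(
        "https://opamhost:18102/opam", "opamadmin", "audit-checkout",
        "account", "checkout", "pre", 1, "com.example.AuditPlugin",
        ["/opt/opam/plugins/audit.jar", "/opt/opam/plugins/lib.jar"],
        enableuser=["alice", "bob"], status="active", timeout=30)
    print(shell_command(argv))
```

Running the block prints the full command with the multi-valued arguments single-quoted; pass the returned list to subprocess.run without shell=True to avoid the quoting question entirely.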

A.7.2 addplugincustomattr Command

Use the addplugincustomattr command to add a plug-in custom attribute.

Note:

You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug]  -x addplugincustomattr

The following table describes the options you can use with this command:

Option Description

-pluginname <plugin name>

Identify the plug-in on which to add the custom attribute.

-pluginattrname <plugin custom attribute name>

Specify the name of the custom attribute.

-pluginattrvalue <plugin custom attribute value>
[Multi-Valued]

Specify the value of the custom attribute.

[-help]

Optional. Displays usage options for this command.


Note:

You must specify all multi-valued attributes in this format: value1|value2|...

A.7.3 removeplugincustomattr Command

Use the removeplugincustomattr command to remove a custom attribute from a plug-in.

Note:

You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug]  -x removeplugincustomattr

The following table describes the options you can use with this command:

Option Description

-pluginname <plugin name>

Identify the plug-in from which the custom attribute should be removed.

-pluginattrname <plugin custom attribute name>

Specify the name of the custom attribute to be removed.

[-help]

Optional. Displays usage options for this command.


A.7.4 retrieveplugin Command

Use the retrieveplugin command to get information about a plug-in. This information does not include passwords.

Note:

You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug]  -x retrieveplugin <options>

The following table describes the options you can use with this command:

Option Description

-pluginname <plugin name>

Identify the plug-in to retrieve.

[-help]

Optional. Displays usage options for this command.


A.7.5 searchplugin Command

Use the searchplugin command to search for a plug-in.

Note:

You must be an administrator with the Security Administrator Admin Role, the User Manager Admin Role, or the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug]  -x searchplugin <options>

The following table describes the options you can use with this command:

Option Description

[-pluginname] <plugin name>

Optional. Identify the plug-in to search for.

[-description] <plugin description>

Optional. Identify the plug-in description to search for.

[-pluginstatus] <active/disabled>

Optional. Identify the plug-in status to search for.

[-resource] <target/account/server>

Optional. Identify the plug-in resource to search for.

[-operation] <plugin operation>

Optional. Identify the plug-in operation to search for.

[-timing] <pre/post>

Optional. Identify the plug-in timing to search for.

[-help]

Optional. Displays usage options for this command.


You can use any combination of -pluginname, -description, -pluginstatus, -resource, -operation, or -timing to identify the plug-in. If you do not provide any of these options, then the search returns all plug-ins.

For example, the following search returns all plug-ins:

https://<host name>:<port>/opam/plugin/search?

Whereas, the following search returns all plug-ins whose status is active and timing is pre:

https://<host name>:<port>/opam/plugin/search?pluginstatus=active&timing=pre

A.7.6 modifyplugin Command

Use the modifyplugin command to modify a plug-in.

Note:

You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug]  -x modifyplugin <options>

The following table describes the options you can use with this command:

Note:

You must specify all multi-valued attributes in this format: value1|value2|...

Option Description

-pluginname <plugin name>

Identify the plug-in to be modified.

-propertyname <propertyname>

Specify the name of the property that you want to modify.

-propertyvalue <propertyvalue>

Specify the property value that you want to modify.

[-help]

Optional. Displays usage options for this command.


You can modify a plug-in by using the following property names:

Note:

These property names are case-sensitive.

Property Name Description

pluginStatus <active/disabled>

Modify the plug-in's status.

pluginDescription

Modify the plug-in description.

pluginResource <target/account/server>

Modify the resource on which the plug-in will perform.

pluginOperation

Modify the operation the plug-in performs.

pluginTiming <pre/post>

Modify the plug-in timing.

pluginOrder

Modify the plug-in order.

pluginClassName

Modify the plug-in's class name.

pluginClassPath [multi-valued]

Modify the plug-in's class path.

pluginEnableUser [multi-valued]

Modify the plug-in's enabled user list.

pluginDisableUser [multi-valued]

Modify the plug-in's disabled user list.

pluginEnableGroup [multi-valued]

Modify the plug-in's enabled group list.

pluginDisableGroup [multi-valued]

Modify the plug-in's disabled group list.

pluginEnableHTTPResult [multi-valued]

Modify the plug-in's enabled HTTP response.

pluginVersion

Modify the plug-in's version.

pluginTimeout

Modify the plug-in's timeout.


A.7.7 removeplugin Command

Use the removeplugin command to remove a plug-in.

Note:

You must be an administrator with the Application Configurator Admin Role to execute this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug]  -x removeplugin <options>

The following table describes the options you can use with this command:

Option Description

-pluginname <plugin name>

Identify the plug-in to be removed.

[-help]

Optional. Displays usage options for this command.


A.8 Exporting and Importing Data

The following sections contain information about the commands that you use when exporting and importing Oracle Privileged Account Manager data.

A.8.1 export Command

Use the export command to export data stored in Oracle Privileged Account Manager, such as targets and accounts, to XML format. This option and the "import Command" are useful for performing the following operations:

  • Bulk operations, such as querying or loading large volumes of data

  • Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML

  • Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance

Note:

You must be an administrator with the Security Administrator Admin Role to use these commands.

The export command exports all Oracle Privileged Account Manager data, including targets, accounts, policies, and grants.

Note:

Exporting accounts also exports the passwords for those accounts. For added security, you can export the passwords in an encrypted format by using the -encpassword and -enckeylen options.

Be sure to note the encryption password and encryption key length because you must provide that same password for decryption during the import operation.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x export <options>

The following table describes the options you can use with the export command:

Option Description

-f <export file>

Specify an export file name.

[-encpassword <encryption password>]

Optional. Specify a password to use when encrypting the account passwords to the exported file.

[-enckeylen <key length for password encryption>]

Optional. Specify the minimum key length for an encryption or decryption password. (Defaults to 128 bits)

[-log <log file location>]

Optional. Specify a file name and location for the log file. (Defaults to opamlog_<timestamp>.txt)

[-noencrypt <true/false>]

Optional. Specify whether to provide an encryption password. (Defaults to false)

  • true: Skip the encryption password and export the output file in clear text.

  • false: Encrypt the output file with the encryption password.

[-help]

Optional. Displays usage options for this command.


The XML schema for an export file is located in the following file:

ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd

The following example shows some sample XML definitions of Oracle Privileged Account Manager elements.

Example A-3 Sample XML Definition of Oracle Privileged Account Manager Elements

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="My Usage Policy"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
    <passwordhistorydays value="30"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <description value="Accounts Database"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
</OPAMData>
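The export file is ordinary namespaced XML, so it can be inspected before it is stored or moved between instances. The following Python script is an added example, not part of Oracle's tooling: it parses an OPAMData document with the structure of Example A-3 (the sample document inside the script is constructed from that example), lists targets, accounts and grantees, flags credential attributes that carry a clear-text value (the target loginPassword shown above), and reports accounts that reference a target not defined in the same file. It reports attribute names only and never prints the secret values themselves. The namespace lookups use the xmlns value from the example; the set of attributes treated as credentials is an assumption of this script.

```python
"""Inspect an OPAMData export file before storing or importing it.

Added example, not Oracle's code. The sample document is constructed from the
structure of Example A-3. Elements live in the http://www.example.org/OPAMBulkTool
namespace, so every lookup has to be namespace-qualified.
"""
import xml.etree.ElementTree as ET

NS = {"o": "http://www.example.org/OPAMBulkTool"}

# Constructed sample export (same element shapes as Example A-3).
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool">
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="host" value="localhost"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
  <account>
    <name value="ORPHAN"/>
    <target name="MissingDB"/>
    <shared value="true"/>
  </account>
</OPAMData>
"""

# Target attributes assumed to hold credentials; a non-empty value here means
# the file carries a secret in clear text.
SECRET_ATTRIBUTES = {"loginPassword"}


def _attr(elem, path, attr):
    """Attribute of the first child matching path, or None if absent."""
    child = elem.find(path, NS)
    return None if child is None else child.get(attr)


def parse_export(xml_text):
    """Return {'targets': [...], 'accounts': [...]} from an OPAMData document."""
    root = ET.fromstring(xml_text)
    targets = []
    for t in root.findall("o:target", NS):
        attrs = {a.get("name"): a.get("value")
                 for a in t.findall("o:attributes/o:attributeName", NS)}
        targets.append({"name": _attr(t, "o:name", "value"),
                        "type": _attr(t, "o:type", "name"),
                        "attributes": attrs})
    accounts = []
    for a in root.findall("o:account", NS):
        accounts.append({"name": _attr(a, "o:name", "value"),
                         "target": _attr(a, "o:target", "name"),
                         "password_policy": _attr(a, "o:passwordpolicy", "name"),
                         "grantees": [u.get("name") for u in a.findall("o:grantee/o:user", NS)],
                         "shared": _attr(a, "o:shared", "value") == "true"})
    return {"targets": targets, "accounts": accounts}


def cleartext_secrets(parsed):
    """(target name, attribute name) pairs whose credential value is present."""
    return [(t["name"], name)
            for t in parsed["targets"]
            for name in sorted(SECRET_ATTRIBUTES)
            if t["attributes"].get(name)]


def unresolved_account_targets(parsed):
    """Names of accounts whose target is not defined in the same file."""
    known = {t["name"] for t in parsed["targets"]}
    return [a["name"] for a in parsed["accounts"] if a["target"] not in known]


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    for acct in data["accounts"]:
        print(f"account {acct['name']} on {acct['target']}: grantees={acct['grantees']}")
    for target, attr in cleartext_secrets(data):
        print(f"WARNING: target {target} stores {attr} in clear text")
    for name in unresolved_account_targets(data):
        print(f"WARNING: account {name} references a target missing from this file")
```

Point the script at a real export by reading the file into parse_export; a non-empty result from cleartext_secrets is the case the note above addresses with -encpassword, and a non-empty result from unresolved_account_targets is worth resolving before the file is handed to the import command.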

A.8.2 filedecryption Command

Use the filedecryption command to decrypt an encrypted Oracle Privileged Account Manager configuration file.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x filedecryption 
-f <encrypted file> -df <destination file> [-encpassword <decryption password>] <options>

Note:

This operation does not require any server connectivity when the -offline true option is provided.

The following table describes the options you can use with this command:

Option Description

-f <file with encrypted data>

Specify the encrypted Oracle Privileged Account Manager configuration file.

-df <file to write decrypted data>

Specify where to write the decrypted file.

[-encpassword <encryption/decryption password>]

Optional. Specify the password to use when decrypting the data.

[-enckeylen <Key length for encryption/decryption password>]

Optional. Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-log <log file location>]

Optional. Specify a file name and location for the log file.
(Defaults to opamlog_<timestamp>.txt)

[-offline <true/false>]

Specify whether the command can connect to the Oracle Privileged Account Manager server.

  • true: Command will not connect to the server.

  • false (default): Command will connect to the server.

[-help]

Optional. Displays usage options for this command.


For example, use the following command if you do not have server connectivity:

sh opam.sh -x filedecryption -f <encrypted file> -df <destination file> 
  -offline true

A.8.3 import Command

Use the import command to import data to Oracle Privileged Account Manager from an XML file. This option and the "export Command" are useful for performing the following operations:

  • Bulk operations, such as querying or loading large volumes of data

  • Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML

  • Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance

Note:

You must be an administrator with both the Security Administrator Admin Role and the User Manager Admin Role to use these commands.

If the account status is checked-in, users do not have to provide status when importing data to Oracle Privileged Account Manager.

You can create an import XML file from previously exported data or you can manually create the file. If you previously exported the XML file with an encryption password, then you must provide the same password for decryption during import.

In addition to object creation, you can also use the import command to update and delete objects. Refer to reference for more information.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x import <options>

The following table describes the options you can use with this command:

Option Description

-f <import file>

Specify an import file name.

[-encpassword <encryption password>]

Optional. Specify a password to use when decrypting account passwords from the exported file.

[-enckeylen <key length for password encryption>]

Optional. Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false (default): Enforces connection validation.

[-log <log file location>]

Optional. Specify a file name and location for the log file. (Defaults to opamlog_<timestamp>.txt)

[-noencrypt <true/false>]

Optional. Specify whether to decrypt the imported file. (Defaults to false)

  • true: Skip the encryption password. The system will import the file in clear text.

  • false: Use the encryption password to decrypt the import file, and then load the decrypted data into the system.

[-help]

Optional. Displays usage options for this command.


The XML schema for an import file is located in the following file:

ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd

The following examples show some sample XML definitions of Oracle Privileged Account Manager elements.

Example A-4 Data Creation

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="My Usage Policy"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
    <passwordhistorydays value="30"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <description value="Accounts Database"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
</OPAMData>

Example A-5 Data Modification: Modify An Account Password Policy

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <account operation="modify">
    <name value="account2"/>
    <target name="lockbox_target1"/>
    <passwordpolicy name="test-pass-policy"/>
    <shared value="true"/>
  </account>
</OPAMData>

Example A-6 Data Modification: Modify A Password Policy

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <passwordpolicy operation="modify">
    <name value="test policy"/>
    <status value="active"/>
    <description value="test"/>
    <globaldefault value="n"/>
    <changepassevery value="45-hours"/>
    <changepasscheckout value="n"/>
    <changepasscheckin value="n"/>
    <passwordlength max="20" min="5"/>
    <minalphabets value="0"/>
    <minnumeric value="0"/>
    <minalphanumeric value="0"/>
    <specialchars max="5" min="0"/>
    <repeatedchars max="10" min="0"/>
    <minuniquechars value="0"/>
    <minuppercasechars value="0"/>
    <minlowercasechars value="0"/>
    <startwithchar value="y"/>
    <requiredchars value="a,b,c,d,e"/>
    <allowedchars value="a,b,c,d,e,f,g,h"/>
    <disallowedchars value="z,-,x"/>
    <accountnameaspass value="y"/>
  </passwordpolicy>
</OPAMData>

Example A-7 Data Deletion: Delete a Target

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <target operation="delete">
    <type name="lockbox"/>
    <name value="lockbox_target1"/>
  </target>
</OPAMData>

Example A-8 Data Deletion: Delete an Account

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <account operation="delete">
    <name value="account3"/>
    <target name="lockbox_target1"/>
  </account>
  <account operation="delete">
    <name value="account4"/>
    <target name="lockbox_target1"/>
  </account>
</OPAMData>
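Because an import file with operation="modify" or operation="delete" changes or removes live objects, it is worth generating such files programmatically and reviewing the operation list before running the import command. The following Python script is an added example and not Oracle's code: it builds an OPAMData document with the element shapes of Examples A-5, A-7 and A-8 (the default namespace, xsi:schemaLocation, and the modify/delete account and delete target elements), then parses the result back into a list of (element, operation, name) tuples for review. That an element without an operation attribute creates the object follows from Example A-4; the object names used are the ones in the examples above, and whether further child elements are accepted is not something this script assumes.

```python
"""Generate and review an OPAMData import file for modify/delete operations.

Added example, not Oracle's code. Element shapes follow Examples A-5, A-7 and
A-8; an element with no operation attribute is treated as a creation, as in
Example A-4.
"""
import xml.etree.ElementTree as ET

OPAM_NS = "http://www.example.org/OPAMBulkTool"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'


def _q(tag):
    """Clark-notation name for an element in the OPAMBulkTool namespace."""
    return f"{{{OPAM_NS}}}{tag}"


def new_document():
    """Root element with the default namespace and schemaLocation of the examples."""
    ET.register_namespace("", OPAM_NS)
    ET.register_namespace("xsi", XSI_NS)
    root = ET.Element(_q("OPAMData"))
    root.set(f"{{{XSI_NS}}}schemaLocation", f"{OPAM_NS} OPAMBulkTool.xsd")
    return root


def add_account_modify(root, name, target, password_policy=None, shared=None):
    """Account modification as in Example A-5; only given fields are emitted."""
    acct = ET.SubElement(root, _q("account"), operation="modify")
    ET.SubElement(acct, _q("name"), value=name)
    ET.SubElement(acct, _q("target"), name=target)
    if password_policy is not None:
        ET.SubElement(acct, _q("passwordpolicy"), name=password_policy)
    if shared is not None:
        ET.SubElement(acct, _q("shared"), value="true" if shared else "false")
    return acct


def add_account_delete(root, name, target):
    """Account deletion as in Example A-8."""
    acct = ET.SubElement(root, _q("account"), operation="delete")
    ET.SubElement(acct, _q("name"), value=name)
    ET.SubElement(acct, _q("target"), name=target)
    return acct


def add_target_delete(root, type_name, name):
    """Target deletion as in Example A-7."""
    tgt = ET.SubElement(root, _q("target"), operation="delete")
    ET.SubElement(tgt, _q("type"), name=type_name)
    ET.SubElement(tgt, _q("name"), value=name)
    return tgt


def to_xml(root):
    """Serialise with the XML declaration used by the examples."""
    return XML_DECL + ET.tostring(root, encoding="unicode")


def operations(xml_text):
    """List (element, operation, name) for every top-level object in an import file."""
    root = ET.fromstring(xml_text)
    out = []
    for child in root:
        tag = child.tag.split("}")[-1]
        name_elem = child.find(_q("name"))
        name = None if name_elem is None else name_elem.get("value")
        out.append((tag, child.get("operation", "create"), name))
    return out


def destructive_operations(xml_text):
    """Only the delete entries, for a final look before running import."""
    return [op for op in operations(xml_text) if op[1] == "delete"]


if __name__ == "__main__":
    doc = new_document()
    add_account_modify(doc, "account2", "lockbox_target1",
                       password_policy="test-pass-policy", shared=True)
    add_account_delete(doc, "account3", "lockbox_target1")
    add_target_delete(doc, "lockbox", "lockbox_target1")
    text = to_xml(doc)
    print(text)
    for entry in destructive_operations(text):
        print("DELETE:", entry)
```

Write the string returned by to_xml to the file you pass with -f; the operations list is the thing to check against the change ticket before the import runs, because a delete of a target in one import file and a modify of an account on that target in the same file is exactly the kind of ordering problem a review catches early.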