000036962 - Moving users across security domains using RSA Authentication Manager Bulk Administration (AMBA)

Document created by RSA Customer Support Employee on Dec 20, 2018Last modified by RSA Customer Support Employee on Dec 21, 2018
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000036962
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Bulk Administration (AMBA)
IssueAn administrator has a requirement to move user IDs in bulk between domains in the Authentication Manager database.
ResolutionThe action that will be used is change the user security domain (CUSD).  From page 63 of the RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide:

Change User/Token Security Domain



This command can be used to move a user and/or tokens to a new security domain.  The command can move all users or individual users by default login.  Optionally, all tokens, assigned token or no tokens can be moved to the new security domain.
 


ActionCUSD
Required FieldsDefLogin, DestinationSecurityDomain
Optional FieldsMiscVariable, IndetitySource, SecurityDomain, SubDomain, Limit

If Security Domain and Identity Source are not provided, then the default identity source (Internal Database) and the default security domain (System Domain) will be used.

DefLogin:
If DefLogin contains an entry, that specific user account will be moved.  If Deflogin contains the value "<all>" (without the quotes) all user accounts will be moved to the DestinationSecurityDomain.  Case is not significant for <all>.

DestinationSecurityDomain:
This variable is used to declare the security domain to move the user account to and it must already exist in the Authentication Manager database.



Processing the AMBA text file



  1. Prepare the .csv or .txt, adding the columns with headers of the defined functions fields listed in the RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide.
  2. Logon with the rsaadmin account and enter the rsaadmin password when prompted
  3. Copy the file to the Authentication Manager directory.
  4. Run the file using the command used in the /opt/rsa/am/utils directory:


./rsautil AMBulkAdmin -i <filename>.csv -a [superadmin] -P ‘[password]’


The command shown here changes the users domain from SystemDomain to new domain created from the Security Console.



Change the security domain  to a new security domain


There is an optional field called SecurityDomain that has a default value of SystemDomain.  Because that is the default value for the field, so in this case you do not need to include it when moving users from SystemDomain to another security domain.

The syntax is:



action,DefLogin,DestinationSecurityDomain
CUSD,<userid>,<newdomain>

For example, 


rsaadmin@alaa:/tmp> cat text.csv
cif,action,Deflogin,DestinationSecurityDomain
CUSD,rbauser,newsubdomain
CUSD,restrict,newsubdomain


After running the AMBulkAdmin utility, the security domain shown in the Security Console has changed to newsubdomain:
 


User-added image



Change the security domain to the SystemDomain


This example changes the users domain back to the SystemDomain, which is the default domain.

The value of the current domain must be specified in the .txt or .csv file, as the default value of this header will be SystemDomain.
If the value is not specified, the function will not work because the system will read the file as moving the users from SystemDomain to SystemDomain.  

The function will be:



action,DefLogin,DestinationSecurityDomain,SecurityDomain
CUSD,<userid>,SystemDomain,<currentdomain>

For example, 


rsaadmin@alaa:/tmp> cat text.csv
action,Deflogin,DestinationSecurityDomain,SecurityDomain
CUSD,rbauser,SystemDomain,newsubdomain
CUSD,restrict,SystemDomain,newsubdomain

As shown here, the security domain has changed from newsubdomain back to SystemDomain:

User-added image 
NotesTo move the token and user to a different security domain add the field MiscVariable to the function, as defined below:
 
MiscVariable
This option is used to control weather or not tokens will be moved.
The possible values for MiscVariable are:
IfDefLogin contains a userID:
0 - Move tokens assigned to specific user
1 - Do not move any tokens assigned to the specific user.

Attachments

    Outcomes