Moving users across security domains using RSA Authentication Manager Bulk Administration (AMBA)
Originally Published: 2018-11-17
Article Number
Applies To
RSA Product/Service Type: Authentication Manager Bulk Administration (AMBA)
Issue
Resolution
Change User/Token Security Domain
This command can be used to move a user and/or tokens to a new security domain. The command can move all users or individual users by default login. Optionally, all tokens, assigned token or no tokens can be moved to the new security domain.
| Action | CUSD |
| Required Fields | DefLogin, DestinationSecurityDomain |
| Optional Fields | MiscVariable, IndetitySource, SecurityDomain, SubDomain, Limit |
DefLogin:
If DefLogin contains an entry, that specific user account will be moved. If Deflogin contains the value "<all>" (without the quotes) all user accounts will be moved to the DestinationSecurityDomain. Case is not significant for <all>.
DestinationSecurityDomain:
This variable is used to declare the security domain to move the user account to and it must already exist in the Authentication Manager database.
Processing the AMBA text file
- Prepare the .csv or .txt, adding the columns with headers of the defined functions fields listed in the RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide.
- Logon with the rsaadmin account and enter the rsaadmin password when prompted
- Copy the file to the Authentication Manager directory.
- Run the file using the command used in the /opt/rsa/am/utils directory:
./rsautil AMBulkAdmin -i <filename>.csv -a [superadmin] -P ‘[password]’
The command shown here changes the users domain from SystemDomain to new domain created from the Security Console.
Change the security domain to a new security domain
There is an optional field called SecurityDomain that has a default value of SystemDomain. Because that is the default value for the field, so in this case you do not need to include it when moving users from SystemDomain to another security domain.The syntax is:
action,DefLogin,DestinationSecurityDomain
CUSD,<userid>,<newdomain>
For example,
rsaadmin@alaa:/tmp> cat text.csv
cif,action,Deflogin,DestinationSecurityDomain
CUSD,rbauser,newsubdomain
CUSD,restrict,newsubdomain
After running the AMBulkAdmin utility, the security domain shown in the Security Console has changed to newsubdomain:
Change the security domain to the SystemDomain
This example changes the users domain back to the SystemDomain, which is the default domain.The value of the current domain must be specified in the .txt or .csv file, as the default value of this header will be SystemDomain.
If the value is not specified, the function will not work because the system will read the file as moving the users from SystemDomain to SystemDomain.
The function will be:
action,DefLogin,DestinationSecurityDomain,SecurityDomain
CUSD,<userid>,SystemDomain,<currentdomain>
For example,
rsaadmin@alaa:/tmp> cat text.csv
action,Deflogin,DestinationSecurityDomain,SecurityDomain
CUSD,rbauser,SystemDomain,newsubdomain
CUSD,restrict,SystemDomain,newsubdomain
As shown here, the security domain has changed from newsubdomain back to SystemDomain:
Notes
MiscVariable
This option is used to control weather or not tokens will be moved.
The possible values for MiscVariable are:
IfDefLogin contains a userID:
0 - Move tokens assigned to specific user
1 - Do not move any tokens assigned to the specific user.
This option is used to control weather or not tokens will be moved.
The possible values for MiscVariable are:
IfDefLogin contains a userID:
0 - Move tokens assigned to specific user
1 - Do not move any tokens assigned to the specific user.
