An administrator has a requirement to move user IDs in bulk between domains in the Authentication Manager database.
The action used is Change User Security Domain (CUSD). From page 63 of the RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide:
Change User/Token Security Domain
This command can be used to move a user and/or tokens to a new security domain. The command can move all users, or individual users identified by default login. Optionally, all tokens, only assigned tokens, or no tokens can be moved to the new security domain.
Action | CUSD
Required Fields | DefLogin, DestinationSecurityDomain
Optional Fields | MiscVariable, IdentitySource, SecurityDomain, SubDomain, Limit
If Security Domain and Identity Source are not provided, then the default identity source (Internal Database) and the default security domain (System Domain) will be used.
DefLogin:
If DefLogin contains an entry, that specific user account will be moved. If DefLogin contains the value "<all>" (without the quotes), all user accounts will be moved to the DestinationSecurityDomain. Case is not significant for <all>.
DestinationSecurityDomain:
This variable is used to declare the security domain to move the user account to and it must already exist in the Authentication Manager database.
Processing the AMBA text file
- Prepare the .csv or .txt file, adding columns whose headers are the field names defined for the action in the RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide.
- Log on with the rsaadmin account and enter the rsaadmin password when prompted.
- Copy the file to the Authentication Manager directory.
- Run the utility from the /opt/rsa/am/utils directory:
./rsautil AMBulkAdmin -i <filename>.csv -a [superadmin] -P '[password]'
The command shown here changes the users' domain from SystemDomain to a new domain created in the Security Console.
Change the security domain to a new security domain
There is an optional field called SecurityDomain whose default value is SystemDomain. Because that is the default, you do not need to include the field when moving users from SystemDomain to another security domain.
The syntax is:
action,DefLogin,DestinationSecurityDomain
CUSD,<userid>,<newdomain>
For example,
rsaadmin@alaa:/tmp> cat text.csv
action,Deflogin,DestinationSecurityDomain
CUSD,rbauser,newsubdomain
CUSD,restrict,newsubdomain
After running the AMBulkAdmin utility, the security domain shown in the Security Console has changed to newsubdomain:
Change the security domain to the SystemDomain
This example changes the users' domain back to SystemDomain, which is the default domain.
The user's current security domain must be specified in the SecurityDomain column of the .txt or .csv file, because the default value of that field is SystemDomain.
If the value is not specified, the function will not work, because the utility reads the row as moving the users from SystemDomain to SystemDomain.
The syntax is:
action,DefLogin,DestinationSecurityDomain,SecurityDomain
CUSD,<userid>,SystemDomain,<currentdomain>
For example,
rsaadmin@alaa:/tmp> cat text.csv
action,Deflogin,DestinationSecurityDomain,SecurityDomain
CUSD,rbauser,SystemDomain,newsubdomain
CUSD,restrict,SystemDomain,newsubdomain
As shown here, the security domain has changed from newsubdomain back to SystemDomain:
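As an added pre-flight check (example code, not part of this article or of the AMBA utility), the following Python linter validates a CUSD file against the field rules above before it is handed to AMBulkAdmin, and flags the SystemDomain-to-SystemDomain no-op described in the second example. It assumes header names are matched case-insensitively (the page writes both "DefLogin" and "Deflogin"); the sample files are constructed.

```python
import csv
import io

# Field names from the CUSD action description on this page.
REQUIRED_FIELDS = ("DefLogin", "DestinationSecurityDomain")
OPTIONAL_FIELDS = ("MiscVariable", "IdentitySource", "SecurityDomain", "SubDomain", "Limit")
DEFAULT_SECURITY_DOMAIN = "SystemDomain"  # applied when the SecurityDomain column is absent


def lint_cusd_csv(text: str) -> list[str]:
    """Return problems found in an AMBA CUSD file (empty list = clean). The key check is the
    pitfall described above: destination SystemDomain with no SecurityDomain column is read as
    SystemDomain -> SystemDomain and does nothing."""
    problems: list[str] = []
    reader = csv.DictReader(io.StringIO(text))
    # Assumption: header names are matched case-insensitively, so map lower-cased names
    # back to the header as written in the file.
    fields = {name.strip().lower(): name for name in (reader.fieldnames or [])}
    known = {f.lower() for f in REQUIRED_FIELDS + OPTIONAL_FIELDS + ("action",)}
    if "action" not in fields:
        problems.append("header: missing 'action' column")
    problems += [f"header: missing required column {f}" for f in REQUIRED_FIELDS if f.lower() not in fields]
    problems += [f"header: unknown column {fields[c]!r}" for c in sorted(set(fields) - known)]
    if problems:
        return problems  # row checks are meaningless without a valid header

    for lineno, row in enumerate(reader, start=2):
        def get(key: str) -> str:
            name = fields.get(key.lower())
            return (row.get(name) or "").strip() if name else ""

        if get("action").upper() != "CUSD":
            problems.append(f"line {lineno}: action is {get('action')!r}, expected CUSD")
        login, dest = get("DefLogin"), get("DestinationSecurityDomain")
        if not login or not dest:
            problems.append(f"line {lineno}: DefLogin and DestinationSecurityDomain must both be set")
            continue
        source = get("SecurityDomain") or DEFAULT_SECURITY_DOMAIN
        if source.lower() == dest.lower():
            problems.append(f"line {lineno}: source {source} equals destination {dest}; "
                            "set SecurityDomain to the user's current domain")
        misc = get("MiscVariable")
        if misc and login.lower() != "<all>" and misc not in ("0", "1"):
            problems.append(f"line {lineno}: MiscVariable must be 0 or 1 for a single DefLogin")
    return problems


# Constructed sample files mirroring the two examples above.
TO_NEW_DOMAIN = "action,Deflogin,DestinationSecurityDomain\nCUSD,rbauser,newsubdomain\nCUSD,restrict,newsubdomain\n"
BACK_NO_SOURCE = "action,Deflogin,DestinationSecurityDomain\nCUSD,rbauser,SystemDomain\n"
BACK_WITH_SOURCE = "action,Deflogin,DestinationSecurityDomain,SecurityDomain\nCUSD,rbauser,SystemDomain,newsubdomain\n"
```

Run it over the file you intend to submit; an empty result means the header and every row pass the checks, and BACK_NO_SOURCE shows the message you get when the SecurityDomain column is forgotten.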
To move both the user and the user's tokens to a different security domain, add the MiscVariable field to the function, as defined below:
MiscVariable
This option is used to control whether or not tokens will be moved.
The possible values for MiscVariable are:
If DefLogin contains a user ID:
0 - Move tokens assigned to the specific user.
1 - Do not move any tokens assigned to the specific user.