IBM Security Privileged Identity Manager, Version 2.0.2

#Credentials_v2 type identifier column headers

A shared access comma-separated value (CSV) file can include #Credentials_v2 type identifier column headers. It is suggested that you use the #Credentials_v2 type identifier instead of the #Credentials type identifier in your CSV files. The #Credentials type identifier is deprecated and is provided for users with existing CSV files from a previous release.

The following list describes the #Credentials_v2 type identifier column headers that you can use in the CSV file.
Table 1. #Credentials_v2 column headers. Each entry gives the attribute for the column header, its description, and whether the column is required.
ACCOUNT_UID Specifies the user ID that is associated with the credential. Required.
ORG_URI Specifies the organizational container under which the credential must be created. The organizational container might be, for example, an admin domain, an organizational unit, or a location. If ORG_URI is not specified but ORG_PDN is, IBM® Security Privileged Identity Manager uses the ORG_PDN value. If neither attribute is provided, or if the ORG_URI or ORG_PDN value is incorrect, the entry is invalid.

This attribute is the Uniform Resource Identifier (URI) of the container. You can expose this field by adding the eruri attribute to the container form template when you design forms.

Required. You must specify either ORG_URI or ORG_PDN when you create a credential. Both attributes are optional when you update the credential.

ORG_PDN Specifies the organization pseudo DN of the container under which the credential must be created. A pseudo DN is not necessarily unique: it can match multiple organizational containers. In that case, IBM Security Privileged Identity Manager uses the first matching organizational container as the container under which the credential is created.

The following pseudo BNF notation represents the syntax for ORG_PDN:

orgDn ::= orgRdn | orgRdn "," orgDn
orgRdn ::= orgAttr '=' value
orgAttr ::= string (Must be a valid attribute name of the organizational container.)
value ::= string

For example:

ou=Valerie Workspace

where ou=<admin domain name>

Because a pseudo DN with more than one component contains commas, enclose the value in double quotation marks in the CSV file, for example "ou=Finance,o=Organization".

Required. You must specify either ORG_URI or ORG_PDN when you create a credential. Both attributes are optional when you update the credential.

RESET_PASSWORD Specifies whether the password must be reset after adding the credential to the vault. The valid values are TRUE and FALSE. The default value is FALSE. Optional.
PASSWORD Specifies the password of the credential. If the credential already exists and the specified password is different from the password that is stored in the vault, the credential password in the vault will be updated. Optional.
DESCRIPTION Provides a brief description about the credential that is added to the credential vault. Optional.
USE_DEFAULT_SETTINGS Specifies whether to apply the global default settings to the credentials. The valid values are TRUE and FALSE. If this setting is TRUE, then the other credential settings columns are ignored.
Note: If this column is not specified, the value is set as follows:
  • If none of the credential setting columns (ACCESS_MODE, PASSWORD_VIEWABLE, MAX_CHECKOUT_DURATION, ENABLE_CHECKOUT_SEARCH, RESET_PASSWORD_ON_CHECKIN) are specified, the USE_DEFAULT_SETTINGS value is set to TRUE.
  • If at least one of the credential setting columns is specified, the credential will not use global default settings; the USE_DEFAULT_SETTINGS value is set to FALSE.
Optional.
ACCESS_MODE Specifies the access mode of the credentials. You can use the following valid values:
  • 0 indicates exclusive permissions. (Requires checkout and checkin.)
  • 1 indicates nonexclusive permissions. (Does not require checkout and checkin.)
  • 2 indicates nonshared credentials. (Credential is not shared.)
If you do not specify a value, then the default value is 0 (exclusive).
Optional.
PASSWORD_VIEWABLE Specifies whether to display the credential password to users on the self-service user interface. The default value is TRUE. Optional.
MAX_CHECKOUT_DURATION Specifies how long a credential can be checked out. Specify the time in weeks, days, or hours by adding the suffix, as described in the following examples:
  • 8 w indicates eight weeks.
  • 8 d indicates eight days.
  • 8 h indicates eight hours.

If you do not specify a value, then the default time duration is 8 h.

Optional.
ENABLE_CHECKOUT_SEARCH Specifies whether the checkout search is enabled for the credential on the self-service user interface. The default value is TRUE, which indicates that the checkout search is enabled for the credentials on the self-service user interface. To disable the checkout search for credentials, specify FALSE. Optional.
RESET_PASSWORD_ON_CHECKIN Specifies whether the password must be reset on the self-service user interface after you check in a credential. You must specify this attribute if the access mode value is 0. The default value is TRUE, which indicates that the password is reset on the self-service user interface after you check in a credential. If you do not want the password to be reset after you check in a credential, specify FALSE. This value is valid only for a credential that you are connecting to an account. Optional.
RESOURCE_UID Uniquely identifies the resource for which you are adding credentials to the vault, that is, the repository on which this user ID is hosted. For example, the unique identifier might be the IP address or the URL of a host or application.

Required if CONNECT_SERVICE_PDN is not specified. You must specify at least one of RESOURCE_UID and CONNECT_SERVICE_PDN.

CONNECT_SERVICE_PDN Required only when you are adding a credential from an account or connecting a credential to an account. Specifies the service distinguished name (DN) that uniquely identifies a service, or a service pseudo DN, for the account to which you are connecting the credential. If multiple accounts are found for the specified CONNECT_SERVICE_PDN, or if no account is found, the entry fails and an error message is logged. If you specify a blank value for this column, the resource aliases are cleared.

The following pseudo Backus-Naur Form (BNF) notation represents the syntax for CONNECT_SERVICE_PDN:

servicePDN ::= serviceAttr '=' value ',' orgDn
orgDn ::= orgRdn | orgRdn "," orgDn
orgRdn ::= orgAttr '=' value
serviceAttr ::= string (Must be a valid attribute name of the service.)
orgAttr ::= string (Must be a valid attribute name of the organizational container.)
value ::= string

For example:

erservicename=winlocalService,ou=Valerie Workspace

where <idp attribute>=<value>,ou=<admin domain name>

Because the value always contains at least one comma, enclose it in double quotation marks in the CSV file, for example "erservicename=winlocalService,ou=Valerie Workspace"; otherwise the CSV parser splits the value across several columns.

Optional.
DISCONNECT Specifies whether to disconnect the credential from the account. Specify TRUE if you want to disconnect the credential from the account or FALSE if you do not want to disconnect.

When a credential is disconnected from the associated account:

  • Users can still check out the credential, but the system cannot reset the password when the credential is checked back in.
  • The account password is not synchronized to the credential vault when the account password is changed.
Optional.
CREDENTIAL_TAG

Specifies the credential tags. You can specify multiple tags in the following format: tag1|tag2|tag3

This attribute is used to group credentials into a pool. If the credential tags match the rule definition of a pool that resides on the same resource, the credential is resolved as a member of the pool.

Optional.
PASSWORD_ROTATION_INTERVAL Specifies the number of days after which IBM Security Privileged Identity Manager resets the password. The value must be an integer, for example 5. This parameter applies only when the credential is connected to an identity provider. Optional.

First example

The following sample CSV file contains information about the credentials to be added or updated in the credential vault:

#Credentials_v2
ACCOUNT_UID,ORG_PDN,PASSWORD,RESOURCE_UID,RESOURCE_NAME
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service

In this example, the credential (user ID vicgreen, password not_secret) is added to the credential vault. The RESOURCE_UID is a URL, vic.example.com. The ORG_PDN value is enclosed in double quotation marks because it contains a comma. No credential settings columns are specified, so the global credential settings are used. Other than the password and the resource name, only the required attributes are specified.

The shared access CSV file lists the column headers in a default sequence. You can change the sequence of these column headers according to your requirements. However, do not change the name of these column headers.

Second example

In this example, the user specifies only the required fields and the fields whose values differ from the defaults. The credential (user ID vicgreen, password not_secret) is added to the vault with PASSWORD_VIEWABLE set to FALSE, so the password is not viewable. Because at least one credential settings column is specified, the credential does not use the global default settings; the other settings take their documented defaults. That is, the access mode is exclusive (checkout is required), the maximum checkout duration is 8 hours, and checkout search is enabled.

Third example

#Credentials_v2
ACCOUNT_UID,ORG_PDN,PASSWORD,RESOURCE_UID,RESOURCE_NAME,CREDENTIAL_TAG,CONNECT_SERVICE_PDN,PASSWORD_ROTATION_INTERVAL
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service,Vic_Linux|VicGreen_Linux,"description=winlocalService,l=San Francisco,ou=Admin,o=ibm",5

Note: Specify all of the data for a credential on one line in your CSV file, and enclose the CONNECT_SERVICE_PDN value in double quotation marks because it contains commas. Without the quotation marks the CSV parser splits the pseudo DN across several columns and the row no longer matches the header.

In this example, credential vicgreen is added from the account on the winlocalService service that the service pseudo DN description=winlocalService,l=San Francisco,ou=Admin,o=ibm identifies. The credential is tagged Vic_Linux and VicGreen_Linux, so it can resolve as a member of a credential pool on the same resource whose rule matches those tags, and its password is rotated every 5 days.
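The rules in Table 1 (the required and either-or columns, the value syntax, and the way USE_DEFAULT_SETTINGS is inferred from the other settings columns) and the three examples above are easy to get wrong by hand, so a pre-import check is worth having. The following linter is an added example written for this page, not code from IBM Security Privileged Identity Manager, and it only models what the table states; the product may enforce more. The sample file it embeds is constructed: the first and third example rows as given above, a row reconstructed from the second example's description (PASSWORD_VIEWABLE=FALSE), and a deliberately malformed fourth row whose CONNECT_SERVICE_PDN is not quoted. RESOURCE_NAME is accepted as a column because the page's sample files use it, although Table 1 does not describe it.

```python
# Pre-import linter for an IBM Security Privileged Identity Manager #Credentials_v2 CSV
# (added example for this page, not IBM code; models only the rules stated in Table 1).
import csv
import re

# Headers described in Table 1, plus RESOURCE_NAME, which the page's sample files use.
KNOWN_COLUMNS = {"ACCOUNT_UID", "ORG_URI", "ORG_PDN", "RESET_PASSWORD", "PASSWORD",
                 "DESCRIPTION", "USE_DEFAULT_SETTINGS", "ACCESS_MODE", "PASSWORD_VIEWABLE",
                 "MAX_CHECKOUT_DURATION", "ENABLE_CHECKOUT_SEARCH", "RESET_PASSWORD_ON_CHECKIN",
                 "RESOURCE_UID", "CONNECT_SERVICE_PDN", "DISCONNECT", "CREDENTIAL_TAG",
                 "PASSWORD_ROTATION_INTERVAL", "RESOURCE_NAME"}
BOOL_COLUMNS = {"RESET_PASSWORD", "USE_DEFAULT_SETTINGS", "PASSWORD_VIEWABLE",
                "ENABLE_CHECKOUT_SEARCH", "RESET_PASSWORD_ON_CHECKIN", "DISCONNECT"}
# The five credential settings with the per-column defaults the table documents.
SETTING_DEFAULTS = {"ACCESS_MODE": "0", "PASSWORD_VIEWABLE": "TRUE", "MAX_CHECKOUT_DURATION": "8 h",
                    "ENABLE_CHECKOUT_SEARCH": "TRUE", "RESET_PASSWORD_ON_CHECKIN": "TRUE"}
DURATION = re.compile(r"^[0-9]+ ?[wdh]$")        # "8 w", "8 d", "8 h"
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")   # one attr=value component of a pseudo DN

def pdn_ok(pdn):
    """A pseudo DN is a comma-separated list of attr=value components (values without commas)."""
    return all(RDN.match(part.strip()) for part in pdn.split(","))

def check_row(row):
    """Rule violations for one row, read as a credential that is being created."""
    msgs = []
    if "ACCOUNT_UID" not in row:
        msgs.append("ACCOUNT_UID is required")
    if not ({"ORG_URI", "ORG_PDN"} & row.keys()):
        msgs.append("either ORG_URI or ORG_PDN is required")
    if not ({"RESOURCE_UID", "CONNECT_SERVICE_PDN"} & row.keys()):
        msgs.append("either RESOURCE_UID or CONNECT_SERVICE_PDN is required")
    for col in ("ORG_PDN", "CONNECT_SERVICE_PDN"):
        if col in row and not pdn_ok(row[col]):
            msgs.append("%s is not attr=value[,attr=value...]: %r" % (col, row[col]))
    for col in sorted(BOOL_COLUMNS & row.keys()):
        if row[col].upper() not in ("TRUE", "FALSE"):
            msgs.append("%s must be TRUE or FALSE, got %r" % (col, row[col]))
    if row.get("ACCESS_MODE", "0") not in ("0", "1", "2"):
        msgs.append("ACCESS_MODE must be 0, 1 or 2, got %r" % row["ACCESS_MODE"])
    if not DURATION.match(row.get("MAX_CHECKOUT_DURATION", "8 h")):
        msgs.append("MAX_CHECKOUT_DURATION must be <n> w|d|h, got %r" % row["MAX_CHECKOUT_DURATION"])
    if not row.get("PASSWORD_ROTATION_INTERVAL", "0").isdigit():
        msgs.append("PASSWORD_ROTATION_INTERVAL must be an integer number of days")
    # Both of these take effect only for a credential that is connected to an account.
    for col in ("PASSWORD_ROTATION_INTERVAL", "RESET_PASSWORD_ON_CHECKIN"):
        if col in row and "CONNECT_SERVICE_PDN" not in row:
            msgs.append("%s has no effect without CONNECT_SERVICE_PDN" % col)
    return msgs

def effective_settings(row):
    """Resolve USE_DEFAULT_SETTINGS: None means the global default settings apply and
    every setting column is ignored; otherwise the five settings, with the documented
    default filled in for each column the row left out."""
    explicit = row.get("USE_DEFAULT_SETTINGS", "").upper()
    if explicit:
        use_global = explicit == "TRUE"
    else:  # column absent: global defaults unless at least one setting column is present
        use_global = not (SETTING_DEFAULTS.keys() & row.keys())
    if use_global:
        return None
    return {col: row.get(col, default) for col, default in SETTING_DEFAULTS.items()}

def parse_credentials_v2(text):
    """Parse a #Credentials_v2 file into (rows, problems); rows hold non-empty cells only,
    problems are 'line N: message' strings, so an empty list means the file is clean."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#Credentials_v2":
        return [], ["line 1: first line must be the #Credentials_v2 type identifier"]
    reader = csv.reader(lines[1:])
    header = [h.strip() for h in next(reader, [])]
    problems = ["line 2: unknown column header %r" % h for h in header if h not in KNOWN_COLUMNS]
    rows = []
    for cells in reader:
        lineno = reader.line_num + 1                # +1 for the type identifier line
        if not cells:
            continue
        if len(cells) != len(header):
            # An unquoted pseudo DN that contains commas spills into extra columns.
            problems.append("line %d: %d fields for %d columns (quote values that contain commas)"
                            % (lineno, len(cells), len(header)))
            continue
        row = {h: c.strip() for h, c in zip(header, cells) if c.strip()}
        problems.extend("line %d: %s" % (lineno, m) for m in check_row(row))
        rows.append(row)
    return rows, problems

# Constructed sample: the page's first and third examples, a row reconstructed from the
# second example's description, and a malformed row whose CONNECT_SERVICE_PDN is unquoted.
SAMPLE = """#Credentials_v2
ACCOUNT_UID,ORG_PDN,PASSWORD,RESOURCE_UID,RESOURCE_NAME,PASSWORD_VIEWABLE,CREDENTIAL_TAG,CONNECT_SERVICE_PDN,PASSWORD_ROTATION_INTERVAL
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service,,,,
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,,FALSE,,,
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service,,Vic_Linux|VicGreen_Linux,"erservicename=winlocalService,l=San Francisco,ou=Admin,o=ibm",5
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,,,,erservicename=winlocalService,ou=Admin,5
"""

if __name__ == "__main__":
    rows, problems = parse_credentials_v2(SAMPLE)
    for row in rows:
        print(row["ACCOUNT_UID"], "settings:", effective_settings(row) or "global defaults")
    print("\n".join(problems) or "no problems")
```

Run against the sample, the first and third rows resolve to the global default settings, the second row resolves to PASSWORD_VIEWABLE FALSE with the documented defaults for the other four settings, and the fourth row is rejected with a field-count error that points at the unquoted pseudo DN. The linter treats every row as a create, so it reports a missing ORG_URI/ORG_PDN even for an update row, where those columns are optional.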


