#Credentials_v2 type identifier column headers
A shared access comma-separated value (CSV) file can include #Credentials_v2 type identifier column headers. It is suggested that you use the #Credentials_v2 type identifier instead of the #Credentials type identifier in your CSV files. The #Credentials type identifier is deprecated and is provided for users with existing CSV files from a previous release.
Attribute for column header | Description | Required |
---|---|---|
ACCOUNT_UID | Specifies the user ID that is associated with the credential. | Required. |
ORG_URI | Specifies the organizational container under which the credential must be created. The organizational container might be, for example, an admin domain, an organizational unit, or a location. If the ORG_URI value is not specified but the ORG_PDN value is provided, then IBM® Security Privileged Identity Manager uses the ORG_PDN attribute value. If neither attribute is provided, or if the ORG_URI or ORG_PDN value is incorrect, then the entry is invalid. This attribute specifies the Uniform Resource Identifier. You can add this field by adding the eruri attribute to the container form template when you design forms. | Required. You must specify either ORG_URI or ORG_PDN when you create a credential. Specifying these attributes is optional when you update the credential. |
ORG_PDN | An organization pseudo DN can be associated with multiple organizational containers. In this case, IBM Security Privileged Identity Manager considers the first organizational container as the container under which the credential must be created. The following pseudo BNF notation represents the syntax for ORG_PDN: For example: where `ou=<admin domain name>` | Required. You must specify either ORG_URI or ORG_PDN when you create a credential. Specifying these attributes is optional when you update the credential. |
RESET_PASSWORD | Specifies whether the password must be reset after the credential is added to the vault. The valid values are TRUE and FALSE. The default value is FALSE. | Optional. |
PASSWORD | Specifies the password of the credential. If the credential already exists and the specified password differs from the password that is stored in the vault, the credential password in the vault is updated. | Optional. |
DESCRIPTION | Provides a brief description of the credential that is added to the credential vault. | Optional. |
USE_DEFAULT_SETTINGS | Specifies whether to apply the global default settings to the credentials. The valid values are TRUE and FALSE. If this setting is TRUE, then the other credential settings columns are ignored. Note: If this column is not specified, the value is set as follows: | Optional. |
ACCESS_MODE | Specifies the access mode of the credentials. You can use the following valid values: | Optional. |
PASSWORD_VIEWABLE | Specifies whether to display the credential password to users on the self-service user interface. The default value is TRUE. | Optional. |
MAX_CHECKOUT_DURATION | Specifies how long a credential can be checked out. Specify the time in weeks, days, or hours by adding the suffix, as described in the following examples: If you do not specify a value, then the default time duration is 8 h. | Optional. |
ENABLE_CHECKOUT_SEARCH | Specifies whether the checkout search is enabled for the credential on the self-service user interface. The default value is TRUE, which indicates that the checkout search is enabled for the credentials on the self-service user interface. To disable the checkout search for credentials, specify FALSE. | Optional. |
RESET_PASSWORD_ON_CHECKIN | Specifies whether the password must be reset on the self-service user interface after you check in a credential. You must specify this attribute if the access mode value is 0. The default value is TRUE, which indicates that the password is reset on the self-service user interface after you check in a credential. If you do not want the password to be reset after you check in a credential, specify FALSE. This value is valid only for a credential that you are connecting to an account. | Optional. |
RESOURCE_UID | Uniquely identifies the resource for which you are adding credentials to the vault, that is, the repository on which this user ID is hosted. For example, the unique identifier might be the IP address or the URL of a host or application. RESOURCE_UID is required if CONNECT_SERVICE_PDN is not specified. You must specify at least one of these two columns. | Required. RESOURCE_UID is required if CONNECT_SERVICE_PDN is not specified. |
CONNECT_SERVICE_PDN | Required only when you are adding a credential from an account or connecting a credential to an account. Specifies the service distinguished name (DN) that uniquely identifies a service, or a service pseudo DN, for the account to which you are connecting the credential. If multiple accounts are found for the specified CONNECT_SERVICE_PDN, or if no accounts are found for it, the entry fails and an error message is logged. If you specify a blank value for this column, the resource aliases are cleared. The following pseudo Backus-Naur Form (BNF) notation represents the syntax for CONNECT_SERVICE_PDN: For example: where `<idp attribute>=<value>,ou=<admin domain name>` | Optional. |
DISCONNECT | Specifies whether to disconnect the credential from the account. Specify TRUE to disconnect the credential from the account, or FALSE to leave it connected. When a credential is disconnected from the associated account: | Optional. |
CREDENTIAL_TAG | Specifies the credential tags. You can specify multiple tags in the following format: `tag1\|tag2\|tag3`. This attribute is used to group credentials into a pool. If the credential tags match the rule definition of a pool that resides on the same resource, the credential is resolved as a member of the pool. | Optional. |
PASSWORD_ROTATION_INTERVAL | Specifies the number of days before IBM Security Privileged Identity Manager resets the password. The value must be an integer. This parameter applies only when the credential is connected to an identity provider. For example: 5. | Optional. |
First example
The following sample CSV file contains information about the credentials to be added or updated in the credential vault:
```csv
#Credentials_v2
ACCOUNT_UID,ORG_PDN,PASSWORD,RESOURCE_UID,RESOURCE_NAME
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service
```
In this example, the credential (user ID vicgreen, password not_secret) is added to the credential vault. The RESOURCE_UID is a URL, vic.example.com. Global credential settings are used. Other than the password and the resource name, only the required attributes are specified. The password must be rotated after 5 days.
The shared access CSV file lists the column headers in a default sequence. You can change the sequence of these column headers according to your requirements. However, do not change the name of these column headers.
Second example
In this example, the user specifies only the required fields and the fields that matter and do not match the defaults. The credential (user ID vicgreen, password not_secret) is added to the vault. The password is not viewable, and the other credential settings use the defaults. That is, the access mode is exclusive (checkout is required), the maximum checkout duration is 8 hours, and checkout search is enabled.
Third example
```csv
#Credentials_v2
ACCOUNT_UID,ORG_PDN,PASSWORD,RESOURCE_UID,RESOURCE_NAME,CREDENTIAL_SERVICE,CONNECT_SERVICE_PDN,PASSWORD_ROTATION_INTERVAL
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service,Vic_Linux|VicGreen_Linux,"description=winlocalService,l=San Francisco,ou=Admin,o=ibm",5
```
In this example, credential vicgreen is added from the winlocal account.
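The column rules in the table above and the sample files in the three examples can be checked before a file is imported. The following pre-flight validator is an added example written for this page; it is not code from IBM Security Privileged Identity Manager, and the product does no such check on your behalf. It verifies the #Credentials_v2 type identifier on the first line, rejects unknown column headers, enforces the required-column rules (ACCOUNT_UID; ORG_URI or ORG_PDN; RESOURCE_UID or CONNECT_SERVICE_PDN), checks the TRUE/FALSE columns and the integer PASSWORD_ROTATION_INTERVAL, splits CREDENTIAL_TAG on the `|` separator, and applies the documented 8 h default for MAX_CHECKOUT_DURATION. The `<number> h|d|w` duration form and the CREDENTIAL_SERVICE and RESOURCE_NAME headers (used in the page's examples but not in the table) are assumptions; the sample file is constructed for this example and includes a row whose unquoted DN spills into extra columns, the pitfall shown by the third example.

```python
"""Pre-flight validator for a #Credentials_v2 shared access CSV file.

Added example for this page, not product code. It applies the column rules
from the table above so a file can be checked before import. The sample
file below is constructed for this example.
"""
import csv
import io
import re

TYPE_IDENTIFIER = "#Credentials_v2"
KNOWN_COLUMNS = {
    "ACCOUNT_UID", "ORG_URI", "ORG_PDN", "RESET_PASSWORD", "PASSWORD",
    "DESCRIPTION", "USE_DEFAULT_SETTINGS", "ACCESS_MODE", "PASSWORD_VIEWABLE",
    "MAX_CHECKOUT_DURATION", "ENABLE_CHECKOUT_SEARCH", "RESET_PASSWORD_ON_CHECKIN",
    "RESOURCE_UID", "CONNECT_SERVICE_PDN", "DISCONNECT", "CREDENTIAL_TAG",
    "PASSWORD_ROTATION_INTERVAL",
    # Assumed: these appear in the page's examples but not in the table.
    "RESOURCE_NAME", "CREDENTIAL_SERVICE",
}
BOOLEAN_COLUMNS = {"RESET_PASSWORD", "USE_DEFAULT_SETTINGS", "PASSWORD_VIEWABLE",
                   "ENABLE_CHECKOUT_SEARCH", "RESET_PASSWORD_ON_CHECKIN", "DISCONNECT"}
# Assumed suffix form for MAX_CHECKOUT_DURATION; "8 h" is the documented default.
DURATION_RE = re.compile(r"^\d+\s*[hdw]$")
DEFAULT_CHECKOUT_DURATION = "8 h"


def validate_credentials_csv(text):
    """Return (records, errors) for a create-mode file.

    records: one dict per valid row, with CREDENTIAL_TAG split into a list
    and MAX_CHECKOUT_DURATION defaulted. errors: human-readable messages
    prefixed with the line number (line 1 is the type identifier).
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != TYPE_IDENTIFIER:
        return [], [f"line 1: expected the type identifier {TYPE_IDENTIFIER}"]
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])))
    header = reader.fieldnames or []
    present = set(header)
    errors = [f"unknown column header: {h}" for h in header if h not in KNOWN_COLUMNS]
    if "ACCOUNT_UID" not in present:
        errors.append("ACCOUNT_UID column is required")
    if not present & {"ORG_URI", "ORG_PDN"}:
        errors.append("ORG_URI or ORG_PDN column is required to create a credential")
    if not present & {"RESOURCE_UID", "CONNECT_SERVICE_PDN"}:
        errors.append("RESOURCE_UID or CONNECT_SERVICE_PDN column is required")
    records = []
    for n, row in enumerate(reader, start=3):  # first data row is line 3
        # DictReader parks surplus fields under the key None and fills
        # missing ones with None: both mean the field count is wrong,
        # typically a DN with commas that was not double-quoted.
        if None in row or None in row.values():
            errors.append(f"line {n}: field count does not match the header "
                          "(a value that contains a comma must be double-quoted)")
            continue
        row_errors = []
        if not row.get("ACCOUNT_UID"):
            row_errors.append("ACCOUNT_UID is required")
        if not (row.get("ORG_URI") or row.get("ORG_PDN")):
            row_errors.append("ORG_URI or ORG_PDN is required")
        if not (row.get("RESOURCE_UID") or row.get("CONNECT_SERVICE_PDN")):
            row_errors.append("RESOURCE_UID or CONNECT_SERVICE_PDN is required")
        for col in sorted(BOOLEAN_COLUMNS & present):
            if row[col] not in ("", "TRUE", "FALSE"):
                row_errors.append(f"{col} must be TRUE or FALSE, got {row[col]!r}")
        interval = row.get("PASSWORD_ROTATION_INTERVAL", "")
        if interval and not interval.isdigit():
            row_errors.append(f"PASSWORD_ROTATION_INTERVAL must be an integer, got {interval!r}")
        duration = row.get("MAX_CHECKOUT_DURATION") or DEFAULT_CHECKOUT_DURATION
        if not DURATION_RE.match(duration):
            row_errors.append(f"MAX_CHECKOUT_DURATION has an unexpected form: {duration!r}")
        # The table: RESET_PASSWORD_ON_CHECKIN must be given when ACCESS_MODE is 0.
        if row.get("ACCESS_MODE") == "0" and not row.get("RESET_PASSWORD_ON_CHECKIN"):
            row_errors.append("RESET_PASSWORD_ON_CHECKIN must be set when ACCESS_MODE is 0")
        if row_errors:
            errors.extend(f"line {n}: {e}" for e in row_errors)
            continue
        record = dict(row)
        record["MAX_CHECKOUT_DURATION"] = duration
        record["CREDENTIAL_TAG"] = [t for t in row.get("CREDENTIAL_TAG", "").split("|") if t]
        records.append(record)
    return records, errors


# Constructed sample: a good row modelled on the third example (DN quoted),
# a row with three rule violations, and a row whose DN was left unquoted.
SAMPLE = """#Credentials_v2
ACCOUNT_UID,ORG_PDN,PASSWORD,RESOURCE_UID,RESOURCE_NAME,CREDENTIAL_TAG,CONNECT_SERVICE_PDN,PASSWORD_ROTATION_INTERVAL,RESET_PASSWORD
vicgreen,"ou=Finance,o=Organization",not_secret,vic.example.com,Vic's Linux Service,Vic_Linux|VicGreen_Linux,"description=winlocalService,l=San Francisco,ou=Admin,o=ibm",5,TRUE
badrow,"ou=Finance,o=Organization",not_secret,,,,,five,yes
unquoted,ou=Finance,o=Organization,not_secret,host.example.com,Svc,,,,
"""

if __name__ == "__main__":
    recs, errs = validate_credentials_csv(SAMPLE)
    # Report account IDs only; the PASSWORD column is never echoed.
    print("valid rows:", [r["ACCOUNT_UID"] for r in recs])
    for e in errs:
        print("error:", e)
```

Because the PASSWORD column holds the credential in clear text, run the check on the file where it is staged and report only the ACCOUNT_UID and the error text, as the block does, rather than echoing rows; unquoted DNs (the third row above) are the most common cause of a row silently landing in the wrong columns.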