Bill_Patton

Is there a way to export account template and provisioning roles?

Blog Post created by Bill_Patton Employee on Jul 13, 2015

There is no export/import and as 12.6.5 and 12.5.17 this is the only example that we can provide it is for Active Directory, if you have other endpoints you will need to tailor this to it:

 

1)      To create a new AD Account Template based in one already existing:

etautil -u <<USER>> -p <<PASSWORD>> copy 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTADSPolicy eTADSPolicyName=<<BASIC ACCOUNT TEMPLATE>> to eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>> eTDescription='New Account Template Description'

 

2)      Then add the Endpoint to the new Account Template (I could verify that the copy does not brings the Endpoint)

etautil -u <<USER>> -p <<PASSWORD>> add 'eTNamespaceName=ActiveDirectory,dc=im,dc=eta' eTADSDirectory eTADSDirectoryName=<< ENDPOINT NAME>> in 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTADSPolicy eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>>

 

3)      Then update the Account Container rules for the new Account Template created and also correct the required groups (I could verify that the Account Template copy also messes the Account Container rules):

etautil -u <<USER>> -p <<PASSWORD>> update 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTADSPolicy eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>> eTAccountContainer=<<ACCOUNT CONTAINER RULES>> eTADSmemberOf=<<GRUP Full DN>>

 

PS: In this last command I was not able to handle multiple groups. I tried the commands with + eTADSmemberOf and - eTADSmemberOf but none have worked.

 

4)      Then create a new Provisioning Role:

etautil -u <<USER>> -p <<PASSWORD>> add 'eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTRole eTRoleName=<<PROVISIONING ROLE NAME>> eTCustomField01=XXXX eTCustomField02=XXXX eTCustomField03=*** eTComments='XXXXXXX *********' eTDescription='****** *********';

 

5)      And then assign the Account Template to the Provisioning Role:

etautil -u <<USER>> -p <<PASSWORD>> add 'eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTRole eTRoleName=<< PROVISIONING ROLE NAME>> in 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im' eTADSPolicy eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>>

 

6)      Create an XML file to input the Provisioning Role data in the IdentityMinder web interface.

Outcomes