8.0 Role Export Utility

The SAP GRC Access Control driver contains a role export utility. The utility is a Java console application that exports the Identity Manager Roles Based Provisioning Module roles to an Excel spreadsheet, a delimited text file, or both.

The Excel spreadsheet format can be imported into the Compliant User Provisioning (CUP) product in the SAP GRC Access Control suite. The delimited text format can be imported into the Risk Analysis and Remediation (RAR) product in the SAP GRC Access Control suite.

The CUP and RAR maintain separate databases that contain the role information for the SAP GRC Access Control suite. If you are using both products, you must import the Identity Manager Roles Based Provisioning Module roles into each product.

The role export utility supports Java 1.42 or above.

The role export utility is installed in the following default locations when the drivers for the extension for SAP environments are installed.

To run the role export utility:

  1. Verify that the RoleExport.jar, jxl.jar, and ldap.jar files are in the same directory.

  2. From a command line, enter java -jar RoleExport.jar.

  3. Specify the hostname or IP address of the server that contains the Roles Based Provisioning Module definitions.

  4. Specify the LDAP port for a clear text connection. The default port is 389.

  5. Specify the LDAP DN of a user that has rights to read the role definitions.

  6. Specify the password for the user.

  7. Specify the LDAP DN of the container that holds the role definitions.

    The default location of the role definitions container is cn=RoleDefs,cn=RoleConfig,cn=<User App driver>,cn=<driver set>,dc=<container>

  8. Specify an LDAP filter for the set of roles you want to export.

    The default filter is: (objectclass=nrfRole)

  9. Specify 1 to export to Excel, specify 2 to export to a delimited text file, or specify 3 to export to both formats.

  10. (Conditional) If you selected 1 or 3, specify the path and filename where the exported Excel file will be created.

    If a file with the specified name exists, the existing file is overwritten with the new file.

  11. (Conditional) If you selected 1 or 3, specify a value for the ConnectorType in the exported Excel file.

  12. (Conditional) If you selected 2 or 3, specify the path and filename where the delimited text file will be created.

    If a file with the specified name exists, the existing file is overwritten with the new file.

The first time the utility runs, all answers except for the password are saved in the RoleExport.cfg file. The next time the utility runs, the answers in the RoleExport.cfg file are used and you are prompted for the password.

If you want to change an answer, edit the RoleExport.cfg file or delete the file. This is a text file that can be edited with any text editor.
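
A pre-flight check for the procedure above, as an added example that is not part of the utility or the original documentation: it confirms the three JAR files from step 1 are together, warns when an output file from step 10 or 12 already exists and would be overwritten, and warns when RoleExport.cfg is accessible to other users, since it stores every answer except the password. The function names, the return codes, and the assumption that RoleExport.cfg sits in the same directory as the JAR files are this example's own.

```shell
#!/bin/sh
# Added example: checks to run before "java -jar RoleExport.jar".
# Names and return codes are this example's own, not part of the utility.

# mode_of FILE: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preflight DIR [OUTPUT_FILE...]
# Returns 0 when clean, 1 when a required JAR is missing, 2 on warnings only.
preflight() {
    dir=${1:?usage: preflight DIR [OUTPUT_FILE...]}
    shift
    status=0

    # Step 1: RoleExport.jar, jxl.jar, and ldap.jar must share one directory.
    for jar in RoleExport.jar jxl.jar ldap.jar; do
        if [ ! -f "$dir/$jar" ]; then
            echo "ERROR: $dir/$jar not found" >&2
            return 1
        fi
    done

    # RoleExport.cfg holds the saved answers (host, port, bind DN, container,
    # filter, output paths). Assumption: it is written next to the JAR files.
    cfg="$dir/RoleExport.cfg"
    if [ -f "$cfg" ]; then
        mode=$(mode_of "$cfg")
        case $mode in
            *[1-7])  # last octal digit non-zero: "other" users have access
                echo "WARN: $cfg is accessible to other users (mode $mode)" >&2
                status=2 ;;
        esac
    fi

    # Steps 10 and 12: an existing output file is overwritten by the export.
    for out in "$@"; do
        if [ -e "$out" ]; then
            echo "WARN: $out exists and will be overwritten" >&2
            status=2
        fi
    done
    return $status
}

# Run the check when the script is invoked with arguments.
[ "$#" -eq 0 ] || preflight "$@"
```

Step 4 describes a clear text LDAP connection, so the bind with the DN and password from steps 5 and 6 is not protected by TLS; run the utility from a host with a trusted network path to the server.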