
Transferring Data Classification Policies Between Systems

Data Access Security provides an easy way to transfer data classification policies from one system to another, through a command line interface. Administrators can use the import/export tool to import/export custom policies from one server to another.

Note

Importing Data Classification Policies can only be done between versions listed in the Data Classification Importer section within Import Data Classification Policies.

Note

You must be defined as an Administrator in the Data Access Security administrative client.

Note

You can only execute the import/export tool in its file working directory.

To run the Import/Export tool, perform the following steps:

  1. Use the Windows command line to navigate to the following directory:

    CD %SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyExporter

    OR

    CD %SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyImporter

  2. In the Windows command line, type:

    cd {path to the tool directory}
    
    PolicyExporter.exe {options}
    
    OR

    PolicyImporter.exe {options}
    

Note

The tool argument can be a minus sign (-) followed by a letter in upper case, or two minus signs (--) followed by a word in lower case letters. For example, -U DOMAIN\USER or --user DOMAIN\USER

The tool validates arguments before performing any action and the system alerts the user if one or more arguments are missing or are invalid. If you do not provide arguments, a Help screen displays.

Each Data Classification Policy is assigned a unique global ID (GUID). When new policies are imported, Data Access Security compares the GUIDs on both policies to identify them uniquely.

Note

While the name of the tool is Import/Export, the procedural order is to export data classification policies first.

Exporting Data Classification Policies

Data classification policies are exported with their rules, policy objects, categories, file properties, and rule criteria. The tool transfers an output file to the target server for import. The tool also creates a log file, which the Data Access Security technical support team can use as a reference for troubleshooting.

If a policy object includes a verification algorithm created by the user, this dll file will be exported as well.

As noted in Transferring Data Classification Policies Between Systems, you must have administrative rights in Data Access Security and use the file working directory.

To export data classification policies, perform the following steps:

  1. Run the tool with the following selected options:

    1. -O, --output (Default: output_policies.bin) (Output file location)

      Note

      The output file is in binary format and cannot be edited.

      The file location can be either absolute (c:\program files\Sailpoint\outputs) or relative (....\outputs).

    2. -A, --all

      The tool exports all policies available from the current system.

    3. -L, --policies

      The tool exports specific policies. Each policy is specified by its policy name (not case sensitive), with a comma separating one policy name from the next.

      Policy names that contain spaces should be enclosed in quotation marks ("). Example: PolicyExporter.exe -U domain\user -L "policy1 - my policy","POLICY2 - HIS POLICY"

      Note

      Select either -A or -L, since they are mutually exclusive.

    4. -U, --user (Required.)

      This is the name of the user to whom data classification policies are exported, and should include both the user name and the domain name (if there is one).

    5. -P, --password

      The user password validates the export. The system will only prompt you three times to provide a password.

    6. --help

      The Help screen displays.

    7. --version

      The version information displays.

Importing Data Classification Policies

Data classification policies are exported with their rules, policy objects, categories, file properties, and rule criteria. The tool creates a file with a summary of what was imported and what was not imported. The tool also creates a log file, which the Data Access Security technical support team can use as a reference for troubleshooting.

As noted in Transferring Data Classification Policies Between Systems, you must have administrative rights and use the file working directory.

To import data classification policies, perform the following steps:

Note

The only way to run an import or export on the tools is by the command line.

  1. Run the tool with the following selected options:

    1. CD %SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyImporter
    2. -I, --input (Input file location)

      The exported output file path.

      The file location can be either absolute (c:\program files\Sailpoint\outputs) or relative (....\outputs).

    3. -R, --override (Default: false)

      The system recognizes a policy by its unique ID, not by its policy name. Override refers to overriding existing data classification policies and policy rules.

    4. -C, --activate (Default: false)

      Activate refers to activation of all policies immediately after migration.

      Note

      The option to activate supersedes the policy and policy rule association on the exported server: if the option to activate is specified, all will be activated; otherwise, all will be deactivated.

    5. -O, --output (Default: output_stats.txt)

      The output summary file is written to the selected location.

      The file location can be either absolute (c:\program files\Sailpoint\outputs) or relative (....\outputs).

      Examples:

      • --output ....\imported.log
      • -O c:\temp\stats.txt

    6. -T, --test (Default: false)

      The import of policies and policy rules is simulated: any changes made during the simulation are rolled back afterward, so you can see what would change without altering any policies or policy rules.

    7. -M, --multi-output (Default: false)

      The output summary is written in one or more files, with a time stamp appended to the file name.

      Example:

      • output_stats.180507091022.txt

        Note

        When this option is not used, the content of the result is appended to the same file, along with the time stamp.

    8. -U, --user (Required).

      This is the name of the user to whom data classification policies are exported, and should include both the user name and the domain name (if there is one).

    9. -P, --password

    After you enter all parameters and execute the command, the tool displays either a success or a failure message in the command line. It also creates a log file, which the Data Access Security Technical Support Team can use as a reference for troubleshooting.
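The full transfer described above, as an added example that is not part of the vendor documentation: export on the source server, check the file's hash on both sides, simulate the import with -T, then import. CORP\dcadmin and C:\Transfer are placeholders; using -A and -T as bare switches, and leaving out -P so that the tool prompts for the password, are assumptions.

```bat
rem Added example, not vendor code. CORP\dcadmin and C:\Transfer are
rem placeholders; -A and -T are assumed to be bare switches.

rem ---- On the source server: export every policy ----------------------
rem The tool only runs from its own working directory, so change to it first.
cd /d "%SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyExporter"

rem -P is left out (assumption: the tool then prompts for the password),
rem which keeps the password out of command history and process listings.
PolicyExporter.exe -U CORP\dcadmin -A -O C:\Transfer\policies.bin

rem The export is an uneditable binary and can carry a user-created
rem verification DLL, so record its SHA-256 before it leaves the server.
certutil -hashfile C:\Transfer\policies.bin SHA256

rem ---- On the target server: verify, simulate, then import ------------
cd /d "%SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyImporter"

rem Recompute the hash and compare it with the value from the source
rem server; do not import a file whose hash differs.
certutil -hashfile C:\Transfer\policies.bin SHA256

rem Dry run: -T rolls all changes back, leaving only the summary file.
PolicyImporter.exe -U CORP\dcadmin -I C:\Transfer\policies.bin -T -O C:\Transfer\dryrun_stats.txt
type C:\Transfer\dryrun_stats.txt

rem Real import. -C is not given, so the imported policies arrive
rem deactivated; -R is not given, so existing policies are not overridden.
rem Add -R only after the dry-run summary shows the overrides you intend.
PolicyImporter.exe -U CORP\dcadmin -I C:\Transfer\policies.bin -O C:\Transfer\import_stats.txt
type C:\Transfer\import_stats.txt
```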