Transferring Data Classification Policies Between Systems
File Access Manager provides an easy way to transfer data classification policies from one system to another through a command-line interface. Administrators can use the import/export tool to transfer custom policies from one server to another.
Note
Importing Data Classification Policies can only be done between versions listed in the Data Classification Importer section within Import Data Classification Policies.
Note
You must be defined as an Administrator in the File Access Manager administrative client.
Note
You can only execute the import/export tool in its file working directory.
To run the Import/Export tool, perform the following steps:
- Use the Windows command line to navigate to one of the following directories:
CD %SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyExporter
CD %SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyImporter
- In the Windows command line, type:
cd {path to the tool directory}
PolicyExporter.exe {options}
OR
PolicyImporter.exe {options}
Note
The tool argument can be a minus sign (-) followed by a letter in upper case, or two minus signs (--) followed by a word in lower case letters.
For example: -U DOMAIN\USER
OR --user DOMAIN\USER
The tool validates arguments before performing any action, and the system alerts the user if one or more arguments are missing or are invalid. If you do not provide arguments, a Help screen displays.
Each Data Classification Policy is assigned a unique global ID (GUID). When new policies are imported, File Access Manager compares the GUIDs on both policies to identify them uniquely.
Note
While the name of the tool is Import/Export, the procedural order is to export data classification policies first.
Exporting Data Classification Policies
Data classification policies are exported with their rules, policy objects, categories, file properties, and rule criteria. The tool transfers an output file to the target server for import. The tool also creates a log file, which the File Access Manager technical support team can use as a reference for troubleshooting.
If a policy object includes a verification algorithm created by the user, this DLL file will be exported as well.
As noted in Transferring Data Classification Policies Between Systems, you must have administrative rights in File Access Manager and use the file working directory.
To export data classification policies, perform the following steps:
- Run the tool with the following selected options:
- -O, --output (Default: output_policies.bin): Specifies the output file location.
Note
The output file is in binary format and cannot be edited. The file location can be either absolute (e.g., c:\program files\Sailpoint\outputs) or relative (e.g., ..\..\outputs).
- -A, --all: The tool exports all policies available from the current system.
- -L, --policies: The tool exports specific policies. Each policy is specified by its policy name (not case sensitive), and the names should be separated by commas.
Example:
PolicyExporter.exe -U domain\user -L "policy1 – my policy","POLICY2 – HIS POLICY"
Note
Select either -A or -L, since they are mutually exclusive.
- -U, --user (Required): This is the name of the user to whom data classification policies are exported. It should include both the username and the domain name (if there is one).
- -P, --password: The user password validates the export. The system will only prompt you three times to provide a password.
- --help: The Help screen displays.
- --version: Displays the version information.
Import Data Classification Policies
Data classification policies are exported with their rules, policy objects, categories, file properties, and rule criteria. The tool creates a file with a summary of what was imported and what was not imported. The tool also creates a log file, which the File Access Manager technical support team can use as a reference for troubleshooting.
As noted in Transferring Data Classification Policies Between Systems, you must have administrative rights and use the file working directory.
To import data classification policies, perform the following steps:
Note
The only way to run an import or export on the tools is by the command line.
- Run the tool with the following selected options:
CD %SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\PolicyImporter
- -I, --input (Input file location)
The exported output file path. The file location can be either absolute (c:\program files\Sailpoint\outputs) or relative (..\..\outputs).
- -R, --override (Default: false). The system recognizes a policy by its unique ID, not by its policy name. Override refers to overriding existing data classification policies and policy rules.
- -C, --activate (Default: false). Activate refers to activation of all policies immediately after migration.
Note
The option to activate supersedes the policy and policy rule association on the exported server: if the option to activate is specified, all will be activated; otherwise, all will be deactivated.
- -O, --output (Default: output_stats.txt)
The output summary file is in the selected location.
The file location can be absolute (c:\program files\Sailpoint\outputs) or relative (..\..\outputs).
Examples:
- --output ..\..\imported.log
- -O c:\temp\stats.txt
- -T, --test (Default: false)
Any changes made during this simulation of the importation of policies and policy rules are rolled back afterward, so you can see what has been changed without altering any policies or policy rules.
- -M, --multi-output (Default: false)
The output summary is written in one or more files, with a time stamp appended to the file name.
Example:
output_stats.180507091022.txt
Note
When this option is not used, the content of the result is appended to the same file, along with the time stamp.
- -U, --user (Required)
This is the name of the user to whom data classification policies are exported, and should include both the user name and the domain name (if there is one).
- -P, --password
After you enter all parameters and execute the command, the tool displays either a success or a fail message in the command line. It also creates a log file, which the File Access Manager Technical Support Team can use as a reference for troubleshooting.
- If the user needs more information about the File Access Manager version, complete the following in the command line.
- --help - The Help screen displays.
- --version - The version information displays.
Note
File Access Manager cannot import a Data Classification policy if the policy name exists. Rename the existing policy and rerun the import procedure.
Note
File Access Manager cannot import a Data Classification rule if the rule name exists. Rename the existing rule and rerun the import procedure.
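The import procedure above as a guarded run on the target server, written in PowerShell as an added example (it is not SailPoint code or part of the original documentation). It checks that the binary export file arrived unchanged, runs the simulation with -T, and applies the import only after the operator has read the summary. The parameter names, the summary file names and the SHA-256 value recorded on the source server are assumptions, as is the tool prompting for the password when -P is omitted, which also keeps the password out of the command line.

```powershell
# Added example, not SailPoint code. Run on the target server after copying the export file.
# Assumption: $ExpectedSha256 was recorded on the source server with
#   Get-FileHash -Algorithm SHA256 <export file>
# right after PolicyExporter.exe finished.
param(
    [Parameter(Mandatory)] [string] $ExportFile,      # e.g. C:\temp\output_policies.bin
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # hash recorded on the source server
    [Parameter(Mandatory)] [string] $User             # DOMAIN\USER, a File Access Manager administrator
)
$ErrorActionPreference = 'Stop'

# Resolve to an absolute path now, because the working directory changes below.
$ExportFile = (Resolve-Path -LiteralPath $ExportFile).Path

# 1. Confirm the binary export arrived unchanged (-ne ignores hex letter case).
$actual = (Get-FileHash -LiteralPath $ExportFile -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw ('Hash mismatch for {0}: expected {1}, got {2}' -f $ExportFile, $ExpectedSha256, $actual)
}

# 2. The tool can only be executed from its own working directory.
$toolDir = Join-Path $env:SAILPOINT_HOME 'FileAccessManager\Server Installer\Tools\PolicyImporter'
Set-Location -LiteralPath $toolDir

# 3. Simulation: -T rolls all changes back. -P is omitted on purpose
#    (assumption: the tool then prompts for the password).
$testStats = Join-Path $env:TEMP 'import_test_stats.txt'   # constructed file name
.\PolicyImporter.exe -I $ExportFile -T -O $testStats -U $User
if (Test-Path -LiteralPath $testStats) {
    Get-Content -LiteralPath $testStats
}

# 4. Real import only after the simulated summary has been reviewed.
#    -R and -C are left at their defaults (false): existing policies are not
#    overridden and imported policies are not activated.
if ((Read-Host 'Apply this import for real? (yes/no)') -eq 'yes') {
    $stats = Join-Path $env:TEMP 'import_stats.txt'        # constructed file name
    .\PolicyImporter.exe -I $ExportFile -O $stats -U $User
    if (Test-Path -LiteralPath $stats) {
        Get-Content -LiteralPath $stats
    }
}
```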