Importing systems, accounts, domains, databases

You can add multiple entities (Systems, Accounts, Domains, and Databases) and their attributes to Zero Trust Privileged Access Service in one operation by preparing an import file from the CSV template and running the Centrify PowerShell script. The import file is a comma-separated set of required and optional fields that describe the items you want to add. Once you have populated the CSV file with the information to import, run the Centrify PowerShell script and then review the imported content in the Admin Portal.

To download the import files and populate the CSV file:

  1. Access Github at https://github.com/centrify/centrify-samples-powershell to download the import files to your local computer. The import files include the following:

    • Privileged Access Service PowerShell script (Centrify.Samples.PowerShell.Example.ps1)

    You modify the script file to import entities and their attributes from the CSV file into Privileged Access Service.

    • Privileged Access Service PowerShell module file (Centrify.Sample.PowerShell.CPS.psm1)

    The module file is called from the Centrify PowerShell script and does not require any modification.

    • CSV template (Sample.csv)

    The import template illustrates the format to use in creating your own comma‑separated values (CSV) file with all the entities and attributes you want to import.

  2. Open the Sample.csv template in a text editor or spreadsheet program.
  3. Click File, then Save As to save the file to a location on your local computer.
  4. Edit your custom CSV file, using the template as a guideline, so that each line provides the information regarding Systems, Domains, Databases, and Accounts you want added to Privileged Access Service.

    As illustrated by the examples in the template file, you can leave optional fields blank. When you are finished adding the entities you want to import, remove the example rows that came with the template (keep the header row; the import requires it) and save your changes to the file.

For information on the available attributes and what they mean, see Sample.csv template fields.
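The following PowerShell is an added example, not code from the Centrify sample repository. It builds an import file with the template headings documented in the field table below, checks the required fields for each entity type before the file is handed to the import script, and restricts the file's permissions because the Password and ProxyUserPassword columns hold cleartext secrets. The heading strings are copied from this page; compare them with the Sample.csv you downloaded and use the template's spelling wherever it differs, since the importer matches headings exactly. The file path, the host names and the account names are constructed sample data.

```powershell
# Added example: build and sanity-check an import CSV for Privileged Access Service.
# Headings are taken from the field table on this page; verify against Sample.csv.
$Headings = @(
    'Entity Type','Name','FQDN','Description','ComputerClass','ProxyUser','ProxyUserPassword',
    'ProxyUserIsManaged','ResourceDomain','ResourceDomainOperationsEnabled','ResourceSessionType',
    'ResourceSessionTypePort','ResourceWindowsManagementMode','ResourceWindowsManagementPort',
    'PasswordProfile','SetName','DefaultCheckoutTime','AllowRemote','ParentEntityTypeOfAccount',
    'ParentEntityNameOfAccount','User','Password','IsManaged','AccountMode','UseProxy',
    'DatabaseServiceType','OracleServiceName','SQLInstanceName','DatabasePort','ParentDomain',
    'AdministrativeAccount','AllowAutomaticAccountMaintenance','AllowManualAccountUnlock',
    'AllowMultipleCheckouts','AllowPasswordRotation','PasswordRotateDuration','MinimumPasswordAge',
    'AllowPasswordHistoryCleanUp','PasswordHistoryCleanUpDuration'
)

# Required fields per entity type, as documented in the field table.
$Required = @{
    System   = @('Name','FQDN','ComputerClass','ResourceSessionType')
    Domain   = @('Name')
    Database = @('Name','FQDN','DatabaseServiceType')
    Account  = @('ParentEntityTypeOfAccount','ParentEntityNameOfAccount','User')
}

function New-ImportRow {
    # Returns an object carrying every template heading (blank unless supplied),
    # so Export-Csv writes the complete header row in template order.
    param([hashtable]$Values)
    $row = [ordered]@{}
    foreach ($h in $Headings) { $row[$h] = '' }
    foreach ($k in $Values.Keys) {
        if ($Headings -notcontains $k) { throw "Unknown heading '$k'" }
        $row[$k] = $Values[$k]
    }
    [pscustomobject]$row
}

function Test-ImportRows {
    # Returns one message per problem found; no output means the rows pass.
    param([object[]]$Rows)
    $problems = @()
    $i = 0
    foreach ($r in $Rows) {
        $i++
        $type = $r.'Entity Type'
        if (-not $type -or -not $Required.ContainsKey($type)) {
            $problems += "Row ${i}: unknown Entity Type '$type'"; continue
        }
        foreach ($f in $Required[$type]) {
            if ([string]::IsNullOrWhiteSpace($r.$f)) { $problems += "Row ${i} ($type): '$f' is required" }
        }
        if ($type -eq 'Account') {
            if ($r.ParentEntityTypeOfAccount -notin 'System','Domain','Database') {
                $problems += "Row ${i} (Account): ParentEntityTypeOfAccount must be System, Domain or Database"
            }
            # The parent must be in this file or already exist in the service; flag the latter case.
            $parent = $Rows | Where-Object {
                $_.'Entity Type' -eq $r.ParentEntityTypeOfAccount -and $_.Name -eq $r.ParentEntityNameOfAccount }
            if (-not $parent) {
                $problems += "Row ${i} (Account): parent '$($r.ParentEntityNameOfAccount)' is not in this file; it must already exist in the service"
            }
        }
    }
    $problems
}

# Constructed sample data: one Windows system, two accounts on it, and a domain.
$rows = @(
    New-ImportRow -Values @{ 'Entity Type'='System'; Name='web01'; FQDN='web01.example.test'; ComputerClass='Windows';
                             ResourceSessionType='Rdp'; ResourceDomain='example.test'; SetName='WebServers|Prod' }
    New-ImportRow -Values @{ 'Entity Type'='Account'; ParentEntityTypeOfAccount='System'; ParentEntityNameOfAccount='web01';
                             User='svc_backup'; Password='REPLACE-ME'; IsManaged='TRUE' }
    New-ImportRow -Values @{ 'Entity Type'='Account'; ParentEntityTypeOfAccount='System'; ParentEntityNameOfAccount='web01';
                             User='localadmin'; IsManaged='FALSE' }
    New-ImportRow -Values @{ 'Entity Type'='Domain'; Name='example.test'; AllowPasswordRotation='TRUE'; PasswordRotateDuration='30' }
)

$problems = Test-ImportRows -Rows $rows
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; throw 'Fix the rows above before importing.' }

$csvPath = 'C:\ImportFile.csv'   # hypothetical path; matches the page's example invocation
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# The file now holds cleartext passwords: strip inherited ACEs and grant only the current user.
icacls $csvPath /inheritance:r /grant:r "$([System.Security.Principal.WindowsIdentity]::GetCurrent().Name):(R,W)" | Out-Null
```

The validation mirrors the "required" annotations in the field table rather than anything the importer reports, so it catches missing values before a long run fails. Delete the CSV once the import has succeeded; the passwords in it are then held by the service and have no reason to remain on disk.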

To import multiple systems, accounts, domains, and databases:

Verify that the computer you are using to import entities has access to the Privileged Access Service Admin Portal.

  1. Open the Centrify.Samples.PowerShell.Example.ps1 script file you downloaded earlier and edit the param section of the script to set the following parameters for your instance (remove the leading # if the lines are commented out in your copy):

    #[string]$username = "userexample@centrify.com",

    #[string]$endpoint = "https://cloud.centrify.com",

  2. Edit the Centrify.Samples.PowerShell.Example.ps1 to include a command like the following, where Endpoint is the URL of your Privileged Access Service tenant and CSVFile is the path and name of the CSV file you created. For example:

    Centrify-CPS-Import -Endpoint 'https://cloud.centrify.com' -Token $token -CSVFile 'C:\ImportFile.csv'

  3. Save the modified file and then start Windows PowerShell to open a command window.
  4. Run the modified Centrify.Samples.PowerShell.Example.ps1 script by entering the full path to the script. For example, C:\scripts\Centrify.Samples.PowerShell.Example.ps1.

    The script calls the Centrify.Sample.PowerShell.CPS.psm1 module to import Systems, Domains, Databases, Accounts and their attributes into Privileged Access Service.

    Depending on the number of entities you are importing, the process might take some time to complete. Once complete, the script outputs the following files to a folder with information on the import status:

    • FailedRows.csv—this file includes all rows that failed to import into Privileged Access Service, with the same header row as your import file. You can fix the errors in this file and then re-import it. If this file is not included in the output, no row failed.
    • FailedRows.txt—this file provides a summary of the import result for the failed rows.
    • WarningRows.txt—this file lists the rows in the CSV file that imported but with warnings, and an explanation of each warning. If this file is empty, all content in the CSV file imported without warnings. If the import did not complete a particular operation, you can log in to the Admin Portal and carry out that operation manually.
    • AllRows.txt—this file provides the results for all rows in the CSV file, listed in the same order as in your import file.
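The following is an added example, not code from the Centrify sample repository or from Centrify.Samples.PowerShell.Example.ps1. It wraps the documented Centrify-CPS-Import call from step 2 so that a run checks tenant reachability first, clears stale result files, and then reads FailedRows.csv and WarningRows.txt to decide whether the run succeeded. It assumes it is placed in Example.ps1 after the point where that script has imported the module and obtained $token, and that the result files land in the folder named by $OutDir; the page does not say which folder the script writes to, so the example defaults $OutDir to the current directory and you may need to change it. The endpoint and file path are the page's own examples.

```powershell
# Added example: run the import and act on the result files the script produces.
# Assumes $token has already been obtained by Example.ps1 and the CPS module is loaded.
$Endpoint = 'https://cloud.centrify.com'   # your tenant URL
$CSVFile  = 'C:\ImportFile.csv'
$OutDir   = (Get-Location).Path            # assumption: result files are written here

# Pre-flight: the importing computer must be able to reach the tenant.
try { Invoke-WebRequest -Uri $Endpoint -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null }
catch { throw "Cannot reach $Endpoint from this computer: $($_.Exception.Message)" }

# The CSV carries cleartext passwords; warn if broad groups can read it.
$acl   = Get-Acl -Path $CSVFile
$broad = $acl.Access | Where-Object {
    $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$' -and $_.FileSystemRights -match 'Read' }
if ($broad) { Write-Warning "$CSVFile is readable by: $(($broad.IdentityReference | Select-Object -Unique) -join ', ')" }

# Remove leftovers from earlier runs so a missing FailedRows.csv really means no row failed this time.
'FailedRows.csv','FailedRows.txt','WarningRows.txt','AllRows.txt' |
    ForEach-Object { Remove-Item -Path (Join-Path $OutDir $_) -ErrorAction SilentlyContinue }

Centrify-CPS-Import -Endpoint $Endpoint -Token $token -CSVFile $CSVFile

$failed   = Join-Path $OutDir 'FailedRows.csv'
$warnings = Join-Path $OutDir 'WarningRows.txt'

if (Test-Path $failed) {
    $rows = Import-Csv -Path $failed
    Write-Warning "$($rows.Count) row(s) failed; details in $(Join-Path $OutDir 'FailedRows.txt')"
    $rows | Group-Object -Property 'Entity Type' | ForEach-Object { Write-Warning "  $($_.Name): $($_.Count)" }
    # Correct the rows in FailedRows.csv and re-run with -CSVFile $failed; its header row is intact.
    exit 1
}
if ((Test-Path $warnings) -and (Get-Item $warnings).Length -gt 0) {
    Write-Warning 'Imported with warnings:'
    Get-Content -Path $warnings | ForEach-Object { Write-Warning $_ }
}
Write-Host "All rows imported. Remove $CSVFile now that its passwords are held by the service."
```

Deleting the previous run's result files before importing matters: the page's success test is the absence of FailedRows.csv, and a stale copy from an earlier run would otherwise be misread as a failure of this one.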

Sample.csv template fields

The following table describes the template fields in the Sample.csv file. Enter values for each entity type according to the headings designated in the template file. Do not change the template headings; the import functionality requires that the headings match those in the template exactly. The order that you enter entities (Systems, Domains, Databases, and Accounts) into the import file does not affect import functionality.

Template field: What to enter

Entity Type

Enter one of the following entity types:

  • System
  • Domain
  • Database
  • Account

This field is required.

Name

Type the display name of the system, domain or database you want to add.

As illustrated by the examples in the template, you can have multiple lines with the same name. For example, if you are adding more than one account for the same system, list each account as a separate line with the same system name.

This field is required and applies to Systems, Domains, and Databases.

FQDN

Type the fully-qualified domain name or IP address of the System or Database you want to add.

If you are only adding an account for a system that was previously added, you should not specify the FQDN field.

This field is required and applies to Systems and Databases.

Description

Type any descriptive information you want to add for the entity.

This field is optional and applies to Systems, Domains, Databases, and Accounts.

ComputerClass

Specify the type of system you are adding.

You can specify one of the following values for this field:

  • Windows
  • Unix
  • GenericSsh
  • CiscoAsyncOS
  • CiscoIOS
  • CiscoNXOS
  • JuniperJunos
  • HPNonStopOS
  • IBMi
  • CheckPointGaia
  • PaloAltoNetworksPANOS
  • F5NetworksBIGIP
  • VMwareVMkernel

This field is required and applies to Systems.

ProxyUser

Type the name of the “proxy” user for a system. This field is optional and applies to Systems.

  • For more information about the “proxy” user for Windows systems, see the following topic:

Configuring a proxy user for password operations

  • For more information about the “proxy” user for UNIX and Juniper systems, see the following topic:

Specifying a proxy account for root

ProxyUserPassword

Provide the password for the “proxy” user for a system. This field is optional and applies to Systems. Because the value is written in cleartext in the CSV file, restrict access to the file and delete it after a successful import.

  • For more information about the “proxy” user for Windows systems, see the following topic:

Configuring a proxy user for password operations

  • For more information about the “proxy” user for UNIX and Juniper systems, see the following topic:

Specifying a proxy account for root

ProxyUserIsManaged

Specify whether you want to manage the password for the “proxy” user. This field is optional and applies to Systems.

You can specify TRUE if you want the Privileged Access Service to manage the password for the “proxy” account, or FALSE if you want to leave the password unmanaged.

ResourceDomain

Type the name of the domain that the system is joined to. This field is optional and applies to Systems.

ResourceDomainOperationsEnabled

Specify whether you want to use the domain administrative account to enable zone role workflow.

You specify TRUE if you want to use the domain administrative account to enable operations such as zone role workflow, or FALSE if you do not want to use the domain administrative account to enable domain operations.

To enable domain operations for a system, the user running the import must have the Grant permission on that domain; otherwise the row fails to import.

This field is optional and applies to Systems.

ResourceSessionType

Specify whether you want to use secure shell or remote desktop for remote connections. Enter Ssh for secure shell or Rdp for remote desktop. This field is required and applies to Systems.

ResourceSessionTypePort

Enter the port to be used for remote connections. You only need to enter a value if you do not want to use the default port (default port for SSH is 22 and for RDP it is 3389). This field is optional and applies to Systems.

ResourceWindowsManagementMode

For Windows System types, you can choose the management mode used to manage the system.

Enter one of the following management modes:

  • Unknown (equivalent to auto-detect in the Admin Portal)
  • Smb
  • WinRMOverHttp
  • WinRMOverHttps
  • RpcOverTcp
  • Disabled

This field is optional and applies to Systems.

ResourceWindowsManagementPort

For Windows, F5 Networks BIG-IP, and Palo Alto Networks PAN-OS Systems, enter the management port to be used for password management. This field is optional and applies to Systems.

PasswordProfile

Enter a name to add a customized password profile to define the rules applied when managed passwords are generated for systems, domains, or databases. For more information about customizing a password profile, see Configuring password profiles.

This field is optional and applies to Systems, Domains, and Databases.

SetName

Enter a name for system, domain, database, or account sets. Sets are logical groups of a particular type (system, domain, database, or account) to simplify management activity and reporting for entities with attributes in common. To enter more than one set name for an entity, separate the entries by a |. For example, SystemSet1|SystemSet2|SystemSet3.

This field is optional and applies to Systems, Domains, Databases, and Accounts.

DefaultCheckoutTime

Enter a number to specify the length of time (in minutes) that a checked out password is valid. The minimum checkout time is 15 minutes. If no value is specified, the default is 60 minutes. Also see, Setting system‑specific policies.

This field is optional and applies to Systems, Domains, Databases, and Accounts.

AllowRemote

Enter TRUE if you want to allow remote connections from a public network for the system, or FALSE if you do not want to allow remote connections from a public network.

This field is optional and applies to Systems.

ParentEntityTypeOfAccount

Enter the type of entity related to the account (System, Domain or Database).

This field is required and applies to Accounts.

ParentEntityNameOfAccount

Enter the display name of the system, domain or database associated with the account. This field is required and applies to Accounts.

User

Type the user name for an account to be used with Systems, Domains, and Databases. This field is required and applies to Accounts.

Password

Type the password for the account to be used with the system. Because the value is written in cleartext in the CSV file, restrict access to the file and delete it after a successful import.

This field is optional and applies to Accounts.

IsManaged

Specify whether you want to manage the password for the user account you are adding for the system.

You can specify TRUE if you want the Privileged Access Service to manage the password for the account, or FALSE if you want to leave the password unmanaged.

This field is optional and applies to Accounts.

AccountMode

Enter the term Expert to add an expert mode account for Check Point Gaia systems. This field is optional and applies to Systems.

UseProxy

Specify whether you want to add a “proxy” account for the system.

Specify TRUE if you want to use a “proxy” account, or FALSE if you don’t want to add a “proxy” account for the system.

For UNIX and Juniper systems, use this field if your secure shell environment is configured to not allow the root user to access computers remotely using SSH. You can also use this field for Windows systems if you want to use a proxy account for Windows Remote Management (WinRM) connections to a system.

This field is optional and applies to Accounts.

DatabaseServiceType

Specify the type of database you are adding.

Enter one of the following types:

  • SQLServer
  • Oracle
  • SAP Adaptive Server Enterprise (ASE)

This field is required and applies to Databases.

OracleServiceName

For Oracle databases, enter the service name assigned to the Oracle database. Also see, Adding databases.

This field is required for Oracle databases and applies to Databases.

SQLInstanceName

For SQL Server databases, enter the instance name if the database runs in a named instance; leave the field blank for the default instance. Also see, Adding databases.

This field is optional and applies to Databases.

DatabasePort

Specify the port number used to check the status of the database and when updating database passwords.

This field is optional and applies to Databases.

ParentDomain

If a child domain is configured, enter the name of its parent domain.

This field is optional and applies to Domains.

AdministrativeAccount

Enter an account in the format admin@childdomain, admin@mycompany.com or a local account that needs to be set as the administrative account.

This field is optional and applies to Systems and Domains.

AllowAutomaticAccountMaintenance

Specify TRUE to allow out-of-sync passwords to be reset and managed accounts to be unlocked during login or checkout, or FALSE if you do not want to allow it. Requires that an administrative account be defined for the domain.

This field is optional and applies to Domains.

AllowManualAccountUnlock

Specify TRUE to allow users with the Unlock Account permission to manually unlock accounts, or FALSE if you do not want to allow accounts to be manually unlocked. Requires that an administrative account be defined for the domain.

This field is optional and applies to Domains.

AllowMultipleCheckouts

Specify whether multiple users can have the same account password checked out at the same time for a system, domain, or database.

Enter FALSE if only one user is allowed to check out the password at any given time. Enter TRUE if you want to allow multiple users to have the account password checked out at the same time without waiting for the password to be checked in. Also see, Allow multiple password checkouts.

This field is optional and applies to Systems, Domains, and Databases.

AllowPasswordRotation

Specify whether the managed password should be rotated periodically by Privileged Access Service for a system, domain, or database.

Enter TRUE to allow periodic password rotation or FALSE to not allow periodic password rotation.

This field is optional and applies to Systems, Domains, and Databases.

PasswordRotateDuration

Specifies the interval at which managed passwords are automatically rotated.

Enter the maximum number of days to allow between automated password changes for managed system, domain, or database accounts.

This field is optional and applies to Systems, Domains, and Databases.

MinimumPasswordAge

Enter the minimum number of days a managed password must remain in use before it may be rotated again.

This field is optional and applies to Systems, Domains, and Databases.

AllowPasswordHistoryCleanUp

Specify whether retired passwords should be deleted periodically by Privileged Access Service.

Enter TRUE to allow periodic password history cleanup or FALSE to not allow periodic password history cleanup.

This field is optional and applies to Systems, Domains, and Databases.

PasswordHistoryCleanUpDuration

Enter the number of days a retired password is kept before it is deleted.

This field is optional and applies to Systems, Domains, and Databases.