Exporting and Importing User and Group Data
Data from the enaio® security system – user and group data as well as associated workflow information – can be exported and imported. For instance, it is possible to export data from a production system, modify it in a test system, and then import it into the production system.
Export and import processes are carried out as automatic actions. Automatic actions are integrated on the 'Additions' tab. You can then create configurations for the actions and execute them manually using enaio® administrator or at a scheduled time using enaio® start (see 'Setting Up Automatic Actions').
This action does not require additional license keys.
The 'One-time password' property is not part of the data when importing and exporting user data. This property is given to newly imported users if they were enabled in enaio® enterprise-manager beforehand. Existing users will not receive this property. Technical users should not receive this property.
Exporting User and Group Data
To use the 'Export users/groups' action, you will need to add the axacdirectorysync.dll library.
Once this is done, add the action in the Automatic actions dialog and create a configuration.
Configuration Data
A configuration name is entered on the configuration dialog. The name must be unique. Special characters are allowed.
Then specify a path and name to the export file and an optional log file path. The log file is only generated if you have activated the Write log file checkbox. The log file is given the name of the export file with the prefix 'log'. Both files are XML files. The log file includes an XSLT file for the view.
This logging is carried out independently of the logging in the enaio® system.
If you execute a configuration, an export file will be created. If an export file already exists at the given location, it will be overwritten.
Tick the Rename existing export file checkbox to enable it and rename any existing log file by prepending its date of creation as the time stamp rather than replacing it with the new log.
Export Data
Select the data that you want to export in the Export data selection area. All groups, users, and object types will be listed for the assignment from the security system.
Groups and Object Assignments
Select one or all groups that you want to export.
Export data related to groups include the names, descriptions, and profile assignments.
All further data must be explicitly specified for export:
- Groups are assigned to object types. This assignment data will be exported if you mark Object assignments (all).
- Object rights (access rights) are assigned to object types. If you want to export this data, mark Export object rights.
- Object expressions may make object rights dependent on conditions. If you want to export this data, mark the Export object clauses checkbox.
  The spelling of the field names of clauses – database name, internal name, or name in the case of the same language settings – must match the data of a system into which the data will be imported.
- A profile can be assigned to a group. If so, the user data of the assigned profiles can also be exported. To do so, mark Export profile relations of users and groups.
Users and Object Assignments
Select one or all users whose data you want to export.
A user's export data contains the information that was displayed on the User data tab when the user was created. The password is encrypted.
Data related to the assignment of system roles, data on group memberships, and information on whether a user's account is blocked or enabled can also be exported.
- Users whose accounts are disabled will be exported if you mark Export blocked users.
- Users with the 'DMS: Supervisor' system role will only be exported if you mark Export DMS: Supervisor.
- If a profile is assigned to a user, the user data of the assigned profile can also be exported. To do so, mark Export profile relations of users and groups.
- By default, the data related to the users' group memberships contain only group names. Mark Export group memberships of users so that the descriptions and profile assignments of the groups are exported in which the exported users are members.
- Profiles can be assigned to users and to groups. Mark Export profile relations of users and groups to export the user data that is created only as profiles for exported users.
Click OK to confirm the configuration. All data will be saved, and the configuration can be carried out immediately using enaio® administrator or at a scheduled time with enaio® start.
Importing User and Group Data
To use the 'Import users/groups' action, you will need to add the axacdirectorysync.dll library.
Once this is done, add the action in the Automatic actions dialog and create a configuration.
Always back up all of the current user and group data before importing user and group data. Importing data that have been incorrectly configured or modified can lead to violations of data protection regulations.
In case remote user administration areas have been configured, user and group data cannot be imported.
Configuration Data
A configuration name is entered on the configuration dialog. The name must be unique; special characters are possible.
Then, enter the path and the name of the import file. You can specify the naming scheme with the help of placeholders. If you enter a folder name, the import process will check all XML files in the folder.
You can only import user and group data from files which have been created via the 'User and group export' automatic action.
A path for a log file is optional. The log file is only generated if you select the Write log file checkbox. The log file is given the name of the import file with the prefix 'log'. The log file is an XML file and includes an XSLT file for the view.
This logging is carried out independently of the logging in the enaio® system.
Mark Rename import file after processing to add the current date to each import file as a time stamp after import.
Import Data
If you have specified exactly one import file, this data can be shown by pressing the Read import data button in the Import data selection area.
All groups and users available in the import file will then be listed. You can either select all users, all groups, or both depending on whose data you want to import.
If you just enter a folder name or a path syntax using placeholders, you can mark all groups or all users.
Groups
Group data consist of names, descriptions, and profile assignments. They may include object assignments, object rights, and object expressions. Object assignments will always be imported if the objects exist in the import system.
When importing groups:
- Specify whether or not data of existing groups will be updated.
  If you do not select this option, group data will not be imported in the event that a group with the same name exists.
- Specify whether or not object expressions will be imported.
  If object assignments and object rights are imported, the clauses can also be imported. To do this, mark Import object clauses.
  Clauses refer to object fields. If these object fields do not exist in the system, the clauses will not be imported.
  This option must be activated when Active Directory is being synchronized.
- Specify whether object rights will be imported.
  If the import data include object assignments, they will always be imported. Object assignments that do not exist in the system will not be imported. Object rights will not be imported unless you mark Import object rights.
  This option will need to be activated during Active Directory synchronization.
- Specify whether or not the profile relations of groups will be imported.
  A profile can be assigned to groups. If so, the profile user's data will be required. If this data is not available, the profile property of the group to be imported will be deleted in order to avoid inconsistencies.
  If profile user data is part of the import data, you can either choose the respective user when selecting import data or activate the Import profile relations of users and groups option in order to automatically import the data of users who have been defined as a profile for other groups or users.
  If the import data does not contain profile user data, the system checks whether the necessary profile user data is already in the user administration. If so, the profile property will be retained; otherwise, the profile property will be deleted.
Users
User data contains the information that was shown on the User data tab when the user was created as well as the unique GUID of the user. The password is encrypted. Data related to assigned system roles and group memberships will also be imported.
When importing users:
- Specify whether or not data of existing users will be updated.
  If you do not select this option, user data will not be imported in case a user with the same login name already exists.
- Define whether users with the 'DMS: Supervisor' system role will be imported or updated.
- Specify whether or not users whose accounts are blocked will be imported.
  If you do not select this option, only users whose accounts are not blocked will be imported.
  If you import these users, you can enable their accounts by activating the Enable blocked users checkbox.
- Specify whether or not the profile relations of users will be imported.
  A profile can be assigned to users. If so, the profile user's data will be required. If this data is not available, the profile property of the group to be imported will be deleted in order to avoid inconsistencies.
  If profile user data is part of the import data, you can either choose the respective user when selecting import data or activate the Import profile relations of users and groups option in order to automatically import the data of users who have also been defined as profile for other groups or users. The default settings are used for profile assignment, i.e., system roles are overwritten and group memberships added. The default behavior cannot be changed.
  If the import data does not contain profile user data, the system checks whether the necessary profile user data is already in the user administration. If so, the profile property will be retained; otherwise, the profile property will be deleted.
  If a user initially has a profile function in the import system but relinquishes this as the result of an import update, you will need to mark Replace existing profile user. The profile assignments will then be deleted. None of the settings of users to which the profile has been assigned will be lost. Only the user who now has no profile function any more loses the profile function.
  If you do not mark Replace existing profile users, data of profile users is not replaced by the data of user accounts that do not have a profile function.
- Mark Import group memberships of users so that the descriptions and profile assignments of the groups are imported in which the imported users are members.
- When marking Add only unassigned user groups, existing group assignments will not be modified, but unassigned groups will be added to user accounts and groups.
- Specify whether users' workflow information will be imported.
  Unique assignment of users to the workflow organization structure is only possible if the XML file to be imported contains the following information: wf-name, wf-surname, wf-email, wf-login, is-wf-user, wf-organization (name, wf-org-id, wf-user-id), wf-role (name, wf-role-id, wf-org-id). Additional workflow information is added.
  The workflow organization structures and internal IDs of both the source and the target system must be identical in order to import the file. Otherwise, enaio® user data will be imported without workflow information because it is not possible to uniquely assign users to the workflow organization.
  To transfer the workflow organizational structure to the target system, use the export/import feature in enaio® editor-for-workflow.
- Specify whether or not the workflow roles of users will be updated.
  Unlike the Import/update workflow user option, assignments for existing users are not only added but also removed if necessary.
Click OK to confirm the configuration. All data will be saved, and the configuration can be carried out immediately using enaio® administrator or at a scheduled time with enaio® start.
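A pre-import check for the workflow field names listed above, added here as an example and not part of enaio®. The XML layout of the constructed samples is an assumption (the documentation names the fields but not their nesting), so the check accepts each name as either an attribute or a child element.

```python
import xml.etree.ElementTree as ET

# Names come from the documentation text. Whether each is an element or an
# attribute in a real export file is not stated there, so both are accepted.
USER_FIELDS = ["wf-name", "wf-surname", "wf-email", "wf-login", "is-wf-user"]
NESTED_FIELDS = {
    "wf-organization": ["name", "wf-org-id", "wf-user-id"],
    "wf-role": ["name", "wf-role-id", "wf-org-id"],
}

def local(tag):
    """Drop an XML namespace prefix of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]

def names_on(elem):
    """Names carried directly by an element: its attributes and child elements."""
    return {local(a) for a in elem.attrib} | {local(c.tag) for c in elem}

def check_workflow_fields(xml_text):
    """Return a sorted list of problems; an empty list means every name was found."""
    elems = list(ET.fromstring(xml_text).iter())
    seen = {local(e.tag) for e in elems}
    for e in elems:
        seen |= {local(a) for a in e.attrib}
    problems = {f"{f}: not present" for f in USER_FIELDS if f not in seen}
    for parent, required in NESTED_FIELDS.items():
        nodes = [e for e in elems if local(e.tag) == parent]
        if not nodes:
            problems.add(f"{parent}: not present")
        for node in nodes:
            problems |= {f"{parent}: missing {f}" for f in required if f not in names_on(node)}
    return sorted(problems)

# Constructed samples; the element layout is hypothetical.
SAMPLE_OK = """<users><user wf-login="jdoe" wf-name="Jane" wf-surname="Doe"
    wf-email="jdoe@example.invalid" is-wf-user="1">
  <wf-organization name="Sales" wf-org-id="O1" wf-user-id="U1"/>
  <wf-role name="Clerk" wf-role-id="R1" wf-org-id="O1"/>
</user></users>"""
SAMPLE_BAD = """<users><user wf-login="jdoe" wf-name="Jane" wf-surname="Doe"
    is-wf-user="1">
  <wf-organization name="Sales" wf-user-id="U1"/>
  <wf-role name="Clerk" wf-role-id="R1" wf-org-id="O1"/>
</user></users>"""

if __name__ == "__main__":
    print(check_workflow_fields(SAMPLE_OK))
    print(check_workflow_fields(SAMPLE_BAD))
```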
The automatic action 'XSLT directory synchronization' is available for synchronizing data from LDAP-enabled directory services such as Windows Active Directory Services with the enaio® user administration.
enaio® directory-sync is available for synchronization of data from Microsoft Entra ID. enaio® directory-sync is configured as part of an action sequence consisting of 'Export users/groups' and 'Import users/groups'.