User Bulk Load

Scope of the Import Process

Who Participates?

In order to participate in the initial import process, an identity must meet both of these criteria:
  • The identity must be included in the import tables. If your identity information is distributed across several authentication providers or user registries, extract information from each source and then combine the resulting sets of tables into one set of canonical tables.
    To limit the import tables, you can perform these tasks:
    • Define a starting point. For example, when you extract identity information from Active Directory, you specify a Distinguished Name as the starting point. Only identities that exist below that Distinguished Name in the Active Directory hierarchy are extracted.
    • Define filters. For example, when you extract identity information from Active Directory, you can use a filter to extract entries only for people who are members of a particular group.
    • Make manual changes to the import tables.
  • The identity must not already exist in the SAS environment. You can't import an identity that has the same name as an identity that already exists in the metadata.
CAUTION:
Do not delete existing SAS identities in order to include them in an initial import. When you delete a SAS identity, you lose that identity's associations (such as access controls). Creating a new identity with the same name does not restore those associations.
You can incorporate a manually created identity into the synchronization process. To do this, add an external identity on the General tab of that identity's metadata definition.

What Information Is Imported?

The import process can add this information to the metadata:
  • user, group, and role definitions with names, display names, descriptions, and membership information
  • job titles, contact information, and personal logins for users
    Note: In most cases, passwords are not added to the metadata because they typically can't be extracted from an authentication provider. If passwords are present in the extracted data, they are loaded into the metadata. It usually isn't necessary to include passwords in logins.
    Note: Synchronization can process logins for groups, but the initial import process does not support this.
  • authentication domains
These constraints apply to the initial import:
  • When combined with information that already exists in the metadata, the input data must meet uniqueness requirements. For example, you can't import an identity that has the same name as an identity that already exists in the metadata.
  • In order to import a user, group, or role, only a name and one external identity value (keyid) are required. However, each user should also have at least one login in order to establish an individual SAS identity.
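
A pre-import check for the constraints above, as an added example that is not part of the SAS sample code: it takes user and login rows already merged from several sources and reports name collisions, missing name or keyid values, users without a login, and logins that still carry a password. The row layout (keyid, name, userid, password), the function names, and the sample values are assumptions constructed for illustration; names are compared case-insensitively as a conservative choice.

```python
from collections import Counter

def precheck(users, logins, existing_names):
    """Check merged import rows; return sorted (severity, subject, problem) tuples."""
    findings = []
    # Conservative assumption: compare identity names case-insensitively.
    existing = {n.casefold() for n in existing_names}
    names = Counter(u["name"].casefold() for u in users if u.get("name"))
    with_login = {l["keyid"] for l in logins}

    for u in users:
        name, keyid = u.get("name"), u.get("keyid")
        if not name or not keyid:
            findings.append(("error", name or keyid or "?", "name and keyid are required"))
            continue
        if name.casefold() in existing:
            findings.append(("error", name, "name already exists in the metadata"))
        if names[name.casefold()] > 1:
            findings.append(("error", name, "name occurs more than once in the import tables"))
        if keyid not in with_login:
            findings.append(("warn", name, "no login, so no individual SAS identity"))
    for l in logins:
        if l.get("password"):
            findings.append(("warn", l["userid"], "password present and would be loaded"))
    return sorted(set(findings))

def strip_passwords(logins):
    """Return copies of the login rows with the password value blanked."""
    return [{**l, "password": ""} for l in logins]

# Constructed sample rows, as if merged from two directory extracts.
USERS = [
    {"keyid": "ad-1001", "name": "jsmith"},
    {"keyid": "ldap-77", "name": "JSmith"},   # same person from a second source
    {"keyid": "ad-1002", "name": "etladmin"}, # name already in the metadata
    {"keyid": "ad-1003", "name": "mlee"},     # no login row
    {"keyid": "", "name": "orphan"},          # missing keyid
]
LOGINS = [
    {"keyid": "ad-1001", "userid": "CORP\\jsmith", "password": ""},
    {"keyid": "ldap-77", "userid": "jsmith", "password": "s3cret"},
    {"keyid": "ad-1002", "userid": "CORP\\etladmin", "password": ""},
]
EXISTING = ["etladmin", "reportsvc"]  # constructed list of names already defined

if __name__ == "__main__":
    for finding in precheck(USERS, LOGINS, EXISTING):
        print(*finding, sep=" | ")
```

Resolve every error before you submit the import code, and pass the login rows through strip_passwords unless you have a specific reason to store passwords in logins.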

How to Import Identities

Note: It is a good practice to run a backup before you perform an import.
To import identity information:
  1. Locate the sample code that best fits your external identity source.
  2. Decide which attributes you want to add to the metadata. For each attribute, identify a corresponding field in your authentication provider.
  3. In the SAS Program Editor, adapt the sample code. The comments in the sample code provide essential details.
  4. Submit the code and review the log.
  5. In the User Manager plug-in in SAS Management Console, verify that new identities exist. On the General tab of an imported user, group, or role, select External Identities. You should see an external identity value that matches the identity's keyid in the import tables.
  6. Save a copy of your import program for inclusion in your synchronization program.