User Import Macros
Scope of the Import Process
In order to participate in the initial import process, an identity must meet both of these criteria:
- The identity must be included in the import tables. If your identity information is distributed across several authentication providers or user registries, extract information from each source and then combine the resulting sets of tables into one set of canonical tables.
  To limit the import tables, you can perform these tasks:
  - Define a starting point. For example, when you extract identity information from Active Directory, you specify a Distinguished Name as the starting point. Only identities that exist below that Distinguished Name in the Active Directory hierarchy are extracted.
  - Define filters. For example, when you extract identity information from Active Directory, you can use a filter to extract entries only for people who are members of a particular group.
  - Make manual changes to the import tables.
- The identity must not already exist in the SAS environment. You can't import an identity that has the same name as an identity that already exists in the metadata.
  You can incorporate a manually created identity into the synchronization process. To do this, add an external identity on the General tab of that identity's metadata definition. See External Identities.
The import process can add this information to the metadata:
- user, group, and role definitions with names, display names, descriptions, and membership information
- job titles, contact information, and personal logins for users
  Note: In most cases, passwords are not added to the metadata because they typically can't be extracted from an authentication provider. If passwords are present in the extracted data, they are loaded into the metadata. It usually isn't necessary to include passwords in logins.
  Note: Synchronization can process logins for groups. The initial import process does not support these tasks.
- authentication domains
These constraints apply to the initial import:
- When combined with information that already exists in the metadata, the input data must meet uniqueness requirements. For example, you can't import an identity that has the same name as an identity that already exists in the metadata. See Unique Names and IDs.
- To import a user, group, or role, only a name and one external identity value (keyid) are required. However, each user should also have at least one login in order to establish an individual SAS identity. See Authentication to the Metadata Server. Windows user IDs must be qualified. See User ID Formats.
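These constraints can be checked on the extracted rows before anything is loaded. The Python check below is an added example, not part of the SAS sample code: it flags missing names or keyids, name collisions with existing metadata, users without a login, password-bearing login rows, and unqualified Windows user IDs. The row layout (the kind, userid, authdomain, and password columns), the qualified-ID pattern, and case-insensitive name matching are assumptions.

```python
import re

# Assumption: a qualified Windows ID is DOMAIN\user or user@domain.
QUALIFIED = re.compile(r"[^\\@\s]+[\\@][^\\@\s]+")

def check_import(identities, logins, existing_names, windows_domains=()):
    """Return (keyid, problem) tuples; an empty list means no findings."""
    problems = []
    # Assumption: name comparison is case-insensitive (the stricter choice).
    taken = {n.casefold() for n in existing_names}
    seen_names, seen_keyids, by_key = set(), set(), {}
    for lg in logins:
        by_key.setdefault(lg["keyid"], []).append(lg)
    for ident in identities:
        keyid = (ident.get("keyid") or "").strip()
        name = (ident.get("name") or "").strip()
        if not keyid or not name:  # both are required for any identity
            problems.append((keyid or "?", "missing name or keyid"))
            continue
        folded = name.casefold()
        if folded in taken:
            problems.append((keyid, "name already exists in metadata"))
        if folded in seen_names or keyid in seen_keyids:
            problems.append((keyid, "duplicate name or keyid in import tables"))
        seen_names.add(folded)
        seen_keyids.add(keyid)
        own = by_key.get(keyid, [])
        if ident.get("kind") == "user" and not own:
            problems.append((keyid, "user has no login"))
        for lg in own:
            if lg.get("password"):  # would be loaded into the metadata
                problems.append((keyid, "login row carries a password"))
            if lg["authdomain"] in windows_domains and not QUALIFIED.fullmatch(lg["userid"]):
                problems.append((keyid, "unqualified Windows user ID"))
    return problems

# Constructed sample rows; column names other than keyid and name are hypothetical.
SAMPLE_IDENTITIES = [
    {"keyid": "U1", "name": "Ana Ruiz", "kind": "user"},
    {"keyid": "U2", "name": "sasadm", "kind": "user"},
    {"keyid": "G1", "name": "Analysts", "kind": "group"},
    {"keyid": "", "name": "No Key", "kind": "user"},
]
SAMPLE_LOGINS = [
    {"keyid": "U1", "userid": "aruiz", "authdomain": "WinAuth", "password": ""},
]
if __name__ == "__main__":
    for finding in check_import(SAMPLE_IDENTITIES, SAMPLE_LOGINS, ["SASAdm"], {"WinAuth"}):
        print(finding)
```
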
How to Import Identities
Note: It is a good practice to run a backup before you perform an import.
To import identity information:
1. Locate the sample code that best fits your external identity source.
   - For import from Active Directory, see About the Sample Code for Active Directory Import.
   - For import from UNIX /etc/passwd files, see About the Sample Code for UNIX /etc/passwd Import.
   - For other formats, the first step is to figure out how to extract the data from your authentication provider. If you have LDAP, you might be able to modify the Active Directory sample for your purposes. Otherwise, use the %MDUIMPC macro to create empty canonical tables, and then use DATA steps to extract the information and insert it into those tables. See Sample Code for Generic File Import.
2. Decide which attributes you want to add to the metadata. For each attribute, identify a corresponding field in your authentication provider.
3. In the SAS Program Editor, adapt the sample code. The comments in the sample code provide essential details.
4. Submit the code and review the log.
5. In the User Manager plug-in in SAS Management Console, verify that new identities exist. On the General tab of an imported user, group, or role, select External Identities. You should see an external identity value that matches the identity's keyid in the import tables.
6. Save a copy of your import program for inclusion in your synchronization program.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.