My question is in the subject: How can I copy my PROD ISIM data to my TEST or DEV environment?

I found this extremely helpful post: https://idmdepot.com/How_To/IBM_Security_Identity_Manager_How_To.html , but it doesn't talk about the transactional database (ITIMDB) at all. Is there anything in the transactional database that needs to be copied over? Or is there a different set of documented steps out there for this task?

My customer is on ISIM V10.0 (working on upgrading, but that's the current version) on RHEL Linux 8.10.

Frank

Hello, 

If you want to copy provisioning policies, account profiles , you can export and import via jar. Your ldap base point and organization names should be the same in these situations. ( for example dc=com, O=organization, ou=short name etc. ) I suggest installing profiles from jar and never overwriting them again to be safe. You can transfer workflows, policies, operations, LCR.. ITIM views are not exported and ITIM groups may fail because of that. Just check and re-import in most cases. 

Access Configurations have to be exported manually into csv , however that doesn't export/import assigned workflows and some settings. (I just recently wrote some custom AL for that, gonna make an IDEA request) 

You can copy/transfer , user data via ldif export import, SDI AL (LDAP -> TIMDSMLv2) . If you used same encrpyption password setting up ISIM that would be ok. Even passwords will work. For target data, you should reconcile from TEST or DEV anyway. 

ITIMDB is not mentioned because, as far as i know, it only holds reconciliation schedules/filters when it comes to configuration. Everything else is just the data you saw in view all requests, (pending jobs, LCR, reports)  which you won't want and won't work/mean anything in different environment anyway. So you can start with an empty ITIMDB but populate LDAP with all above. That's what we usually do when moving from TEST -> PROD so reverse should be OK too.

Hope this helps. 

My question is in the subject: How can I copy my PROD ISIM data to my TEST or DEV environment?

I found this extremely helpful post: https://idmdepot.com/How_To/IBM_Security_Identity_Manager_How_To.html , but it doesn't talk about the transactional database (ITIMDB) at all. Is there anything in the transactional database that needs to be copied over? Or is there a different set of documented steps out there for this task?

My customer is on ISIM V10.0 (working on upgrading, but that's the current version) on RHEL Linux 8.10.

Frank

Thanks for the reply, Ali. The encryption keys are absolutely the same, so LDAP is easy - db2ldif and bulkload will get everything there.

And thank you for letting me know that you believe ITIMDB just stores reconciliation and process data. That's what it looks like to me, but I want to be certain before trying to do this.

I don't understand the point you made about Access Configurations. What do you mean by "Access Configurations have to be exported manually into csv"? Is that information not in LDAP?

Hello, 

If you want to copy provisioning policies, account profiles , you can export and import via jar. Your ldap base point and organization names should be the same in these situations. ( for example dc=com, O=organization, ou=short name etc. ) I suggest installing profiles from jar and never overwriting them again to be safe. You can transfer workflows, policies, operations, LCR.. ITIM views are not exported and ITIM groups may fail because of that. Just check and re-import in most cases. 

Access Configurations have to be exported manually into csv , however that doesn't export/import assigned workflows and some settings. (I just recently wrote some custom AL for that, gonna make an IDEA request) 

You can copy/transfer , user data via ldif export import, SDI AL (LDAP -> TIMDSMLv2) . If you used same encrpyption password setting up ISIM that would be ok. Even passwords will work. For target data, you should reconcile from TEST or DEV anyway. 

ITIMDB is not mentioned because, as far as i know, it only holds reconciliation schedules/filters when it comes to configuration. Everything else is just the data you saw in view all requests, (pending jobs, LCR, reports)  which you won't want and won't work/mean anything in different environment anyway. So you can start with an empty ITIMDB but populate LDAP with all above. That's what we usually do when moving from TEST -> PROD so reverse should be OK too.

Hope this helps. 

My question is in the subject: How can I copy my PROD ISIM data to my TEST or DEV environment?

I found this extremely helpful post: https://idmdepot.com/How_To/IBM_Security_Identity_Manager_How_To.html , but it doesn't talk about the transactional database (ITIMDB) at all. Is there anything in the transactional database that needs to be copied over? Or is there a different set of documented steps out there for this task?

My customer is on ISIM V10.0 (working on upgrading, but that's the current version) on RHEL Linux 8.10.

Frank

There is more than audit data and schedules - most of the items added in 5.0 anad 5.1 are storing the data in the RDBMS (e.g. role hierarchies - now role compositions, Role assignment attributes, SoD and recertification policies).

So be careful - do not expect things to be simple ;-) 

On the roadmap it is planned to deliver REST APIs for all Configuration Items - we are not yet there and I do not know the actual time plans - but that will facilitate building Version Control interfaces so that all CIs can be externalized there.

HTH 

Thanks for the reply, Ali. The encryption keys are absolutely the same, so LDAP is easy - db2ldif and bulkload will get everything there.

And thank you for letting me know that you believe ITIMDB just stores reconciliation and process data. That's what it looks like to me, but I want to be certain before trying to do this.

I don't understand the point you made about Access Configurations. What do you mean by "Access Configurations have to be exported manually into csv"? Is that information not in LDAP?

Hello, 

If you want to copy provisioning policies, account profiles , you can export and import via jar. Your ldap base point and organization names should be the same in these situations. ( for example dc=com, O=organization, ou=short name etc. ) I suggest installing profiles from jar and never overwriting them again to be safe. You can transfer workflows, policies, operations, LCR.. ITIM views are not exported and ITIM groups may fail because of that. Just check and re-import in most cases. 

Access Configurations have to be exported manually into csv , however that doesn't export/import assigned workflows and some settings. (I just recently wrote some custom AL for that, gonna make an IDEA request) 

You can copy/transfer , user data via ldif export import, SDI AL (LDAP -> TIMDSMLv2) . If you used same encrpyption password setting up ISIM that would be ok. Even passwords will work. For target data, you should reconcile from TEST or DEV anyway. 

ITIMDB is not mentioned because, as far as i know, it only holds reconciliation schedules/filters when it comes to configuration. Everything else is just the data you saw in view all requests, (pending jobs, LCR, reports)  which you won't want and won't work/mean anything in different environment anyway. So you can start with an empty ITIMDB but populate LDAP with all above. That's what we usually do when moving from TEST -> PROD so reverse should be OK too.

Hope this helps. 

My question is in the subject: How can I copy my PROD ISIM data to my TEST or DEV environment?

I found this extremely helpful post: https://idmdepot.com/How_To/IBM_Security_Identity_Manager_How_To.html , but it doesn't talk about the transactional database (ITIMDB) at all. Is there anything in the transactional database that needs to be copied over? Or is there a different set of documented steps out there for this task?

My customer is on ISIM V10.0 (working on upgrading, but that's the current version) on RHEL Linux 8.10.

Frank