Migrating using export_data_components.py

The export_data_components.py script exports product configurations as components and an environment file. The resulting data components and an environment file can be applied to a different instance.

This section shows you how to export current configurations into components and environment files using the export_data_components.py script.

This is supported only for components from the same major+minor release.

Warning

Consult with support@bravurasecurity.com before using this script.

Preparation

Set up the configuration export command-line program

The configuration export program (export_data_components.py) is a Python executable script located in the script directory. To run it from the command line, you need to configure several environment variables. To do this:

  1. Launch a command prompt as an Administrator and navigate to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ directory.

  2. Run the command:

    instance.bat
  3. Navigate to the script directory.

    You should now be able to run the configuration export program. Ensure that you always run it as an Administrator.

Prepare an export folder

You should create a temporary folder, for example, c:\temp\export, to export files. Ensure that script users have write permission.

Export configurations

The export option is used to export all the configurations since the installation of the product. It will generate an environment file that contains all the changes that have occurred in the installed components. It will also generate data components for all other configurations.

export_data_components.py export

The output type can also be specified with the output option.

export_data_components.py --output env export

Example: Export account attributes

Often during component-based configuration migration, it's required to export account attribute override changes. Bravura Security Fabric version 12 introduced a number of changes, such as to component Types.

To export account attributes:

  1. Prepare your command-line environment.

  2. Export all ObjectAttrs:

    "C:\Program Files\Bravura Security\Bravura Security Fabric\<instance>\script\export_data_components.py" --dir c:\temp\AcctAttrs --output component export --type ObjectAttr
  3. Find the relevant json and manifest files by searching in the export for the relevant attribute names.

    For example, in a bash window opened in c:\temp\AcctAttrs\Data\:

    $ grep -r lastLogoff *
    objectattr_00a74f927a3c4367a2ed88c108a03a7f/config.json: "attrkey": "lastLogoff",
    objectattr_b6c58ea86bd44ea2abb16a18f5ba8fa7/config.json: "attrkey": "lastLogoff",
  4. Collect all Custom attribute components from the export, and clear out (delete) the rest of the Data directory, or datestamp the name of the Data directory and keep it for later reference or for bulk comparisons/diffs.

  5. If the override is changed later, edit the .json file manually or perform the export update on it:

    "C:\Program Files\Bravura Security\Bravura Security Fabric\<instance>\script\export_data_components.py" --dir c:\temp\AcctAttrs --output component export --comparison_set c:\temp\AcctAttrs\custom_pam_2022-10-26.json --type ObjectAttr

Notes:

  • AccountAttr Data component Type is deprecated and exists only for legacy compatibility.

  • From version 12.0.0+, AccountAttrs export as ObjectAttrs.

  • There are currently three types of listed objects: "ATTR", "GRP" and "COMP", for account, group and computer, respectively.

  • ObjectAttrs also exports the "Attribute" Data type, which is for profile attributes.

  • Bravura Security highly recommends using comparison sets (step 5) on an already existing JSON Data file that is pre-exported or manually created (instead of using --ignore_filesystem).

  • As demonstrated in step 2 above, ObjectAttrs are over-exported due to not being able to detect changes against legacy (pre-12.0.0 AccountAttr) components.

Failure to export AccountAttr Data Type

While importing legacy AccountAttr Type Data components will succeed, attempting to export them will fail:

"C:\Program Files\Bravura Security\Bravura Security Fabric\<instance>\script\export_data_components.py" --dir c:\temp\AcctAttrs --output component export --ignore_filesystem --type AccountAttr
ERROR: AccountAttr does not support direct listing

Example config.json for the ObjectAttr Data Type

Use Prerequisites for the target, targets or target type (also known as "platform") where the attribute is to be overridden.

{
  "Prerequisites": [
    {
      "Reference": {
        "id": "AD"
      },
      "Type": "Target"
    }
  ],
  "Fields": {
    "attrkey": "SOME_ATTR",
    "attrtype": "S",
    "chgboost": false,
    "copy": true,
    "createaction": "S",
    "discoveredtype": "ACCT",
    "encoding": "N",
    "grpno": 0,
    "guid": "778dac0d-52f7-4392-98f7-01a2121d5dbb",
    "ignore": true,
    "listattr": true,
    "makediffs": true,
    "maxvalues": 1,
    "minvalues": 0,
    "override": 2,
    "platformid": "AD",
    "priority": 50,
    "profileattr": "DESC_APP",
    "replace": true,
    "seqno": 0,
    "set": true,
    "setuserattr": true,
    "structid": "",
    "targetid": "AD",
    "updateaction": "S"
  },
  "Type": "ObjectAttr"
}
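
Added example (not part of the Bravura Security documentation or product code): a Python alternative to the grep in step 3 of the account attributes export, which parses each config.json and shows which target each match overrides, something the grep output alone does not reveal. It assumes the Data\<component>\config.json layout and the field names shown above; the sample tree, its field values and the helper names are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def find_object_attrs(data_dir, attrkey, targetid=None):
    """Return (matches, unreadable) for ObjectAttr components with this attrkey.
    Assumes the layout seen in the grep output: <data_dir>/<component>/config.json."""
    matches, unreadable = [], []
    for cfg_path in sorted(Path(data_dir).glob("*/config.json")):
        try:
            cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
            fields = cfg["Fields"]
        except (OSError, ValueError, KeyError, TypeError):
            unreadable.append(cfg_path.parent.name)  # report, do not skip silently
            continue
        if cfg.get("Type") != "ObjectAttr" or fields.get("attrkey") != attrkey:
            continue
        if targetid is not None and fields.get("targetid") != targetid:
            continue
        # Targets named in Prerequisites, as in the example config.json
        prereqs = [p.get("Reference", {}).get("id")
                   for p in cfg.get("Prerequisites", []) if p.get("Type") == "Target"]
        matches.append({"component": cfg_path.parent.name,
                        "targetid": fields.get("targetid"),
                        "override": fields.get("override"),
                        "prereq_targets": prereqs})
    return matches, unreadable


def build_sample_export(root):
    """Write a constructed export tree; all field values are illustrative."""
    samples = {"objectattr_00a74f927a3c4367a2ed88c108a03a7f": ("lastLogoff", "AD"),
               "objectattr_b6c58ea86bd44ea2abb16a18f5ba8fa7": ("lastLogoff", "HRAPP"),
               "objectattr_constructed_other": ("SOME_ATTR", "AD")}
    for name, (key, target) in samples.items():
        cfg = {"Type": "ObjectAttr",
               "Prerequisites": [{"Reference": {"id": target}, "Type": "Target"}],
               "Fields": {"attrkey": key, "targetid": target, "override": 2}}
        (Path(root) / name).mkdir(parents=True)
        (Path(root) / name / "config.json").write_text(json.dumps(cfg), encoding="utf-8")
    bad = Path(root) / "objectattr_constructed_bad"  # deliberately malformed JSON
    bad.mkdir()
    (bad / "config.json").write_text("{", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_export(tmp)
        print(find_object_attrs(tmp, "lastLogoff"))
```

Components listed as unreadable should be inspected by hand before the export is applied to another instance.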

Export configurations to components

The export option can also be used to export a complete set of components which includes installed components, with updated configuration settings, and components for all other configurations.

To create data components of the configuration changes, specify the output option to component.

export_data_components.py --output component export

Examples:

To export all configuration objects (this may take a while; you should only run this command if you do not know what the export type is):

script\export_data_components.py --output component --dir export export --ignore_filesystem

To export attribute configuration:

script\export_data_components.py --output component --dir "export" export --type Attribute --ignore_filesystem

To export target configuration:

script\export_data_components.py --output component --dir "export" export --type Target --ignore_filesystem

To export system variables:

script\export_data_components.py --dir export --output both export --type SysVar

To export question sets:

script\export_data_components.py --dir export --output both export --type QuestionSet

To export HRAPP target:

script\export_data_components.py --dir export --output both export --type ObjectAttr --field targetid=HRAPP

To export AD target account attributes:

script\export_data_components.py --dir export --output both export --type ObjectAttr --field targetid=AD

Export to a specific directory

A specific location can be specified for the script to export to. The default is the instance directory. The following will export to the specified folder. If the folder does not exist, it will create it.

export_data_components.py --dir c:\Temp export

Additional export options

The script can filter the results using the following options.

  • --audit: Try to calculate changes from the audit table.

  • --comparison_set: A json configuration to compare product configuration against. You can generate complete comparison sets using product_json mode.

  • --ignore_filesystem: Ignore existing components in component\Default and component\Custom.

  • --type: The idmconfig Type of the desired object. If none is given, all types will be searched.

  • --field: Key/Value pair of form: key=value. Specify a single key/value pair to match against. Can be specified multiple times.

  • --user or --not_user: Specify audit user(s) to search or filter out configs for.

  • --module or --not_module: Specify audit module(s) to search or filter out configs for.

  • --start_time: A start time to search for configs from. The format is SQL format YYYY-MM-DD hh:mm:ss.

  • --end_time: An end time to search for configs to. The format is SQL format YYYY-MM-DD hh:mm:ss.

Encrypted fields

The script will not decrypt encrypted fields in the component configurations. When moving components to a new environment, the script can be used to ensure the encryption is valid. If the script determines that the encrypted fields are not valid, it will allow the user to update the fields.

To use this option, copy the new components into the Custom directory of the new environment. To validate the encrypted fields, specify the check_encrypted option.

export_data_components.py check_encrypted

Product configuration dump

The script can output a complete product configuration into a single json file. This json configuration can be used when exporting with the comparison_set option.

export_data_components.py product_json