Is it possible to export all existing UIM users and their Roles and Permissions (ACL)?
• There is currently no supported method to export and import users between systems in UIM.
There are multiple dependencies on the tables that are automatically created when adding users or contact/accounts and these cannot be copied/pasted over.
• However, if needed, it is possible to extract the information about the UIM users and Accounts manually:
There are different concepts of Users in UIM and different places where "permissions" (ACLs) are kept.
1. Regular UIM users (Real Nimbus Users). These are created in IM, are admin users, are stored in security.cfg (hub folder) and are synced with all other hubs.
Example of a security.cfg with the original Administrator and 1 User called testUser with the ACL Operator (the user blocks are shown as the sections they appear in):
   <administrator>
      permission = super
      fullname = administrator
      profile = default
      password = $1$SY0cCpzO$Rn7K0wUxxxxxol5ACZMC1
      description = Initially created user with full privileges
   </administrator>
   <testUser>
      password = $1$nyeJOsZP$Zj63tWixxxxxxQPqCJu/
      profile = default
      acl = Operator
   </testUser>
The ACLs, and the permissions each of them grants, are in security.cfg in the section:
Note about ACLs:
There are 2 places to create or modify ACLs: IM or Account Admin (OC web application).
When creating an ACL via IM, it is written to security.cfg.
When creating it via the Account Admin portlet in OC, it is written to the UIM database, to the table CM_ACCOUNT_ACLS, which then replicates to security.cfg.
IM reads from security.cfg to see the ACLs, while Account Admin reads from CM_ACCOUNT_ACLS.
So the 2 places can show 2 different sets of ACLs: security.cfg shows ALL the ACLs in UIM, while Account Admin only shows the ACLs created in Account Admin***
***Nevertheless, it is possible to sync all ACLs by enabling the options described in the KB: Some ACLs from IM are not visible in Account Admin in OC (broadcom.com)
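As an added example (not part of this article), the manual extraction of point 1 can be scripted: the parser below reads the key = value / <section> syntax assumed for security.cfg, lists every user under an assumed <users> section with its acl and permission, and leaves the password hashes out of the export. The sample input is constructed from the excerpt above.

```python
from typing import Dict, List

# Constructed sample modelled on the security.cfg excerpt in this article; the
# <users> wrapper is assumed and the hashes are the redacted values shown there.
SAMPLE_SECURITY_CFG = """\
<users>
   <administrator>
      permission = super
      fullname = administrator
      profile = default
      password = $1$SY0cCpzO$Rn7K0wUxxxxxol5ACZMC1
      description = Initially created user with full privileges
   </administrator>
   <testUser>
      password = $1$nyeJOsZP$Zj63tWixxxxxxQPqCJu/
      profile = default
      acl = Operator
   </testUser>
</users>
"""

def parse_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each slash-joined section path to its key = value pairs (assumed cfg syntax)."""
    sections: Dict[str, Dict[str, str]] = {}
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("</"):                      # closing tag must match the open one
            if not path or path[-1] != line[2:-1]:
                raise ValueError(f"unbalanced section close: {line}")
            path.pop()
        elif line.startswith("<"):                     # opening tag starts a nested section
            path.append(line[1:-1])
            sections.setdefault("/".join(path), {})
        elif "=" in line:
            key, _, value = line.partition("=")        # split on the first '=' only
            sections.setdefault("/".join(path), {})[key.strip()] = value.strip()
    if path:
        raise ValueError(f"unterminated sections: {path}")
    return sections

def export_users(text: str) -> List[Dict[str, str]]:
    """One row per direct child of <users>; the password hash is deliberately left out."""
    rows = []
    for name, keys in parse_cfg(text).items():
        parts = name.split("/")
        if len(parts) == 2 and parts[0] == "users":
            rows.append({"user": parts[1], "acl": keys.get("acl", ""),
                         "permission": keys.get("permission", ""), "profile": keys.get("profile", "")})
    return rows
```

Users with permission = super and no acl (like administrator) show up with an empty acl column, which is a useful thing to review before any migration.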
2. Account/Contact Users. These are intended to be users of OC only and are stored in the database in the table:
3. LDAP Users. LDAP users can be considered Regular Real Nimbus Users. However, if the ACL assigned to the LDAP Group also has an "Account Link" defined in Account Admin, they are considered Contact/Account users (see HOW TO Add or Modify Users with Account Admin (broadcom.com)). LDAP users are not stored anywhere in UIM when they only log in to Infrastructure Manager: when an LDAP user logs in to IM, the hub queries the LDAP server and, when the user is found, authenticates them based on the ACL assigned to the group they belong to. Therefore they are not "stored". However, they are stored in the DB if they log in to OC at least once (see point 4).
4. Another "place" to find a list of users in UIM is the former "Liferay user" list in the DB, which in UIM 20.3 and later is the CM_USER table. When a UIM user, an Account/Contact user or an LDAP user (account linked or not) logs in to OC for the first time, an entry is created in this table.