A Beginner’s Guide to the ETAUTIL ADD Command Line Function

Article By: Adarian Dunmeyer

The Provisioning Server is the LDAP server that manages the additional accounts assigned to an Identity Manager user. It also contains the provisioning roles and account templates that create and manage global users across Identity Manager to endpoint accounts. ETAUTIL is a command line utility that lets users run commands directly against the Provisioning Server, performing functions without the Provisioning Manager user interface. Below is a basic instructional guide to the ETAUTIL ADD command line function.

Need to Know

  • Global Users are the users stored in the Provisioning Manager that are associated with Identity Manager users in the corporate user store.
  • Endpoints are the endpoint programs and applications that are managed by the Provisioning Server, such as Active Directory, Oracle, Amazon AWS, etc.
  • Account Templates are the objects that are given to global users to define the accounts that exist in managed endpoints.
  • Provisioning Roles can comprise more than one Account Template and can be given to a global user to create and manage multiple endpoint accounts for the user.
  • There are two ways that the Provisioning Server creates and maintains relationships between these objects: Non-Inclusion Object Associations and Inclusion Object Associations. For more information on this topic, see the Beginner’s Guide to Provisioning Server Object Associations (Inclusions).
  • ETAUTIL has several operations that aid in maintaining the properties and inclusions for Provisioning Manager objects: ADD, COPY/COPYALL, DELETE, EXPLORE, MASSCHANGE, REPORT, UPDATE.
  • The ADD command creates an inclusion between Provisioning Objects and is how the relationships are established in the Provisioning Server.
  • The syntax prefix for the ADD command is one of the following:
    • etautil [-d domain] [-u user [-p password]] -o add
    • etautil [-d domain] [-u user [-p password]] -DYN -o add
  • -d domain: Specifies the name of the provisioning domain. The default domain is “im”.
  • -u user: Specifies the global username for authentication.
  • -p password: Specifies the password of the named global user for authentication.
  • -o: Prints the operation out to the command prompt.
  • The -DYN command is for Dynamic endpoints and account templates that may not have native integration into the Provisioning Server.
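Because the prefix above takes the global user's password as a `-p` argument, that value lands in shell history and process command-line audit records. The following added example (not part of the original article) scans such records for etautil invocations and redacts the value after `-p`; the sample lines, the `etaadmin` user and the function names are constructed for illustration.

```python
import shlex

# Constructed sample records (shell history / process-creation audit lines).
SAMPLE_LINES = [
    'etautil -d im -u etaadmin -p "S3cret Pass!" -o add',
    'etautil -d im -u etaadmin -DYN -o add',
    './etautil -u etaadmin -p Winter2024 -DYN -o add',
    'ldapsearch -p 20389 -b dc=im',  # -p is a port here, not an etautil password
]

FLAGS_WITH_VALUE = {"-d", "-u", "-p"}  # options that take a value in the article's prefix


def is_etautil(token):
    """True if the executable name is etautil (any path, optional .exe)."""
    name = token.rsplit("/", 1)[-1].lower()
    return name in ("etautil", "etautil.exe")


def redact(line):
    """Return (redacted_line, exposed) for one command-line record."""
    try:
        tokens = shlex.split(line)
    except ValueError:
        # Unbalanced quotes: withhold the whole record if it mentions etautil.
        if "etautil" in line.lower():
            return "[unparseable etautil record withheld]", True
        return line, False
    if not tokens or not is_etautil(tokens[0]):
        return line, False
    out, exposed, i = [tokens[0]], False, 1
    # Only the option prefix is inspected; parsing stops at the first
    # non-option token (the operation and its arguments).
    while i < len(tokens) and tokens[i].startswith("-"):
        flag = tokens[i]
        out.append(flag)
        if flag in FLAGS_WITH_VALUE and i + 1 < len(tokens):
            i += 1
            if flag == "-p":
                out.append("REDACTED")
                exposed = True
            else:
                out.append(tokens[i])
        i += 1
    out.extend(tokens[i:])
    return " ".join(shlex.quote(t) for t in out), exposed


def scan(lines):
    """Return [(line_number, redacted_line)] for records that expose a password."""
    results = [(n, *redact(line)) for n, line in enumerate(lines, 1)]
    return [(n, red) for n, red, exposed in results if exposed]
```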

Instructions

Task 1 – Adding Provisioning Roles to Users

Global Users exist in the container ‘eTGlobalUserContainerName=Global Users’ and Provisioning Roles exist in the container ‘eTRoleContainerName=Roles’, both under the parent container ‘eTNamespaceName=CommonObjects’ in the DIT structure of the Provisioning Server.

Using the previously mentioned etautil prefix, an example of adding a provisioning role to a user would be the following:

Run in the command interface, this is the result:

Task 2 – Adding Account Templates to Provisioning Roles

As stated in Task 1, Provisioning Roles exist in the container ‘eTRoleContainerName=Roles’. Account Templates are organized by endpoint type and are referred to as Policies inside the Provisioning Server. For example, Active Directory Account Templates exist under ‘eTADSPolicyContainerName=Active Directory Policies’ inside CommonObjects; Unix v2 Account Templates exist under ‘eTDYNPolicyContainerName=DYN Policies,eTNamespaceName=UNIX v2’.

Active Directory:

Unix:

Note: Not every endpoint type will be covered in this guide. Please look forward to more information on how to run ETAUTIL commands for each Endpoint Type.

Using the previously mentioned etautil prefix, an example of adding an account template to a provisioning role would be the following:

Active Directory:

Unix:

Run in the command interface, this is the result: 

Active Directory:

Unix:

Task 3 – Adding Endpoints to Account Templates

As stated in Task 2, Account Templates are organized by endpoint type and are referred to as Policies inside the Provisioning Server. While Account Templates exist under the CommonObjects OU, Endpoints are located at the root of the DIT structure. For example, Active Directory Endpoints exist under ‘eTNamespaceName=ActiveDirectory’ and Unix v2 Endpoints exist under ‘eTNamespaceName=UNIX v2’.

Note: Not every endpoint type will be covered in this guide. Please look forward to more information on how to run ETAUTIL commands for each Endpoint Type.

Using the previously mentioned etautil prefix, an example of adding an endpoint to an account template would be the following:

Active Directory:

Unix:

Run in the command interface, this is the result: 

Active Directory:

Unix:

Summary of the ETAUTIL ADD Command Line Function

The ADD operation of ETAUTIL creates the associations between Provisioning Manager objects. It can associate Global Users to Provisioning Roles, Account Templates to Provisioning Roles, and Endpoints to Account Templates. This guide only covers the general use of the operation. For coverage of the other operations available in ETAUTIL or of importing Endpoint Types, check the website for updates on the corresponding guide.

Looking for additional help with the ETAUTIL ADD command line function? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including identity management. Take your interoperability to the next level, and contact an ISX consultant today.
