Export command for security assets

You can use the istool command-line interface with the -security parameter to export your InfoSphere® Information Server security assets, such as users and roles.

Purpose

You export assets into a file that can be imported into a different instance of InfoSphere Information Server. For example, you can export from a development environment and import the file into a production or test environment. You can also migrate assets to a newer version of InfoSphere Information Server.

You can export the following assets:
  • Users and groups and their suite and product role assignments (including their credentials when relevant). Users and groups must be exported in separate commands.
  • Engine credential mappings.
Project roles are not exported by using the -security parameter. They are exported by commands for the tools that create the project.
The export creates an archive file. By default the file has the suffix .isx.
Note: You cannot transfer access control lists (ACLs) between installations of InfoSphere Information Server. You must create them in each installation.

To transfer all assets of all types, see Moving all assets from one metadata repository to another.

Prerequisites

You must have the Suite Administrator role to export security assets.

The preferred way to run this command is in the istool command-line window. If you run this command in your operating system command-line window or in scripts, you must add istool before the command name (for example, istool export).

Command syntax

Optional parameters and values in the syntax are enclosed in brackets, [ ].

export
authentication
[generic options]
-archive "file_name_and_path" 
[-maxArchiveSize number_of_megabytes]
[-updatearchive]
[-abortIfError number_of_errors]
[-preview] | [-responseFile "file_name_and_path"]
-security 
  '-securityUser 
    -userident user_pattern... 
  [-includeUserGroupMemberships] 
  [-includeCredential]
  [-includeCredentialMappings] 
  [-includeRoles]' 
|
  '-securityGroup 
    -groupident group_pattern... 
  [-includeGroupUserMemberships] 
  [-includeRoles]'

Parameters

authentication parameters
Required. All asset interchange commands use authentication parameters to connect to a specific installation of InfoSphere Information Server.
generic parameters
The generic parameters are available to all asset interchange commands. Use the generic parameters to request help on command syntax, to specify silent or verbose operation, and to use a script to run commands.
-archive | -ar "file_name_and_path"
Required. Specifies the .isx file that the assets are exported to.
-maxArchiveSize | -mas number_of_megabytes
For enhanced export and import performance, creates additional archive files when the size of the export file exceeds the specified number of megabytes. For example, if you specify 500 and the total size of the export is 1,300 MB, two additional archive files are created with numeric suffixes added to their names. On import, specifying the first archive file imports all of the archive files. For more information, see common parameters.
-updatearchive | -up
Adds exported assets to the archive file if it exists. If you do not specify -updatearchive, the content of the existing archive file is overwritten.
-abortIfError | -abort number_of_errors
Stops the export after the specified number of errors.
-preview | -pre
Previews the export. The preview lists the assets that will be exported when the export runs.
-responseFile | -rf "file_name_and_path"
Specifies the name and path of a response file that contains assets that failed to export during a run of a previous istool export -lm command. Not supported with the -preview parameter. For more information, see Using a response file with istool export and istool import commands.
-security | -sec
Specifies that security assets are exported. Must be followed by either '-securityUser subparameters' or '-securityGroup subparameters'.
-securityUser | -su subparameters
Specifies an export operation of security assets relating to users. The -securityUser parameter is mutually exclusive with the -securityGroup parameter. The -securityUser parameter has the following subparameters:
-userident | -u user_pattern
Specifies user assets to export. User_pattern is a search pattern for locating users. You can use the asterisk (*) character to represent multiple characters, and the question mark (?) character to represent single characters. The following strings are examples of valid search patterns:
  • dsadmin - selects the user dsadmin
  • dsuser? - selects the users dsuser1, dsuser2, and dsuser3
  • ds* - selects the users dsadmin, dsuser1, dsuser2, and dsuser3
  • "dsadmin dsuser2" - selects the users dsadmin and dsuser2
-includeUserGroupMemberships | -incUsrGrpMems
Exports user group relationships, including the referenced groups, along with user details.
-includeCredential | -incCred
Exports user credentials. Encrypted passwords are stored in the asset archive. Passwords are stored in digested form (SHA-1). If the InfoSphere Information Server installation is using an external directory, this parameter is ignored.
-includeCredentialMapping | -incMap
Exports DataStage credential mapping. Encrypted passwords are stored in the asset archive (passwords are stored in XOR encrypted form).
-includeRoles | -incRole
Specifies that user role relationships are also exported.
-securityGroup | -sg subparameters
Specifies an export operation of security assets relating to groups. The -securityGroup parameter is mutually exclusive with the -securityUser parameter. The -securityGroup parameter has the following subparameters:
-groupident | -grp group_pattern
Specifies user group assets to export. Group_pattern is a search pattern for locating user groups. You can use the asterisk (*) character to represent multiple characters, and the question mark (?) character to represent single characters. The following strings are examples of valid search patterns:
  • dsadmins - selects the group dsadmins
  • dsgroup? - selects the groups dsgroup1, dsgroup2, and dsgroup3
  • ds* - selects the groups dsadmins, dsgroup1, dsgroup2, and dsgroup3
  • "dsadmins dsgroup1" - selects the groups dsadmins and dsgroup1
-includeGroupUserMemberships | -incGrpUsrMems
Specifies that group user relationships, including the referenced users, are also exported.
-includeRoles | -incRole
Specifies that group role relationships are also exported.

Exit status

A return value of 0 indicates successful completion; any other value indicates failure.

Examples

The following command exports all users and their roles to the archive file ExportISFSecurityRoles.isx.
export -security '-securityUser -userident "*" -includeRoles'
 -domain host:port -username user
 -password password -archive ExportISFSecurityRoles.isx
The following command exports all groups and their roles to the archive file ExportISFSecurityGroups.isx.
export -security '-securityGroup -groupident "*" -includeRoles'
 -domain host:port -username user
 -password password -archive ExportISFSecurityGroups.isx
The following command exports DataStage users, whose user IDs begin with "ds" on this system, together with their credentials and credential mappings, to the file dsusers.isx.
export -archive "c:\dsusers.isx" 
-domain mysys:9443 -username myid -password mypasswd
-security '-securityUser -userident ds* -includeCredentials 
-includeCredentialMappings'
The following command exports the group iaUsergp, with group role relationships, to the file ia_export.isx.
export -archive "c:\ia_export.isx" 
-domain mysys:9443 -username myid -password mypasswd
-security '-securityGroup -groupident iaUsergp -includeRoles'
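
The following is an added example, not IBM code, for reviewing an export command line before it runs. It parses the quoted -security subparameter string, resolves the search patterns described under -userident and -groupident against a roster, and lists the flags that put SHA-1 password digests or XOR-encrypted mapping passwords into the archive. The function names, the constructed roster and command, and case-sensitive matching are assumptions.

```python
import re
import shlex

# Flags that put password material in the .isx archive. The page spells them
# with and without a trailing "s", so both spellings are accepted here.
SECRET_FLAGS = re.compile(
    r"-(includeCredentials?|incCred|includeCredentialMappings?|incMap)$")
IDENT_FLAGS = {"-userident", "-u", "-groupident", "-grp"}
SCOPES = {"-securityUser": "user", "-su": "user",
          "-securityGroup": "group", "-sg": "group"}


def pattern_to_regex(pattern):
    """One search pattern: * is any run of characters, ? is exactly one."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern))


def review_export(command, roster):
    """Summarise what an 'export -security' command line would select.
    roster is a constructed list of names standing in for the repository;
    matching is assumed to be case-sensitive (the page does not say).
    """
    argv = shlex.split(command)
    flag = next((a for a in argv if a in ("-security", "-sec")), None)
    if flag is None or argv.index(flag) + 1 >= len(argv):
        raise ValueError("not a security export")
    sub = shlex.split(argv[argv.index(flag) + 1])  # quoted subparameter string
    scope = next((SCOPES[t] for t in sub if t in SCOPES), None)
    patterns, collecting = [], False
    for tok in sub:
        if tok in IDENT_FLAGS:
            collecting = True
        elif tok.startswith("-"):
            collecting = False
        elif collecting:
            patterns.extend(tok.split())  # "dsadmin dsuser2" holds two patterns
    regexes = [pattern_to_regex(p) for p in patterns]
    selected = sorted(n for n in roster if any(r.fullmatch(n) for r in regexes))
    secrets = [t for t in sub if SECRET_FLAGS.match(t)]
    return {"scope": scope, "selected": selected, "secret_flags": secrets}


ROSTER = ["dsadmin", "dsuser1", "dsuser2", "dsuser3", "isadmin"]  # constructed
CMD = ("export -archive dsusers.isx -domain mysys:9443 -username myid "
       "-security '-securityUser -userident ds* -includeCredentials "
       "-includeCredentialMappings'")  # constructed, modelled on the page
print(review_export(CMD, ROSTER))
```

A non-empty secret_flags list means the resulting archive carries password material and needs the same handling as any other credential store.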