Symantec Access Management


Siteminder Policy Reader


LudovicApr 10, 2013 06:36 AM

  • 1.  Siteminder Policy Reader

    Broadcom Employee
    Posted Feb 21, 2013 08:06 AM

    Latest version of SMPolicyReader, available at bottom of this post,  last updated build 466 on 29-April-2019.


    A lot has happened since Feb-2013 when this was first put into the communities.  Mostly it is bug fixes, but there have been some large feature additions and look & feel changes.  To help identify what has been added I will add links to articles that discuss any new features here:

    Recent SMPolicyReader articles:


    Tech Note : Storing SSO policy changes in Revision Control - viewing changes 

    Tech Note : Howto place SSO policy changes under revision control using git 

    May - 2017

    SMPolicyReader update - xcart - screen to check for xcart object references 


    Using SMPolicyReader to generate xcart selection. 



    Siteminder Policy Reader

    Attached is a java Siteminder Policy Reader tool that has been developed internally by CA Support engineers for use within CA Siteminder Support. Given that CA Siteminder customers face similar issues with viewing exported XPS & SMDIF policy stores, it was felt that this was a good candidate tool, even though it is at a fairly early stage of development, for release on the CA community website.

    Here is a quick list of features:

    • Ability to Read XPS export files
    • Ability to read SMDIF export files
    • Ability to read raw LDAP .ldif exports of policy store
    • Ability to connect directly to active policy store via LDAP and ODBC and read store
    • Similar in look to the older Siteminder Applet
    • View History and history navigation (prev and next toolbar, as well as history menu)
    • Find function
    • Ability to display objects in detached window (see screenshot below).
    • Tab that displays Object Properties
    • Tab that displays all References to an Object.
    • Screen that displays All Policy Store Objects; with filter, select and browse options - (see screenshot below)
    • Basic Policy Store Stats
    • Ability to find errors such as missing xpsParent, or xps Link when using direct read for ODBC or LDAP policy store 
    • Ability to compare two policy stores, and give visual display of differences.
    • Compare can be done via Xid or via Name.

    SMPolicyReader Demonstration Video
    The best way to see what it can do is to watch the video demonstration :
    (please excuse the presenter, he will re-record the sound sometime in the near future, with less stuttering)


    Screenshots of SMPolicyReader in use:

    This is the main tree and selected object display. Note the "<" and ">" toolbar buttons for navigating your viewing history, the "find" tool bar buttons, and the three tabs for the object: "Properties", which is what is displaying, "Stats", which displays some summary details for the object, and "References", which displays all of the links to this object. Properties, Child tables and Reference tables are all navigable by double clicking on the row/child object, and if it is a link it will navigate you to that object (you can then use the back button "<" to return).

    This is the browse All Objects screen. You can see all the Xid, Object Name and Class Name in the table, it can be filtered and sorted to pick up the items you want to view (for example you can enter Xid or part of Xid here, to find your object). You then have the choice of showing that object in the main policy browser tree, or showing it in a detached window.

    This is the Detached Object View, with references tab selected. You can have as many of these open as you like; double clicking on any of the references (or properties) will show the reference object/properties in the main policy tree window.

    The results of a compare operation. Added objects/properties are shown in dark blue, deleted are displayed in red strikethrough, and changed objects are shown in bold black. Comparison can be done by Xid (default) or by Name, as set by the "Options" menu item.


    This is an internally generated tool, done by CA Support engineers and subject to the limitations of the disclaimer applied to this discussion group for uploads.


    The SMPolicyReader is developed on a part time basis, so it is likely never to be complete; certainly there are bugs, limitations, and also many features we would like to add. But the tool has proved useful internally with CA Support as it currently is, and we hope you find it useful as well.


    We certainly welcome feedback; and these forums provide the best place to discuss and ask questions about the PolicyReader, but I am also available via my CA email address, odoma04 at ca dot com


    Cheers - Mark


    Attached new SMPolicyReader dist :  ALPHA-427 - (6-May-2017)

         Added XCart screen to view (and then add) external obj references.

         Added Env mode for storing/viewing policy under Git revision control.


    Attached new SMPolicyReader dist :  ALPHA-390 - (4-Apr-2017)

         Fixed bug in setting links (it was seeing them as strings) in ldif import. 

         There is a bunch of stuff for using policy store in revision control - but not in use yet.


    Attached new SMPolicyReader dist :  ALPHA-361 - (14-Dec-2016)

         Added ability to build and edit xcart selection for use in xpsexport. 


    Attached new SMPolicyReader dist :  ALPHA-355 - (12-Oct-2016)

          *note* this one fixes a bug in the compare with ldif read - but I am a bit worried the scope of the change was big, so 354 may be a better one to use - if you find a problem.


    Attached new SMPolicyReader dist :  ALPHA-354 - (11-Oct-2016)

    (lots of other updates as well ) ...  version 354- 360  from Oct-2016 - July-2017. 



    Update Alpha-462 - (19-July-2017)

     Last few versions have had the code for git commit and review revisions of policy store, as per the links at the top of the screen.

    Last few versions have had the ability to do a load and export of xcart object lists.  It can follow references as well, to easily add them - still one flaw here, since it would be nice to recognise system objects, and when it needs to import whole object not just subcomponent /oid that it references into.

    Fix display of attributes when loading policy store from: raw  .ldif; direct read from ODBC; direct read from  LDAP; and read from the .dumpLDAP and .dumpODBC files.  Various improvements to mapping of the raw parameters to xps export type names. 

    Add extra tabs for:  Config and Federation - so now from xpsexport it will show the parameter values and split all the Fed objects into its own tab.   

    Spent some time mapping fed objects to child objects for better display. 


    Update Alpha-466 (29-April-2019) 

    When reading from .ldif files (with tombstoned records) it reports when it finds a tombstoned parent with active children (issue from support case that arose and was difficult to detect).

  • 2.  RE: Siteminder Policy Reader

    Posted Feb 21, 2013 11:33 PM
    nice video.

    do you know if the tool has the ability to find orphan object(s) such as this

    Object #1396 has parent #1406, which does not exist


  • 3.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Feb 22, 2013 12:59 AM
    Hi Tony

    tlefam wrote:

    nice video.
    Thanks very much.

    tlefam wrote:

    do you know if the tool has the ability to find orphan object(s) such as this

    Object #1396 has parent #1406, which does not exist
    That error occurs with XPSImport and XPSExport, where the program finds an inconsistency within the policy store db (either LDAP or ODBC). So the problem is found when reading the database to create an XPS export, or when merging/loading objects into the database when loading from an export file. Unfortunately it is not an error that will occur within the XPS export xml file by itself.

    For XPS export files :
    The structure of the XPS xml export file is different to the database structure. In the XPS xml file child objects are actually embedded in their parent object, so the xml file will never have the problem; in the database the parent is stored in a field value, where obviously there is a data consistency problem.

    But I agree it is a real problem, Engineering are modifying the XPSInput to have a "-validate" option to assist in resolving these sorts of errors.

    The SMPolicyReader is limited to reading the XPS exported xml files; to find this issue it would have to directly read the LDAP or ODBC data store - although long term I would like to do this - to be able to give a diff report from an XPS backup to the live data - but there are no current plans for it.

    For SMDIF export files :
    This error is detectable in SMDIF files, since the (exported smdif) structure contains the parent, with an attribute that contains a list of its children. So all lost children are easy to calculate; the test is coded inside the SMPolicyReader, but not currently enabled (when I merged the XPS stuff, it had some crossover issues, so it was disabled). The issues are simple, just require some time to resolve, so for SMDIF files, orphaned objects will appear in a future version. Detected orphans will appear as children of another Error object at the root level, and will also appear, along with the reference errors, on the summary report.

    Cheers - Mark
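
Added example, not part of the original posts and not SMPolicyReader code: the parent-link check the reply above describes for a raw database export, extended to the tombstoned-parent case mentioned under Alpha-466. `xpsParent` is the attribute named in the thread; `xpsGuid`, `xpsTombstone`, the DN layout and the sample records are constructed assumptions for illustration.

```python
# Constructed sample of a flat LDIF-style policy store dump (not real data).
# Assumed attribute names: xpsGuid (object id), xpsTombstone (deleted flag).
SAMPLE_LDIF = """\
dn: xpsGuid=obj-1406,ou=XPS,o=example
xpsGuid: obj-1406
xpsTombstone: 1

dn: xpsGuid=obj-1396,ou=XPS,o=example
xpsGuid: obj-1396
xpsParent: obj-1406

dn: xpsGuid=obj-1500,ou=XPS,o=example
xpsGuid: obj-1500
xpsParent: obj-9999

dn: xpsGuid=obj-1600,ou=XPS,o=example
xpsGuid: obj-1600
"""

def parse_ldif(text):
    """Return {guid: {attr: value}}. Plain-text values only (no base64 '::')."""
    objects = {}
    unfolded = text.replace("\n ", "")  # join LDIF continuation lines
    for record in unfolded.split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value.strip()
        if "xpsguid" in attrs:
            objects[attrs["xpsguid"]] = attrs
    return objects

def is_tombstoned(attrs):
    return attrs.get("xpstombstone", "0") != "0"

def check_parents(objects):
    """Classify children whose parent link points nowhere or at a tombstone."""
    findings = {"orphan": [], "tombstoned_parent": []}
    for guid, attrs in sorted(objects.items()):
        parent = attrs.get("xpsparent")
        if parent is None:
            continue  # root-level object, nothing to verify
        if parent not in objects:
            findings["orphan"].append((guid, parent))
        elif is_tombstoned(objects[parent]) and not is_tombstoned(attrs):
            findings["tombstoned_parent"].append((guid, parent))
    return findings

if __name__ == "__main__":
    for kind, pairs in check_parents(parse_ldif(SAMPLE_LDIF)).items():
        for child, parent in pairs:
            print(f"{kind}: object {child} has parent {parent}")
```

An XPS xml export cannot produce the orphan finding, because children are nested inside their parent there; the check only makes sense on flat exports where the parent is a field value.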

  • 4.  RE: Siteminder Policy Reader

    Posted Feb 22, 2013 09:59 PM
    Wow! it's very useful for me!

    There is no problem except that the multi byte character set (Japanese characters) of Desc field is garbled.
    but it's not a big problem.

    Thank you Mark !


  • 5.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Feb 24, 2013 12:04 AM
    Hi Tamu

    ttamu wrote:

    Wow! it's very useful for me!
    Thank you very much.

    ttamu wrote:

    There is no problem except that the multi byte character set (Japanese characters) of Desc field is garbled.
    but it's not a big problem.
    If you are able to send me an email with an export in it, then I will have a look and see what I can do; sometimes these can be fairly simple to resolve.

    Cheers - Mark

  • 6.  RE: Siteminder Policy Reader

    Posted Feb 26, 2013 12:20 PM
    This is great! Thanks for posting this Mark! :grin:

  • 7.  RE: Siteminder Policy Reader

    Posted Apr 10, 2013 06:36 AM

    Thank you very much.



  • 8.  RE: Siteminder Policy Reader

    Posted Jun 05, 2013 10:10 PM

    I joined this community just to say Thank You!
    This is an awesome tool.
    We have been looking for a long time for something like this to document the SM configuration for the Build Book.

  • 9.  RE: Siteminder Policy Reader

    Posted Jun 13, 2013 03:16 PM
    Thank you, Mark! :)

    Quick question : I see the 'edit property value' option for the elements in the property window. But it does not seem to be usable. Is this perhaps a future provision?

  • 10.  RE: Siteminder Policy Reader

    Broadcom Employee
    Posted Jun 20, 2013 05:03 AM
    Hi Peter

    petercyril wrote:

    Quick question : I see the 'edit property value' option for the elements in the property window. But it does not seem to be usable.
    There are a few items I experimented with, or are incomplete, I think I left that one to remind me to put in a view, to be able to show properties better, when they are multivalued or need decoding.

    petercyril wrote:

    Is this perhaps a future provision?
    It would be a nice idea, but there are no current plans - I still need to live up to the cmd line promise for the SMPolicyTraceTool; upgrading that is likely to be my next spare-time project.

    Cheers - Mark

  • 11.  RE: Siteminder Policy Reader

    Posted Jan 09, 2014 02:59 PM

    Hey Mark.

    Great tool.  I have been an SM  admin for many years, and have used an older tool that was open source back in the day called Safe 2.0.  This policy reader is much more usable and better designed.  Thanks for publishing it.

    My question or problem is that I have always struggled to define and produce anything that states an all-encompassing list of related objects for a domain.  I'm in the middle of migration from V6.3 to SM12.5.  It would be extremely useful to have a way to pick a domain in this tool and generate a list of all the related objects, including system objects, i.e. agents, directories.

    What I think would be cool is to have a report that says if you want to move this domain... here are all the things it would require you move with it.

    Am I missing something about this tool?  Is it possible for it to do what I'm asking it to do?

    Any help would be appreciated...

    Thanks - David

  • 12.  RE: Siteminder Policy Reader