Profile comparison ("Model after" provisioning)

Many organizations have security administration processes where requesters effectively ask to "Create Bob like Mary" or "Adjust Bob’s security rights so he can do what Mary can do." Collectively, this is a "model after" approach.

The "model after" approach is very user friendly. Users often don’t know what to ask for, but they just as often do know who already has what they need. The "model after" approach can also be dangerous. Configuration errors and excessive privileges held by the model user can be copied to the new user. The net effect is to increase entropy in the security database.

Bravura Security Fabric provides a solution with the usability advantage of this approach while eliminating the security problems that come with it.

The feature is configured by setting profile comparison rules, which define the relationship between the requester, recipient, and model user. For example, you can configure the profile comparison rules so that a manager can create a new subordinate user modelled after another of her subordinates, or compare two of her subordinates and add or remove resources and privileges as necessary. The manager can be prevented from using a user who is not a subordinate as a model user. Requesters also require profile comparison permissions.
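
The rule in the example above (a manager may use only her own subordinates as recipient and model user) and the resulting add/remove comparison can be sketched as follows. This is an added illustration, not Bravura Security Fabric code or configuration syntax; the `User` structure, the function names, and the sample directory are assumptions constructed for the example.

```python
# Added illustration of a "model after" rule check and profile comparison.
# Not Bravura Security Fabric code; all names and data here are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    manager: Optional[str] = None
    entitlements: set = field(default_factory=set)


def is_subordinate(directory, manager, user):
    """Walk the reporting chain upward; stop on cycles in bad data."""
    seen = set()
    current = directory[user].manager
    while current is not None and current not in seen:
        if current == manager:
            return True
        seen.add(current)
        current = directory[current].manager if current in directory else None
    return False


def may_model_after(directory, requester, recipient, model):
    """Requester must manage both the recipient and the model user."""
    return (recipient != model
            and is_subordinate(directory, requester, recipient)
            and is_subordinate(directory, requester, model))


def compare_profiles(directory, requester, recipient, model):
    """Return the differences so each one is chosen, not copied blindly."""
    if not may_model_after(directory, requester, recipient, model):
        raise PermissionError(f"{requester} may not model {recipient} after {model}")
    have = directory[recipient].entitlements
    want = directory[model].entitlements
    return {"add": sorted(want - have),
            "remove": sorted(have - want),
            "shared": sorted(have & want)}


# Constructed sample directory: alice manages mary and bob, carol manages dave.
DIRECTORY = {
    "alice": User(),
    "carol": User(),
    "mary": User("alice", {"crm:read", "crm:write", "legacy-admin"}),
    "bob": User("alice", {"crm:read", "vpn"}),
    "dave": User("carol", {"finance:approve"}),
}
```

Comparing `bob` against `mary` as requester `alice` surfaces `legacy-admin` as a proposed addition, which is the point at which an excessive privilege on the model user can be declined instead of copied.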

Bravura Security Fabric uses template accounts to create the new user, based on the accounts that the model user has. One template account per target system is configured to be used as the profile comparison template.

Options that affect "model after" functionality are found under Manage the system > Modules > View and update profile (IDR). Set the MODELAFTER VALID ONLY option to display only valid model users when using profile comparison; performance can be significantly slower when this option is enabled. Enable MODELAFTER SHOWDIFFS to display differences between profiles by default when using profile comparison.

Once the rules and other settings are configured, users can request to Copy entitlements from an existing user when creating a new user profile.