Assigning Profile IDs
Every Bravura Security Fabric user must have a unique profile ID. Bravura Security Fabric can apply this ID as a standard user ID across systems. When a user is created using Bravura Security Fabric, their ID is generated automatically, and it can then be applied automatically to all new accounts. This section shows you how to configure the options for profile ID generation.
Bravura Identity includes a plugin, plugin-id.psl, that automatically generates a unique profile ID for a new account request. By default, an ID has a maximum of eight characters, composed of the first six characters of the user's last name followed by the first two characters of the user's first name (if defined). For example, the plugin generates 'RusselJa' for user Jack Russell, and 'HillTe' for user Terry Hill. Bravura Security Fabric preserves the case of IDs as imported or entered, although they are matched case-insensitively.
If the plugin generates an ID that is already in use, it retries, appending a numeric value to the ID or overwriting part of it with one. The number of attempts it makes is configured by the IDSYNCH ID PLUGIN RETRY option.
The plugin is called by the IDSYNCH ID PLUGIN plugin point. You can configure the plugin to use different composition rules using the IDSYNCH ID PLUGIN MASK setting. You can also modify plugin-id.psl to adjust the conflict resolution rules.
Requirements
See Writing plugins for general requirements.
Execution points
This plugin is run by the View and update profile (IDR) module and the Workflow Manager Service.
Input
The plugin receives all attributes used in a provisioning request. The first time the plugin is called, the input does not include a conflict KVGroup. If the plugin generates an ID that is already in use, it is called again; on each subsequent attempt the input includes one conflict KVGroup per previous attempt, giving the value that was proposed and the reason it was rejected.
"" "" = {
    "<attribute key>" = "<value>"       # An attribute is listed for each value that is
                                        # part of the request. Multi-value attributes
                                        # are listed for each unique value.
    "sessionid" = "<session ID>"        # The session ID of the requester.
    "request" "" = {                    # Standard request data listing resources
        "resource" "" = { }
    }
    "requester" "" = {                  # Requester's data
    }
    "conflict" "<previous id>" = {      # 0 or more; only present when a conflict was
                                        # detected on a previous call
        "conflictReason" = "<invaliduser|validuser|account|reservation>"
    }
    "SUGGESTED_USERID" = "<value>"
}
The conflict reason can be one of the following values:

invaliduser
    The proposed profile ID conflicts with a profile ID that was previously a valid user in Bravura Security Fabric. Profile IDs terminated in Bravura Security Fabric are retained but are no longer valid. Overriding this conflict re-enables the profile.

validuser
    The proposed profile ID conflicts with a profile ID that is currently active in Bravura Security Fabric. Overriding the conflict treats the active profile as the recipient.

account
    The proposed profile ID conflicts with a short ID on a target system that is currently loaded in Bravura Security Fabric. Overriding the conflict reuses the account on the target system.

reservation
    The proposed profile ID conflicts with an existing reservation for that profile ID. Overriding the conflict can cause all of the reserving requests to affect the same profile ID. See Listing 13.1.9 for detail on reservation IDs.
Any of these conflicts can be overridden using the forceUseID key-value pair on the output. If the forceUseID key-value is not used and the generated profile ID is in conflict, the plugin will be called again. The Workflow Manager Service calls the plugin until either the plugin fails, the generated profile ID is not in conflict, or the maximum retry attempts are reached (IDSYNCH ID PLUGIN RETRY).
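The composition rule, the numeric-suffix retry and the Workflow Manager Service's retry loop described above can be modelled in a few dozen lines. The following Python is an added example, not plugin-id.psl and not Bravura's code: it assumes the default rule (six characters of the last name, two of the first name, eight characters maximum), resolves "append or overwrite" by overwriting the tail of the ID only when appending would exceed the maximum, counts IDSYNCH ID PLUGIN RETRY as calls after the first, and stands in for the real user, account and reservation lookups with a constructed dictionary keyed by lower-cased ID. Input and output KVGroups are represented as plain dicts with the same keys as the listings on this page.

```python
# Added example: a model of the IDSYNCH ID PLUGIN contract and the
# Workflow Manager Service retry loop. Not plugin-id.psl itself.
from typing import Dict, Optional, Tuple

MAX_ID_LEN = 8                 # default maximum ID length (assumption: default mask)
LAST_CHARS, FIRST_CHARS = 6, 2  # default composition rule


def compose_base_id(first_name: str, last_name: str) -> str:
    """Default rule: first six chars of the last name + first two of the first name."""
    return last_name[:LAST_CHARS] + first_name[:FIRST_CHARS]


def add_numeric_suffix(base: str, attempt: int, max_len: int = MAX_ID_LEN) -> str:
    """Append the attempt number; if that would exceed max_len, overwrite the
    tail of the ID instead (assumption about how 'append or overwrite' is chosen)."""
    suffix = str(attempt)
    if len(base) + len(suffix) <= max_len:
        return base + suffix
    return base[:max_len - len(suffix)] + suffix


def id_plugin(kv: Dict) -> Dict[str, str]:
    """Produce the output KVGroup for one plugin call.
    A retry is recognised by the number of 'conflict' groups in the input."""
    first = kv.get("FIRST_NAME", "")
    last = kv.get("LAST_NAME", "")
    if not last:
        return {"errmsg": "LAST_NAME is required", "retval": "1"}
    attempt = len(kv.get("conflict", {}))
    base = compose_base_id(first, last)
    candidate = base if attempt == 0 else add_numeric_suffix(base, attempt)
    # This model never sets forceUseID: forcing past an invaliduser or validuser
    # conflict re-enables a terminated profile or makes an existing active
    # profile the recipient, so an unattended plugin leaves that to a person.
    return {"errmsg": "", "retval": "0", "try": candidate}


def lookup_conflict(candidate: str, directory: Dict[str, str]) -> Optional[str]:
    """Return the conflict reason for a candidate, or None if it is free.
    IDs keep their case but are compared case-insensitively."""
    return directory.get(candidate.lower())


def workflow_manager(request: Dict, directory: Dict[str, str],
                     retries: int) -> Tuple[Optional[str], Optional[str]]:
    """Call the plugin until it fails, yields a free ID, or the retry budget
    (IDSYNCH ID PLUGIN RETRY, modelled as calls after the first) is spent.
    Returns (profile_id, error)."""
    kv = dict(request)
    kv["conflict"] = {}
    for _ in range(retries + 1):
        out = id_plugin(kv)
        if out["retval"] != "0":
            return None, "plugin failed: " + out["errmsg"]
        candidate = out["try"]
        reason = lookup_conflict(candidate, directory)
        if reason is None or out.get("forceUseID") == "true":
            return candidate, None
        # record the failed attempt the way the input KVGroup does
        kv["conflict"][candidate] = {"conflictReason": reason}
    return None, "retry limit reached"


if __name__ == "__main__":
    # constructed directory: lower-cased id -> conflict reason
    taken = {"russelja": "validuser", "russelj1": "invaliduser"}
    print(workflow_manager({"FIRST_NAME": "Jack", "LAST_NAME": "Russell"}, taken, 3))
```

For Jack Russell with 'RusselJa' and 'RusselJ1' already taken, the loop ends on the third call with 'RusselJ2'; with a retry budget of zero the same request reports that the limit was reached, which is the outcome an operator should expect to see in the request's error rather than a silently reused ID.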
The following is an example of the input sent to an ID generator plugin on a retry:
"" "" = {
    "FIRST_NAME" = "Simon"
    "LAST_NAME" = "Lee"
    "RBACENFORCE" = "T"
    "SUGGESTED_USERID" = "LeeSi"
    "sessionid" = "S3f0234b4-f9b8-4058-a83e-42efde5fab0e"
    "request" "" = {
        "entryDate" = "1305125803"
        "macroStatus" = "U"
        "notes" = ""
        "prequest" = ""
        "reason" = ""
        "recipient" = ""
        "recipientEmail" = ""
        "requestID" = "15F9AFCC9AC5B5FD400921D95CFC14C5"
        "requester" = "ACOS0000"
        "requesterEmail" = "alyce.acosta@norse.bravurasecurity.com"
        "requesterName" = "Alyce Q Acosta"
        "reservationid" = "00000000-0000-0000-0000-000000000000"
        "segment" = ""
        "attribute" "EMAIL" = {
            "value" "" = { }
        }
        "attribute" "FIRST_NAME" = {
            "oldValue" "" = { }
            "value" "" = {
                "value" = "Simon"
            }
        }
        "attribute" "LAST_NAME" = {
            "oldValue" "" = { }
            "value" "" = {
                "value" = "Lee"
            }
        }
        "attribute" "ORGCHART_MANAGER" = {
            "value" "" = { }
        }
        "attribute" "OTHER_NAME" = {
            "value" "" = { }
        }
        "attribute" "RBACENFORCE" = {
            "oldValue" "" = { }
            "value" "" = {
                "value" = "T"
            }
        }
        "attribute" "VIEWABLE_BY_RECIPIENT" = {
            "value" "" = { }
        }
        "resource" "43C26C65DBEFDAB74E5BEE3665AB7900" = {
            "authorizationsReceived" = "0"
            "authorizationsRequired" = "0"
            "autoselect" = "none"
            "enact" = "true"
            "finalized" = "false"
            "groupApproval" = "00000000-0000-0000-0000-000000000000"
            "implicit" = "true"
            "itemType" = "template"
            "notes" = ""
            "operation" = "ACUA"
            "parentRole" = "STANDARD_ROLE"
            "pseudoData" = ""
            "pseudoOp" = "false"
            "pseudoTag" = ""
            "reason" = ""
            "result" = "O"
            "targetid" = "NORSE"
            "template" = "NORSE_TEMPLATE"
        }
        "resource" "964F1A51A7E777491AC767D52AC86EEF" = {
            "authorizationsReceived" = "0"
            "authorizationsRequired" = "0"
            "autoselect" = "optional"
            "enact" = "true"
            "finalized" = "false"
            "groupApproval" = "00000000-0000-0000-0000-000000000000"
            "implicit" = "false"
            "itemType" = "role"
            "notes" = ""
            "operation" = "RLUA"
            "parentRole" = ""
            "pseudoData" = ""
            "pseudoOp" = "false"
            "pseudoTag" = ""
            "reason" = ""
            "result" = "O"
            "role" = "STANDARD_ROLE"
        }
        "resource" "0CC3F830AC79E5197A526853FC8FABAA" = {
            "authorizationsReceived" = "0"
            "authorizationsRequired" = "0"
            "autoselect" = "none"
            "enact" = "true"
            "finalized" = "false"
            "groupApproval" = "00000000-0000-0000-0000-000000000000"
            "groupID" = "CN=FIN-AP,OU=resources,OU=staff,DC=norse,DC=bravurasecurity,DC=com"
            "implicit" = "true"
            "itemType" = "groupID"
            "notes" = ""
            "operation" = "GRUA"
            "parentRole" = "STANDARD_ROLE"
            "pseudoData" = ""
            "pseudoOp" = "false"
            "pseudoTag" = ""
            "reason" = ""
            "result" = "O"
            "targetid" = "NORSE"
            "template" = "NORSE_TEMPLATE"
        }
    }
    "requester" "user" = {
        "id" = "ACOS0000"
        "name" = "Alyce Q Acosta"
    }
}
Output
Output from the plugin is as follows:
"" "" = {
    "errmsg" = ""                         # Contains any error message to return
    "retval" = "0"                        # Mandatory; zero is success and non-zero is failure
    "try" = "<Profile ID>"                # The ID generated by the plugin
    "forceUseID" = "<true|false>"         # Optional; overrides any conflicts with the profile ID
    "reservationid" = "<reservation ID>"  # If reservation functions are used, any reservation
                                          # made needs to be returned
}
The following are examples of KVGroup plugin output:
To suggest "DanielsJo1" be used:
"" "" = {
    "errmsg" = ""
    "retval" = "0"
    "try" = "DanielsJo1"
}
To return a failure:
"" "" = {
    "errmsg" = "Fail"
    "retval" = "1"
}
To suggest "DanielsJo2" be used and force it to be used:
"" "" = {
    "retval" = "0"
    "try" = "DanielsJo2"
    "forceUseID" = "true"
}
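All of the input and output listings on this page are written in the KVGroup text form. The following parser and serializer are an added example, not Bravura's own parser; they assume only the grammar visible in those listings (a group is "type" "name" = { ... }, an entry is "key" = "value", a backslash escapes a quote inside a value, and # starts a comment that runs to the end of the line). The retry input it parses is constructed for the example, in the shape of the listing above.

```python
# Added example: parser and serializer for the KVGroup listings on this page.
# Grammar assumed from the listings; not the product's own implementation.
import re
from typing import Dict, List, Union

KV = Dict[str, Union[str, Dict[str, "KV"]]]

# one token per match: whitespace, comment, quoted string (group 1) or symbol (group 2)
_TOKEN = re.compile(r'\s+|#[^\n]*|"((?:[^"\\]|\\.)*)"|([={}])')


def tokenize(text: str) -> List[tuple]:
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:       # quoted string, with \" and \\ unescaped
            tokens.append(("str", m.group(1).replace('\\"', '"').replace("\\\\", "\\")))
        elif m.group(2) is not None:     # one of = { }
            tokens.append(("sym", m.group(2)))
    return tokens                        # whitespace and comments produce no token


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of input")
        return self.toks[self.i]

    def _take(self, kind, value=None):
        k, v = self._peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {kind} {value!r}, got {k} {v!r}")
        self.i += 1
        return v

    def body(self) -> KV:
        """Parse entries up to and including the group's closing brace.
        Groups are stored as out[type][name]; scalars as out[key]."""
        out: KV = {}
        while self._peek() != ("sym", "}"):
            key = self._take("str")
            if self._peek()[0] == "str":              # "type" "name" = { ... }
                name = self._take("str")
                self._take("sym", "=")
                self._take("sym", "{")
                groups = out.setdefault(key, {})
                if not isinstance(groups, dict):
                    raise ValueError(f"{key!r} used as both value and group")
                groups[name] = self.body()
            else:                                      # "key" = "value"
                self._take("sym", "=")
                if isinstance(out.get(key), dict):
                    raise ValueError(f"{key!r} used as both value and group")
                out[key] = self._take("str")
        self.i += 1                                    # consume the closing brace
        return out


def parse_kvgroup(text: str) -> KV:
    """Parse a complete listing whose root is the anonymous group "" "" = { ... }."""
    p = _Parser(tokenize(text))
    p._take("str", ""); p._take("str", ""); p._take("sym", "="); p._take("sym", "{")
    result = p.body()
    if p.i != len(p.toks):
        raise ValueError("trailing tokens after root group")
    return result


def _quote(s: str) -> str:
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _emit(body: KV, indent: int) -> List[str]:
    pad, lines = "    " * indent, []
    for key, val in body.items():
        if isinstance(val, dict):
            for name, sub in val.items():
                lines.append(f"{pad}{_quote(key)} {_quote(name)} = {{")
                lines.extend(_emit(sub, indent + 1))
                lines.append(f"{pad}}}")
        else:
            lines.append(f"{pad}{_quote(key)} = {_quote(val)}")
    return lines


def format_kvgroup(body: KV) -> str:
    """Serialize a dict back into listing form, e.g. to emit plugin output."""
    return "\n".join(['"" "" = {', *_emit(body, 1), "}"])


# constructed retry input, in the shape of the page's input listing
SAMPLE_RETRY_INPUT = '''
"" "" = {
    "FIRST_NAME" = "Simon"
    "LAST_NAME" = "Lee"
    "sessionid" = "<session ID>"
    "conflict" "LeeSi" = {           # present only because an earlier try collided
        "conflictReason" = "account"
    }
    "requester" "user" = { "id" = "ACOS0000" "name" = "Alyce Q Acosta" }
}
'''

if __name__ == "__main__":
    parsed = parse_kvgroup(SAMPLE_RETRY_INPUT)
    print(parsed["conflict"])
    print(format_kvgroup({"errmsg": "", "retval": "0", "try": "LeeSi1"}))
```

Because the parser rejects unterminated groups, trailing tokens, and a key reused as both a value and a group, a malformed or truncated listing raises instead of yielding a partially filled request; a plugin that validates its input this way fails closed with a non-zero retval rather than proposing an ID from incomplete attributes.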