Profile ID generation
Every Bravura Security Fabric user must have a unique profile ID. Bravura Security Fabric can apply this ID as a standard user ID across systems. When a user is created using Bravura Security Fabric, their ID is automatically generated. It can then be automatically applied to all new accounts. This section shows you how to configure options for profile ID generation.
Bravura Identity includes a plugin, plugin-id.psl, to automatically generate a unique profile ID for a new account request. By default, an ID has a maximum of eight characters, composed of the first six characters of the user’s last name, and the first two characters of the user’s first name (if defined). For example, the plugin generates ’RusselJa’ for user Jack Russell, and ’HillTe’ for user Terry Hill. Bravura Security Fabric preserves the case of what is imported or entered, although their usage is case insensitive.
If the plugin generates an ID already in use, it will retry by appending a numeric value or overwriting it. The number of attempts it makes is configured by the IDSYNCH ID PLUGIN RETRY option.
The plugin is called by the IDSYNCH ID PLUGIN plugin point. You can configure the plugin to use different composition rules using the IDSYNCH ID PLUGIN MASK setting. You can also modify plugin-id.psl to adjust conflict resolution rules.
Requirements
See Writing plugins for general requirements.
Execution points
This plugin is run by the View and update profile (IDR) module and the Workflow Manager Service.
Input
The plugin receives all attributes used in a provisioning request. The first time the plugin is called, the input does not include a conflict KVGroup. If the plugin generates an ID already in use, it is called again. On subsequent attempts, one conflict KVGroup is included in the input for each previous attempt, carrying the value it proposed and the reason it was rejected.
"" "" = {
"<attribute key>" = "<value>" # An attribute is listed for each value that is
# part of the request. Multi-value attributes
# are listed for each unique value.
"sessionid" = "<session ID>" # The session ID of the requester.
"request" "" = { # Standard request data listing resources
"resource" "" = {}
}
"requester" "" = { # Requester's data
}
"conflict" "<previous id>" = {
"conflictReason" = "<invaliduser|validuser|account|reservation>"
} # 0 or more; Only present when a conflict is detected from a previous call
"SUGGESTED_USERID" = "<value>"
}
The conflict reason can be one of the following values:
invaliduser – The proposed profile ID conflicts with a profile ID that was previously a valid user in Bravura Security Fabric. Profile IDs that are terminated in Bravura Security Fabric are retained and are no longer valid. Overriding this conflict will re-enable the profile.
validuser – The proposed profile ID conflicts with a profile ID that is currently active in Bravura Security Fabric. Overriding the conflict will treat the active profile as the recipient.
account – The proposed profile ID conflicts with a short ID on a target system that is currently loaded in Bravura Security Fabric. Overriding the conflict will reuse the account on the target system.
reservation – The proposed profile ID conflicts with an existing reservation for the profile ID. Overriding the conflict can cause all requests to affect the same profile ID. See Listing 13.1.9 for details on reservation IDs.
Any of these conflicts can be overridden using the forceUseID key-value pair on the output. If the forceUseID key-value is not used and the generated profile ID is in conflict, the plugin will be called again. The Workflow Manager Service calls the plugin until either the plugin fails, the generated profile ID is not in conflict, or the maximum retry attempts are reached (IDSYNCH ID PLUGIN RETRY).
The following is an example of the input sent to an ID generator plugin on a retry:
"" "" = {
"FIRST_NAME" = "Simon"
"LAST_NAME" = "Lee"
"RBACENFORCE" = "T"
"SUGGESTED_USERID" = "LeeSi"
"sessionid" = "S3f0234b4-f9b8-4058-a83e-42efde5fab0e"
"request" "" = {
"entryDate" = "1305125803"
"macroStatus" = "U"
"notes" = ""
"prequest" = ""
"reason" = ""
"recipient" = ""
"recipientEmail" = ""
"requestID" = "15F9AFCC9AC5B5FD400921D95CFC14C5"
"requester" = "ACOS0000"
"requesterEmail" = "alyce.acosta@norse.bravurasecurity.com"
"requesterName" = "Alyce Q Acosta"
"reservationid" = "00000000-0000-0000-0000-000000000000"
"segment" = ""
"attribute" "EMAIL" = {
"value" "" = {
}
}
"attribute" "FIRST_NAME" = {
"oldValue" "" = {
}
"value" "" = {
"value" = "Simon"
}
}
"attribute" "LAST_NAME" = {
"oldValue" "" = {
}
"value" "" = {
"value" = "Lee"
}
}
"attribute" "ORGCHART_MANAGER" = {
"value" "" = {
}
}
"attribute" "OTHER_NAME" = {
"value" "" = {
}
}
"attribute" "RBACENFORCE" = {
"oldValue" "" = {
}
"value" "" = {
"value" = "T"
}
}
"attribute" "VIEWABLE_BY_RECIPIENT" = {
"value" "" = {
}
}
"resource" "43C26C65DBEFDAB74E5BEE3665AB7900" = {
"authorizationsReceived" = "0"
"authorizationsRequired" = "0"
"autoselect" = "none"
"enact" = "true"
"finalized" = "false"
"groupApproval" = "00000000-0000-0000-0000-000000000000"
"implicit" = "true"
"itemType" = "template"
"notes" = ""
"operation" = "ACUA"
"parentRole" = "STANDARD_ROLE"
"pseudoData" = ""
"pseudoOp" = "false"
"pseudoTag" = ""
"reason" = ""
"result" = "O"
"targetid" = "NORSE"
"template" = "NORSE_TEMPLATE"
}
"resource" "964F1A51A7E777491AC767D52AC86EEF" = {
"authorizationsReceived" = "0"
"authorizationsRequired" = "0"
"autoselect" = "optional"
"enact" = "true"
"finalized" = "false"
"groupApproval" = "00000000-0000-0000-0000-000000000000"
"implicit" = "false"
"itemType" = "role"
"notes" = ""
"operation" = "RLUA"
"parentRole" = ""
"pseudoData" = ""
"pseudoOp" = "false"
"pseudoTag" = ""
"reason" = ""
"result" = "O"
"role" = "STANDARD_ROLE"
}
"resource" "0CC3F830AC79E5197A526853FC8FABAA" = {
"authorizationsReceived" = "0"
"authorizationsRequired" = "0"
"autoselect" = "none"
"enact" = "true"
"finalized" = "false"
"groupApproval" = "00000000-0000-0000-0000-000000000000"
"groupID" = "CN=FIN-AP,OU=resources,OU=staff,DC=norse,DC=bravurasecurity,DC=com"
"implicit" = "true"
"itemType" = "groupID"
"notes" = ""
"operation" = "GRUA"
"parentRole" = "STANDARD_ROLE"
"pseudoData" = ""
"pseudoOp" = "false"
"pseudoTag" = ""
"reason" = ""
"result" = "O"
"targetid" = "NORSE"
"template" = "NORSE_TEMPLATE"
}
}
"requester" "user" = {
"id" = "ACOS0000"
"name" = "Alyce Q Acosta"
}
}
Output
Output from the plugin is as follows:
"" "" = {
"errmsg" = "" # Contains any error message to return
"retval" = "0" # Mandatory; zero is success and non-zero is failure
"try" = "<Profile ID>" # The ID generated by the plugin
"forceUseID" = "<true|false>"
# Optional; overrides any conflicts with the profile ID
"reservationid" = "<reservation ID>"
# If reservation functions are used, any reservation made must be
# returned
}
The following are examples of KVGroup plugin output:
To suggest "DanielsJo1" be used:
"" "" = { "errmsg" = "" "retval" = "0" "try" = "DanielsJo1" }
To return a failure:
"" "" = { "errmsg" = "Fail" "retval" = "1" }
To suggest "DanielsJo2" be used and force it to be used:
"" "" = { "retval" = "0" "try" = "DanielsJo2" "forceUseID" = "true" }
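The default composition rule, the numeric-suffix retry and the conflict loop described above, modelled in Python as an added example (this is not the shipped plugin-id.psl or the Workflow Manager Service). The ID store, the sample names and the way retries are counted are assumptions; the "account" entry in the store stands for a target-system short ID reported with the account conflict reason.

```python
# Added example, not the shipped plugin-id.psl: a Python model of the default
# composition mask, the numeric-suffix retry and the caller's conflict loop.
# The ID store, names and retry counting are constructed assumptions.
MAX_LEN = 8  # default maximum profile ID length

def compose_id(first_name, last_name):
    """Default mask: first six characters of the last name, then the first
    two of the first name; an undefined first name is ignored."""
    candidate = last_name[:6]
    if first_name:
        candidate += first_name[:2]
    return candidate

def next_candidate(base, attempt):
    """Retry rule: append the attempt number, overwriting the tail of the
    base ID when the result would otherwise exceed MAX_LEN."""
    suffix = str(attempt)
    return base[:MAX_LEN - len(suffix)] + suffix

def plugin_id(kvgroup):
    """One plugin call. 'conflict' holds one entry per earlier attempt (absent
    on the first call); the output carries errmsg, retval and try."""
    if not kvgroup.get("LAST_NAME"):
        return {"errmsg": "LAST_NAME is required", "retval": "1"}
    base = compose_id(kvgroup.get("FIRST_NAME", ""), kvgroup["LAST_NAME"])
    attempt = len(kvgroup.get("conflict", {}))
    candidate = base if attempt == 0 else next_candidate(base, attempt)
    return {"errmsg": "", "retval": "0", "try": candidate}

def find_conflict(candidate, id_store):
    """Case-insensitive lookup (profile ID usage is case insensitive) in a
    store mapping lowercase IDs to their conflict reason."""
    return id_store.get(candidate.lower())

def generate_profile_id(attrs, id_store, max_retries):
    """Model of the Workflow Manager Service loop: call the plugin until it
    fails, the ID is free or forced, or IDSYNCH ID PLUGIN RETRY is exhausted."""
    conflicts = {}
    for _ in range(max_retries + 1):
        out = plugin_id({**attrs, "conflict": conflicts})
        if out["retval"] != "0":
            return None
        reason = find_conflict(out["try"], id_store)
        if reason is None or out.get("forceUseID") == "true":
            return out["try"]
        conflicts[out["try"]] = {"conflictReason": reason}
    return None

# Constructed store: an active profile plus a target-system account short ID.
EXISTING_IDS = {"russelja": "validuser", "russelj1": "account"}
```

With this store, Jack Russell resolves to RusselJ2 only when the retry limit allows two retries; with a limit of one the loop gives up and returns no ID.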
Configure composition rules for plugin-id.psl
To configure the default ID generator plugin:
Click Manage the system > Workflow > Options > Plugins.
Ensure the IDSYNCH ID PLUGIN option is set to plugin-id.psl.
Type the IDSYNCH ID PLUGIN MASK to determine how a user ID will be composed.
The default profile ID composition is determined by a PSLang expression that uses the first six characters of the last name and appends the first two characters of the user’s first name. If a first name is not defined, the value is ignored.
Click Update.
If the plugin produces an ID that conflicts with the ID filters, it will fail.
See PSLang Expressions and the PSLang Manual (pslang.pdf) for more information about PSLang expressions.
Check individual target systems for uniqueness
In addition to checking for uniqueness against other profile IDs, the IDSYNCH ID PLUGIN can also check for conflicts with accounts on individual target systems that are not necessarily a source of profile IDs. For example:
John Smith has a user ID johns on Target System A, which is not a source of profile IDs.
New hire John Snow is added on Target System B, which is a source of profile IDs.
Bravura Security Fabric generates the ID johns for John Snow.
John Smith’s accounts on Target System A are erroneously auto-associated with John Snow.
To allow Bravura Security Fabric to check a target system’s account IDs for conflicts with a new profile ID, select the Check accounts for uniqueness when creating new profile IDs option on the page.
Compose target-specific account IDs
Bravura Security Fabric normally applies a standard profile ID to create new IDs on individual target systems. Some target systems use different rules for case and composition. You can change Bravura Security Fabric’s default behavior of creating lowercase login IDs by changing the plugin set by the Program to set the case of new IDs option on the page.
Bravura Security Fabric provides two built-in programs to convert the profile ID to a target-system-specific login ID:
upper.pss – use all uppercase characters.
lower.pss – use all lowercase characters.
You can also write a customized plugin; for example, to create mixed-case IDs, or to create a numerical ID composed from a user attribute. A sample, plugin-idcase.psl, is included in the samples directory.
To configure a target system login ID plugin, type the name of the plugin in the Program to set the case of new IDs field on the page. The full path is not required.
Requirements
See Writing plugins for general requirements.
Execution points
The plugin is called by the Transaction Monitor Service, before running a connector to create a new account.
Input
The plugin receives all Bravura Security Fabric plugin data, including requester and recipient information, target system information, and the initial ID entered through the request.
"" "" = {
"currentTemplate" = "<template ID>" # The template used for account creation (ACUA)
"fullname" = "<Recipient's fullname>"
"newid" = "<account ID>" # Suggested new account ID to use in creation
"userid" = "<profile ID>"
"operation" = "<RENU|ACUA>" # The operation involved in requesting the new account ID.
"recipient" "user" = { ... } # Recipient's data
"request" "" = { ... } # Request data
"requester" "user" = { ... } # Requester's data
#Target details
"target" "" = {
"address" = "<target address>" # address line of the target
"platform" = "<platform ID>" # platform ID of the target
"standardid" = "<true|false>" # uses standard ID for auto association
"targetid" = "<target ID>" # target ID of the target
}
}
Output
The plugin must return a "newid" value and a standard "retval" value (0=success, 1=failure). It may return a standard "errmsg" value.
"" "" = {
"errmsg" = ""
"newid" = "BoBbY OrE"
"retval" = "0"
}
Failure to return a "newid" value results in an error.