Overview of role-based access control

The following are the configurable elements of Bravura Security Fabric that support role-based access control.

Roles

Roles define requirements for specified sets of users. Requirements can be mandatory or optional, and may include template accounts, managed groups, and sub-roles. Assigning the role to a user allows the user to meet the requirements of the role, such as having accounts on certain target systems, or being a member of certain managed groups. Roles simplify the provisioning of a set of access privileges for members; for example:

  • New users must have an account on the company’s Active Directory domain. A template account is set up as a resource member of a role.

    New users created and assigned this role have an account on the AD server automatically created for them.

  • Certain members of the Finance department need to be members of the Accounts Payable managed group.

    A role is created with this managed group configured as a resource member. New users created and assigned this role are automatically made members of this group.

Role enforcement triggers

The role enforcement engine can identify users who have excessive or insufficient access during auto discovery, and issue workflow requests to correct violations; for example, the role enforcement engine is triggered where:

  • A user has access to a database system that is role enforced, but has not been assigned the role. The engine can issue a request to remove the resource or grant the user an exception to explicitly have the resource.

  • Accountants have access to the finance server by virtue of being assigned a role. A new finance server is created, and the administrator adds it to the role. Requests are then made to ensure that all users in the accountant role have the new system resource.

When role enforcement is enabled for managed groups, only direct group memberships can be enforced. The role enforcement engine cannot identify users who have access through indirect group membership, nor will it submit requests to correct any surpluses that arise from indirect group membership.

Segregation of duties rules

Segregation of duties rules are used to identify exceptions to roles or possible access conflicts. Each rule specifies conflicting resources that a user should not have simultaneous access to. Once the rules are in place, users in violation of the rules are automatically identified. Permission to override a rule is granted on a case-by-case basis and must be approved.

For example, rules can be set up so that:

  • If a user is a member of two particular managed groups, then they are in violation of the rule. In this case, the two managed groups are set up as resource members of the rule. Users that have membership in both managed groups will be flagged as in violation of the rule. Steps can then be taken to remedy the situation.

  • A restricted set of users is assigned accounts on a particular server; for example, only certain HR staff may have access to the database that contains confidential and sensitive personnel documents.

Nonetheless, there will be situations where certain individuals require access to resources in a way that violates a segregation of duties rule. A process exists for requesting and managing exceptions to the rule. Each exception must be authorized, and a record of the authorization is kept.
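To make the two evaluations above concrete (the role enforcement triggers and the segregation of duties rules), the following is an added, self-contained model written for this page; it is not Bravura Security Fabric code. It classifies one user's directly held access into role deficits and surpluses, honours explicit resource exceptions, and checks segregation of duties rules against approved exceptions; all role, group and server names are constructed.

```python
# Added illustration (not Bravura Security Fabric code): a minimal model of how a
# role enforcement pass and segregation-of-duties (SoD) rules classify one user's access.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    mandatory: frozenset                       # every member must hold these
    optional: frozenset = frozenset()          # members may hold these

@dataclass(frozen=True)
class SodRule:
    name: str
    conflicting: frozenset                     # holding all of them is a violation

def evaluate_roles(roles, user_roles, direct_access, role_exceptions=frozenset()):
    """Return (deficits, surpluses) the enforcement engine would raise requests for.
    Only directly held access is examined: a resource held solely through nested
    (indirect) group membership is invisible here and is never reported as surplus."""
    granted, deficits = set(), set()
    for role in roles:
        if role.name in user_roles:
            granted |= role.mandatory | role.optional
            deficits |= role.mandatory - direct_access
    enforced = set().union(*(r.mandatory | r.optional for r in roles))
    # surplus: a role-enforced resource held without a role (or an exception) granting it
    surpluses = (direct_access & enforced) - granted - role_exceptions
    return deficits, surpluses

def sod_violations(rules, direct_access, approved_exceptions=frozenset()):
    """Names of SoD rules the user violates; rules with an approved exception are not flagged."""
    return {r.name for r in rules
            if r.conflicting <= direct_access and r.name not in approved_exceptions}

# Constructed scenario: the accountant role has just gained a second finance server.
ROLES = [
    Role("new-hire", frozenset({"ad:account"})),
    Role("accountant", frozenset({"finance-srv-1:account", "finance-srv-2:account"})),
    Role("ap-clerk", frozenset({"grp:accounts-payable"})),
    Role("hr-records", frozenset({"db:hr-personnel"})),
]
SOD_RULES = [SodRule("ap-vs-vendor", frozenset({"grp:accounts-payable", "grp:vendor-master"}))]

if __name__ == "__main__":
    # alice is an accountant who has not yet received the new server -> deficit
    print(evaluate_roles(ROLES, {"new-hire", "accountant"}, {"ad:account", "finance-srv-1:account"}))
    # bob holds the HR database without the hr-records role -> surplus
    print(evaluate_roles(ROLES, {"new-hire"}, {"ad:account", "db:hr-personnel"}))
```

A resource that no role enforces (here `grp:vendor-master`) is never reported as surplus, which is why the conflict between the two groups must be caught by the SoD rule rather than by role enforcement.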

See also:

Automatic resource assignment is another feature that supports role-based access control.