Automated User Administration
You can use Bravura Security Fabric to implement an automated user administration system, or a rules-based provisioning system. Bravura Security Fabric can monitor an existing system of record, such as a human resources system or corporate directory, track changes, and then automatically:
- Propagate changes to target systems by:
  - Creating users
  - Changing user attributes
  - Changing user group membership
  - Changing user role membership
  - Deleting existing users
- Submit access change requests via Bravura Security Fabric's authorization workflow system.
Authorizers are notified by email, then use Bravura Security Fabric to approve, modify, or deny the request. If approved, Bravura Security Fabric automatically applies the changes.
Automation occurs during auto discovery and can be controlled by a script.
Automation is triggered by tracking changes to user profiles, user accounts, user group membership, and account, profile and request attributes. Tracked changes are stored in diff sets. By default, the latest diff set is used; older diff sets are retained and can be selected instead.
Changes detected by Bravura Security Fabric are passed through a data filter, which removes users that are outside Bravura Security Fabric's scope. For instance, in a scenario where Bravura Security Fabric manages all users in one country, but the HR system is global, Bravura Security Fabric would filter out changes to users from other countries.
Automated user administration aggregates all changes to a given user and executes business logic, with the set of changes as input. This is best illustrated with some examples:
Detected change | Actions | Net result |
---|---|---|
New user appears in an HR application. | Look up appropriate role based on the user’s location and job code. Submit a change request to the Bravura Security Fabric workflow engine, to create a new user, with the HR-provided identity attributes and with resources specified by the role. | Auto-provisioning. |
New phone number detected on white pages directory. | White pages has a higher priority for the phone number attribute than other systems. Submit a change request to the Bravura Security Fabric workflow engine, to change the phone number in the user’s profile. Once approved (most likely automatically), the new phone number is mapped to other login IDs belonging to the user, and connectors are run to update this information on other systems. | Identity synchronization. |
Change to termination date is detected on the HR system. | Using the identity synchronization mechanism described above, set this date on the user’s profile. A separate batch process periodically identifies users with termination dates of today or earlier, and submits requests to disable all accounts for every matching user. | Automated termination. |
User disappears from system of record (HR). | Look up all of a user’s login IDs. Submit a “disable all accounts” change request to the Bravura Security Fabric workflow engine. Given the source of the request (employee gone from HR), this type of change may be auto-approved. | Automated termination (2nd method). |
User was added to Administrators group on Active Directory domain. | Since the change was detected on AD, it follows that it was not initiated by Bravura Security Fabric. Submit two change requests to the workflow engine: | Detect unauthorized privilege escalation. |
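As an added illustration of the pipeline described above (diff set, scope filter, per-user aggregation, business rules that emit workflow requests), here is a small Python model. It is not Bravura Security Fabric's code or scripting API; the record layout, the scope, role and attribute-priority tables, the sample diff set and the auto-approve policy are all constructed assumptions.

```python
from collections import defaultdict

DIFF_SET = [  # constructed diff set (not real product output); one entry per tracked change
    {"user": "u100", "system": "HR", "kind": "profile", "op": "add",
     "attrs": {"country": "CA", "job_code": "ENG2", "location": "TOR"}},
    {"user": "u100", "system": "WHITEPAGES", "kind": "attr", "op": "mod",
     "attrs": {"phone": "+1-416-555-0100"}},
    {"user": "u200", "system": "HR", "kind": "profile", "op": "del", "attrs": {}},
    {"user": "u300", "system": "AD", "kind": "group", "op": "add", "attrs": {"group": "Administrators"}},
    {"user": "u400", "system": "HR", "kind": "attr", "op": "mod", "attrs": {"termination_date": "2024-01-31"}},
]
KNOWN_PROFILES = {"u200": "CA", "u300": "CA", "u400": "US"}  # constructed: user -> home country
IN_SCOPE_COUNTRIES = {"CA"}                                  # hypothetical scope rule
ROLE_TABLE = {("TOR", "ENG2"): "engineer-toronto"}           # hypothetical (location, job code) -> role
ATTR_PRIORITY = {"phone": {"WHITEPAGES": 2, "HR": 1}}        # per-attribute source priority, higher wins

def in_scope(user, changes, profiles):
    """Data filter: keep only users whose country this instance manages."""
    country = profiles.get(user) or next((c["attrs"]["country"] for c in changes if "country" in c["attrs"]), None)
    return country in IN_SCOPE_COUNTRIES

def aggregate(diff_set):
    """Group every detected change by user so the rules see the full set at once."""
    by_user = defaultdict(list)
    for change in diff_set:
        by_user[change["user"]].append(change)
    return by_user

def evaluate(user, changes):
    """Business logic: map one user's aggregated changes to workflow requests (kind, user, data)."""
    requests = []
    for c in changes:
        src, kind, op, attrs = c["system"], c["kind"], c["op"], c["attrs"]
        if src == "HR" and kind == "profile" and op == "add":
            role = ROLE_TABLE.get((attrs["location"], attrs["job_code"]), "default")
            requests.append(("create_user", user, {"role": role, **attrs}))
        elif src == "HR" and kind == "profile" and op == "del":
            requests.append(("disable_all_accounts", user, {"auto_approve": True}))  # HR-sourced: assumed auto-approvable
        elif kind == "attr":
            for name, value in attrs.items():
                prio = ATTR_PRIORITY.get(name)
                if prio is None or prio.get(src, 0) == max(prio.values()):
                    requests.append(("update_profile_attr", user, {name: value}))
        elif src == "AD" and kind == "group" and attrs.get("group") == "Administrators":
            # Change was observed on AD itself, so it did not come through the provisioning system.
            requests.append(("flag_unauthorized_escalation", user, {"group": "Administrators"}))
    return requests

def run(diff_set, profiles):
    """Filter, aggregate and evaluate; returns {user: [requests]} for in-scope users only."""
    return {u: evaluate(u, ch) for u, ch in aggregate(diff_set).items() if in_scope(u, ch, profiles)}
```

Running `run(DIFF_SET, KNOWN_PROFILES)` drops the out-of-scope US user entirely, provisions the new Canadian hire from the role table, accepts the white-pages phone number because that source outranks HR for that attribute, disables the departed user, and flags the AD group addition.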