Automatic Assignment
In addition to role enforcement, Bravura Security Fabric supports role-based access control with automatic assignment. Automatic assignment is controlled by user class. Users who are members of a configured user class can be assigned a resource (role or managed group) automatically if they do not already have it. The resource can be removed from non-members. This automation is triggered during a scheduled job, and in real time when a user’s user class membership changes.
Automatic assignment works with the following:
Program | Purpose |
---|---|
View and update profile (IDR) module | Allows users to request changes to profile attributes or group membership. |
Workflow Manager Service | Handles requests to add or remove resources. The requests can be auto-approved or reviewed by authorizers. |
autores | Determines deficits and surpluses and issues requests to assign role and group membership. |
You cannot enable role enforcement and automatic assignment at the same time for managed groups.
Typical automatic assignments may proceed in the following way:
- User requests a change in department
  1. The user submits a request to update profile information that is linked to an account attribute on a target system.
  2. When the request for the attribute update is approved, Bravura Security Fabric automatically submits additional requests:
     - Remove the user from the original department group (auto-approved change).
     - Add the user to the new department group (requires approval).
- User added to the Support group on an Active Directory domain
  1. The group membership change is detected during auto discovery.
  2. Bravura Security Fabric automatically submits a request:
     - Add the user to the help desk role (requires approval).
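
The deficit and surplus evaluation described above, worked through for the Support group scenario. This is an added illustrative sketch, not Bravura Security Fabric code: `AssignmentRule`, `plan_requests`, the user class name and the approval defaults are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssignmentRule:                # hypothetical model of one configured rule
    resource: str                    # role or managed group to assign
    resource_type: str               # "role" or "managed_group"
    user_class: str                  # membership in this class drives assignment
    remove_from_non_members: bool = False
    add_needs_approval: bool = True      # assumed default, as in the page's examples
    remove_needs_approval: bool = False  # assumed default, as in the page's examples
    role_enforcement: bool = False       # enforcement also enabled on this resource


def validate(rule):
    # The page states both features cannot be enabled together for managed groups.
    if rule.resource_type == "managed_group" and rule.role_enforcement:
        raise ValueError(f"{rule.resource}: role enforcement and automatic "
                         "assignment cannot both be enabled for a managed group")


def plan_requests(rule, class_members, holders):
    """Return the add/remove requests one evaluation pass would issue."""
    validate(rule)
    deficits = sorted(set(class_members) - set(holders))   # members lacking it
    surpluses = sorted(set(holders) - set(class_members))  # non-members holding it
    requests = [{"op": "add", "user": u, "resource": rule.resource,
                 "approval": "required" if rule.add_needs_approval else "auto"}
                for u in deficits]
    if rule.remove_from_non_members:   # surplus removal is optional per rule
        requests += [{"op": "remove", "user": u, "resource": rule.resource,
                      "approval": "required" if rule.remove_needs_approval else "auto"}
                     for u in surpluses]
    return requests


# Constructed sample data for the Support group scenario.
RULE = AssignmentRule("help desk role", "role", "SUPPORT_GROUP_MEMBERS",
                      remove_from_non_members=True)
SUPPORT_MEMBERS = {"alice", "bob"}     # user class membership after discovery
HELP_DESK_HOLDERS = {"bob", "carol"}   # users who currently hold the role

if __name__ == "__main__":
    for req in plan_requests(RULE, SUPPORT_MEMBERS, HELP_DESK_HOLDERS):
        print(req)
```

With removal from non-members disabled, `carol` keeps the role after leaving the user class, so surplus access persists until it is revoked some other way.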