
Automated workflow request options

Bravura Security Fabric can automatically assign roles and groups to users on the basis of user class. The autores program, run as part of auto discovery, compares members of a class with a list of users who have a resource. The program can be configured to submit requests to assign or remove resources. When a user initiates a request, potential automatic assignments will be detected and submitted once the initial request has been approved and processed.

See usage information for autores.

To configure automated workflow settings:

  1. Click Workflow > Options > Automation.

  2. Enable options and type values for the fields listed in Table 1, “Automated workflow options”.

  3. If required, configure event options listed in Table 2, “Automated workflow events that launch interface programs”.

  4. Click Update.

Table 1. Automated workflow options

Option

Description

ATTR AUTO PROPAGATE EXECUTE

Enable this to automatically execute the propagation of changes to profile/request attributes to account attributes on subordinate systems.

ATTR AUTO PROPAGATE REQUESTER

The profile ID of the user that will submit change requests to the Bravura Security Fabric workflow system to synchronize account attributes to new profile attribute values.

ATTR AUTO PROPAGATE WRITE

Enable this to automatically write the propagation of changes to profile/request attributes to a work file. You can set this one alone to make changes manually, or combined with ATTR AUTO PROPAGATE EXECUTE for logging purposes.

ATTR AUTO PROPAGATE THRESHOLD

The maximum number of requests that may be submitted because of changes to profile attributes, unless overridden on the command line. If the threshold is exceeded, idtrack submits no requests automatically; instead, Bravura Security Fabric sends an email to the product administrator (defined by RECIPIENT EMAIL), who can decide whether to run idtrack manually to submit those requests.

AUTO ASSIGNMENT MAX SUBMIT DEFAULT

Maximum number of submissions in a single run of the automatic assignment utility, unless overridden on the command line.

You can override this for individual groups or roles by selecting Ignore submission limit during auto discovery.

AUTO ASSIGNMENT GROUP DELETE ORPHAN ACCOUNT

Enable this to automatically remove orphaned accounts from a group. An orphaned account is one that is not currently associated with an existing profile.

AUTO ASSIGNMENT GROUP DELETE ORPHAN ACCOUNT RECIPIENT

A valid profile ID of the user that will be the recipient of the request to remove the orphaned account.

AUTO ASSIGNMENT PROPAGATE REQUESTER

The profile ID of the user that will submit change requests to the Bravura Security Fabric workflow system to assign resources to users based on user classes.

AUTO ASSIGNMENT REQUEST SPLIT

The name of the plugin script to split an automatic assignment request into separate requests.

AUTO ASSIGNMENT THRESHOLD

A threshold number of requests to be submitted in a single run of the automatic assignment utility (autores), unless overridden on the command line. If the threshold is exceeded, no requests will be submitted by autores.

AUTO ASSIGNMENT VARIANCE FILTER

The name of the plugin script to filter automatic assignment variance detections before automatic submission.

OOB REQ GROUP JOIN REQUESTER

The requester’s profile ID when automatically submitting requests to add a user or a group to a group, if the user or group’s membership was changed outside of Bravura Security Fabric’s control.

OOB REQ GROUP LEAVE REQUESTER

The requester’s profile ID when automatically submitting requests to remove a user or a group from a group, if the user or group’s membership was changed outside of Bravura Security Fabric’s control.



Automatic assignment request splitting

You can use a plugin to break up automatic assignment requests into separate requests; for example, to make allocations take place immediately and de-allocations take place later.

To use an automatic assignment request splitting plugin:

  1. Click Manage the system > Workflow > Options > Automation.

  2. Type the name of the plugin program or PSLang script in the AUTO ASSIGNMENT REQUEST SPLIT field.

  3. Click Update.

There are no shipped plugins for the automatic assignment request splitting plugin point.

Requirements

The plugin must be placed in the <instance>\plugin\ directory and runs on the Bravura Security Fabric server. See Writing plugins for general requirements.

Execution points

The automatic assignment request splitting plugin is run when end users view requests in the View and update profile (IDR) module and Requests app, and when the autores program executes.

Input

The automatic assignment request splitting plugin receives information about operations to be performed on resources, for example:

  "" "" = {
    "request" "" = {
      // All actions generated to resolve variances from this run
      "resource" "" = {
      ...
      }
      "resource" "" = {
      ...
      }
      ...
    }
    // Existing generated auto assignment requests
    "request" "" = {
      "autoressig" = "..."
      "requestID" = "..."
      // Existing resources in this request
      "resource" "" = {
      ...
      }
      "resource" "" = {
      ...
      }
    }
    ...
    "request" "" = {
      ...
    }
  } 

Output

The automatic assignment request splitting plugin returns changes to the original request:

  "" "" = {
   // Changes are made for existing requests
    "request" "" = {
      "autoressig" = "..."
      "requestID" = "..."
      // Resources should be in this request
      "resource" "" = {
      ...
      }
      "resource" "" = {
      ...
      }
    }
    ...
    // New requests
    "request" "" = {
      "resource" "" = {
      ...
      }
      "resource" "" = {
      ...
      }
    }
    "changed" = "true"/"false"
    // If the requests that are not returned should be retained or removed
    "retainResources" = "true"/"false"
    "retval" = "0"
    "errmsg" = ""
  } 

Automatic assignment filtering

You can use a plugin to filter automatic resource assignment requests on a per-user basis.

To use an automatic assignment filter plugin:

  1. Click Manage the system > Workflow > Options > Automation.

  2. Type the name of the plugin program or PSLang script in the AUTO ASSIGNMENT VARIANCE FILTER field.

  3. Click Update.

There are no shipped plugins for the automatic assignment filter plugin point.

Execution points

The automatic assignment filter plugin is run when the user attempts to view automatically assigned resources. The plugin is also run when the autores program executes.

Filter plugins operate differently from most plugins, which are synchronous. All filter plugins support asynchronous calling, in one of two forms: standard input/output (stdio) mode and callback mode.

In standard input/output (stdio) mode, filter plugins work in the following way:

  1. An event triggers a CGI program to call the plugin program or script and sends it standard user data.

  2. The calling program continues to stream input from stdin, one item at a time until there are no more items.

  3. For each item, the plugin returns the filter result to stdout.

  4. The calling program receives the final standard output and continues.

Input

Input is similar for all resource filter plugins. The plugin first receives standard data in the format:

"" "" = {
  "sessionid" = "<session ID>" # The session ID of the request.
  "module" = "<idr|ids|idp|idwfm>"
  "accountID" = "<account ID>" # The account ID of the recipient.
  "template" = "<template ID>" # The selected template ID.
  "targetid" = "<target ID>" # The target ID for the recipient.
  "navigation" "" = { ... } # User navigation data
                            # See Navigation data.
  "recipient" "<user|empty>" = {
     # The "recipient" group contains standard information about the
     # subject of the request.
     # See Request data for details.
   }
  "viewer" "user" = {
     # The "viewer" group contains standard information about the
     # person using the CGI.
     # See User data for details.
   }
  "request" "" = {
     # The "request" group contains standard information about
     # the request.
     # See Request data for details.
   }
 }

Some of the values above may be empty, due to the stage and type of the request.

The plugin then receives a series of KVGroups; one for each item. The automatic assignment filter plugin receives, for example:

"User" "" = {
  "userid" = "AWaygood"
  "Variance" "" = {
    "type" = "group"
    "id" = "1d05cb04-b2b7-4f09-9af9-e1b6733a98dc"
    "hostid" = "AD"
    "longid" = ""
    "surplus" = "false"
    "throttle" = "true"
  }
  "Variance" "" = {
    "type" = "group"
    "id" = "f1192163-80cc-47e3-9fc7-775af4173002"
    "hostid" = "AD"
    "longid" = ""
    "surplus" = "true"
    "throttle" = "true"
  }
} 

Output

For each item, one output KVGroup is expected on stdout, with an optional "filter" = "true" pair to indicate that the item should not be displayed:

"" "" = {
  "filter" = "true|false"
         # If false, the user is displayed
         # If true, the user is not displayed
  "retval" = "<#>"
         # Optional, if non-zero returned, abort the plugin
}

A plugin that encounters errors in its processing can return the standard output pairs (a non-zero "retval" and an "errmsg") for an individual item; this causes plugin execution to be aborted.

The automatic assignment filter can optionally add and remove resources that will be requested in an additional request.

Returning the "User" "" = {} KVGroup with the desired modifications will alter the potential request. When this option is used any calculated variances will be discarded and the returned KVGroup will be used.

"" "" = {
  "User" "" = {
    "userid" = "AWaygood"
    "Variance" "" = {
      "type" = "group"
      "id" = "f1192163-80cc-47e3-9fc7-775af4173002"
      "hostid" = "AD"
      "longid" = ""
      "surplus" = "true"
      "throttle" = "true"
    }
    "Variance" "" = {
      "type" = "role"
      "id" = "ROLE1"
      "surplus" = "false"
      "throttle" = "false"
    }
  }
}
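The following is an added example, not part of the Bravura Security Fabric documentation or product: a stdio-mode filter written as a plugin program in Python. It parses one per-item "User" KVGroup as shown above (the grammar is inferred from the listings on this page), applies the policy "auto-submit grants only, leave surplus removals for review", and returns either filter = "true" or the modified "User" group described in the previous paragraph. The sample item, the parser and the policy are all constructed here.

```python
import re

# Constructed sample item in the page's KVGroup format (ids taken from the input listing above).
SAMPLE_ITEM = '''"User" "" = {
  "userid" = "AWaygood"
  "Variance" "" = { "type" = "group" "id" = "1d05cb04-b2b7-4f09-9af9-e1b6733a98dc"
                    "hostid" = "AD" "surplus" = "false" "throttle" = "true" }
  "Variance" "" = { "type" = "group" "id" = "f1192163-80cc-47e3-9fc7-775af4173002"
                    "hostid" = "AD" "surplus" = "true" "throttle" = "true" }
}'''

_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([={}])')   # quoted string | one of = { }

def parse_kvgroup(text):
    """Parse one '"name" "type" = { ... }' group into a nested dict."""
    text = re.sub(r"#[^\n]*", "", text)                  # drop '#' comments
    toks = [("punct", p) if p else ("str", s) for s, p in _TOKEN.findall(text)]
    return _group(toks, 0)[0]

def _group(toks, i):
    g = {"name": toks[i][1], "type": toks[i + 1][1], "pairs": {}, "groups": []}
    i += 4                                   # skip the header: "name" "type" = {
    while toks[i] != ("punct", "}"):
        if toks[i + 1] == ("punct", "="):    # "key" = "value"
            g["pairs"][toks[i][1]] = toks[i + 2][1]
            i += 3
        else:                                # nested group; repeated names are kept in order
            sub, i = _group(toks, i)
            g["groups"].append(sub)
    return g, i + 1

def to_text(g, indent=0):
    """Serialize back to KVGroup text, the form the calling program expects on stdout."""
    pad = "  " * indent
    body = [f'{pad}  "{k}" = "{v}"' for k, v in g["pairs"].items()]
    body += [to_text(sub, indent + 1) for sub in g["groups"]]
    return "\n".join([f'{pad}"{g["name"]}" "{g["type"]}" = {{', *body, pad + "}"])

def filter_item(item_text):
    """Policy for one User item: keep only deficit variances (surplus = "false") so
    autores only grants; removals stay in the variance report for human review."""
    user = parse_kvgroup(item_text)
    keep = [v for v in user["groups"]
            if v["name"] == "Variance" and v["pairs"].get("surplus") == "false"]
    # filter = "true" hides the item entirely; otherwise the trimmed User group replaces it
    out = {"name": "", "type": "", "pairs": {"retval": "0", "filter": str(not keep).lower()},
           "groups": []}
    if keep:
        out["groups"].append({"name": "User", "type": "",
                              "pairs": {"userid": user["pairs"]["userid"]}, "groups": keep})
    return to_text(out)
```

In a deployed plugin, the standard data group is read once from stdin first, then filter_item is applied to each subsequent item and its result written to stdout before the next item is read.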

In callback mode the resource filter plugin uses two functions:

  • OnFilterInit(const $inkvg, output $detail) This function is called once to retrieve initial information about the request, requester, and viewer.

    $inkvg – the viewer

    $detail – if 0, no detail provided on input kvg for each user

    – if 1, detail is provided on input kvg for each user

    – can also be expressed as a KVGroup

  • OnItemFilter(const $inkvg, output $msg, output $allow) This function is called once per item to determine what resource the user can view or manage.

    $inkvg – the resource to filter (each item is as found in Listing 8.4.4.1)

    $msg – error message

    $allow – if 1, this user is displayed and available

    – if 0, this user is not displayed and is unavailable

Example

A simple example is as follows:

 function OnFilterInit( const $inkvg, output $detail )
 {
     # Called once; $inkvg carries the viewer/request data
     log( kvgToString( $inkvg ) );
     $detail = 0;   # no per-user detail requested on the item kvg
     return 0;
 }
 function OnItemFilter( const $inkvg, output $msg, output $allow )
 {
     # Called once per item; $inkvg is the resource to filter
     log( "OnItemFilter:" );
     log( kvgToString( $inkvg ) );
     $msg = "";     # Error message
     $allow = 0;    # not allowed: item is not displayed
     # $allow = 1;  # allowed: item is displayed and available
     return 0;
 }