Onboarding

Bravura Workforce Pattern includes scenario components to manage the onboarding of users into the Bravura Security Fabric system. This can include automatic onboarding triggered by new users added to a System of Record (SoR), and manually-requested onboarding.

Automation

Bravura Identity can be configured to automate the onboarding process of new users by monitoring an SoR target system for changes. Bravura Pattern includes a scenario dedicated to this particular process, as described below.

im_corp_automated_onboard

Purpose:

Implements an automated onboarding process, triggered by new users added to a monitored system of record (SoR).

Configuration:

This scenario relies on configuration data located in the following external data store (extdb) tables:

  • hid_global_configuration: Adds ONBOARD_* settings under the AUTOMATION namespace, to define parameters such as the target ID for the SoR or the pre-defined request to be used for automated onboarding requests.

  • im_policy_authorization: Adds an authorization rule to allow idtrack (automation) requests to be auto-approved so they can be fulfilled immediately, without any manual intervention.

    You will notice, for example, that there are two rules in this table for PDRId = NEW-EMPLOYEE. One of them has RequesterUserclass = IDTRACK. This rule uses the NEW-EMPLOYEE PDR when an automated request is made.

  • hid_policy_attrval_*: Adds rules involving profile and request attributes, so automated onboarding requests can be processed successfully by the workflow engine.

Manual requests

Manual onboarding requests are workflow requests initiated by people logging into Bravura Security Fabric’s portal and filling out a request form with all the details necessary to create new accounts for users.

To provide better flexibility and control over the manual onboarding process, Bravura Pattern includes two scenarios dedicated to this use case. They are described in the sections below.

im_corp_manual_onboard_contractors

Purpose:

Implements a use case allowing requesters to submit onboarding requests for contractor type users via the NEW-CONTRACTOR pre-defined request.

Configuration:

External data store (extdb) tables containing configuration relevant to this scenario:

  • im_termination: Dictates what happens with contractor users whose scheduled termination date is approaching or has passed.

  • hid_policy_attrval_*: Adds rules involving profile and request attributes calculation and validation, so that contractor onboarding requests can be processed successfully by the workflow engine.

  • im_policy_authorization: Adds an authorization rule to require a member of the CONTRACT-HIRE-APPROVAL user class to approve contractor onboarding requests.

im_corp_manual_onboard_employees

Purpose:

Similar to the automated onboarding process, this scenario provides all the necessary configuration to allow users to submit onboarding requests for new employees, using the NEW-EMPLOYEE pre-defined request.

Configuration:

This scenario relies on configuration data located in the following external data store (extdb) tables:

  • im_policy_authorization: Adds an authorization rule to require a member of the HR team to approve employee onboarding requests.

  • hid_policy_attrval_*: Adds rules involving profile and request attributes calculation and validation, so that employee onboarding requests can be processed successfully by the workflow engine.
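
The following Python check is an added example, not Bravura code or part of the product documentation. It audits a CSV export of im_policy_authorization to confirm that only IDTRACK requests on the expected pre-defined request bypass approval, as the three onboarding scenarios above intend. The CSV export format, the ApproverUserclass and MinApprovers column names, and the ALL-USERS, HR-TEAM and HELPDESK user classes are assumptions constructed for illustration; PDRId, RequesterUserclass, IDTRACK, NEW-EMPLOYEE, NEW-CONTRACTOR and CONTRACT-HIRE-APPROVAL come from this page.

```python
import csv
import io

# Constructed sample export of im_policy_authorization. PDRId and
# RequesterUserclass appear in the documentation; ApproverUserclass and
# MinApprovers are hypothetical column names used for illustration only.
SAMPLE_EXPORT = """\
PDRId,RequesterUserclass,ApproverUserclass,MinApprovers
NEW-EMPLOYEE,IDTRACK,,0
NEW-EMPLOYEE,ALL-USERS,HR-TEAM,1
NEW-CONTRACTOR,ALL-USERS,CONTRACT-HIRE-APPROVAL,1
NEW-CONTRACTOR,HELPDESK,,0
"""

AUTOMATION_USERCLASS = "IDTRACK"


def audit_authorization_rules(export_text, automated_pdrs):
    """Return (PDRId, RequesterUserclass, reason) findings for risky rules."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = []
    gated = set()  # PDRs with at least one rule that requires human approval
    for row in rows:
        pdr = row["PDRId"].strip()
        requester = row["RequesterUserclass"].strip()
        approvers_needed = int(row["MinApprovers"] or 0)
        has_approver = bool((row["ApproverUserclass"] or "").strip())
        # A rule with no approver class or zero approvers is auto-approved.
        auto_approved = approvers_needed == 0 or not has_approver
        if not auto_approved:
            gated.add(pdr)
        elif requester != AUTOMATION_USERCLASS:
            findings.append((pdr, requester, "auto-approval for a non-automation requester"))
        elif pdr not in automated_pdrs:
            findings.append((pdr, requester, "automation auto-approval on an unexpected PDR"))
    # Every PDR should keep at least one rule that forces a human decision.
    for pdr in sorted({r["PDRId"].strip() for r in rows} - gated):
        findings.append((pdr, "*", "no rule requires human approval"))
    return findings


if __name__ == "__main__":
    for finding in audit_authorization_rules(SAMPLE_EXPORT, {"NEW-EMPLOYEE"}):
        print(finding)
```

Run against the constructed sample, the check flags only the HELPDESK rule on NEW-CONTRACTOR, which would let manual contractor requests skip the CONTRACT-HIRE-APPROVAL gate.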

Supporting scenarios

Bravura Pattern includes a number of components which provide shared functionality for other scenarios. We call these "supporting" or "library" components.

When the onboarding scenarios described above are installed, the supporting scenarios described below are also installed as dependencies.

im_corp_onboard

Purpose:

This scenario provides configuration data, library methods and scripted logic required by other scenarios which provide onboarding related functionality. The scenario will be automatically installed as a dependency along with other onboarding scenarios; it should never be installed on its own.

The im_corp_onboard component does not exist in version 12.4 or 12.5. Suggest this is made into a version variant from when it last appears. - Siobhan

hid_first_login

Purpose:

This scenario provides all the configuration necessary to deploy a "first login" experience for newly onboarded users, or for users accessing the system for the first time. As its prefix suggests, this component can be installed in both Bravura Pass and Bravura Identity instances. Depending on the type of information available, the scenario allows new users to authenticate to the product’s portal using alternate authentication factors, such as PII or a PIN sent to their email address or to their cell phone via SMS. Once authenticated, they have the option to register security questions and their mobile device, and to set an initial password on their accounts. The hid_first_login scenario is often installed alongside other onboarding scenarios in order to streamline the user onboarding experience and reduce the amount of manual work required for post-onboarding tasks.

Configuration:

When installed, this scenario adds a number of new authentication chains to the product instance. External data store (extdb) tables containing configuration relevant to this scenario:

  • hid_authchain_select: Adds authentication chain rules to allow users logging in for the first time to authenticate using an alternate factor, such as values of their PII attributes or a PIN sent to their mailbox or to their mobile device via SMS. Where PII attributes are used, they are collected during onboarding and then discarded once the user has used them during authentication.

im_corp_passgen

Purpose:

A supporting (dependency) scenario for other onboarding scenarios, it implements a password generation plugin for new accounts using the default password policy configured for the instance. Without this, requesters would be prompted to enter an initial password for new accounts and automated onboarding requests would fail.

hid_profileid

Purpose:

Another scenario typically installed alongside other onboarding scenarios, it generates an attribute called PROFILEID when attribute validation is run as part of onboarding requests. This attribute can then be referenced to reliably determine the profile ID for a user, even if their profile has not yet been created during onboarding requests.

Configuration:

External data store (extdb) tables containing configuration relevant to this scenario:

  • hid_global_configuration: Under the PDR setting, add or edit the comma-separated list of IDs of the PDRs to which this scenario applies.

  • hid_policy_attrval_*: Adds rules for setting the PROFILEID attribute based on the FIRST_NAME, LAST_NAME and OTHER_NAME profile attributes.