Setting up access certification

In order to implement access certification using Bravura Security Fabric, you must:

  1. Add target systems that you want to be able to include in the certification process.

    Enable the Allowed in the certification process option for each target system whose users can be reviewed.

    Ensure that target systems have appropriate descriptions and help URLs specified, to assist reviewers in identifying appropriate entitlements.

  2. Manage groups if you want them to be included in the certification process.

    The Allowed in the certification process target system option determines whether the system’s managed groups are selectable when starting a certification campaign. The target system option is disabled by default. You can apply a global override or individual target system override to allow managed groups to be included in certification, regardless of whether the parent target system is allowed in the certification process.

    Note

    The target system option is not accessible in Bravura Privilege, and target systems are not allowed in the certification process by default, so you must apply either the global override or an individual target system override. You can enable managed groups to be certified when a target system is not allowed in certification process.

  3. Optional: Define user classes to divide the user population into segments, so that you can assign a reviewer for each segment.

  4. Optional: Set up roles and segregation of duties rules to be certified.

    When entitlements are assigned to a user via a role, they can only be certified through that role. Reviewers cannot view or certify the member entitlements individually.

  5. Optional: Define profile information that you want reviewers to review.

    Reviewers can view user profile information to help them in their review. You can include basic information, such as name, email address, and manager, by default.

    If you define additional profile and request attributes, you must ensure that reviewers have permission to view information about users they are reviewing, by defining the control of user groups over attribute groups.

  6. Optional: Configure pre-defined requests to be used for remediation.

    You can specify remediation requests to determine what happens when a review revokes an entitlement, transfers a user, or resolves an SoD violation. Pre-defined requests are set up by default in most cases. Reviewers can also be enabled to create new profiles from within a certification campaign. In this case, you must set up a pre-defined request for this purpose.

  7. Optional: Enable consistency calculations and automatic actions. These options can ease the burden on reviewers by identifying consistent or inconsistent items, and automatically certifying or revoking items based on consistency and risk.

Enabling managed groups to be certified when a target system is not allowed in certification process

To allow all managed groups to be selectable when starting a certification campaign, regardless of whether the parent target system is allowed in the certification process, enable CERT OVERRIDE TARGET CERT ENABLED FOR GROUPS in the Manage the system > Modules > Modules > Manage certification process (CERT) option menu.

Alternatively, you can apply an override to individual target systems by configuring a boolean-type resource attribute identified by CERT ATTRIBUTE GROUP CERT. The managed groups of the target system can be certified when the attribute value is set to True.

The following example illustrates the individual target system override:

  1. Define a resource attribute:

    1. Click Manage the system > Resources > Resource attributes > Add new...

    2. Enter the ID; for example GROUP-CERTIFY.

    3. Enter the Description.

    4. Select Type: Boolean.

    5. Set the Default values for the attribute: (None).

    6. Click Add.

  2. Define a resource attribute group:

    1. Click Manage the system > Resources > Resource attribute groups > Add new...

    2. Enter the ID; for example ALLOW-GROUP-CERTIFY.

    3. Enter the Description.

    4. Select Type: Target systems.

    5. Click Add.

    6. Click the Members tab.

    7. Click Select, then select the resource attribute you created previously; for example GROUP-CERTIFY.

  3. Configure the option in the Manage certification process (CERT) module:

    1. Click Manage the system > Modules > Manage certification process (CERT).

    2. Type GROUP-CERTIFY in the CERT ATTRIBUTE GROUP CERT field.

  4. Enable managed groups to be certified for a target system that is not allowed in certification process.

    1. Click Manage the System > Resources > Target systems.

    2. Select the target system.

    3. Set the ALLOW-GROUP-CERTIFY option to "True".

    4. Click Update.

Next:

Once you have defined which entitlements, users, and information may be included in the certification process, you can configure and start an access certification campaign.