
Use case: Automatic actions

This use case illustrates how to use entitlement consistency calculations and resource attribute comparison to automatically certify items or identify revocation candidates in a certification campaign.

This use case assumes the following global settings under Manage the system > Modules > Manage certification process (CERT):

  • CERT CONSISTENCY ATTRIBUTE GROUP: CERT_ORGCHART_MANAGER

  • CERT CONSISTENCY CALCULATION: Enabled

  • CERT CONSISTENCY MINIMUM: 5

  • CERT CONSISTENCY USERS LOWER THRESHOLD: 20

  • CERT CONSISTENCY USERS UPPER THRESHOLD: 80

Create a resource attribute to compare to trigger automatic actions

To set up a resource attribute to compare:

  1. Click Manage the system > Resources > Resource attributes.

  2. Click Add new…

  3. On the Resource attribute information page, enter the following values:

    ID: RISK

    Description: RISK

    Type: Integer

    Leave other values as default.

    The resource attribute must be date, boolean, string, or integer type. For string and integer types the maximum number of values must be 1.

  4. Click Add.

Create a resource attribute group

  1. Click Manage the system > Resources > Resource attribute groups.

  2. Click Add new…

  3. On the Resource attribute group definition page, enter the following values:

    ID: RISK_ATTRIBUTES

    Description: Risk attributes

    Resource type: Managed groups

    For this feature, only template accounts, roles, and managed group types are applicable.

  4. Click Add.

  5. Click the Access control tab.

  6. Give the ALLUSERS group read and write permission.

  7. Click the Members tab.

  8. Click Select…

  9. Click the checkbox for RISK and click Select.

    You can repeat this process to add other types of risk attribute if you like. The supported types are integer, string, date, and boolean.

Give the group attribute a value

  1. Click Manage the system > Resources > Groups.

  2. Select a group.

  3. Give the Risk attribute a value.

  4. Click Update.

    Repeat this process for other groups if you like.

Start an entitlement certification campaign

To start an entitlement certification campaign:

  1. From the main menu, click Manage certification process.

  2. Click Start entitlement certification campaign.

  3. Select entitlements to be reviewed.

  4. Click the Reviewers tab to choose reviewers for the campaign.

  5. Click Continue to choose a single reviewer.

  6. Click Select…

  7. Search for and select the appropriate user.

  8. Click the Peer groups tab to review the settings for marking consistent entitlements.

    Note that the Enable calculating consistency across peers checkbox is enabled by default.

    Modify settings to mark items for consistency as required.

  9. Configure auto-certification:

    1. Click the Automate certification by resource attribute checkbox.

    2. Click the magnifying glass icon to select "RISK" as the Resource attribute to compare.

    3. Set the Comparison method to "is less than".

    4. Set the Resource attribute value to 5.

    Note that the value for "Automatically certify items if at least this percent of peers share the item and auto-certify attribute expression is met" must be greater than or equal to the value for "Mark items as consistent if at least this percent of peers share the item".

  10. Configure auto-revocation:

    1. Click the Identify revocation candidates by resource attribute checkbox.

    2. Click the magnifying glass icon to select "RISK" as the Resource attribute to compare.

    3. Set the Comparison method to "is greater than or equal to".

    4. Set the Resource attribute value to 7.

    Note that the value for "Identify candidates for revocation if fewer than this percent of peers share the item and auto-revoke attribute expression is met" must be less than or equal to the value for "Mark items as inconsistent if fewer than this percent of peers share the item".

    While auto-certification is simply recorded in the Bravura Security Fabric database, auto-revocation requires an action on the affected target system. Depending on the type of items included in the campaign, you can select from available pre-defined requests to revoke items.

  11. Click the Submit tab.

  12. Type a Certification campaign description.

  13. Click Launch campaign.

  14. Click Start new campaign.

With the above configuration, an item with a peer group consistency above 60% and a risk integer value less than 5 will be automatically certified. An item with a peer group consistency of less than 50% and a risk integer value greater than or equal to 7 will be automatically revoked. Reviewers can override these actions when they review items.
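
The decision rule summarized above, modeled as an added Python example (it is not Bravura Security Fabric code). The class and function names, the sample groups, the two "mark" thresholds, and the handling of a group with no RISK value as manual review are assumptions; the percent comparisons follow the setting labels ("at least", "fewer than").

```python
import operator
from dataclasses import dataclass

# Comparison methods named on the page, mapped to Python operators.
COMPARE = {"is less than": operator.lt,
           "is greater than or equal to": operator.ge}

@dataclass
class CampaignRules:
    certify_pct: float            # auto-certify if at least this % of peers share the item
    certify_expr: tuple           # (comparison method, RISK value)
    revoke_pct: float             # candidate if fewer than this % of peers share the item
    revoke_expr: tuple
    mark_consistent_pct: float    # "Mark items as consistent ..." (constructed value)
    mark_inconsistent_pct: float  # "Mark items as inconsistent ..." (constructed value)

    def validate(self):
        """Return violations of the two threshold constraints noted in steps 9 and 10."""
        errors = []
        if self.certify_pct < self.mark_consistent_pct:
            errors.append("auto-certify percent is below the mark-consistent percent")
        if self.revoke_pct > self.mark_inconsistent_pct:
            errors.append("revocation percent is above the mark-inconsistent percent")
        return errors

def matches(expr, risk):
    # Assumption: a group with no RISK value satisfies neither expression.
    method, value = expr
    return risk is not None and COMPARE[method](risk, value)

def decide(rules, peer_pct, risk):
    """Classify one item; anything matching neither rule is left to the reviewer."""
    if peer_pct >= rules.certify_pct and matches(rules.certify_expr, risk):
        return "auto-certified"
    if peer_pct < rules.revoke_pct and matches(rules.revoke_expr, risk):
        return "revocation candidate"
    return "manual review"

# Thresholds and expressions from this use case; the two "mark" values are constructed.
RULES = CampaignRules(60, ("is less than", 5), 50,
                      ("is greater than or equal to", 7), 60, 50)

# Constructed sample items: (managed group, % of peers sharing it, RISK value or None).
SAMPLE_ITEMS = [("GRP-WIKI-READ", 85, 2), ("GRP-DB-ADMIN", 85, 8),
                ("GRP-LEGACY-FTP", 30, 8), ("GRP-VPN", 30, 6),
                ("GRP-REPORTS", 55, 2), ("GRP-UNSCORED", 90, None)]

def classify_all(rules, items):
    return {name: decide(rules, pct, risk) for name, pct, risk in items}

if __name__ == "__main__":
    for name, outcome in classify_all(RULES, SAMPLE_ITEMS).items():
        print(f"{name:15} {outcome}")
```

GRP-DB-ADMIN (widely shared but high risk) and GRP-REPORTS (low risk but between the two percent thresholds) both stay with the reviewer, because each rule requires its consistency condition and its attribute expression to hold together.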

Review in certification app

To review items in the certification app:

  1. Log in to Bravura Security Fabric as the reviewer.

  2. Click the notification link or click Review entitlements and configurations to view the campaign review page.

In the certification app:

  • Items with a high consistency score and a low risk attribute value have been automatically certified.
  • Items with a low consistency score and a high risk attribute value have been flagged as risky. They are identified as revocation candidates by a small red flag on the upper right part of the revoke action icon.

    As a reviewer, you can click the alert icon to open the request wizard and complete the request.

As a reviewer, you can override any of the above actions or edit the note by clicking the appropriate symbol.