
Features and concepts

This section outlines Bravura Privilege features and the factors to consider before implementing them.

Managed system policies

The key to configuring Bravura Privilege is understanding the role the managed system policy plays in managing systems. The managed system policy contains all configuration information required to manage accounts on a managed system. Access controls for product administrators and regular users are also defined in terms of which managed system policies they have access to and which operations they are allowed to perform on those policies.

In the managed system policy you define:

  • What systems are members of the policy

  • What accounts are managed on the systems

  • Who must authorize access to privileged accounts

  • What authentication types can be used to access accounts or group sets

  • Who will have access to privileged accounts

The following can be defined system-wide or for each managed system policy:

  • How often privileged passwords are randomized

  • The policies for creating passwords

  • How users are granted access

  • Who can access accounts

  • How sessions initiated by users can be monitored and recorded

  • Who can access recorded sessions, and who must authorize their access

Auto discovery and management of systems and accounts

Bravura Security Fabric's auto discovery feature can list information about:

  • Systems on a domain

  • Administrator, domain, and user accounts whose credentials are used to manage services, scheduled tasks, IIS websites, or DCOM objects

These discovered objects can be manually or automatically imported to become managed systems and accounts.

See Infrastructure Auto Discovery for more information.

How local workstation service discoveries are processed

Bravura Privilege processes Local Workstation (LWS) discoveries as individual mini-discoveries, serially, alongside the other types of discovery that the rest of Bravura Security Fabric runs in much larger batches: auto-discovery (psupdate), manual discovery (for the entire instance or a specific target), and persistent-listing-triggered discoveries.

None of these can be executed in parallel; each must wait in the discovery queue (files saved in the instance's db\iddiscover directory) until the previous ones have finished.

At a high level, an LWS discovery is generated and processed as follows:

  1. The LWS client contacts Bravura Privilege with a poll.

  2. If any changes are found that need to be applied, a .commit file (0 bytes) and a set of .dat files carrying the same discovery GUID in their filenames are created in db\iddiscover.

  3. The files wait in the queue until iddiscover can process them.

  4. If no resynchronization has been submitted for the discoveries so far, this discovery is batched with previously submitted ones:

    1. LWS resynchronizations batch with resynchronizations.

    2. Normal or computed-attribute discoveries batch together.

    3. Since LWS resynchronizations are usually fewer, they are the ones that interrupt normal LWS discovery batching.

    4. psupdate-triggered discoveries don't batch with anything, as they are always PUSH mode batches; they simply wait their turn.

    5. Any LWS discoveries that arrive while psupdate is running also wait their turn (between its "starting psupdate" and "done psupdate" entries).

  5. If the batch succeeds, the .commit and its .dat files are removed, and the discoverystate for that discovery in the backend DB changes from R (running) to S (successful).

  6. If the batch fails, the .commit is renamed to .archive and the discoverystate for that discovery in the backend DB changes from R (running) to F (failed).

    Steps 5 and 6 apply to every discovery in the same batch as soon as that batch fails or succeeds; all LWS discoveries in a batch succeed or fail together.
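As an added example (not Bravura Privilege's own code), the following script inspects a db\iddiscover queue directory and classifies each discovery by the file states described above: a .commit still present means the discovery is pending, a .archive means it failed, and .dat files with neither are orphaned. The filename convention (`<guid>.commit`, `<guid>.<anything>.dat`, `<guid>.archive`) is an assumption, since the page only states that the .commit and its .dat files share a GUID; the sample directory is constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumed naming convention (the page only says the .commit and its .dat files
# share a discovery GUID): "<guid>.commit", "<guid>.<anything>.dat", "<guid>.archive".
NAME_RE = re.compile(
    r"^(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})(?:\.[^.]+)?\.(?P<ext>commit|dat|archive)$",
    re.IGNORECASE,
)

def scan_iddiscover(path):
    """Group queue files by discovery GUID and classify each discovery.

    pending : a .commit is present, its .dat files are waiting for iddiscover
    failed  : the .commit was renamed to .archive (discoverystate F)
    orphaned: .dat files without a .commit or .archive, which a healthy queue
              should not contain once a batch has been processed
    """
    counts = defaultdict(lambda: {"commit": 0, "dat": 0, "archive": 0})
    for name in os.listdir(path):
        m = NAME_RE.match(name)
        if m:  # unrelated files in the directory are ignored
            counts[m["guid"].lower()][m["ext"].lower()] += 1
    report = {}
    for guid, c in counts.items():
        state = "pending" if c["commit"] else "failed" if c["archive"] else "orphaned"
        report[guid] = {"state": state, "dat": c["dat"]}
    return report

def queue_summary(report):
    """Counts per state, usable as a backlog check for the discovery queue."""
    summary = {"pending": 0, "failed": 0, "orphaned": 0}
    for entry in report.values():
        summary[entry["state"]] += 1
    return summary

def build_sample_queue():
    """Constructed sample db\\iddiscover directory with three discoveries (not real data)."""
    d = tempfile.mkdtemp()
    g1 = "11111111-1111-1111-1111-111111111111"  # pending, two .dat files
    g2 = "22222222-2222-2222-2222-222222222222"  # failed, .commit became .archive
    g3 = "33333333-3333-3333-3333-333333333333"  # orphaned .dat with no .commit
    for name in (f"{g1}.commit", f"{g1}.accounts.dat", f"{g1}.services.dat",
                 f"{g2}.archive", f"{g2}.accounts.dat", f"{g3}.accounts.dat", "README.txt"):
        open(os.path.join(d, name), "w").close()
    return d

if __name__ == "__main__":
    rep = scan_iddiscover(build_sample_queue())
    for guid, entry in sorted(rep.items()):
        print(guid, entry["state"], f"{entry['dat']} .dat file(s)")
    print(queue_summary(rep))
```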

Password randomization

As explained in Modes, Bravura Privilege can automatically randomize passwords using two modes: push and local service.

Passwords are randomized daily by default. You can change this frequency system-wide, or for individual managed system policies.

See Password randomization for more information.

Authentication types

When creating a managed system policy, administrators must select one (or more) authentication types that will be used for accessing the accounts or group sets in the managed system policy.

There are three authentication types:

  • Password:

    • Use this type if managed accounts in the managed system policy will be checked out using passwords.

    • This type can only be used for single account check-outs and account set check-outs.

  • SSH key:

    • Use this type if managed accounts in the managed system policy will be checked out using SSH keys.

    • This type can only be used for single account check-outs.

  • Group set:

    • Use this type if adding group sets to the managed system policy.

    • This type can only be used for group set check-outs.

For example, if both Password and SSH key are selected for a managed system policy, requesters can choose which authentication type to use for accessing the managed account. Single account access request forms include an Operation to perform during check-out and check-in option for this purpose.

Support for authentication types depends on the managed system policy mode:

  • Push mode: group set, password, and SSH key are available

  • Local service mode: group set and password are available

  • Vault mode: only password is available

Once authentication types are selected for the managed system policy, administrators can still modify them. They can add, remove, or replace authentication types, subject to the following restrictions:

  • Authentication types can only be added if they are valid for the managed system policy mode.

  • The password authentication type can be removed only if the managed system policy has no managed accounts.

  • The SSH key authentication type can be removed only if the managed system policy has no managed accounts.

  • The group set authentication type can be removed only if the managed system policy has no group sets.
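The mode and removal rules above, modelled as an added example (not Bravura Privilege's API; the class and the `password` / `ssh_key` / `group_set` identifiers are this example's own). It rejects authentication types that are invalid for the policy mode, blocks removal while managed accounts or group sets still exist, and reports which types a requester may choose for a given kind of check-out.

```python
# Constructed model of the authentication-type rules; names are this example's own.
MODE_AUTH_TYPES = {                      # authentication types valid per policy mode
    "push": {"password", "ssh_key", "group_set"},
    "local_service": {"password", "group_set"},
    "vault": {"password"},
}
AUTH_CHECKOUTS = {                       # check-out kinds each type can be used for
    "password": {"single_account", "account_set"},
    "ssh_key": {"single_account"},
    "group_set": {"group_set"},
}

class PolicyError(ValueError):
    """Raised when a change would violate the managed system policy rules."""

class ManagedSystemPolicy:
    def __init__(self, name, mode, auth_types, managed_accounts=0, group_sets=0):
        if mode not in MODE_AUTH_TYPES:
            raise PolicyError(f"unknown mode {mode!r}")
        self.name, self.mode, self.auth_types = name, mode, set()
        self.managed_accounts, self.group_sets = managed_accounts, group_sets
        for t in auth_types:
            self.add_auth_type(t)
        if not self.auth_types:
            raise PolicyError("select at least one authentication type")

    def add_auth_type(self, auth_type):
        # Types can only be added if they are valid for the policy mode.
        if auth_type not in MODE_AUTH_TYPES[self.mode]:
            raise PolicyError(f"{auth_type} is not available in {self.mode} mode")
        self.auth_types.add(auth_type)

    def remove_auth_type(self, auth_type):
        # password and ssh_key stay while managed accounts exist,
        # group_set stays while group sets exist.
        if auth_type == "group_set" and self.group_sets:
            raise PolicyError("cannot remove group_set: policy still has group sets")
        if auth_type in ("password", "ssh_key") and self.managed_accounts:
            raise PolicyError(f"cannot remove {auth_type}: policy still has managed accounts")
        self.auth_types.discard(auth_type)

    def requester_choices(self, checkout_kind):
        """Authentication types a requester may pick for one kind of check-out."""
        return sorted(t for t in self.auth_types if checkout_kind in AUTH_CHECKOUTS[t])
```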

Vault-only systems

Product administrators can use Bravura Privilege to manually store information in vault-only managed systems. In this case, there is no communication between the Bravura Privilege server and the managed system: the managed system exists in Bravura Privilege, but all management is done manually by a user.

Bravura Privilege does not automatically randomize passwords for these managed systems. Users can be granted permission, via access controls, to override the stored password after they have accessed it.

Access request

Regular users can request temporary access to managed accounts or group sets. Depending on how you configure access controls, a given user's request may be auto-approved or may require authorization. If approved, the user can check out the requested access within a set time period.

The access permission can be checked in by the user once they are finished, or it is checked in automatically when the set time period expires. If the user had access to an account, its password is randomized. If they accessed the account using SSH authentication, the user's SSH public key is removed from the target. If they had group set access, the user is removed from the group membership.

Consider the following when determining who can access and manage privileged accounts or group sets:

  • Who should be able to request access to which accounts or group sets?

  • Who can be auto-approved?

  • Who requires approval from an authorizer?

See:

Access disclosure

Once a user has been granted access to a managed account, access disclosure plugins provide the user with access to the password, or an automatic connection to the managed system.

The following disclosure methods are available with Bravura Privilege:

  • Command prompt control – allow users to automatically connect by launching a program

  • Copy control – allow users to copy and paste the password

  • Remote desktop control – allow users to automatically connect by launching a remote desktop connection

  • Display control – allow users to access privileged accounts on the web interface

  • Browser driver control – provides users access to web sites using managed passwords

Session recording and viewing

The session monitoring feature enables the monitoring, recording, searching, and viewing of actions performed during administrative sessions using Bravura Privilege credentials.

Determine who can do what with recorded sessions:

  • Who should be able to search their own recorded sessions?

  • Who should be able to search other people’s recorded sessions?

  • Who can be auto-approved to search, view or download recorded sessions?

  • Who requires approval from an authorizer?

You can configure Bravura Privilege session monitoring to use one or more collection modules:

  • Keystroke capture – to record keys that were pressed during a session

  • Video capture – to periodically capture screen shots during a session

  • Webcam capture – to periodically capture images from any attached web cams during a recorded session

  • Clipboard capture – to collect copy/paste information during a session

  • User interface capture – to capture text data from user interface elements during a recorded session

  • Process name capture – to capture the names of processes created during a session