
Adding a managed system policy

To add a managed system policy:

  1. Click Manage the system > Privileged access > Managed system policies.

  2. Click Add new….

  3. Type a unique ID containing only ASCII characters, and a Description of the policy.

  4. Select the Mode of service to use with this policy.

    Different configuration options become available depending on the selected mode. See below for details on the configuration options.

    The mode cannot be changed after adding the policy. See Setting up Privileged Access Management for descriptions and planning notes for each mode.

    With a limited license you can only add vault-only mode policies. The ability to add push-mode or local-service mode policies is only available with a full Bravura Privilege license.

  5. Click Add.

    For push mode and local service mode policies, Bravura Security Fabric displays warnings about setup requirements that you must meet before you can reset passwords on member systems. You can now configure the policy as outlined in the following sections.

Push mode

  • Select the Privileged Access Manager Service in the Managed by list. This is the service that will manage systems in this policy.

    The service ID is automatically generated when Bravura Security Fabric is installed. There may be more than one if Bravura Security Fabric has been installed on multiple nodes using either a shared schema, or in replication.

  • Select the Authentication type to use during check-out and check-in:

    • Group set

    • Password

    • SSH key

    Configuration options for the managed system policy become available depending on the authentication types selected. Authentication types cannot be removed if there are managed accounts or group sets configured for the policy.

  • For push mode policies with the password or SSH key authentication type, set the Scope of password synchronization:

    • No password synchronization – Managed accounts within this policy may have different passwords.

    • Synchronize all accounts in policy – All managed accounts within this policy will be synchronized to have the same password.

    • Synchronize accounts with same ID – All managed accounts with the same ID within this policy will be synchronized to have the same password.

  • If managed system and managed account import rules are defined, you can associate them with new push- or local-service-mode policies, so that discovered objects are automatically added to the policy, by selecting them in the import rules section.

Local service mode

  • Select the Privileged Access Manager Service in the Managed by list. This is the service that will manage systems in this policy.

    The service ID is automatically generated when Bravura Security Fabric is installed. There may be more than one if Bravura Security Fabric has been installed on multiple nodes using either a shared schema, or in replication.

  • Select the Authentication type to use during check-out and check-in:

    • Group set

    • Password

    • SSH key

    Configuration options for the managed system policy become available depending on the authentication types selected. Authentication types cannot be removed if there are managed accounts or group sets configured for the policy.

  • If managed system and managed account import rules are defined, you can associate them with new push- or local-service-mode policies, so that discovered objects are automatically added to the policy, by selecting them in the import rules section.

Vault-only mode

  • Select the Privileged Access Manager Service in the Managed by list. This is the service that will manage systems in this policy.

    The service ID is automatically generated when Bravura Security Fabric is installed. There may be more than one if Bravura Security Fabric has been installed on multiple nodes using either a shared schema, or in replication.

  • Only the password Authentication type is available for vault-only systems to use during check-out and check-in.

  • For vault-only mode policies, select Enforce password policy to have the option to configure a password policy for this specific managed system policy. If left deselected, the Password policy tab will be hidden, and a password policy requiring only at least one character is applied.

  • See Manually manage accounts on a vault-only system for a vault-only example.
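As an added illustration (not code from the Bravura documentation or product), the following Python models the three password synchronization scopes offered to push-mode policies above: it returns the groups of managed accounts that end up sharing one password, so an administrator can see how many accounts a single compromised credential would expose under each scope. The sample accounts and the string names used for modes and authentication types are constructed for this example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum

class SyncScope(Enum):
    NONE = "No password synchronization"
    ALL = "Synchronize all accounts in policy"
    SAME_ID = "Synchronize accounts with same ID"

@dataclass(frozen=True)
class ManagedAccount:
    system: str      # managed system the account lives on
    account_id: str  # login name on that system

def sync_groups(scope: SyncScope, accounts: list[ManagedAccount]) -> list[frozenset[ManagedAccount]]:
    """Return the sets of accounts that share one password under `scope`.
    Every set is a password-sharing group: one leaked credential exposes every
    account in its set, so the largest set is the blast radius to review."""
    if scope is SyncScope.NONE:
        return [frozenset({a}) for a in accounts]          # each account on its own
    if scope is SyncScope.ALL:
        return [frozenset(accounts)] if accounts else []   # whole policy, one password
    by_id: dict[str, set[ManagedAccount]] = defaultdict(set)
    for a in accounts:                                     # same ID across systems
        by_id[a.account_id].add(a)
    return [frozenset(g) for g in by_id.values()]

def largest_blast_radius(scope: SyncScope, accounts: list[ManagedAccount]) -> int:
    return max((len(g) for g in sync_groups(scope, accounts)), default=0)

# Mode and authentication-type labels as constructed strings (hypothetical names).
PUSH, LOCAL_SERVICE, VAULT_ONLY = "push", "local-service", "vault-only"

def scope_configurable(mode: str, auth_types: set[str]) -> bool:
    """The scope setting is offered only for push-mode policies that use the
    password or SSH key authentication type; group set alone does not qualify."""
    return mode == PUSH and bool(auth_types & {"Password", "SSH key"})

# Constructed sample: a root account on three hosts, a backup account on two.
SAMPLE = [
    ManagedAccount("db01", "root"),
    ManagedAccount("db02", "root"),
    ManagedAccount("web01", "root"),
    ManagedAccount("db01", "backup"),
    ManagedAccount("db02", "backup"),
]
```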