
Defining group sets in a managed system policy

You can define group sets in a managed system policy to determine which groups Bravura Privilege can grant users membership to. The managed system policy must have the group set authentication type to define group sets. A group set can specify an individual group, such as Administrators in Active Directory, or inclusion criteria to define a set that includes multiple groups. A user can check out a group set, meaning their account is temporarily added to every matching group at checkout time, and removed at check-in time. This eliminates the need to manipulate passwords when granting access.

You can organize group sets, for example, to contain privileges that may be required to access files or folders, or to perform a specific task on an Active Directory domain, a Windows server, or a Linux server.

A simple use case:

  1. An administrator admin1 wants to perform a task on a managed system that requires membership in groupA and groupB.

  2. admin1 requests access to a group set groupsetX, which contains the required groups groupA and groupB.

  3. Once approved by an authorizer, admin1 checks out groupsetX.

  4. admin1 is now given membership in groupA and groupB.

  5. admin1 performs the task with the required elevated privilege.

  6. Once finished with the task, admin1 checks in groupsetX.

  7. admin1 is detached from groupA and groupB.

If the user already had membership in some of the group set's groups before checking out the group set, those memberships are not removed at check-in or expiry; only the memberships added by the temporary checkout are removed.
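The checkout and check-in behaviour described above, as an added illustration that is not Bravura product code: a small in-memory model of a managed system's group membership that records which groups a checkout actually added, so that check-in removes only those. The Directory and GroupSet classes, the account and group names, and the pre-existing groupA membership are all constructed for the example.

```python
# Added illustration (not Bravura product code): a model of group-set checkout and
# check-in, keeping the rule stated above: memberships the user already held before
# checkout are preserved; only those added by the checkout are removed at check-in.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class GroupSet:
    name: str
    groups: frozenset[str]

@dataclass
class Directory:
    """Constructed stand-in for a managed system's group membership table."""
    members: dict[str, set[str]] = field(default_factory=dict)  # group -> accounts
    # Ledger of open checkouts: (account, group set) -> groups that checkout added.
    checkouts: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def is_member(self, account: str, group: str) -> bool:
        return account in self.members.get(group, set())

    def checkout(self, account: str, gs: GroupSet) -> set[str]:
        """Add the account to every group in the set; return only the newly added groups."""
        key = (account, gs.name)
        if key in self.checkouts:
            raise ValueError(f"{gs.name} is already checked out by {account}")
        added = set()
        for group in gs.groups:
            if not self.is_member(account, group):
                self.members.setdefault(group, set()).add(account)
                added.add(group)
        self.checkouts[key] = added
        return added

    def checkin(self, account: str, gs: GroupSet) -> set[str]:
        """Remove only the memberships recorded at checkout; pre-existing ones stay."""
        added = self.checkouts.pop((account, gs.name))
        for group in added:
            self.members[group].discard(account)
        return added

def walkthrough() -> dict[str, bool]:
    """The page's use case, with admin1 already a member of groupA beforehand."""
    d = Directory({"groupA": {"admin1"}})
    gs = GroupSet("groupsetX", frozenset({"groupA", "groupB"}))
    added = d.checkout("admin1", gs)
    held_during = all(d.is_member("admin1", g) for g in gs.groups)
    d.checkin("admin1", gs)
    return {"only_groupB_added": added == {"groupB"}, "both_held_during": held_during,
            "groupA_kept": d.is_member("admin1", "groupA"), "groupB_removed": not d.is_member("admin1", "groupB")}
```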

Requirement

In order to define group sets in a managed system policy, the Authentication type on the General tab must include "Group set".

Adding a group set

To add a group set:

  1. Navigate to the Managed system policy information page .

  2. Select the Group sets tab.

  3. Click Add new… to add a new group set.

  4. Type a unique identifier containing only ASCII characters, and a description of the group set.

  5. Select the Notify requesters of groups from this set that do not exist on the managed system they have selected option if you want requesters to be notified by email.

  6. Click Add.

    The group set should now appear in the list of Group sets.

Next:

Add groups as members of the group set.

Adding groups

You can define group members in a group set in several ways:

  • Selecting from a list of groups

  • Adding a new group

  • Using group inclusion rules

Selecting from the list of groups

You can choose which groups to add to the group set by selecting them from a list of groups. Each group contains a unique identifier, description, and member system the group belongs to.

To add groups from a list of groups:

  1. From the group set page, add or select a group set and click the Explicitly attached groups sub-tab.

  2. Click Select… to select from a list of groups to add to the group set.

  3. Select the groups you want to include in the group set.

  4. Click Select when you have finished selecting groups.

    The groups should now appear in the list of explicitly attached groups.

Adding a new group to a group set

You can manually define a group by its identifier. Bravura Security Fabric searches for that identifier among the groups on the member systems of the managed system policy, and every group with a matching ID is included in the group set.

For example:

  1. A managed system policy has member systems TargetA and TargetB.

  2. Both member systems have the same group named ManagedGroup.

  3. If you define a new group named ManagedGroup, Bravura Security Fabric searches for this group on all member systems of the policy. Because the identifier is common to both systems, ManagedGroup from TargetA and ManagedGroup from TargetB are both added to the group set.

To manually define a group:

  1. From the group set page, add or select a group set and click the Explicitly attached groups sub-tab.

  2. Click Add new….

    A virtual window appears.

  3. Specify a group identifier and description.

    The group identifier is case-insensitive.

  4. Click Add.

  5. Close the virtual window.

    The group should now appear in the list of explicitly attached groups.

Defining group set members using rules

You can define the groups of a group set automatically using inclusion rules. You can specify groups solely using this method, or in conjunction with explicitly attached groups. The matching groups are determined at request time, based on the groups that have been discovered at that point.

To add a new group inclusion rule:

  1. From the group set page, add or select a group set and click the Group inclusion rules sub-tab.

  2. Click Add new… to create a new inclusion rule.

  3. Specify a unique ID, rule Type to test against, and Value.

    The value can be tested against:

    • Long ID

    • Short ID

    • System ID

    • Description

    Select the Use SQL 'LIKE' expression checkbox if you want the value to match only part of the selected attribute.

    Select Case-sensitive if you want the value to be matched exactly as entered, including letter case.

  4. Click Add.

    The rule should now appear in the list of group inclusion rules.

Testing a group inclusion rule

After you have added a group inclusion rule, you can test it to see which currently managed groups on the member systems it includes.

  1. On the Group inclusion rules sub-tab, select a rule and click Test.

    Bravura Security Fabric displays the Test group inclusion rules page.

  2. Enter the Managed system ID you want to perform the test on, or leave the field blank to include all groups that satisfy the rule.

  3. Click Test.


Specifying other target systems hosting user accounts

By default, requesters can request temporary group access to a group set that contains groups on the same managed system as the account they requested. However, it is also possible to define target systems whose accounts do not belong to the same managed system as the groups in the group set.

Some examples include, but are not limited to, requesting temporary access to domain groups for a domain account on another domain in the forest, or requesting temporary access to local groups for a domain account.

If you only want to grant temporary access to the group set using an account from the managed system, then specifying a target system is not required.

To include a target system that will be used when applying group memberships:

  1. From the group set page, add or select a group set and click the Target systems hosting user account sub-tab.

  2. Click Select… to add a target system hosting user accounts.

  3. Select the target system that will be added to the group set.

  4. Click Select.

    The target system should now appear in the Target systems hosting user account list.

Removing a group set from a managed system policy

You can manually remove a group set and its member groups from a managed system policy. If you choose to remove a group set, all of the groups, inclusion rules and target systems defined in the group set are removed as well.

If a group set is currently checked out, then it cannot be removed from a managed system policy.

To remove a group set from a managed system policy, select the group set and click Delete.