Configuring source systems
When automatic discovery options are enabled for a target system, Bravura Security Fabric can extract additional data for privileged access management.
On Active Directory target systems, you can list:
Server and workstation computer objects
On Microsoft Windows NT target systems, you can list:
Service manager accounts (local and domain)
Scheduled task accounts (local and domain)
IIS manager accounts (local and domain)
DCOM manager accounts (local and domain)
Built-in administrator group members
On scripted target systems, you can list all of the above. This requires additional configuration in the script files. See Script Systems for details.
Service accounts are accounts that are used to manage services and DCOM objects, authorize scheduled tasks, and manage IIS website permissions. These lists are used by Bravura Privilege to manage systems and accounts according to import rules. See Enabling resource discovery to learn how to enable these options.
Bravura Security Fabric can also make listed accounts from any type of target system into discovered account objects. See Enabling all accounts found on system to be discovered objects to learn how to enable this option.
Enabling resource discovery
You can enable resource discovery using the Automatically discover resources to load option on a target system’s Discovery options tab, or using manually created list files that are processed during auto discovery. If you are loading resources manually by providing list files, do not select the Automatically discover resources to load option.
Caution
When configuring target systems to list computer objects, take care that you do not attempt to list the same computer more than once. This can happen, for example, when targeting a domain to list from specified OUs and a computer exists in more than one OU.
On Windows target systems, make sure the Remote Registry service is started. (On Windows workstations it is disabled by default; on Windows servers it is enabled by default.)
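The caution about listing the same computer more than once can be checked before auto discovery runs. The following is an added example, not part of the Bravura documentation or product: it assumes duplicates arise when the OU scopes configured across target systems are nested or overlapping, and the target IDs, OUs and computer DNs are constructed sample values.

```python
import re
from collections import defaultdict

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honoring backslash-escaped commas."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts if p.strip()]

def is_under(computer_dn, base_dn):
    """True if computer_dn sits below base_dn in the directory tree."""
    comp, base = split_dn(computer_dn), split_dn(base_dn)
    if not base:
        return False
    return len(comp) > len(base) and comp[-len(base):] == base

def find_multi_listed(scopes, computer_dns):
    """Return {computer_dn: [(target_id, base_ou), ...]} for computers that
    fall inside more than one configured listing scope."""
    hits = defaultdict(list)
    for dn in computer_dns:
        for target_id, bases in scopes.items():
            for base in bases:
                if is_under(dn, base):
                    hits[dn].append((target_id, base))
    return {dn: m for dn, m in hits.items() if len(m) > 1}

# Constructed sample data: hypothetical target IDs, OUs and computers.
SCOPES = {
    "AD_SERVERS": ["OU=Servers,DC=example,DC=com"],
    "AD_WEB": ["OU=Web,OU=Servers,DC=example,DC=com"],
    "AD_DESKTOPS": ["OU=Workstations,DC=example,DC=com"],
}
COMPUTERS = [
    "CN=WEB01,OU=Web,OU=Servers,DC=example,DC=com",
    "CN=DB01,OU=Servers,DC=example,DC=com",
    "CN=PC42,OU=Workstations,DC=example,DC=com",
    r"CN=APP\,01,ou=web,ou=servers,dc=example,dc=com",
]

if __name__ == "__main__":
    for dn, matches in find_multi_listed(SCOPES, COMPUTERS).items():
        print(dn)
        for target_id, base in matches:
            print(f"  listed by {target_id} via {base}")
```

Any computer reported here would be listed by more than one scope, so one of the overlapping OU scopes should be narrowed or removed before discovery is enabled.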
To enable resource discovery options:
Add a target system or select an existing target system.
Select the target system's Discovery options tab.
The Automatically discover resources to load option is enabled by default.
Select the resources to load into the Bravura Security Fabric database:
Select Link accounts on this target system to subscribers if accounts on the target are used to run subscribers.
Select Incrementally discover objects if you want to enable incremental listing of computer attributes.
This setting prevents attributes from being deleted from discovered computers at load time if no attributes at all were discovered. Attributes are still deleted if some attributes were discovered; the new set supersedes the old set.
Click Update.
Once selected, Bravura Security Fabric lists these additional resources for each target system during auto discovery and generates a corresponding list file in the psconfig directory.
These discovered objects are saved in the database. To view and manually manage discovered server and workstation computer objects, click Manage the system > Resources > Discovered objects. See Managing discovered objects for more information about viewing and managing discovered objects.
Before Bravura Security Fabric can update services, tasks, IIS and DCOM objects using domain accounts, they must be discovered during auto discovery; otherwise, password changes on domain accounts could cause services to stop working.
Enabling all accounts found on system to be discovered objects
Bravura Security Fabric can make listed accounts from managed systems of any target type into discovered account objects.
To discover listed accounts:
Select the target system's Discovery options tab.
Check Enable import rules for accounts on this system.
Run Auto discovery.
You can also use account attributes in import rules if they are supported and loaded. Only NOSGRPID, NOSGRPNAME and NOSSHORTID group attributes can be used for groups that have been managed.