Managed systems and managed accounts import rules
Use managed systems import rules to determine which systems to manage and under which policies. Use managed accounts import rules to determine which accounts to manage and under which policies.
You can also use import rules to delete managed systems and accounts.
Using managed systems import rules
Use managed systems import rules to determine policy membership; for example:
According to computer organization structure (OU, department, location, purpose, and so on)
As a condition for being put into other policies
See Defining conditions for examples using the attachedPolicies attribute.
This could be a staging requirement to put newly discovered systems into a group, before moving them to other policies.
Grouping systems that have issues with them, such as not being contactable in the past few days.
This is known as a tombstone policy.
See Defining conditions for examples using the compFailurePastThreshold attribute.
When defining managed systems import rule policies, consider the following:
What will all the managed systems in this policy have in common?
Will they all manage the same account ID?
Will they all have similar services running on them (with corresponding accounts to manage them)?
Will they have similar local privileges managed?
Managed systems with checked-out passwords cannot be unbound.
Systems can be unbound without losing managed password histories.
You must link managed systems rules to managed systems policies.
Using managed accounts import rules
Use managed accounts import rules to determine what accounts to manage. It is recommended that you set these rules only after setting up managed system policies and managed system import rules. That way, defining managed account import rules is simply a matter of setting the account ID to look for managed accounts.
Windows service accounts must be listed by Bravura Privilege before they can be managed.
Managed systems must be a member of at least one managed system policy for their accounts to be managed using import rules.
Consider:
Is an import rule needed?
If an account has identical properties and purpose for all members of a policy, for example an administrator or root account, then you can simply manually enter the account ID in the policy configuration.
Will the managed system join and leave the policy often?
If a member system is removed from a policy, the managed account ID associated with it is automatically removed.
Managed accounts with checked-out passwords cannot be unbound.
You must link managed accounts rules to managed system policies.
Adding managed systems import rules
To add a managed systems import rule:
Click Manage the system > Privileged access > Import rules > Managed systems.
Click Add new…
Type an ID and Description.
Enable Import all discovered objects of this type if you want all evaluated objects to automatically pass the import rule. Confirm the dialog box.
If enabled, the next step is not necessary.
Configure the import rule Combining conditions setting so that discovered objects:
Must Match all conditions to satisfy the import rule, or
Can Match any condition to satisfy the import rule.
Configure Action to perform on matching objects. Select whether to:
Bind all discovered managed objects that satisfy this rule, or
Unbind all discovered managed objects that satisfy this rule.
Set the Managed systems evaluation type to the type of managed system that the import rule will be applied to - push or local service mode.
Configure the Unbind objects if they no longer satisfy this rule option to determine whether objects that previously passed the import rule should be archived when they fail the import rule. Check the option to have objects unbound/archived.
If this option is not checked, no action will be performed for failed objects. You will have to manually resolve any related issues.
For push mode, configure the Strategy for selecting source systems.
Click to select source systems to include or exclude.
Click Add.
Import rules are disabled by default, and must be enabled to be applied during auto discovery. You can enable or disable an import rule on the Import rules page and on each rule’s specific page.
Best practice
It is best practice to carry out a test or trial run before enabling the rule.
Adding managed accounts import rules
To add a managed accounts import rule:
Click Manage the system > Privileged access > Import rules > Managed accounts.
Click Add new…
Type an ID and Description.
Enable Import all discovered objects of this type if you want all evaluated objects to automatically pass the import rule. Confirm the dialog box.
If enabled, the next step is not necessary.
Configure the import rule Combining conditions setting so that discovered objects:
Must Match all conditions to satisfy the import rule, or
Can Match any condition to satisfy the import rule.
Configure Action to perform on matching objects. Select whether to:
Bind all discovered managed objects that satisfy this rule, or
Unbind all discovered managed objects that satisfy this rule.
Configure the Unbind objects if they no longer satisfy this rule option to determine whether objects that previously passed the import rule should be archived when they fail the import rule. Check the option to have objects unbound/archived.
If this option is not checked, no action will be performed for failed objects. You will have to manually resolve any related issues.
Click Add.
Import rules are disabled by default, and must be enabled to be applied during auto discovery. You can enable or disable an import rule on the Import rules page and on each rule’s specific page.
Best practice
It is best practice to carry out a test or trial run before enabling the rule.
Linking import rules to policies
Each managed systems and managed accounts import rule must be associated with at least one managed system policy. To link import rules to managed system policies:
Navigate to the Import rules page for a managed system or managed account.
Click Policies.
Select the policies with which you want to associate the rule.
Click Update.
You can also link rules to policies on the Manage the system > Privileged access > Managed system policies > <policy> page.
To unlink an import rule from a managed system policy, all objects that were added by the import rule must first be removed from the policy.