Offboarding managed accounts and systems with import rules

Managed account import rules can be used to unbind managed accounts from specific Managed System Policies (MSPs). This process is referred to as "offboarding" the managed account. When a managed account is offboarded by a managed account import rule:

  • If the managed account password has not yet been modified within Bravura Privilege (randomized / overridden / etc.):

    • The managed account is removed from the MSPs specified by the rule configurations.

    • Resource attributes for the managed account are deleted.

  • If the managed account password has been modified within Bravura Privilege:

    • The managed account is removed from the MSPs specified by the rule configurations and then placed into the HISTORICAL_DATA_GRP policy.

    • The managed system for the account:

      • Will be added to the HISTORICAL_DATA_GRP policy.

      • Will be removed from the MSP the account was unbound from, provided the system has no other managed account assigned to that MSP.

    • Resource attributes for the managed account are deleted.

    The MSP assignment of a managed system is derived from the MSP assignment of its managed accounts. For example, if a managed system has Account1 on Policy1 and Account2 on Policy2, then the managed system belongs to both Policy1 and Policy2. Policy1 and Policy2 can be any MSP, including HISTORICAL_DATA_GRP. A managed account can belong to only one MSP at any given time.

Managed system import rules can be used to unbind managed systems from specific MSPs. This process is referred to as "offboarding" the managed system. When a managed system is offboarded by a managed system import rule:

  • If the managed system has no managed accounts with passwords modified by Bravura Privilege (randomized / overridden / etc):

    • Both the managed system and its managed accounts will be removed from the MSP specified by the rule configurations.

    • Resource attributes for the managed system are deleted. Resource attributes for this system’s managed accounts are deleted.

  • If the managed system has managed accounts with passwords modified by Bravura Privilege:

    • Both the managed system and its managed accounts will be removed from the MSP specified by the rule configurations and then placed into the HISTORICAL_DATA_GRP policy.

    • Resource attributes for the managed system are deleted. Resource attributes for this system’s managed accounts are deleted.

    Passwords for managed accounts that are placed in HISTORICAL_DATA_GRP are still accessible, but the passwords cannot be randomized.

Managed account/system import rules can offboard a managed account/system in one of two ways:

  1. The object is offboarded when it no longer matches the conditions of the bind rule that managed it.

    • This happens for import rules that have the option "Unbind objects if they no longer satisfy this rule" enabled in the General tab of the import rule configuration. This type of bind rule should only offboard and remove resource attributes for systems/accounts it originally bound.

    • The Policies tab shows the MSPs this import rule is acting on behalf of.

  2. The object is offboarded when it matches the conditions of an unbind rule.

    • A managed system/account unbind rule is an import rule that sets "Action to perform on matching objects" to "Unbind all discovered objects that satisfy this rule" in the General tab.

    • The Policies tab shows the MSPs this import rule is acting on behalf of.

Teams are assigned by resource attributes in Bravura Privilege. When resource attributes are removed because a managed system or managed account is offboarded by import rules, the object is also offboarded from the team to which it was assigned.

A managed account that is checked out, or a managed system with checked-out accounts, cannot be offboarded. The managed account must first be checked in, and the unbind will be re-attempted the next time the import rules are evaluated.
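
The account-offboarding outcomes described above can be checked against a small model before an unbind rule is enabled. This is an added example, not Bravura Privilege code: the `Account` class, the function names, the `srv01` system and the `team` attribute are assumptions made for illustration, and only managed account rules are modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

HISTORICAL = "HISTORICAL_DATA_GRP"

@dataclass
class Account:  # hypothetical model, not a Bravura Privilege object
    name: str
    system: str
    msp: Optional[str]               # an account belongs to one MSP at a time
    password_modified: bool = False  # randomized / overridden in the product
    checked_out: bool = False
    attributes: dict = field(default_factory=dict)

def system_msps(accounts, system):
    """A system's MSP assignment is derived from its accounts' MSPs."""
    return {a.msp for a in accounts if a.system == system and a.msp}

def offboard_account(acct, rule_msps):
    """Outcome of an account import rule that acts on behalf of rule_msps."""
    if acct.msp not in rule_msps:
        return "out of scope"
    if acct.checked_out:
        return "deferred"            # re-attempted at the next evaluation
    acct.attributes.clear()          # team assignment is lost with attributes
    if acct.password_modified:
        acct.msp = HISTORICAL        # stored password stays accessible
        return "historical"
    acct.msp = None
    return "removed"

def demo():
    # Constructed inventory: one system, three accounts.
    accts = [
        Account("Account1", "srv01", "Policy1", True, False, {"team": "ops"}),
        Account("Account2", "srv01", "Policy1", False, False, {"team": "ops"}),
        Account("Account3", "srv01", "Policy2", True, True, {"team": "dba"}),
    ]
    first = [offboard_account(a, {"Policy1", "Policy2"}) for a in accts]
    after_first = system_msps(accts, "srv01")
    accts[2].checked_out = False     # check-in, then the rules run again
    second = offboard_account(accts[2], {"Policy1", "Policy2"})
    return first, after_first, second, system_msps(accts, "srv01")

if __name__ == "__main__":
    print(demo())
```

In the first pass the system stays on Policy2 because the checked-out Account3 is deferred; it ends up only in HISTORICAL_DATA_GRP once that account is checked in and the rules are evaluated again.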

Take care when configuring an unbind rule to prevent misconfigurations. See Considerations when configuring import rules to offboard or delete managed objects for more information.