
Deleting systems and accounts from Bravura Privilege using import rules

Target system import rules can be used to delete a system and its accounts from Bravura Privilege. When a delete is processed by a target system import rule, the following happens:

  • The managed system and its managed accounts will be removed from all managed system policies they are bound on.

  • The system and accounts are removed from all policies (including HISTORICAL_DATA_GRP) and are then deleted from Bravura Privilege. Their passwords are no longer accessible.

  • Resource attributes for the managed system are deleted. Resource attributes for this system’s managed accounts are deleted.

  • Other information associated with the system and accounts (e.g. password history) is also deleted.

Target system import rules delete a system and its accounts when the system matches the conditions of a delete rule:

  • A target system delete rule is an import rule that sets Action to perform on matching objects = Delete all discovered objects that satisfy this rule on the General tab.

Teams are assigned by resource attributes in Bravura Privilege. When a target system delete rule removes those resource attributes, the system and its accounts are offboarded from the team to which they were assigned.

A target system delete rule cannot perform the deletion while active checkouts exist on the managed accounts. The managed accounts must first be checked in; the deletion is then re-attempted the next time the delete rule is evaluated.

If the system is deleted directly from Active Directory, the discovered system in Bravura Privilege (against which the import rule evaluates its conditions) remains unchanged, and the system will not be deleted unless it is handled manually or explicitly by a target system import rule.

Delete rule configuration example

To delete a push-type system that can no longer be contacted by the Bravura Security Fabric server, create a target system delete rule. For example, you could configure the rule with one of the following conditions:

  • The number of days since the system was last discovered is greater than 100:

    1. Set the PUSH COMP NOT DISCOVERED THRESHOLD system variable to 100.

    2. Configure a condition containing:

      Type: Attribute

      Attribute: compNotDiscoveredPastThreshold

      Comparison Method: equals

      Value type: Number

      Value: 1

  • The number of days since the last successful connection to the system is greater than 100:

    1. Set the PUSH COMP NOT CONNECTED THRESHOLD system variable to 100.

    2. Configure a condition containing:

      Type: Attribute

      Attribute: compNotConnectedPastThreshold

      Comparison Method: equals

      Value type: Number

      Value: 1

  • The number of days since the last successful agent interaction (e.g. connection / randomization / listing / etc) with the system is greater than 100:

    1. Set the COMP FAILURE THRESHOLD system variable to 100.

    2. Configure a condition containing:

      Type: Attribute

      Attribute: compFailurePastThreshold

      Comparison Method: equals

      Value type: Number

      Value: 1
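The three conditions above all follow one pattern: a system variable sets a threshold in days, the corresponding attribute becomes 1 once the age of the last successful event exceeds that threshold, and the delete rule matches on attribute equals 1. The Python model below is an added illustration of that evaluation logic and of the active-checkout deferral described earlier; it is not Bravura Privilege code. The DiscoveredSystem record, the ATTRIBUTE_SOURCES mapping, the inventory data and the assumption that an attribute is 1 only when the age is strictly greater than the threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed equivalents of the three system variables named on the page.
SYSTEM_VARIABLES = {
    "PUSH COMP NOT DISCOVERED THRESHOLD": 100,
    "PUSH COMP NOT CONNECTED THRESHOLD": 100,
    "COMP FAILURE THRESHOLD": 100,
}

# Hypothetical mapping from each condition attribute to the system variable it is
# measured against and to the DiscoveredSystem field holding the last success date.
ATTRIBUTE_SOURCES = {
    "compNotDiscoveredPastThreshold": ("PUSH COMP NOT DISCOVERED THRESHOLD", "last_discovered"),
    "compNotConnectedPastThreshold": ("PUSH COMP NOT CONNECTED THRESHOLD", "last_connected"),
    "compFailurePastThreshold": ("COMP FAILURE THRESHOLD", "last_agent_success"),
}


@dataclass
class DiscoveredSystem:
    """Hypothetical record of a discovered push-type system (constructed)."""
    name: str
    last_discovered: date
    last_connected: date
    last_agent_success: date
    active_checkouts: int = 0  # managed accounts on this system currently checked out


def threshold_attributes(system: DiscoveredSystem, today: date, variables=SYSTEM_VARIABLES) -> dict:
    """Derive the 0/1 attributes the conditions compare against.

    Assumption: an attribute is 1 only when the age in days is strictly greater
    than the threshold ("greater than 100"), so an age of exactly 100 days is 0."""
    attrs = {}
    for attr, (var, field_name) in ATTRIBUTE_SOURCES.items():
        age_days = (today - getattr(system, field_name)).days
        attrs[attr] = 1 if age_days > variables[var] else 0
    return attrs


@dataclass
class DeleteRule:
    """A delete rule with a single Attribute / equals / Number condition."""
    attribute: str
    value: int = 1

    def matches(self, attrs: dict) -> bool:
        return attrs.get(self.attribute) == self.value


def evaluate_delete_rule(rule: DeleteRule, systems, today: date):
    """Return (deleted, deferred, kept) lists of system names.

    A matching system with active checkouts is deferred instead of deleted: it
    stays in the discovered inventory and is re-examined at the next evaluation."""
    deleted, deferred, kept = [], [], []
    for system in systems:
        if not rule.matches(threshold_attributes(system, today)):
            kept.append(system.name)
        elif system.active_checkouts > 0:
            deferred.append(system.name)
        else:
            deleted.append(system.name)
    return deleted, deferred, kept


TODAY = date(2024, 6, 1)  # fixed evaluation date so the example is deterministic


def sample_systems():
    """Constructed inventory with ages on both sides of the 100-day threshold."""
    def days_ago(n):
        return TODAY - timedelta(days=n)
    return [
        DiscoveredSystem("srv-stale", days_ago(150), days_ago(150), days_ago(150)),
        DiscoveredSystem("srv-stale-checkedout", days_ago(150), days_ago(150), days_ago(150), active_checkouts=2),
        DiscoveredSystem("srv-boundary", days_ago(100), days_ago(100), days_ago(100)),
        DiscoveredSystem("srv-healthy", days_ago(3), days_ago(1), days_ago(1)),
    ]


def run_example():
    """Evaluate the 'not discovered' delete rule, check the held accounts back
    in, then evaluate the remaining inventory again as the next run would."""
    rule = DeleteRule("compNotDiscoveredPastThreshold", 1)
    systems = sample_systems()
    first = evaluate_delete_rule(rule, systems, TODAY)
    remaining = [s for s in systems if s.name not in first[0]]
    for s in remaining:
        s.active_checkouts = 0  # operators check the accounts in
    second = evaluate_delete_rule(rule, remaining, TODAY)
    return {"first": first, "after_checkin": second}


if __name__ == "__main__":
    print(run_example())
```

On the first pass only srv-stale is deleted; srv-stale-checkedout matches the condition but is deferred because of its two active checkouts, and srv-boundary is kept because 100 days is not greater than the threshold. Once the checkouts are released, the next evaluation deletes the deferred system.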

Take care when configuring an unbind rule to prevent misconfigurations. See Considerations when configuring import rules to offboard or delete managed objects for more information.