
Configuring global privileges

To pre-assign a privilege to a group, assign a value to a default group in the hid_global_configuration table. Create a new row for each privilege that needs to be assigned to a group. The screenshot below shows an example of the same group getting Auto_Approve and Requester privileges:

3373.png

Team group members can be assigned the following privileges:

Approvers

Users who allow or disallow access requests.

Note: Approvers are also referred to as authorizers in the core Bravura Security Fabric configuration and documentation.

Auto_Approved

Users who can check out access to accounts without making an access request. These users must also have permission to request access.

Credential_Manager

Users who can override or randomize the stored password on a checked-out account. These users must also have the Requesters privilege.

Requesters

Users who can make access requests.

Account_Trustees

Users who can make account management requests; for example, onboard accounts.

System_Trustees

Users who can make system management requests; for example, onboard privileged systems.

Vault_Trustees

Users who can make vault management requests; for example, create and update team vaults and accounts.

Team_Trustees

Users who can make team management requests.

LC_Trustees

Users who can make large credential management requests; for example, uploading and updating encrypted files, including SSH keys and password protected code signing certificates.

OTP_Trustees

Trustees who can make OTP API account requests; for example, can create and use OTP accounts.

Subscriber_Trustees

Trustees who can validate subscribers of onboarded accounts.

These are the actual values that must be inserted into the hid_global_configuration table.
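Because the privilege values must match exactly and two of them carry prerequisites, a planned set of assignments can be checked before any rows are inserted. The following is an added example, not Bravura Security code: it takes plain (group, privilege) pairs rather than real table columns (the page does not show the table schema), the group names are hypothetical, and treating "permission to request access" as the Requesters privilege is an assumption.

```python
# Privilege names exactly as listed on this page.
VALID_PRIVILEGES = {
    "Approvers", "Auto_Approved", "Credential_Manager", "Requesters",
    "Account_Trustees", "System_Trustees", "Vault_Trustees", "Team_Trustees",
    "LC_Trustees", "OTP_Trustees", "Subscriber_Trustees",
}

# Prerequisites taken from the descriptions above. Mapping "permission to
# request access" to Requesters for Auto_Approved is an assumption.
REQUIRES = {
    "Credential_Manager": {"Requesters"},
    "Auto_Approved": {"Requesters"},
}


def lint_assignments(rows):
    """Check planned (group, privilege) pairs; return sorted findings."""
    findings = []
    by_group = {}
    for group, privilege in rows:
        if privilege not in VALID_PRIVILEGES:
            # A misspelled value would not match any privilege listed above.
            findings.append(f"{group}: unknown privilege value {privilege!r}")
            continue
        by_group.setdefault(group, set()).add(privilege)
    for group, privs in by_group.items():
        for priv in privs:
            for needed in REQUIRES.get(priv, set()) - privs:
                findings.append(f"{group}: {priv} assigned without {needed}")
    return sorted(findings)


# Constructed sample input; group names are hypothetical.
PLANNED = [
    ("TEAM_ADMINS", "Requesters"),
    ("TEAM_ADMINS", "Auto_Approved"),
    ("TEAM_OPS", "Credential_Manager"),
    ("TEAM_OPS", "Vault_Trustee"),  # constructed typo: missing trailing "s"
]

if __name__ == "__main__":
    for finding in lint_assignments(PLANNED):
        print(finding)
```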

The following default privileges are assigned to the default group for "Team: Create" requests:

3374.png