
Example: Creating global team groups and privileges

To make creating new teams more efficient, you can define rules in the hid_global_configuration external data store (extdb) table. These rules configure standard team groups, with privileges attached, that are created automatically whenever a user triggers the Team: Create pre-defined request.

This example demonstrates how to add the required entries to the hid_global_configuration external data store (extdb) table, and then create a new team for Windows administrator accounts using the new standardized configuration.

Requirements

This example requires:

  • Bravura Security Fabric and Connector Pack installed

  • Bravura Pattern: Privileged Access Edition installed

  • Active Directory source of profiles

Create global team groups and privileges
  1. Log in to Bravura Security Fabric as superuser.

  2. Click Manage external data store > hid_global_configuration.

  3. Add the following rules to the table:

    • Rules to add a global team group called Approver with the approvers, auto-approved, credential_manager and requesters privileges:

      id: 100

      namespace: pam_team_management

      setting: GROUP-PRIVILEGE-ASSIGNMENT

      key: Approver

      value: Approvers

      description: Add Approver group with approvers privilege to new teams.

      id: 101

      namespace: pam_team_management

      setting: GROUP-PRIVILEGE-ASSIGNMENT

      key: Approver

      value: Auto_Approved

      description: Add Approver group with auto-approval privilege to new teams.

      id: 102

      namespace: pam_team_management

      setting: GROUP-PRIVILEGE-ASSIGNMENT

      key: Approver

      value: Credential_Manager

      description: Add Approver group with credential manager privilege to new teams.

      id: 103

      namespace: pam_team_management

      setting: GROUP-PRIVILEGE-ASSIGNMENT

      key: Approver

      value: Requesters

      description: Add Approver group with requesters privilege to new teams.

    • Rule to add a global team group called Requester with the requesters privilege:

      id: 104

      namespace: pam_team_management

      setting: GROUP-PRIVILEGE-ASSIGNMENT

      key: Requester

      value: Requesters

      description: Add Requester group with requesters privilege to new teams.

    • Rule to add a global team group called Trustee with the trustees privilege:

      id: 105

      namespace: pam_team_management

      setting: GROUP-PRIVILEGE-ASSIGNMENT

      key: Trustee

      value: Trustees

      description: Add Trustee group with trustees privilege to new teams.

  4. Click Update at the bottom of the table once all your entries are added.
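
Because one group's privileges are spread across several rows, it helps to review the effective privilege set per group before clicking Update. The following check is an added example, not part of the product or its documentation: it assumes the rows are typed into a Python list by hand, and `KNOWN_PRIVILEGES` contains only the privilege values that appear on this page.

```python
from collections import defaultdict

NS, SETTING = "pam_team_management", "GROUP-PRIVILEGE-ASSIGNMENT"

# The six rows from step 3: (id, namespace, setting, key, value).
RULES = [
    (100, NS, SETTING, "Approver", "Approvers"),
    (101, NS, SETTING, "Approver", "Auto_Approved"),
    (102, NS, SETTING, "Approver", "Credential_Manager"),
    (103, NS, SETTING, "Approver", "Requesters"),
    (104, NS, SETTING, "Requester", "Requesters"),
    (105, NS, SETTING, "Trustee", "Trustees"),
]

# Assumption: only the privilege values that appear on this page.
KNOWN_PRIVILEGES = {"Approvers", "Auto_Approved", "Credential_Manager",
                    "Requesters", "Trustees"}


def check_rules(rules):
    """Return ({group: sorted privileges}, [problems]) for the given rows."""
    groups, problems = defaultdict(set), []
    seen_ids, seen_pairs = set(), set()
    for rid, namespace, setting, key, value in rules:
        if rid in seen_ids:
            problems.append(f"id {rid}: duplicate id")
        seen_ids.add(rid)
        if (namespace, setting) != (NS, SETTING):
            problems.append(f"id {rid}: not a {NS}/{SETTING} row")
            continue
        if value not in KNOWN_PRIVILEGES:
            problems.append(f"id {rid}: unrecognized privilege {value!r}")
            continue
        if (key, value) in seen_pairs:
            problems.append(f"id {rid}: {key} already has {value}")
        seen_pairs.add((key, value))
        groups[key].add(value)
    return {g: sorted(p) for g, p in groups.items()}, problems


if __name__ == "__main__":
    effective, problems = check_rules(RULES)
    for group, privileges in effective.items():
        print(f"{group}: {', '.join(privileges)}")
    for problem in problems:
        print("PROBLEM:", problem)
```
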

Create teams using global group rules
  1. Log in to Bravura Security Fabric as a team administrator.

  2. In the Requests section of the main menu, click Manage Resources.

  3. Click Team: Create.

  4. Define values for the team name, description, and members.

    Click Next and proceed to add the information for the team. Group information and the privileges for each group are added automatically.

  5. Click Submit.

    Bravura Security Fabric notifies authorizers to review the request if required.

Add group memberships
  1. Open another browser tab and log in as a trustee for the "Windows Admin Accounts" team.

  2. Click Manage Resources > Team: Manage Group Membership.

  3. Select the "Windows Admin Accounts" team.

    Click Next.

  4. On the Team Group List page, select "Approver" and "Requester".

    Click Next.

  5. In the Select Child Group for Approver field, select the "IT-WINDOWS-MANAGERS" group.

  6. In the Select Group Members for Requester field, select the "billig" user.

  7. Click Submit.