Creating a team
To create a new team, use the Team: Create request. When selected, a wizard will guide you through the process of creating a team.
From the home page, click Manage Resources.
Click Team: Create.
Enter a unique Team name and, optionally, a Team description.
Click Next.
Create the initial team groups.
Depending on the installed features, a default set of groups may be displayed here. Change the names to suit your business processes. Use the "More" icon to add more team name fields to the list.
Click Next.
Enter team group descriptions as required.
Click Next.
Assign privileges to the team groups.
Each group can have one or more privileges. Bravura Security Fabric administrators can set a default set of groups for new teams.
Click Next.
Set the initial team trustees for the new team.
Team trustees can manage team groups and members. There must be at least one team trustee in order to create a team.
Click Submit.
Bravura Security Fabric notifies authorizers to review the request if required.
Click the View request link at the top of the page to view the status of the request.
Once the request has been approved, the team will be created and the team trustee will then have access to the following pre-defined requests:
API automation for team creation
Once the API has been configured (see "SOAP API" in Bravura Security Fabric Remote API (api.pdf)) and your script has been authenticated to the API (Login or LoginEx API calls), the WF API calls can be used to create an API request to create a team.
Use the WFPDRSubmit function to create a workflow request and submit the request for publishing.
When submitting a request, use "TEAM-CREATE" as the pre-defined request (PDR) ID. At a minimum, the request requires the following attributes:
attrkey | value |
---|---|
TC | The name of the team. |
TC_GROUPS | The team group name(s). |
*_PRIVILEGES | The privileges for the team group, where * is the team group name. This needs to be defined for every team group in TC_GROUPS. |
*_MEMBERS | The profile GUID of the user(s) for the team group, where * is the team group name. This only needs to be defined for team groups with the Team_Trustees privilege. |
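The following is an added example, not code from the Bravura documentation: it checks a team definition against the attribute rules in the table and the trustee and Auto_approved requirements stated on this page, then builds the quoted batch header and row. It does not call WFPDRSubmit; the function names, the dictionary layout and the comma-joining of several privileges or members in one field are assumptions made for illustration.

```python
import csv
import io
import re

# Profile GUID shape, as in the page's sample row.
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def validate_team(name, groups):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = [] if name else ["TC (team name) is empty"]
    trustee_seen = False
    for gname, g in groups.items():
        privs, members = g.get("privileges", []), g.get("members", [])
        if not privs:
            problems.append(f"{gname}_PRIVILEGES is missing")
        # Conservative, group-level form of the page's Auto_approved note.
        if "Auto_approved" in privs and "Requesters" not in privs:
            problems.append(f"{gname}: Auto_approved without Requesters")
        if "Team_Trustees" in privs and not members:
            problems.append(f"{gname}_MEMBERS is required for Team_Trustees")
        trustee_seen = trustee_seen or ("Team_Trustees" in privs and bool(members))
        problems += [f"{gname}_MEMBERS: not a profile GUID: {m!r}"
                     for m in members if not GUID_RE.match(m)]
    if not trustee_seen:
        problems.append("no team trustee defined")
    return problems

def build_batch(name, groups):
    """Build the quoted CSV header and row for a TEAM-CREATE batch request."""
    problems = validate_team(name, groups)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumption: several values in one field are comma-joined, like TC_GROUPS.
    cols = {"TC": name, "TC_GROUPS": ",".join(groups)}
    cols.update({f"{g}_PRIVILEGES": ",".join(v["privileges"]) for g, v in groups.items()})
    cols.update({f"{g}_MEMBERS": ",".join(v["members"])
                 for g, v in groups.items() if v.get("members")})
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(
        [list(cols), list(cols.values())])
    return buf.getvalue()

# Constructed input that mirrors the page's sample request.
SAMPLE = {
    "Group1": {"privileges": ["Team_Trustees"],
               "members": ["5A8598FA-BCB1-4C36-A504-03F1F0478138"]},
    "Group2": {"privileges": ["System_Trustees"]},
    "Group3": {"privileges": ["Account_Trustees"]},
}
```

Calling build_batch("TEAM-000000", SAMPLE) returns the header and row of the TEAM-CREATE batch request sample on this page; a definition that breaks one of the rules raises ValueError listing every problem found.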
TEAM-CREATE batch request sample:
"TC","TC_GROUPS","Group1_PRIVILEGES","Group2_PRIVILEGES","Group3_PRIVILEGES","Group1_MEMBERS"
"TEAM-000000","Group1,Group2,Group3","Team_Trustees","System_Trustees","Account_Trustees","5A8598FA-BCB1-4C36-A504-03F1F0478138"
Verify team configuration
To verify a team's configuration or check why specific users do not get the access expected, run the PAM Team Management configuration report on the specific team:
Click Manage reports > Reports > Privileged access: Configuration > PAM Team Management configuration.
Search for the team name you want to include in the report.
Click Run.
The report will display the various team groups, privileges, child groups and members of those groups.
Example: Creating a team
This example demonstrates how to define team administrators, how a team administrator creates a team, and how a trustee manages team group members.
Requirements
This example requires:
Bravura Security Fabric and Connector Pack installed
Bravura Pattern: Privileged Access Edition installed
Active Directory source of profiles
RefBuild.pam_team_management and Scenario.pam_personal_admin_management are installed when Bravura Pattern: Privileged Access Edition is installed.
Log in to Bravura Security Fabric as superuser.
Click Manage the system > Policies > User classes.
Select PAM_TEAM_ADMINS.
Click the Criteria tab.
Bravura Security Fabric displays the user class criteria page.
Click Add new… in the Participants have group memberships matching section.
Bravura Security Fabric displays the add criteria page.
Choose "Required" from the Membership drop-down list to include users who belong to the specified group in the user class.
Search for, and select, the AD target system.
Search for the PAM Server Admins managed group, and select that group.
Click Add.
Click the Test tab and click List to list all users who match the criteria.
The result should display users similar to the image below:
Click the General tab and click Recalculate to update the user class membership cache.
Log in to Bravura Security Fabric as a team administrator.
In the Requests section of the main menu, click Manage Resources.
Click Team: Create.
Enter the following:
Team Name: Unix Admin Accounts
Team Description: Unix admin accounts for requesting
Click Next.
Create the following groups:
Approver
Requester
Trustee
Use the "More" icon to add more team name fields to the list.
Click Next.
Enter the following team group descriptions.
Approver: Users who can approve
Requester: Users who can request
Trustee: Users who can manage team
Click Next.
Assign privileges to the team groups as follows:
Approver: Approvers, Auto_approved, Credential_Manager, Requesters
Requester: Requesters
Trustee: Team Trustees
Note that it is important that users who have the Auto_approved privilege also have the Requesters privilege.
Click Next.
Search for and select a user as the initial team trustee for the new team.
Team trustees can manage team resources and members. There must be at least one team trustee to create a team.
Click Submit.
Bravura Security Fabric notifies authorizers to review the request if required.
Click the View request link at the top of the page to view the status of the request.
You will see that the request has been processed. The team has been fully configured.
To manage team group membership as a team trustee:
Log in to Bravura Security Fabric as the team trustee for the "Unix Admin Accounts" team.
In the Requests section of the main menu, click Manage Resources.
Note the requests that are available to this user.
Click Team: Manage Group Membership.
Select the "Unix Admin Accounts" team.
Click Next.
On the page, select "Approver" and "Requester".
Click Next.
In the Select Child Group for Approver field, select the "IT-UNIX-MANAGERS" group.
In the Select Group Members for Requester field, select the user.
Click Submit.