Offboarding a system
Users assigned as system trustees can use the System: Offboard request to disable, archive or delete a system.
Disable involves disabling listing of accounts on the system.
Archive involves moving the system and all of its accounts to an archive. All password history for the accounts will be kept. The listing operation for archived systems remains enabled. To disable the listing operation, run the System: Offboard request with the "Disable" option.
Caution
If systems are decommissioned, and the listing operation is not disabled, it could cause discovery failure.
Delete involves removing the system and all of its accounts from the archive. All password history for the accounts will be lost.
You cannot delete a system that still has managed accounts associated with it.
From the home page, click Manage resources.
Select the System: Offboard request.
Select a managed system and an action to take.
Click Next.
Confirm that you want to proceed.
Click Submit.
Bravura Security Fabric notifies authorizers to review the request if required.
Click the View request link at the top of the page to view the status of the request.
Archiving systems via reports
If the team management component has been installed, pre-defined requests to archive or delete onboarded systems can be submitted from the Managed System Summary report. This functionality can be used to perform scheduled offboarding for systems that cannot be offboarded through import rules.
To enable this functionality, the pre-defined request that will offboard managed systems must be available through reports, and the user submitting the request must be a trustee of the team to which the system is attached.
See Reports for more information.
API automation for system offboard
Once the API has been configured (see "SOAP API" in Bravura Security Fabric Remote API (api.pdf)) and your script has been authenticated to the API (Login or LoginEx API calls), the WF API calls can be used to create an API request.
Use the WFPDRSubmit function to create a workflow request and submit the request for publishing.
When submitting a request, use "ARCHIVE_ONBOARDED_SYSTEM" as the PDR ID. The request uses the following attributes:
attrkey | value |
---|---|
HOSTID | The ID of the system. |
OFFBOARD_ACTION | DISABLE to disable listing of the system, DELETE to remove the system. |
CONFIRM_ACTION | T to confirm, F to cancel. |
REQUEST_TEAM | The team whose system trustees will be used to authorize the request. See the REQUEST_TEAM attribute for more information. |
ARCHIVE_ONBOARDED_SYSTEM batch request sample:
```csv
"HOSTID","OFFBOARD_ACTION","CONFIRM_ACTION"
"D39B55F07A6A487AABE4BD8C9EC1679C","DELETE","T"
```
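As an added illustration (not Bravura Security Fabric's own code), the following Python builds the attribute set and the batch CSV for an ARCHIVE_ONBOARDED_SYSTEM request and applies the checks this page states before anything is submitted: OFFBOARD_ACTION must be DISABLE or DELETE, a system that still has managed accounts cannot be deleted, and REQUEST_TEAM is required but not enforced for this PDR. The OffboardRequest name and the managed_accounts inventory are assumptions, and the WFPDRSubmit call itself is not shown.

```python
import csv
import io
from dataclasses import dataclass

PDR_ID = "ARCHIVE_ONBOARDED_SYSTEM"  # PDR ID documented for the System: Offboard request
OFFBOARD_ACTIONS = {"DISABLE", "DELETE"}

@dataclass
class OffboardRequest:
    hostid: str             # HOSTID: the ID of the system
    action: str             # OFFBOARD_ACTION: DISABLE or DELETE
    request_team: str = ""  # REQUEST_TEAM: required but not enforced, not auto-filled, for this PDR
    confirm: bool = True    # CONFIRM_ACTION: T to confirm, F to cancel

    def attributes(self):
        """(attrkey, value) pairs to pass to WFPDRSubmit together with PDR_ID."""
        attrs = [("HOSTID", self.hostid),
                 ("OFFBOARD_ACTION", self.action),
                 ("CONFIRM_ACTION", "T" if self.confirm else "F")]
        if self.request_team:
            attrs.append(("REQUEST_TEAM", self.request_team))
        return attrs

def validate(req, managed_accounts):
    """Reasons not to submit req (empty list = safe). managed_accounts is a constructed
    inventory mapping HOSTID -> managed accounts still on the system (hypothetical)."""
    problems = []
    if not req.hostid:
        problems.append("HOSTID is required")
    if req.action not in OFFBOARD_ACTIONS:
        problems.append("OFFBOARD_ACTION must be DISABLE or DELETE, got %r" % req.action)
    # A system cannot be deleted while managed accounts are still associated with it,
    # and DELETE also discards all password history for those accounts.
    if req.action == "DELETE" and managed_accounts.get(req.hostid, 0) > 0:
        problems.append("%s still has %d managed account(s); offboard them first"
                        % (req.hostid, managed_accounts[req.hostid]))
    # REQUEST_TEAM is neither enforced nor auto-filled for this PDR, so catch the
    # omission here, before the request goes out for authorization.
    if not req.request_team:
        problems.append("REQUEST_TEAM is not set; it is required for this PDR even though the API does not enforce it")
    return problems

def batch_csv(requests):
    """Render requests in the ARCHIVE_ONBOARDED_SYSTEM batch format shown above."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["HOSTID", "OFFBOARD_ACTION", "CONFIRM_ACTION"])
    for req in requests:
        writer.writerow([req.hostid, req.action, "T" if req.confirm else "F"])
    return buf.getvalue()
```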
The REQUEST_TEAM attribute names the team whose system trustees will be used to authorize the request. Its value depends on which PDR is used: for some PDRs it is auto-filled, and for others it is not required.
PDR ID | API submittable | REQUEST_TEAM required | REQUEST_TEAM auto-filled |
---|---|---|---|
BATCH_REQUEST | No | N/A | N/A |
CREATE_LARGE_CREDENTIAL | No | N/A | N/A |
UPDATE_LARGE_CREDENTIAL | No | N/A | N/A |
WEBAPP_DISCLOSURE_CREATE | No | N/A | N/A |
WEBAPP_DISCLOSURE_DELETE | Yes | No | N/A |
WEBAPP_DISCLOSURE_UPDATE | No | N/A | N/A |
TEAM-CREATE | Yes | Yes | Yes |
TEAM-DELETE | Yes | Yes | Yes |
TEAM-MEMBERS | Yes | Yes | Yes |
TEAM-UPDATE | Yes | Yes | Yes |
CREATE_VAULT_SYSTEM | Yes | Yes | Not required |
ARCHIVE_VAULT_SYSTEM | Yes | Yes | Yes |
UPDATE_VAULT_SYSTEM (1 - same team) | Yes | Yes | Yes |
UPDATE_VAULT_SYSTEM (2 - transfer) | Yes | Yes | Yes |
CREATE_VAULT_ACCOUNT (1 - team vault) | Yes | Yes | Yes |
CREATE_VAULT_ACCOUNT (2 - system vault - same team) | Yes | Yes | Yes |
CREATE_VAULT_ACCOUNT (3 - system vault - different team) | Yes | Yes | Yes |
ARCHIVE_VAULT_ACCOUNT | Yes | Yes | Yes |
UPDATE_VAULT_ACCOUNT (1 - team vault) | Yes | Yes | Yes |
UPDATE_VAULT_ACCOUNT (2 - system vault - same team) | Yes | Yes | Yes |
UPDATE_VAULT_ACCOUNT (3 - system vault - transfer) | Yes | Yes | Yes |
ONBOARD_SYSTEM | Yes | Yes, but not enforced | No |
ARCHIVE_ONBOARDED_SYSTEM | Yes | Yes, but not enforced | No |
UPDATE_ONBOARDED_SYSTEM | Yes | No | If the destination team is unset or the destination team is the same as the source team |
ONBOARD_ACCOUNT | Yes | Yes, but not enforced | No |
OFFBOARD_ACCOUNT | Yes | Yes | Yes |
UPDATE_ONBOARDED_ACCOUNT | Yes | Yes, but not enforced | No |
CREATE_PAMUTIL_API_USER | Yes | No | Not required |
Known issue: the team is displayed improperly in update/archive when the destination team's vault trustee is not in a team owning the vault system. This will be fixed in a future release.