Handling account attributes
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the account attributes menu of the Manage the system (PSA) module.
See Account attributes in the Bravura Security Fabric configuration documentation for more information.
Supported attributes differ between versions of Exchange. For information about the native Exchange attributes managed by Bravura Security Fabric, consult your Exchange documentation.
Retrieving out-of-office status
The _out_of_office attribute is used by the first chance escalation plugin. This attribute is leveraged to auto-escalate to a different authorizer for approval if the current authorizer is flagged as out-of-office. Retrieval of out-of-office status is only supported on Exchange 2010+ systems.
Creating or deleting Active Directory groups
The following pseudo attributes are supported to allow you to create or delete Active Directory distribution groups and mail-enable them.
_CreateADGroup: This pseudo attribute allows you to create an Active Directory distribution group. When it exists and has the value True, the connector will create the Active Directory group and assign a mailbox to it.
If it is False or does not exist, the connector assumes the group already exists in Active Directory and will only enable a mailbox for it.
_DeleteADGroup: This pseudo attribute allows you to delete an Active Directory distribution group. When it exists and has the value True, the connector will delete the distribution group in Active Directory; otherwise, it will only remove the mailbox attached to that group and leave the group in Active Directory.
Delegating mailbox permissions
The following pseudo attribute is supported to allow the owner of a mailbox to delegate access permissions for their mailbox to another user:
PERM_PermissionAction
Permissions:
FA - FullAccess
EA - ExternalAccount
DI - DeleteItem
RP - ReadPermission
CP - ChangePermission
CO - ChangeOwner
SA - SendAs
Inheritance Type:
All
Children
Descendants
None
SelfAndChildren
These options must be set in the same form and fashion as you would set them using Add-MailboxPermission from the Exchange Management PowerShell console.
Examples
The attribute may be submitted in the following format:
Grant ReadPermission and remove FullAccess for the user admin1:
"{grant=admin1@scom.local;mask={RP;-FA;};flags={InheritanceType=All;}}"
Deny ReadPermission for the user admin1.
"{deny=admin1@scom.local;mask={RP;};flags={InheritanceType=All;}}"
Remove all permissions granted to the user admin1.
"{remove=admin1@scom.local;}"
Replace existing permissions for the user admin1.
"{grant=admin1@scom.local;mask={RP;};flags={InheritanceType=All;}replace;}"
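To make the format above concrete, here is an added example (not part of the connector or of this documentation) of a parser that validates a PERM_PermissionAction value against the documented verbs, rights codes and inheritance types, and then renders it as Exchange Management Shell commands. The parser follows the examples literally; the rendering to Add-MailboxPermission / Remove-MailboxPermission is an assumed mapping for illustration, since the page does not document how the connector itself translates the value, and the mailbox identity passed to to_cmdlets is a placeholder.

```python
from dataclasses import dataclass, field
from typing import Optional

# Two-letter codes accepted in the mask, mapped to Exchange access rights (from the page).
ACCESS_RIGHTS = {
    "FA": "FullAccess", "EA": "ExternalAccount", "DI": "DeleteItem",
    "RP": "ReadPermission", "CP": "ChangePermission", "CO": "ChangeOwner",
    "SA": "SendAs",
}
INHERITANCE_TYPES = {"All", "Children", "Descendants", "None", "SelfAndChildren"}


@dataclass
class PermissionAction:
    action: str                                      # grant | deny | remove
    user: str                                        # trustee, e.g. admin1@scom.local
    add_rights: list = field(default_factory=list)   # mask codes without a '-' prefix
    drop_rights: list = field(default_factory=list)  # mask codes prefixed with '-'
    inheritance: Optional[str] = None                # InheritanceType flag, if given
    replace: bool = False                            # bare 'replace' flag present


def _parse_block(text, pos):
    """Parse '{item;item;...}' with text[pos] == '{'. Items are 'key', 'key=value'
    or 'key={nested}'. Returns (list of (key, value), index after the closing brace)."""
    if pos >= len(text) or text[pos] != "{":
        raise ValueError(f"expected '{{' at offset {pos}")
    pos += 1
    items = []
    while pos < len(text) and text[pos] != "}":
        start = pos
        while pos < len(text) and text[pos] not in "=;{}":
            pos += 1
        key, value = text[start:pos].strip(), None
        if not key:
            raise ValueError(f"empty item at offset {pos}")
        if pos < len(text) and text[pos] == "=":
            pos += 1
            if pos < len(text) and text[pos] == "{":
                value, pos = _parse_block(text, pos)      # nested block, e.g. mask={...}
            else:
                start = pos
                while pos < len(text) and text[pos] not in ";}":
                    pos += 1
                value = text[start:pos].strip()
        items.append((key, value))
        if pos < len(text) and text[pos] == ";":
            pos += 1                                       # separators are optional after '}'
    if pos >= len(text):
        raise ValueError("unterminated block")
    return items, pos + 1


def parse_permission_action(text):
    """Parse one PERM_PermissionAction value, rejecting unknown verbs, rights and flags."""
    text = text.strip()
    items, end = _parse_block(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after the closing brace")
    verb = user = inheritance = None
    add, drop, replace = [], [], False
    for key, value in items:
        if key in ("grant", "deny", "remove"):
            if verb is not None or not isinstance(value, str) or not value:
                raise ValueError("exactly one of grant/deny/remove, with a user, is required")
            verb, user = key, value
        elif key == "mask" and isinstance(value, list):
            for code, v in value:
                right = code[1:] if code.startswith("-") else code
                if v is not None or right not in ACCESS_RIGHTS:
                    raise ValueError(f"bad mask entry {code!r}")
                (drop if code.startswith("-") else add).append(ACCESS_RIGHTS[right])
        elif key == "flags" and isinstance(value, list):
            for flag, v in value:
                if flag != "InheritanceType" or v not in INHERITANCE_TYPES:
                    raise ValueError(f"bad flag {flag}={v}")
                inheritance = v
        elif key == "replace" and value is None:
            replace = True
        else:
            raise ValueError(f"unknown item {key!r}")
    if verb is None:
        raise ValueError("missing grant/deny/remove")
    return PermissionAction(verb, user, add, drop, inheritance, replace)


def to_cmdlets(pa, mailbox):
    """Illustrative (assumed) rendering of a parsed action as Exchange Management Shell
    commands; 'mailbox' is a placeholder identity supplied by the caller."""
    inh = f" -InheritanceType {pa.inheritance}" if pa.inheritance else ""
    deny = " -Deny" if pa.action == "deny" else ""
    cmds = []
    if pa.action == "remove" or pa.replace:
        # clear everything the trustee currently holds before applying the new set
        cmds.append(f"Remove-MailboxPermission -Identity {mailbox} -User {pa.user} "
                    f"-AccessRights {','.join(ACCESS_RIGHTS.values())} -Confirm:$false")
    for right in pa.drop_rights:
        cmds.append(f"Remove-MailboxPermission -Identity {mailbox} -User {pa.user} "
                    f"-AccessRights {right}{inh}{deny} -Confirm:$false")
    if pa.add_rights:
        cmds.append(f"Add-MailboxPermission -Identity {mailbox} -User {pa.user} "
                    f"-AccessRights {','.join(pa.add_rights)}{inh}{deny}")
    return cmds
```

Strict validation matters here because the attribute value ends up as cmdlet arguments: rejecting unknown codes and flags at parse time keeps a malformed or tampered request from reaching the Exchange console as anything other than the documented operations.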
Configuring message size limits for a mailbox
The following pseudo attributes are supported across Exchange to configure message size limits for mailboxes:
MaxSendSize
0B to 2GB
Unlimited
MaxReceiveSize
0B to 2GB
Unlimited
These options must be set in the same form and fashion as you would set them using Set-Mailbox from the Exchange Management PowerShell console.
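As an added illustration (not code from the connector or this documentation), the following validator checks MaxSendSize and MaxReceiveSize values against the documented range (0B to 2GB, or Unlimited) before they are handed to Set-Mailbox, and normalizes them. The unit spellings accepted (B, KB, MB, GB, binary multiples) and the rendered Set-Mailbox command line are assumptions made for the example.

```python
import re
from typing import Optional

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed binary units
MAX_BYTES = 2 * 1024 ** 3                                        # documented ceiling: 2GB
SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)\s*$", re.IGNORECASE)


def parse_size_limit(value: str) -> Optional[int]:
    """Return the limit in bytes, or None for 'Unlimited'. Raises ValueError for
    anything not of the form <number><unit> or outside 0B..2GB."""
    if value.strip().lower() == "unlimited":
        return None
    m = SIZE_RE.match(value)
    if not m:                       # also rejects negatives and unknown units such as TB
        raise ValueError(f"{value!r}: expected <number><B|KB|MB|GB> or Unlimited")
    size = int(float(m.group(1)) * UNITS[m.group(2).upper()])
    if size > MAX_BYTES:
        raise ValueError(f"{value!r} exceeds the 2GB ceiling")
    return size


def format_size_limit(size: Optional[int]) -> str:
    """Canonical spelling: largest unit that divides the value exactly, or Unlimited."""
    if size is None:
        return "Unlimited"
    for unit in ("GB", "MB", "KB"):
        if size >= UNITS[unit] and size % UNITS[unit] == 0:
            return f"{size // UNITS[unit]}{unit}"
    return f"{size}B"


def validate_size_limits(attributes: dict) -> dict:
    """Validate the two size pseudo-attributes of a request and return a copy with
    them in canonical form; other attributes pass through untouched."""
    out = dict(attributes)
    for key in ("MaxSendSize", "MaxReceiveSize"):
        if key in out:
            out[key] = format_size_limit(parse_size_limit(out[key]))
    return out


def build_set_mailbox(identity: str, attributes: dict) -> str:
    """Assumed rendering of the validated limits as a Set-Mailbox command line."""
    clean = validate_size_limits(attributes)
    parts = [f"Set-Mailbox -Identity {identity}"]
    for key in ("MaxSendSize", "MaxReceiveSize"):
        if key in clean:
            parts.append(f"-{key} {clean[key]}")
    return " ".join(parts)
```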
Creating/Moving Exchange mailboxes
You can configure Bravura Security Fabric to use a profile/request attribute to prompt users for the destination mailbox database when creating or moving accounts on a target system that supports contexts.
When the Profile/request attribute to use as the container DN option is configured on the target system page (Manage the system > Resources > Target systems), users can:
Set the destination mailbox database when creating new accounts.
Users do this by setting the profile/request attribute value in the request form. By default, Bravura Security Fabric creates new accounts in the same mailbox database as the template. Without the profile/request attribute, you may need to set up identical templates for each mailbox database.
If enabled when setting the target system address, Bravura Security Fabric can also create a container if a non-existing one is specified.
Move existing accounts on the target system to a different mailbox database.
Users do this by setting the To container value – which is actually the profile/request attribute, but with a different name – on the move accounts page. Bravura Security Fabric only displays the move operation (the Move button) for users with accounts that can be moved between mailbox databases.
To allow users to select a mailbox database for a create account or move context operation:
Add a profile attribute to provide a place to prompt the user for this information. To learn how to do this, see Profile and request attributes.
It is recommended that you configure the profile attribute to have a set of restricted values, so that the requester or product administrator can select from a drop-down list.
Ensure that you set read/write permissions for the profile attribute.
To learn how to do this, see Attribute groups.
Provide a group of users the "Move user from one context to another" rule.
To learn how to do this, see Access to user profiles.
Update the target system page by typing the name of the profile attribute in the Profile/request attribute to use as the container DN field. This allows Bravura Security Fabric to use the profile attribute for this purpose.
Targeting specific domain controllers for Exchange connector operations with the DomainController attribute
When performing a create operation the Exchange agent (agtexg2k7) will:
Submit Enable-Mailbox to create the mailbox
Submit Get-RemoteMailbox to validate the mailbox exists
If either of the above fails, the request itself will fail. If Get-RemoteMailbox specifically fails, the request will be retried and will then fail Enable-Mailbox as the mailbox is already created.
An example of where Get-RemoteMailbox could fail is if:
The Enable-Mailbox reached DC1 and succeeded.
The Get-RemoteMailbox reached DC2, which had not yet had the new mailbox replicated to it, causing the Get-RemoteMailbox to fail.
Where replication between the DCs is responsive, the polltime target address attribute can be used.
Where replication between the DCs is not responsive, the above scenario can be solved with the DomainController account attribute. When populated with a specific DC, the DomainController account attribute ensures that all connector operations are sent to that DC, avoiding the replication-related delay issues described above.
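The failure sequence described above is easy to misread as an intermittent Exchange error, so here is an added simulation (not the agent's code) that models two domain controllers with delayed replication, a load balancer that alternates between them, and the agent's Enable-Mailbox then Get-RemoteMailbox flow with one retry. The DC names, the round-robin selection and the single retry are assumptions for the example; the point is to show that without a pinned DomainController the retry fails at Enable-Mailbox because the first attempt did create the mailbox, while pinning both calls to the same DC succeeds.

```python
import itertools


class DomainController:
    def __init__(self, name):
        self.name = name
        self.mailboxes = set()     # mailboxes this DC currently knows about


class Forest:
    """Two DCs with lazy replication: a write lands on one DC and reaches the
    other only when replicate() is called (models inter-DC replication delay)."""
    def __init__(self, names=("DC1", "DC2")):
        self.dcs = {n: DomainController(n) for n in names}
        self._round_robin = itertools.cycle(names)   # assumed load-balancer behaviour

    def pick(self, domain_controller=None):
        """Pinned DC when the DomainController attribute is set, else whichever is next."""
        if domain_controller:
            return self.dcs[domain_controller]
        return self.dcs[next(self._round_robin)]

    def replicate(self):
        everything = set().union(*(dc.mailboxes for dc in self.dcs.values()))
        for dc in self.dcs.values():
            dc.mailboxes |= everything


def enable_mailbox(forest, user, domain_controller=None):
    """Models Enable-Mailbox: fails if the chosen DC already has the mailbox."""
    dc = forest.pick(domain_controller)
    if user in dc.mailboxes:
        raise RuntimeError(f"Enable-Mailbox on {dc.name}: mailbox for {user} already exists")
    dc.mailboxes.add(user)
    return dc.name


def get_remote_mailbox(forest, user, domain_controller=None):
    """Models Get-RemoteMailbox: fails if the chosen DC has not seen the mailbox yet."""
    dc = forest.pick(domain_controller)
    if user not in dc.mailboxes:
        raise RuntimeError(f"Get-RemoteMailbox on {dc.name}: mailbox for {user} not found")
    return dc.name


def create_operation(forest, user, domain_controller=None, retries=1):
    """The agent's create flow: Enable-Mailbox, then Get-RemoteMailbox to validate it,
    retrying the whole operation when either step fails. Returns (success, step log)."""
    log = []
    for attempt in range(retries + 1):
        try:
            log.append(f"attempt {attempt}: Enable-Mailbox -> "
                       f"{enable_mailbox(forest, user, domain_controller)}")
            log.append(f"attempt {attempt}: Get-RemoteMailbox -> "
                       f"{get_remote_mailbox(forest, user, domain_controller)}")
            return True, log
        except RuntimeError as err:
            log.append(f"attempt {attempt}: FAILED {err}")
            forest.replicate()     # by the time the retry runs, replication has caught up
    return False, log


if __name__ == "__main__":
    for pinned in (None, "DC1"):
        ok, steps = create_operation(Forest(), "alice", domain_controller=pinned)
        print(f"DomainController={pinned!r}: {'success' if ok else 'failure'}")
        for line in steps:
            print("  " + line)
```

Run stand-alone, the unpinned case logs a Get-RemoteMailbox failure on DC2 followed by an Enable-Mailbox "already exists" failure on DC1, which is exactly the retry symptom the text describes; the pinned case completes in one attempt.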
There are two ways to configure and use the DomainController attribute.
Utilize DomainController attribute via a mapped request attribute
Include a request attribute on your workflow request to define a specific domain controller.
Configure an override of the account attribute DomainController with the settings:
Action when creating account set to specified value
Action when updating account set to specified value
Map account attribute to profile/request attribute = the request attribute added above
Sequence number for setting attribute -1
Utilize DomainController attribute via hardcoded value:
Configure an override of the account attribute DomainController with the settings:
Action when creating account set to specified value
Action when updating account set to specified value
Sequence number for setting attribute -1
At the bottom of the configurations for this account attribute set:
Value type Literal Value
Attribute value <the DC you want to create the mailbox for>
Room/Equipment/Shared mailbox types
You can configure Bravura Security Fabric to allow users to request a mailbox of the following supported types:
Regular - UserMailbox
Shared - SharedMailbox
Room - RoomMailbox
Equipment - EquipmentMailbox
The mailbox type is controlled by the Type attribute. When attempting to create any type other than a regular user mailbox, Microsoft requires that the corresponding Active Directory user account is first in a disabled state. You must ensure that the Active Directory template account used for these requests is configured to be disabled, and that the accountDisabled attribute is configured to copy from the template during the create operation.
Archiving mailboxes
You can configure Bravura Security Fabric to allow users to archive their mailboxes, using the following attributes:
Archive - Boolean
Set to true when archiving a mailbox and false when un-archiving a mailbox.
ArchiveDatabase - String
Name of archive database, used only when Archive is set to true.
This operation is supported only for existing mailboxes, and is not supported when creating a new mailbox.