Setting up network resources
This section shows you how to set up network resources for management via Bravura Identity.
All shared resources to which users will request access must be correctly configured on the target system. Bravura Identity's ability to control access to these resources depends heavily on how they are configured on the target system.
Some thought must be given to planning how many groups need to be created and which resources they will have permission to access, so that adding or removing a user's membership in a group grants exactly the access to network resources that the user needs. To provide access on a resource-by-resource basis, create a group for each resource.
In general, you must do the following:
Create groups with appropriate permissions to control access to the resources that are going to be managed by Bravura Identity.
Ensure that each group has an owner (recommended).
Bravura Identity can use group owners as authorizers for requests to join the group. See Groups for more information.
Ensure that all resources to be managed have the correct groups assigned to them.
The nrcifs program, shipped with Connector Pack in the agent directory, binds Bravura Identity to a specific resource whose access is mediated by membership in an Active Directory group. Before Bravura Identity can administer user access to resources, you must configure the resources in the domain. This section details how to configure shares/folders, printers, and mail distribution lists.
The following instructions are for Active Directory running on Windows Server 2012. Details may vary depending on your version of the software.
Shares/folders
To set up shares/folders in your Active Directory domain:
Configure the groups that will be granted access to the share; ensure that each group has a description and an owner.
Right-click the group, then select Properties.
The <group> Properties window appears. Click the General tab. If required, type a Description that will be displayed to users.
Click the Managed By tab. If required, click Change, then type the name of the user you want to designate as the group owner, then click OK to return to the Managed By tab.
Alternatively, you can type the name of a group. See Groups as owners for special considerations.
Click OK to close the window.
Set up shared folder permissions to restrict the folder’s availability over the network.
Using Windows Explorer:
Right-click the folder you want to share, then select Properties.
The <folder> Properties window appears.
Click the Sharing tab, and click Advanced Sharing....
Check Share this folder.
Click Permissions.
The permissions window appears. Select the Everyone group and click Remove (recommended).
Click Add, type the user ID of the target system administrator, then click OK to return to the permissions window.
Set the permissions for the target system administrator to Full Control.
Click Add, type the name of the groups you configured in step 1, then click OK to return to the permissions window.
Set the permissions for each of the groups you added to Full Control.
Click OK to close the permissions window.
Click OK to close the Advanced Sharing window.
Click OK to close the Properties window.
Configure the NTFS permissions for the folder object and any subfolders that are not set up to inherit from the folder.
Using Windows Explorer:
Right-click the folder, then select Properties.
The <folder> Properties window appears. Click the Security tab.
The tab displays a list of users and groups who have permissions assigned to them for the folder object.
Verify that the target system administrator has permissions to the folder either explicitly or through group membership; for example, ensure that the Administrators group is listed.
This allows subfolders to be viewed properly in Bravura Identity. You only need to perform this step on the parent folder.
Click Edit....
Click Add....
Type the name of the groups you configured in step 1, then click OK.
Set the permissions for each group.
Be careful about which groups you grant full control over folders. Members of these groups will be able to change the folder permissions. As a general rule, only allow Administrators full control.
Remove the default "Users" group.
Click OK to close the window.
The share is now available to be managed by Bravura Identity.
Publishing shares
If you want to use the listadresources program to list the share, you must publish the share in the directory. To do this:
In the directory, right-click the location in which you want to publish the share, then select New > Shared Folder.
Type the name of the share and the network path.
Click OK.
See the listadresources usage information.
Printers
In order to manage printers as network resources in Bravura Security Fabric, the server to which the printer is attached must be a member of the domain.
To set up printers in your Active Directory domain:
Configure the groups that will be granted access to the printer; ensure that each group has a description and an owner.
Right-click the group, then select Properties.
The <group> Properties window appears. Click the General tab. If required, type a Description that will be displayed to users.
Click the Managed By tab. If required, click Change, then type the name of the user you want to designate as the group owner, then click OK to return to the Managed By tab.
Alternatively, you can type the name of a group. See Groups as owners for special considerations.
Click OK to close the window.
Ensure that the printer Bravura Identity will manage is listed in the directory.
Using Printers and Faxes on the server where the printer is attached:
Right-click the printer, then select Printer properties.
Click the Sharing tab, and ensure that the Share this printer and List in the directory options are selected.
Click OK.
Add the group so that it has permissions to the printer:
Using Devices and Printers on the server where the printer is attached:
Right-click the printer, then select Printer properties.
The <printer> Properties window appears.
Select the Security tab, then click Add.
Type the name of the groups you configured in step 1, then click OK.
Set the permissions for each group. For example, allow the group to print.
Click OK to close the <printer> Properties window.
The printer is now available to be managed by Bravura Identity.
Mail distribution lists
To set up mail distribution lists in your Active Directory domain, using the Exchange Management Console:
Launch the Exchange Management Console.
Expand Microsoft Exchange On-Premises on the left hand side.
Expand Recipient Configuration on the left hand side.
Select Distribution Group from the left hand side.
Right-click the distribution group and select Properties.
Select the Group Information tab.
Click Add....
Search for, and select, the user you want to designate as the group owner, then click OK.
Click OK to close the Properties window.
The distribution groups will propagate to Active Directory and can then be managed by Bravura Identity.
Alternatively, you can manage the Exchange distribution groups using the Exchange connector.
Groups as owners
Active Directory allows groups to be managed by other groups. If you configure a group with access to a network resource to be managed by another group, all members of the managing group will become group owners in Bravura Identity .
You can limit the list of group owners presented to users by selecting a managing group that contains fewer members, or by using an IDACCESS OWNERS PLUGIN (Manage the system > Workflow > Options > Plugins).
Configuration notes
If a managed group does not have a description entered, then the group name is displayed by default when requesting access to network resources.
listadresources
Use the listadresources program to list network resources (shares, printers, mail distribution lists) in a Microsoft Active Directory domain.
You can then use the resulting output file with the loadnetres program to import the resources into Bravura Security Fabric.
Usage
listadresources -hostid <target ID> -outfile <filename> [-validateperm]
| Option | Description |
|---|---|
| -hostid <target ID> | The target ID of the Active Directory domain in Bravura Security Fabric. |
| -outfile <filename> | The output filename. |
| -validateperm | Determines the value of the Users are only allowed to see sub-resources when they have read permission for a resource checkbox for each share/folder resource. Including this option sets the value to true; if omitted, the value is false (the default). |
Output file format
The output file format for listadresources is the same as the input file format for loadnetres.
The file is written in KVGroup format:
    "" "" = {
        "<resource type>" "<publish name>" = {          # required
            "Address" = "<UNC path of the resource>"    # required for shares and printers
            "TargetId" = "<target ID>"                  # required
            "Description" = "<description>"             # not required
            "ValidatePermissions" = "<true|false>"      # not required
        }
        ...   # You can specify multiple KVGroups, one for each resource.
    }
The <resource type> is one of:
F – share/folder resource
M – mail distribution list
P – printer resource
ValidatePermissions determines the value of the Users are only allowed to see sub-resources when they have read permission for a resource checkbox for a share/folder resource. The default is false.
Example
The following is an example of the file format:
    # KVGROUP-V1.0
    "" "" = {
        "F" "share1" = {
            "Address" = "\\\\10.0.26.115\\share1"
            "Description" = "A shared folder"
            "TargetId" = "ADDOM"
        }
        "M" "AllSalesGroup" = {
            "Description" = "Distribution list for sales"
            "TargetId" = "ADDOM"
        }
        "P" "COMPUTERNAME-Printer1" = {
            "Address" = "\\\\computername.example.com\\Printer1"
            "Description" = "First floor printer"
            "TargetId" = "ADDOM"
        }
        "F" "share2" = {
            "Address" = "\\\\10.0.26.115\\share2"
            "Description" = "Another shared folder"
            "TargetId" = "ADDOM"
            "ValidatePermissions" = "true"
        }
    }
loadnetres
Use loadnetres to import information about network resources into Bravura Security Fabric.
This program can use the output file created by listadresources, the diffs of two files, or your own customized file.
loadnetres [<FILE1>] <FILE2>
If <FILE1> is specified, loadnetres compares the two files and adds, removes, or modifies resources as appropriate.
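As an added example (not Bravura's own code), the following Python parses files in the KVGroup layout shown under listadresources, rejects resources that lack the keys the format marks as required, and computes the add/remove/modify sets that loadnetres <FILE1> <FILE2> is described as applying. The two sample files, the backslash unescaping rule (inferred from the UNC paths in the example above) and the assumption that a resource is identified by its type and publish name are mine, not the product's.

```python
import re

# Constructed sample files (not from the page), laid out as in the listadresources example above.
OLD = r'''# KVGROUP-V1.0
"" "" = { "F" "share1" = { "Address" = "\\\\10.0.26.115\\share1" "TargetId" = "ADDOM" }
          "P" "Printer1" = { "Address" = "\\\\computername.example.com\\Printer1" "TargetId" = "ADDOM" } }'''
NEW = r'''# KVGROUP-V1.0
"" "" = { "F" "share1" = { "Address" = "\\\\10.0.26.115\\share1" "TargetId" = "ADDOM" "ValidatePermissions" = "true" }
          "M" "AllSales" = { "Description" = "Sales list" "TargetId" = "ADDOM" } }'''

# Token kinds: quoted string (\\ and \" escapes), structural symbol, # comment, whitespace; group 3 catches junk.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}=])|#[^\n]*|\s+|(.)')

def tokenize(text):
    for m in TOKEN.finditer(text):
        if m.group(3):
            raise ValueError(f"unexpected character {m.group(3)!r} at offset {m.start()}")
        if m.group(1) is not None:
            yield ("str", re.sub(r'\\(.)', r'\1', m.group(1)))  # unescape (assumed): \\ -> \ and \" -> "
        elif m.group(2):
            yield ("sym", m.group(2))

def parse_kvgroup(text):
    """Return {(resource type, publish name): {key: value}}; ValueError on bad syntax or missing keys."""
    toks = list(tokenize(text)) + [("eof", "")]
    def take(i, kind, want=None):
        if toks[i][0] != kind or (want is not None and toks[i][1] != want):
            raise ValueError(f"unexpected token {toks[i]} at index {i}")
        return toks[i][1]
    take(0, "str", ""); take(1, "str", ""); take(2, "sym", "="); take(3, "sym", "{")  # outer "" "" = {
    i, resources = 4, {}
    while toks[i] != ("sym", "}"):
        rtype, name = take(i, "str"), take(i + 1, "str")
        take(i + 2, "sym", "="); take(i + 3, "sym", "{")
        i, attrs = i + 4, {}
        while toks[i] != ("sym", "}"):
            key = take(i, "str"); take(i + 1, "sym", "="); attrs[key] = take(i + 2, "str")
            i += 3
        # Required keys per the format: TargetId always, Address for shares (F) and printers (P).
        if rtype not in ("F", "M", "P") or "TargetId" not in attrs or (rtype != "M" and "Address" not in attrs):
            raise ValueError(f"invalid resource {rtype} {name!r}: {attrs}")
        resources[(rtype, name)] = attrs
        i += 1
    return resources

def diff_resources(old, new):
    """Assumed loadnetres <FILE1> <FILE2> semantics: key on (type, name); return (added, removed, modified)."""
    return (sorted(k for k in new if k not in old), sorted(k for k in old if k not in new),
            sorted(k for k in new if k in old and new[k] != old[k]))
```

Running parse_kvgroup on a hand-edited file before handing it to loadnetres catches a missing TargetId or Address, or a stray character, with a clear error instead of a silent partial import.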
The input file is written in the same KVGroup format as the listadresources output file; see the format description and example under listadresources above.