
Handling account attributes

This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior in LDAP Directory Service. For information about the native LDAP Directory Service attributes managed by Bravura Security Fabric, consult your LDAP Directory Service documentation.

  • _firstpartofcn: The pseudo-attribute _firstpartofcn determines the new user’s common name (cn) in LDAP.

  • _groups: A multi-valued pseudo-attribute that determines a user’s group membership. The attribute value is the group’s DN (Distinguished Name).

    By default, Bravura Security Fabric uses the group’s uniqueMember attribute as the attribute that holds its members. You can specify an alternate value in the LDAP attribute script file.

  • manager: By default, this is mapped to the ORGCHART_MANAGER profile attribute.

    Bravura Security Fabric can use this account attribute to build and maintain the OrgChart.

Learn more about writing an LDAP attribute script file.

Allowing users to specify the container DN

You can configure Bravura Security Fabric to use a profile/request attribute to prompt users for the destination container when creating or moving accounts on a target system that supports contexts.

When the Profile/request attribute to use as the container DN option is configured on the Target system information page, users can:

  • Set the destination container when creating new accounts.

    Users do this by setting the profile/request attribute value in the request form. By default, Bravura Security Fabric creates new accounts in the same container as the template. Without the profile/request attribute, you may need to set up identical templates for each container.

    If the option is enabled when setting the target system address, Bravura Security Fabric can also create the container when the one specified does not exist.

  • Move existing accounts on the target system to a different container.

    Users do this by setting the To container value – which is actually the profile/request attribute, but with a different name – on the move accounts page. Bravura Security Fabric only displays the move operation (the Move button) for users with accounts that can be moved between containers.

To allow users to select a container for a create account or move context operation:

  1. Add a profile attribute to provide a place to prompt the user for this information. To learn how to do this, see Profile and request attributes.

    It is recommended that you configure the profile attribute to have a set of restricted values, so that the requester or product administrator can select from a drop-down list.

  2. Ensure that you set read/write permissions for the profile attribute.

    To learn how to do this, see Attribute groups.

  3. Provide a group of users the "Move user from one context to another" rule.

    To learn how to do this, see Access to user profiles.

  4. Update the Target system information page by typing the name of the profile attribute in the Profile/request attribute to use as the container DN field.

    This allows Bravura Security Fabric to use the profile attribute for this purpose.
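The restricted-values recommendation in step 1 can also be checked outside the product. The following is an added example, not Bravura Security Fabric code and not part of the original documentation: it compares requested container DNs and existing account DNs against an allowlist. The DNs, the allowlist, and all function names are constructed for illustration, and case-insensitive matching of attribute values is an assumption.

```python
# Constructed allowlist (hypothetical DNs): the same restricted values
# offered in the profile attribute's drop-down list.
ALLOWED_CONTAINERS = ["ou=Staff,dc=example,dc=com",
                      "ou=Contractors,dc=example,dc=com"]

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # escaped char is never a separator
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    return rdns + ["".join(current)]

def normalize(dn):
    """Return the DN as a tuple of (attribute, value), lower-cased and trimmed.
    Assumes attribute values match case-insensitively, as ou/dc/cn usually do."""
    parts = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN: {dn!r}")
        parts.append((attr.strip().lower(), " ".join(value.lower().split())))
    return tuple(parts)

def container_allowed(requested, allowed=ALLOWED_CONTAINERS):
    """True only when the requested container exactly matches an allowed DN."""
    try:
        return normalize(requested) in {normalize(a) for a in allowed}
    except ValueError:
        return False

def accounts_outside_allowlist(account_dns, allowed=ALLOWED_CONTAINERS):
    """Return account DNs whose parent container is not on the allowlist."""
    flagged = []
    for dn in account_dns:
        parent = ",".join(split_rdns(dn)[1:])   # drop the account's own RDN
        if not container_allowed(parent, allowed):
            flagged.append(dn)
    return flagged
```

Because the match is exact, a sub-container of an approved container is rejected unless it is listed itself.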