Planning target systems
Use the following questions to help you determine your target system configuration:
How should Bravura Security Fabric determine user profile IDs?
Select a system or set of systems to designate as your profile ID source. This system or set of systems should contain a login ID for all (or most) of the Bravura Security Fabric users in your organization. Designate a system that uses the most common or standardized naming convention if possible.
You can configure Bravura Security Fabric to list email addresses from some systems (Active Directory), and they can be used to generate profile IDs. Alternatively, you can configure Bravura Security Fabric to interface with an existing user profile database or meta directory, instead of listing login IDs or email addresses from a target system.
Are login IDs standardized in your organization?
Does user John Smith log in with JOHNS on all of his systems? And, is the login ID JOHNS used only by John Smith on all systems?
If some or all of your target systems use standard IDs, you can configure Bravura Security Fabric to automatically associate accounts on these systems with a profile ID.
You must also decide if you want users to be able to attach login IDs that are associated with another user’s profile, if they know the correct password.
If any of your target systems do not use standard IDs:
Users must be able to attach non-associated IDs using the Attach other accounts (PSL) module.
or
Help desk users must be able to assign or unassign IDs using the Help users (IDA) module.
or
You must map login IDs to profile IDs in a text file.
Are login IDs on your target system case-sensitive?
Does your system differentiate between the login ID neild and NeilD? You must configure Bravura Security Fabric to match the behavior of your system.
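The following is an added example, not Bravura Security Fabric code, that shows how the decisions above fit together: profile IDs from a designated profile source are matched against each target's account inventory, with a per-target case-sensitivity flag deciding how login IDs are compared. The system names, login IDs and the `Target`/`associate` helpers are constructed for illustration.

```python
# Added example (not product code): auto-associate target accounts with profile IDs.
# Profile IDs come from the designated profile source (a constructed list standing in
# for login IDs listed from Active Directory). Each target records whether its login
# IDs are case-sensitive, which decides how account IDs are compared with profile IDs.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Target:
    name: str
    case_sensitive: bool
    accounts: tuple  # login IDs from auto discovery or a manual inventory

@dataclass
class Association:
    associated: dict = field(default_factory=dict)    # (target, login) -> profile ID
    unassociated: list = field(default_factory=list)  # (target, login) needing manual attach

def normalize(login_id, case_sensitive):
    # A case-insensitive system treats neild and NeilD as one account, so fold case only there.
    return login_id if case_sensitive else login_id.lower()

def associate(profile_ids, targets):
    result = Association()
    for target in targets:
        # Build the lookup with the same folding rule the target itself applies.
        lookup = {}
        for pid in profile_ids:
            key = normalize(pid, target.case_sensitive)
            # Two profile IDs that collide after folding are ambiguous: never auto-associate.
            lookup[key] = None if key in lookup else pid
        for login in target.accounts:
            pid = lookup.get(normalize(login, target.case_sensitive))
            if pid is None:
                result.unassociated.append((target.name, login))
            else:
                result.associated[(target.name, login)] = pid
    return result

PROFILE_IDS = ["JOHNS", "NeilD", "ASMITH"]  # constructed profile source using standard IDs
TARGETS = [  # constructed target inventories
    Target("AD-CORP", case_sensitive=False, accounts=("johns", "neild", "svc_backup")),
    Target("unix-db01", case_sensitive=True, accounts=("JOHNS", "neild", "oracle")),
]

if __name__ == "__main__":
    r = associate(PROFILE_IDS, TARGETS)
    for key, pid in sorted(r.associated.items()):
        print("associated", key, "->", pid)
    for key in r.unassociated:
        print("needs manual attach", key)
```

Accounts left unassociated are the ones the page says must be handled through Attach other accounts, Help users, or a login-ID-to-profile-ID mapping file.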
Should Bravura Security Fabric discover accounts on your target system automatically?
Most of the Bravura Security Fabric connectors support auto discovery. They can connect to target systems and collect an inventory of login IDs. Auto discovery is normally performed nightly. It is highly recommended that you enable auto discovery to keep the information in the Bravura Security Fabric database current.
If auto discovery is not supported on your system or if you will not configure Bravura Security Fabric to discover accounts automatically, you must manually provide an inventory of login IDs. This is usually done using a batch process on the target system.
Should users be able to change or verify passwords on your target system using Bravura Security Fabric?
When adding a new target system, the change password and verify password capabilities are enabled by default. You can disable one or both of these capabilities if:
The functionality is not supported on your particular target system; for example, password verifications are possible, but administrative resets are not.
You do not want users to have access to the capability; for example, the system is not a trusted system nor an authoritative system and therefore password verifications should not be allowed.
If password changes are enabled, you must determine if the target should be displayed on the help desk Change passwords screen or the self-service Change passwords screen. You must also determine if the target should be added to the authentication priority list.
You may also want to set a connector execution sequence to improve performance.
Do targets need to be grouped to apply differing password policies, synchronization rules, or help desk access rights?
Bravura Pass can apply global password strength rules, and synchronize a user’s password across all targets. You may want to set up target system groups; for example, if subsets of targets have incompatible password strength rules, or if you want a user’s passwords to vary on two or more targets. You may also want to group targets if you want to restrict access rights of groups of help desk users.
Does your target system incorporate a password expiry policy?
Bravura Security Fabric supports listing users with soon-to-expire passwords from several target systems (Active Directory, Microsoft Windows NT). If your target system incorporates a password expiry policy, and if listing soon-to-expire users is supported on that system, you should determine whether or not you are going to implement expiry notification.
If your target system does not have a native password expiry policy, you should determine whether or not Bravura Security Fabric is going to track password history and force users to change their passwords. You can configure Bravura Security Fabric to force users to change their passwords by modifying the Bravura Security Fabric password policy.
Is your target system composed of multiple servers?
Some target systems are actually composed of multiple servers. These include:
Multiple Active Directory domain controllers that comprise one domain or more (a forest)
An NIS master server and multiple NIS secondary servers that make up an NIS domain
Operating system, DBMS, and application target systems that function as a single logical application system
Bravura Pass supports these systems using the concept of a sub-host. A sub-host is one of multiple target systems on which Bravura Pass can manage passwords that together form a single larger target system. See Target systems composed of multiple servers for details.
Do other users have administrative access to the target systems? Are there other unmanaged means of access?
Each administered target system should be assessed for prior access, to ensure that any previous administrative access has been restricted before creating target systems and managed systems:
Examine any non-standard administrative accounts previously created. For example: Active Directory, Windows NT, Unix, SQL Server, Oracle.
Restrict administrative group access. For example, Active Directory, Unix.
Remove or revoke Unix SSH authorized remote access.
Remove sudo access to Unix/Linux accounts.
Note
This is a list of examples; it is not a complete list.
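As an added example that is not part of the original page, the following script performs the Unix side of the assessment described above on copies of a host's account files: it reports UID-0 logins other than the expected ones, explicit members of administrative groups, sudoers grants, and users holding SSH authorized keys. The file contents, account names and the expected-account and admin-group lists are constructed placeholders.

```python
# Added example (not product code): review a Unix host for pre-existing administrative
# access before bringing it under management. Inputs are the text of /etc/passwd,
# /etc/group, /etc/sudoers and per-user authorized_keys files; all samples are constructed.
ADMIN_GROUPS = {"wheel", "sudo", "root"}  # assumed administrative groups for this host

def uid0_accounts(passwd_text, expected=("root",)):
    # Any UID-0 login other than the expected ones is a non-standard administrative account.
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] not in expected:
            found.append(parts[0])
    return found

def admin_group_members(group_text):
    # Map each administrative group to its explicitly listed (supplementary) members.
    members = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in ADMIN_GROUPS and parts[3]:
            members[parts[0]] = parts[3].split(",")
    return members

def sudo_grants(sudoers_text):
    # Return the user or %group named in each sudoers rule, skipping comments, Defaults and aliases.
    grants = []
    skip = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(skip):
            continue
        grants.append(line.split()[0])
    return grants

def authorized_key_count(authorized_keys_by_user):
    # Count active (non-comment) keys per user; each one is remote access outside the product.
    counts = {}
    for user, text in authorized_keys_by_user.items():
        keys = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
        if keys:
            counts[user] = len(keys)
    return counts

# Constructed sample files
PASSWD = "root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/sh\nneild:x:1001:1001::/home/neild:/bin/bash\n"
GROUP = "root:x:0:\nwheel:x:10:neild,oldadmin\nusers:x:100:\n"
SUDOERS = "# comment\nDefaults env_reset\nroot ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\noldadmin ALL=(ALL) NOPASSWD: ALL\n"
AUTHORIZED_KEYS = {"root": "ssh-ed25519 AAAAexamplekey backup@host\n# retired key\n", "neild": "# none\n"}

if __name__ == "__main__":
    print(uid0_accounts(PASSWD), admin_group_members(GROUP), sudo_grants(SUDOERS), authorized_key_count(AUTHORIZED_KEYS))
```

Each reported item is a candidate for restriction or removal before the host is added as a target system, with the expected-account and admin-group lists adjusted to the organization's standards.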