About managed groups
On almost every system, users’ access privileges are determined by their membership in groups. These groups may have different names on different types of systems, for example, roles, activity groups, or job codes. In all cases, groups are collections of user rights that have a name and are assigned to one or more users as a unit.
Email distribution groups, such as those on Microsoft’s Active Directory, can also be managed by Bravura Security Fabric.
Some target systems support the concept of group owners. A group owner is a user who is responsible for the management of a group and who can directly modify the list of group members and (possibly) group owners. For example, Active Directory supports group owners but refers to owners as “managers”.
To determine whether a particular target system supports group management operations, refer to the Connector Pack Documentation.
Managed vs. unmanaged groups
A managed group is a group of accounts defined on a target system, such as AD or LDAP, whose membership is monitored and managed in Bravura Security Fabric. On some target systems, this can include groups inside groups. An unmanaged group is simply a group whose membership is not monitored and managed in Bravura Security Fabric.
During auto discovery, Bravura Security Fabric lists all available groups from supported target systems, then loads the group information into its database. By default, Bravura Security Fabric only lists group membership for managed groups. This option can be modified on the Target system information page.
When a group is managed:
Users can submit requests to join or leave the group.
The group can be included in roles, so that when a requester selects a role, the request automatically includes group membership.
Group owners and authorizers can manage membership and ownership.
The group can be included in segregation of duties (SoD) rules so that users’ membership can be examined when identifying possible access conflicts.
The group can be included in certification campaigns so that users’ memberships can be reviewed.
The group’s membership can be used to segment users into user classes.
Nested groups
Some target systems support the concept of a nested group. A nested group is a group that is a member of another group. For example, in Active Directory you can add a group as a member of another group. The nested group then inherits the rights of the parent group.
Bravura Security Fabric also calls these groups parent groups and child groups. If an account is a member of a child group, it has what is called indirect membership in the parent group.
Unless otherwise stated, if the target system supports the concept of nested groups, "group membership" in Bravura Security Fabric refers to both direct and indirect group membership.
Depending on the target system’s options, it is possible to automatically list all the members of a child group if the parent group is managed. However, the child group must be managed before Bravura Security Fabric can control who can have membership.
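The following is an added illustration, not code from Bravura Security Fabric or its documentation, of why "group membership" has to mean direct plus indirect membership once nested groups are in play. It resolves effective membership by walking child groups (stopping safely if two groups nest each other in a cycle) and then evaluates a segregation of duties rule, as described in the managed-group list above, against that effective membership. The group names, accounts and the SoD rule are constructed sample data and the function names are this example's own.

```python
from collections import deque

# Constructed sample directory (hypothetical data, not from any real target system).
# Each group lists its direct account members and its direct child (nested) groups.
GROUPS = {
    "Finance-All":   {"accounts": {"alice"}, "children": {"Finance-AP", "Finance-AR"}},
    "Finance-AP":    {"accounts": {"bob"},   "children": set()},
    # Finance-AR nests Finance-All, which nests Finance-AR again: a membership cycle.
    "Finance-AR":    {"accounts": {"carol"}, "children": {"Finance-All"}},
    "Vendor-Admins": {"accounts": {"bob"},   "children": set()},
}

# Constructed SoD rule: no one should be in both groups of a pair.
SOD_RULES = [("Finance-All", "Vendor-Admins")]


def effective_members(group, groups=GROUPS):
    """Return (direct, indirect) account sets for `group`.

    Direct members are listed on the group itself; indirect members are
    reached through child groups. A `seen` set stops the walk on cycles.
    """
    direct = set(groups[group]["accounts"])
    indirect = set()
    seen = {group}
    queue = deque(groups[group]["children"])
    while queue:
        child = queue.popleft()
        if child in seen:          # already expanded, or a nesting cycle
            continue
        seen.add(child)
        indirect |= groups[child]["accounts"]
        queue.extend(groups[child]["children"])
    return direct, indirect - direct


def members(group, include_indirect=True, groups=GROUPS):
    """Membership as a single set, optionally restricted to direct members only."""
    direct, indirect = effective_members(group, groups)
    return direct | indirect if include_indirect else direct


def sod_conflicts(rules=SOD_RULES, include_indirect=True, groups=GROUPS):
    """Return {account: [(group_a, group_b), ...]} for every account whose
    membership spans both groups of a rule."""
    conflicts = {}
    for a, b in rules:
        overlap = members(a, include_indirect, groups) & members(b, include_indirect, groups)
        for acct in sorted(overlap):
            conflicts.setdefault(acct, []).append((a, b))
    return conflicts


if __name__ == "__main__":
    for name in GROUPS:
        direct, indirect = effective_members(name)
        print(f"{name}: direct={sorted(direct)} indirect={sorted(indirect)}")
    print("SoD conflicts (direct + indirect):", sod_conflicts())
    print("SoD conflicts (direct only):      ", sod_conflicts(include_indirect=False))
```

In the sample data bob is only an indirect member of Finance-All (through Finance-AP), so a check that looks at direct membership alone reports no conflict, while the effective-membership check flags him. The same distinction applies to certification campaigns and user classes built on group membership.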
To view group membership details, including listing direct and indirect members, you can run the groups report. From the main menu click Manage reports > Reports > Roles and groups > Groups.