Using group owners as authorizers
Rather than assigning authorizers manually, you can configure Bravura Security Fabric to automatically add group owners as authorizers. Bravura Security Fabric determines group owners using:
The idtrack utility. This program can detect:
    The group owner. Group owners can be either a single user or a group. If a group owner is a group, and that group is assigned as an authorizer, then all of its members and its child groups' members are added as group authorizers.
    The users added to and removed from the group
    Which accounts were added and deleted
    Which groups have been added and deleted
The network resource management plugin. This plugin determines group owners by examining the group’s configuration on the target system.
The group owners selection plugin. This plugin is used in addition to the resource management plugin. It can:
    Replace the assigned owners.
    Add additional owners.
    Set owners for resources that have no owners assigned.
Before you begin:
Ensure that the Minimum number of authorizers is greater than 0.
Ensure that all potential group owners have email addresses.
Set the Managed group/Network resource target type for the target system on which the group resides.
This setting determines the network resource management plugin to run. See Target system options for details.
To configure Bravura Security Fabric to automatically add group owners as authorizers:
Enable the Automatically add group owners as authorizers checkbox.
Click Manage if the group is not already managed; otherwise, click Update.
Group owner selection using a plugin
Generally, Bravura Security Fabric determines the owners of a particular group by examining the group's configuration on the target system. This is done in real time using a network resource program such as nrcifs.
You can also write a group owner selection plugin to do the following:
Replace the assigned owners returned by nrcifs.
Add additional owners for the user to select.
Set owners for resources that have no owners assigned.
Any owner returned by the plugin must meet the same requirements as an authorizer. If the owner is new, Bravura Security Fabric adds the owner as a static authorizer and maps them to the Bravura Security Fabric object.
Note
Do not specify a user that is already an owner of a group. This will create duplicate owner entries for the group.
Group owners are not necessarily the users who will authorize requests for a group. The IDSYNCH AUTH CRITERIA MOD PLUGIN may be configured to alter the list of authorizers at the time that the Workflow Manager Service processes a request.
To use a group owner selection plugin:
Click Workflow > Options > Plugins.
Type the name of the plugin program or PSLang script in the IDACCESS OWNERS PLUGIN field.
Click Update.
There are no shipped plugins to use with this plugin point. A sample script, idaccessauthmod.psl, is included in the samples\ directory.
Write a custom group owner selection plugin
Requirements
See Writing plugins for general requirements.
Execution points
The plugin is run by the View and update profile (IDR) module when users view resource details or submit requests to modify group memberships in Bravura Security Fabric.
Input
Input passed to the plugin is as follows:
"" "" = {
    "requester" = "<profile ID>"          # The profile ID of the person submitting the request.
    "resourceid" = "<resource ID>"        # The resource ID of the resource being viewed.
    "resourceunc" = "<network path>"      # The UNC network path that the groups are a part of.
    "group" "<long ID of the group>" = {  # 0 or more
        "desc" = "<group desc>"           # Description of the group
        "hassubgroups" = "<true|false>"   # Indicates if the group has members that are groups.
        "member" = "<true|false>"         # Indicates the recipient's current membership status.
        "owners" "" = {                   # Existing owners
            "owner" = "<profile ID>"      # 0 or more
        }
        "perm" "" = {                     # Permissions of the group for the resource selected.
            "read" = "true"               # Present if the group has read permission to the resource.
            "write" = "true"              # Present if the group has write permission to the resource.
        }
    }
    "recipient" "<profile ID>" = {        # The recipient of the request.
        "account" = "<account ID>"        # The account ID that the groups could affect.
    }
}
The following is an example of the input sent to the plugin program:
"" "" = {
    "requester" = "CLARKDAV"
    "resourceid" = "PUB"
    "resourceunc" = "\\\\ADSRV1\\PUB\\LEGAL"
    "group" "CN=Management,OU=Groups,OU=IDM,DC=example,DC=local" = {
        "desc" = ""
        "hassubgroups" = "true"
        "member" = "false"
        "owners" "" = {
            "owner" = "BanksH"
        }
        "perm" "" = {
            "read" = "true"
        }
    }
    "group" "CN=Sales,OU=Groups,OU=IDM,DC=example,DC=local" = {
        "desc" = ""
        "hassubgroups" = "false"
        "member" = "false"
        "owners" "" = {
        }
        "perm" "" = {
            "read" = "true"
        }
    }
    "recipient" "CLARKDAV" = {
        "account" = "ClarkDav"
    }
}
Output
Apart from the extra or replacement owners, the output should mirror the input to the plugin. Only the owners KVGroup of each group is taken from the plugin output; the other fields are ignored.
Output passed from the plugin is as follows:
"" "" = {
    "errmsg" = "<message>"                # Error message returned by the plugin
    "retval" = "0"                        # Mandatory; zero is success and non-zero is failure.
    "group" "<long ID of the group>" = {  # A group for each one sent on input.
        "desc" = "<group desc>"           # Description of the group
        "hassubgroups" = "<true|false>"   # Indicates if the group has members that are groups.
        "member" = "<true|false>"         # Indicates the recipient's current membership status.
        "owners" "" = {                   # KVGroup that overrides the list of owners for the group
            "owner" = "<profile ID>"      # Each owner is listed once.
        }
        "perm" "" = {                     # Permissions of the group for the resource selected.
            "read" = "true"               # Present if the group has read permission to the resource.
            "write" = "true"              # Present if the group has write permission to the resource.
        }
    }
}
The following is an example of the expected output:
"" "" = {
    "errmsg" = ""
    "retval" = "0"                        # Success
    "group" "CN=Management,OU=Groups,OU=IDM,DC=example,DC=local" = {
        "desc" = ""
        "hassubgroups" = "true"
        "member" = "false"
        "owners" "" = {
            "owner" = "BanksH"
            "owner" = "SMITHBO"
        }
        "perm" "" = {
            "read" = "true"
        }
    }
    "group" "CN=Sales,OU=Groups,OU=IDM,DC=example,DC=local" = {
        "desc" = ""
        "hassubgroups" = "false"
        "member" = "false"
        "owners" "" = {
            "owner" = "SMITHBO"
        }
        "perm" "" = {
            "read" = "true"
        }
    }
}
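The following is an added example, not part of this documentation and not a plugin shipped with Bravura Security Fabric: a Python plugin program that parses the KVGroup input described above, fills only the groups whose owners KVGroup is empty with a fallback owner (so existing owners are never duplicated), and builds the mirrored output with errmsg and retval. The tokenizer, the fallback owner name and the sample input are assumptions; how the program is wired to stdin/stdout is not shown.

```python
import re
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}=])|#[^\n]*|\s+')  # string, { } =, comment, blank
def tokenize(text):
    # Keep ('str', raw) for quoted strings and ('punct', c) for { } =; drop comments/whitespace.
    return [('str', m.group(1)) if m.group(1) is not None else ('punct', m.group(2))
            for m in TOKEN.finditer(text) if m.group(1) is not None or m.group(2)]
def parse(toks, pos=0):
    # Entry = (key, subkey or None, value); value is a string or a nested list of entries.
    entries = []
    while pos < len(toks) and toks[pos] != ('punct', '}'):
        key, pos = toks[pos][1], pos + 1
        sub = toks[pos][1] if toks[pos][0] == 'str' else None   # "key" "subkey" = { ... }
        pos += 1 if sub is not None else 0
        if toks[pos] != ('punct', '='):
            raise ValueError('expected "=" at token %d' % pos)
        if toks[pos + 1] == ('punct', '{'):
            val, pos = parse(toks, pos + 2)
            pos += 1                                     # consume the matching '}'
        else:
            val, pos = toks[pos + 1][1], pos + 2
        entries.append((key, sub, val))
    return entries, pos
def dump(entries, depth=0):
    # Serialise a tree back to KVGroup text lines (the plugin's output format).
    lines = []
    for key, sub, val in entries:
        head = '    ' * depth + '"%s"' % key + ('' if sub is None else ' "%s"' % sub)
        lines += ([head + ' = {'] + dump(val, depth + 1) + ['    ' * depth + '}']
                  if isinstance(val, list) else [head + ' = "%s"' % val])
    return lines
def select_owners(input_text, fallback_owner):
    # Mirror every input group; only an empty "owners" KVGroup is filled, so no duplicates.
    top = parse(tokenize(input_text))[0][0][2]
    out = [('errmsg', None, ''), ('retval', None, '0')]
    for key, gid, fields in top:
        if key == 'group':
            out.append((key, gid, [(k, s, [('owner', None, fallback_owner)]
                                    if k == 'owners' and v == [] else v) for k, s, v in fields]))
    return [('', '', out)]
def owners_of(tree, gid):
    # Owner IDs of group gid in a parsed or built tree (for checking results).
    return [o for k, s, f in tree[0][2] if k == 'group' and s == gid
            for k2, _, v in f if k2 == 'owners' for _, _, o in v]
SAMPLE_INPUT = r'''"" "" = { "requester" = "CLARKDAV" "resourceid" = "PUB" "resourceunc" = "\\\\ADSRV1\\PUB"
"group" "CN=Management,OU=Groups,DC=example,DC=local" = { "desc" = "" "hassubgroups" = "true"
  "member" = "false" "owners" "" = { "owner" = "BanksH" } "perm" "" = { "read" = "true" } }
"group" "CN=Sales,OU=Groups,DC=example,DC=local" = { "desc" = "" "hassubgroups" = "false"
  "member" = "false" "owners" "" = { } "perm" "" = { "read" = "true" } }
"recipient" "CLARKDAV" = { "account" = "ClarkDav" } }'''   # constructed sample, modelled on the page
```

Calling `select_owners(SAMPLE_INPUT, 'FALLBACK')` leaves Management with BanksH and gives Sales the fallback owner; `'\n'.join(dump(...))` renders the result in the output format shown above.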