
Handling out-of-band changes

Out-of-band changes happen when a user or a group is added to or deleted from a managed group outside of Bravura Security Fabric. Tracking changes to group membership allows Bravura Security Fabric to monitor managed groups for out-of-band additions or deletions, then automatically submit a request to undo or redo the change via the workflow system.

When out-of-band settings are first configured, users or groups who are already managed group members are not detected as out-of-band additions.

To act on out-of-band changes to group membership in a managed group:

  1. Navigate to the Managed group information page for the group.

  2. Enable the Track changes checkbox.

  3. From the drop-down list, select an action to:

    • Detect out-of-band additions and automatically generate a workflow request

    • Detect out-of-band deletions and automatically generate a workflow request

    The default behavior is to take no action. Bravura Security Fabric can either submit a request to undo the change, or undo the change then submit a request to redo the change via the Bravura Security Fabric workflow system.

  4. Click Update.

  5. Configure group-level authorization.

  6. Click Manage the system > Workflow > Options > Automation.

  7. Type a profile ID for the OOB REQ GROUP JOIN REQUESTER and OOB REQ GROUP LEAVE REQUESTER.

    This will be the ID of the requester on all automatically-submitted requests to add or remove users or groups from managed groups.

  8. Optional: Configure event actions for out-of-band changes to managed groups. See Workflow automation events for details.

  9. Run auto discovery.

When auto discovery is finished, configuration is complete. From then on, any out-of-band changes made to group membership are detected the next time auto discovery is run. When an out-of-band addition to the group is detected:

  • A request is generated for the out-of-band user or group to join or leave the group. This request is sent to the group authorizer.

  • An email is sent to the recipient (out-of-band user).

  • An email is sent to the group authorizer.

The content of these email messages can be customized using the following tags:

  • EM_WORKFLOW_REQ_INITIAL_AUTHORIZER_NEEDAUTHOOB_CONTENT_PRIMARY – This is the email body that is sent to the group authorizer when a request is generated to add or remove the out-of-band user or group.

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_ADD_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_ADDBACK_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_DEL_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_DELBACK_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_ADD_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_ADDBACK_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_DEL_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_DELBACK_NOTICE
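
The following Python model is an added illustration of the tracking behavior described in the procedure above; it is not Bravura Security Fabric code. It shows why members present at the first discovery are not flagged and how the two action choices differ in the request they produce. All names are hypothetical, and it assumes join requests use the OOB REQ GROUP JOIN REQUESTER ID, leave requests use the OOB REQ GROUP LEAVE REQUESTER ID, and each change is reported once.

```python
# Conceptual model only: NOT Bravura Security Fabric code; all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

NO_ACTION = "none"                       # default: take no action
REQUEST_UNDO = "request_undo"            # keep the change, request that it be undone
UNDO_REQUEST_REDO = "undo_request_redo"  # revert the change, request that it be redone


@dataclass
class ManagedGroup:
    name: str
    on_add: str = NO_ACTION
    on_delete: str = NO_ACTION
    known: Optional[set] = None  # None until the first discovery with tracking enabled


def discover(group, discovered, requesters):
    """Run one discovery pass; return the workflow requests for OOB changes.

    requesters maps "JOIN"/"LEAVE" to the profile IDs set for
    OOB REQ GROUP JOIN REQUESTER / OOB REQ GROUP LEAVE REQUESTER.
    """
    discovered = set(discovered)
    if group.known is None:
        group.known = discovered  # existing members become the baseline, not OOB adds
        return []
    requests, baseline = [], set(discovered)
    changes = (("add", discovered - group.known, group.on_add, "LEAVE", "JOIN"),
               ("delete", group.known - discovered, group.on_delete, "JOIN", "LEAVE"))
    for change, members, action, undo_op, redo_op in changes:
        if action == NO_ACTION:
            continue
        reverted = action == UNDO_REQUEST_REDO
        if reverted:
            # Assumption: a reverted change leaves the baseline at its old state.
            baseline = baseline - members if change == "add" else baseline | members
        op = redo_op if reverted else undo_op
        for member in sorted(members):
            requests.append({"group": group.name, "member": member,
                             "oob_change": change, "reverted_first": reverted,
                             "request": op, "requester": requesters[op]})
    group.known = baseline
    return requests


# Constructed sample data.
REQUESTERS = {"JOIN": "oob-join-svc", "LEAVE": "oob-leave-svc"}
```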
