Configuring automatic group assignment

The automatic assignment engine can automatically add users that are members of a user class to a managed group.

Note

You cannot enable role enforcement and automatic assignment at the same time for managed groups.

To set automatic assignment options for managed groups:

  1. Navigate to the Managed group information page.

  2. Select the Assignment tab.

  3. Select or create a user class to define membership criteria.

  4. Click Recalculate to calculate the membership cache.

    In a replicated environment, cache recalculation can only be performed on the instance that runs psupdate.

  5. Select the Enabled checkbox.

    Additional options are displayed.

  6. Set options described in the table below to suit your needs.

  7. Click Update.

Table 1. Group assignment options

| Option | Description |
|---|---|
| Automatically add users that satisfy the membership criteria | Select this to allow the automatic assignment program, autores, to add users that have membership in the specified user class to the managed group during auto discovery. |
| Automatically remove users that no longer satisfy the membership criteria | Select this to allow the automatic assignment program, autores, to remove users that do not have membership in the specified user class from the managed group during auto discovery. |
| Automatically remove child groups | Select this if you want to remove all child groups from the managed group. Child groups do not have to be managed in order for them to be removed. You may want to enable this option if you would like Bravura Security Fabric to have complete control over who has the rights and privileges of the managed group. Users who have membership in the child groups inherit the rights and privileges of the parent group, but the automatic assignment program, autores, has no control over child group memberships. |
| Ignore submission limit during auto discovery | Select this if you want this automatic assignment to exceed the maximum allowed number of request submissions. This setting overrides the global submission limit set by AUTO ASSIGNMENT MAXSUBMIT DEFAULT (Manage the system > Workflow > Options > Automation). |
| Submit no requests if there are more than this many operations detected in a single run | Set a limit if you do not want autores to submit any requests if too many variances are detected. If this happens, Bravura Security Fabric sends an email to product administrators. |



Generating an assignment deficit or surplus report

To generate a simple report of users that have a deficit or surplus for a managed group assignment, click the Deficit or Surplus sub-tabs. Bravura Security Fabric does not issue requests when you run this report. You can search for users that may be in deficit or surplus on these pages.

Only direct group memberships are counted when calculating deficits and surpluses.

To see a more detailed report, run the Auto-assignment surplus and deficit report.

To issue the requests, run the autores program.
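The deficit and surplus calculation and the run limit described above can be modelled offline, for example to cross-check an exported membership list before enabling automatic assignment. This is an added example, not Bravura Security Fabric code; the function names, option fields, sample users and the choice to count planned add and remove operations against the limit are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Options:  # hypothetical field names mirroring Table 1
    add_missing: bool = True              # "Automatically add users that satisfy ..."
    remove_extra: bool = True             # "Automatically remove users that no longer satisfy ..."
    max_operations: Optional[int] = None  # "Submit no requests if there are more than this many ..."

def variances(class_members, direct_members):
    """Deficit: in the user class but not a direct member. Surplus: the reverse."""
    deficit = sorted(set(class_members) - set(direct_members))
    surplus = sorted(set(direct_members) - set(class_members))
    return deficit, surplus

def plan_run(class_members, direct_members, opts):
    """Return (requests, alert). Assumption: the limit counts planned operations."""
    deficit, surplus = variances(class_members, direct_members)
    requests = []
    if opts.add_missing:
        requests += [("add", user) for user in deficit]
    if opts.remove_extra:
        requests += [("remove", user) for user in surplus]
    if opts.max_operations is not None and len(requests) > opts.max_operations:
        return [], True  # submit nothing; product administrators are notified
    return requests, False

def inherited_outside_class(class_members, direct_members, child_groups):
    """Users who hold the group's rights only through a child group and are not
    in the user class. Deficit and surplus count direct memberships only, so
    these users never appear in either list."""
    via_child = set().union(*child_groups.values())
    return sorted(via_child - set(direct_members) - set(class_members))

# Constructed sample data (not from a real system)
CLASS = {"alice", "bob", "carol"}               # users matching the user class
DIRECT = {"bob", "dave"}                        # direct members of the managed group
CHILDREN = {"contractors": {"alice", "erin"}}   # child group -> its members

if __name__ == "__main__":
    print(variances(CLASS, DIRECT))
    print(plan_run(CLASS, DIRECT, Options(max_operations=2)))
    print(inherited_outside_class(CLASS, DIRECT, CHILDREN))
```

In the sample data, erin keeps the group's privileges through the child group without appearing as a surplus, which is the gap the Automatically remove child groups option closes.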

Remove orphaned group memberships

To allow for greater control of group memberships you may also want to remove orphaned accounts from the group. An orphaned group account is an account that is currently not associated to an existing profile.

To configure the automatic removal of orphaned accounts:

  1. Click Manage the system > Workflow > Options > Automation.

  2. Enable AUTO ASSIGNMENT GROUP DELETE ORPHAN ACCOUNT.

  3. Type the name of a valid profile ID in the AUTO ASSIGNMENT GROUP DELETE ORPHAN ACCOUNT RECIPIENT field.

  4. Click Update.

During the scheduled psupdate job, requests will be generated to remove orphaned accounts discovered.

Testing user classes

You can verify that the user class defined will produce the correct list of users that will be automatically assigned this resource.

To test the user class defined:

  1. Navigate to the Assignment page General tab.

  2. Click the Test... button.

  3. Type the User ID of the user to evaluate, then click Test.

    The Test button evaluates all criteria defined for the user class, not just the criteria selected.

Bravura Security Fabric displays the test results, specifying whether the user satisfied the criteria for the user class.

To list members of the user class:

  1. Navigate to the Assignment page General tab.

  2. Click the Test... button.

  3. Click List.

    The list of members is displayed. If no members are listed, then there are no users matching the criteria for the specified participant.