
Configuring role enforcement

The role enforcement engine can identify users who have excessive or insufficient access, and issue workflow requests to correct variances. Global RBAC enforcement options must also be set before settings for individual roles can take effect.

To set RBAC enforcement options for roles:

  1. Navigate to the Role information page.

  2. Select the Role enforcement tab.

  3. Select the Enabled checkbox.

    Bravura Security Fabric displays the resolution settings. The system default is displayed as the “Effective setting”.

    Role enforcement is enabled by default for roles, which allows users to request any role entitlements they are missing. To have users request an exception instead, disable role enforcement or change the Resolution for deficit violation.

  4. If required, select a setting for the Resolution for deficit violation of role members, to determine what action Bravura Security Fabric takes when it discovers users with the role who do not have access to all member resources:

    • Add resource

    • Request exception

    • Inherit enforcement from entitlement

    The ‘Inherit enforcement from entitlement’ setting will cause an error if any of the member entitlements are set with ‘Use parent role setting’.

  5. Click Update.
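
The following is an added conceptual model of the deficit resolution settings in step 4, not Bravura Security Fabric code or its API. It shows how a role-level setting and per-entitlement settings combine for a user missing member resources, and why ‘Inherit enforcement from entitlement’ fails when a member entitlement is set to ‘Use parent role setting’. The function names, the data shapes, the sample entitlement names and the assumption that entitlements can carry ‘Add resource’ or ‘Request exception’ themselves are all hypothetical.

```python
from enum import Enum

class Resolution(Enum):
    # Role-level "Resolution for deficit violation" values listed in step 4.
    ADD_RESOURCE = "Add resource"
    REQUEST_EXCEPTION = "Request exception"
    INHERIT = "Inherit enforcement from entitlement"

# Entitlement-level value named on the page; it defers the decision to the role.
USE_PARENT = "Use parent role setting"

class EnforcementConfigError(ValueError):
    """Role and entitlement settings defer to each other, so nothing decides."""

def validate(role_resolution, members):
    """members maps entitlement name -> entitlement-level setting (assumed shape)."""
    if role_resolution is Resolution.INHERIT:
        # The check covers every member entitlement, not only the missing ones.
        deferring = sorted(e for e, s in members.items() if s == USE_PARENT)
        if deferring:
            raise EnforcementConfigError(
                "role inherits from entitlements, but these defer to the role: "
                + ", ".join(deferring))

def plan_deficit_resolution(role_resolution, members, user_entitlements):
    """Return {missing entitlement: action} for one user who holds the role."""
    validate(role_resolution, members)
    missing = sorted(set(members) - set(user_entitlements))
    plan = {}
    for ent in missing:
        if role_resolution is Resolution.INHERIT:
            plan[ent] = members[ent]            # entitlement's own setting decides
        else:
            plan[ent] = role_resolution.value   # role-level setting decides
    return plan

# Constructed sample data, not taken from any product instance.
SAMPLE_MEMBERS = {"AD:Finance-RW": USE_PARENT, "SAP:FI-Clerk": "Request exception"}

if __name__ == "__main__":
    held = {"AD:Finance-RW"}  # the user is missing SAP:FI-Clerk
    print(plan_deficit_resolution(Resolution.ADD_RESOURCE, SAMPLE_MEMBERS, held))
    try:
        plan_deficit_resolution(Resolution.INHERIT, SAMPLE_MEMBERS, held)
    except EnforcementConfigError as err:
        print("configuration error:", err)
```
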

Generating a profile statistics report

To generate a simple report of users who have a deficit violation for this role, click Generate. Bravura Security Fabric does not issue violation enforcement requests when you run this report. To see a more detailed report, see the Reports. To list violations and issue enforcement requests, run auto discovery or use the rbacenforce program.

Testing users

To determine whether an individual user has a deficit violation, type the user’s Profile ID and click Test. The user’s RBAC enforcement profile and request attribute must be set to true. Bravura Security Fabric lists:

  • Number of enforced user roles in deficit

  • Number of enforced user roles in deficit with an approved exception

  • Number of enforced user roles in deficit with a request to resolve

  • Number of unenforced user roles in deficit

  • Overall deficits