
Product administrators

The tasks that product administrators can perform depend on their administrative privileges.

These privileges control access to the administrative web modules and the Bravura Security Fabric API. Product administrators may or may not have an account on a target system.

Topics in this section show you how to add product administrators using the:

Product administrator types

Product administrators are categorized into the following subtypes:

Console-only user

These product administrators:

  • Do not have any accounts on target systems.

  • Have access to the Manage the system (PSA) module and/or the reports menu.

  • Have administrative privileges that determine which parts of the PSA they can access. If they are granted all administrative privileges, they become superusers.

  • Do not have access to self-service or help desk modules.

Superuser

These product administrators:

  • Are product administrators with all administrative privileges enabled.

  • Have full access to all Bravura Security Fabric administrative functions.

The user that you created during installation (named superuser by default) is a superuser.

Superuser does not hold the administrative privileges needed to call the API. Those privileges are assigned explicitly to IDAPI caller product administrators.

Console user with help desk/self-service access

These product administrators:

  • Have at least one account on a target system.

  • Can access the self-service and help desk modules, as determined by the user access rules for their user class.

  • Can access the administrative consoles, as determined by their administrative privileges. Privileges are granted if:

    • They are an administrator (Manage the system > Security > Access to product features > Individual administrators).

    • They are part of an administrator group (Manage the system > Security > Access to product features > Administrator groups).

  • Do not have all administrative privileges.

    If they are granted all administrative privileges, they become superusers and lose access to the self-service and Help users (IDA) modules.

Report reader/creator

These product administrators:

  • Can access the Manage reports (RPT) module to read reports.

  • May be able to create and schedule reports.

  • May also be self-service users.

IDAPI caller

A product administrator who holds one or more of the administrative privileges IDAPI caller, OTP IDAPI caller, and Guacamole IDAPI caller, which allow it to connect to the Bravura Security Fabric API. This product administrator cannot have any other administrative privileges.

Bravura Security Fabric includes these built-in users:

  • _API_USER – An IDAPI caller that is shipped with Bravura Security Fabric. To run an API call that requires extra privileges, add _API_USER to a user class. For example, add _API_USER to the _REPORT_READERS user class to run the run report API.

    This IDAPI caller must be assigned a password before it can be used for remote connections. By default, however, shared memory connections to the API do not require a password for _API_USER. If _API_USER is left without a password for that reason, create a separate administrator with the IDAPI caller privilege specifically for remote connections and add it to the _EXPLICIT_API_USERS_ user class.

    For request workflow, including automated administration, do not use the default _API_USER; create dedicated administrators with appropriate privileges instead.

  • _API_USER_TPM – An IDAPI caller that is used to provide API access for Phone Password Manager. This IDAPI caller is disabled by default and must be assigned a password and enabled before it can be used.

  • _API_USER_GUACAMOLE – An IDAPI caller that is used to provide API access for Guacamole. This IDAPI caller must be assigned a password before it can be used.

Anonymous user

Bravura Security Fabric includes the built-in _IDMSUITE_USER_ANONYMOUS user, which provides anonymous API access to Ajax plugin endpoints defined in the hid_ajax_routing table. This user is disabled by default.

When this caller is enabled, any Ajax plugin endpoint defined in the hid_ajax_routing table with Authenticated = false automatically logs in as _IDMSUITE_USER_ANONYMOUS and can be called without a session.

The allowed network addresses (CIDR) configured for the anonymous user are still enforced for these calls. The client address is read from the X-Forwarded-For header only when the TRUSTED_REVERSE_PROXY variable is enabled; when it is disabled, the connecting address is used.

Defining product administrators from the web interface

Individual product administrator privileges can be assigned by navigating to Manage the system > Security > Access to product features > Individual administrators.

Product administrators can also be assigned privileges through an administrator group (Manage the system > Security > Access to product features > Administrator groups). An administrator group grants its privileges to users based on their user class membership.

You cannot grant any administrative privileges that you do not have.

Individual administrators

To define a product administrator:

  1. Click Manage the system > Security > Access to product features > Individual administrators.

  2. Click Add new… .

  3. In the ID field, do one of the following:

    • Search for, or type the profile ID of an existing user.

      This allows you to grant administrative privileges to a user who may also have access to self-service and help desk menus (depending on user access rules).

    • Type a new profile ID to create a new Bravura Security Fabric user who only performs administrative tasks (console-only access).

      Users created this way are not mapped to accounts on target systems, and cannot access the self-service or help desk menus.

  4. Optional: type the user’s full name in the Name field.

    If the user is an existing user whose full name is stored in Bravura Security Fabric, you do not need to type a full name. The Name value is populated automatically after you submit the form.

  5. Type the product administrator's password in the Password and Confirm password fields if you want the user to authenticate using a password stored in Bravura Security Fabric.

    This is only required if the user is not an account-holder; that is, if you are creating a console-only user.

  6. Enable the Password never expires checkbox if you do not want the product administrator's password to expire.

    This option applies only to product administrators whose passwords are stored in the Bravura Security Fabric database. It overrides the ADMIN PASSWORD EXPIRE setting, which you can set by clicking Manage the system > Policies > Options.

  7. Assign Allowed privileges by choosing:

    • All privileges to give the user the same access rights as the superuser you created during setup.

    • Selected privileges if you want the user to retain any access to self-service or help desk menus.

    Caution

    If you grant all administrative privileges to an existing user, they lose access to the self-service modules and the Help users (IDA) module.

    You cannot grant any administrative privileges that you do not have.

    The IDAPI caller privilege cannot be combined with any other privileges.

  8. If the IDAPI caller, OTP IDAPI caller, or Guacamole IDAPI caller privilege is selected, you must configure the Allowed network addresses for remote API access field. This specifies the IP addresses from which the product administrator is allowed to connect to the Bravura Security Fabric API.

    If Bravura Security Fabric is behind a reverse proxy, you can get the original Client IP from HTTP header X-Forwarded-For by enabling the system variable TRUSTED REVERSE PROXY.

    This field uses Classless Inter-Domain Routing (CIDR).

  9. If the OTP IDAPI caller privilege is selected, you can configure the Number of hours between password randomizations field. By default, the OTP user’s password will randomize on every login.

  10. Click Add at the bottom of the form.
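The address rules in step 8 (and the same rules for the anonymous user, described earlier) are easy to get wrong behind a proxy, because any client can write its own X-Forwarded-For header. The following Python is an added example, not Bravura Security Fabric code; the function names, the allow list and the sample requests are constructed for illustration. It honours X-Forwarded-For only when the trusted-reverse-proxy setting is on, takes the entry appended by the proxy rather than the client-supplied leftmost one, and treats an address that does not parse, or a malformed allow-list entry, as a deny.

```python
import ipaddress
from typing import Iterable, Mapping

# Added illustration of the client-address and CIDR rules this page describes for
# IDAPI callers and the anonymous user. This is NOT Bravura Security Fabric code;
# the function names and the sample requests below are constructed for the example.

XFF = "x-forwarded-for"


def client_ip(remote_addr: str, headers: Mapping[str, str], trusted_reverse_proxy: bool) -> str:
    """Return the address that the CIDR allow list is checked against.

    X-Forwarded-For is honoured only when the service is configured as sitting behind
    a trusted reverse proxy. Clients can put anything in that header, so the value the
    trusted proxy appends (the rightmost entry) is used, not the leftmost one.
    """
    if not trusted_reverse_proxy:
        return remote_addr
    for name, value in headers.items():
        if name.lower() == XFF and value.strip():
            return value.split(",")[-1].strip()
    # Behind a trusted proxy but no header present: fall back to the peer address.
    return remote_addr


def ip_allowed(ip: str, allowed_cidrs: Iterable[str]) -> bool:
    """True if ip falls inside at least one allowed CIDR block; unparsable input is denied."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for cidr in allowed_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # a malformed allow-list entry never grants access
        if addr.version == net.version and addr in net:
            return True
    return False


def authorize_api_login(remote_addr: str, headers: Mapping[str, str],
                        allowed_cidrs: Iterable[str], trusted_reverse_proxy: bool) -> tuple:
    """Resolve the client address and decide whether the API login may proceed."""
    ip = client_ip(remote_addr, headers, trusted_reverse_proxy)
    return ip, ip_allowed(ip, allowed_cidrs)


if __name__ == "__main__":
    allow = ["203.0.113.0/24"]  # constructed allow list for an IDAPI caller
    # Direct connection, proxy setting off: the client-supplied header is ignored.
    print(authorize_api_login("198.51.100.7", {"X-Forwarded-For": "203.0.113.9"}, allow, False))
    # Behind a trusted proxy: the rightmost XFF entry (appended by the proxy) is used.
    print(authorize_api_login("10.0.0.2", {"X-Forwarded-For": "192.0.2.1, 203.0.113.9"}, allow, True))
```

Note the trust boundary this depends on: when the proxy setting is on, the service must be reachable only through that proxy. A client that can connect directly can forge the header the code trusts.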

Administrator groups

To define an Administrator group:

  1. Click Manage the system > Security > Access to product features > Administrator groups.

  2. Click Add new… .

  3. Type an ID and Description for the new Administrator group.

  4. Assign Allowed privileges by choosing:

    • All to give the group the same administrative privileges as the superuser you created during setup.

    • Selected privileges if you want users in the group to retain any access to self-service or help desk menus.

    You cannot modify any privileges that you do not have.

  5. Click Add at the bottom of the form.

    Bravura Security Fabric displays the Administrator group information page.

  6. Click the Membership criteria tab to select or create user classes that define group membership.

  7. Define group membership criteria by:

    • Selecting existing user classes:

      1. Click Select… .

      2. If required, click the edit icon next to any user class that needs to be modified before you select it.

      3. Enable the checkboxes for the user classes you want to select as membership criteria, then click Select.

    • Creating a new user class:

      • Click Create a new user class (the plus icon).

      See Adding user classes for details on how to create a new user class.

  8. If you have selected multiple user classes, select whether the participants are required to match All of the user classes or Any of the user classes . The default setting is All of the user classes .

Once you have finished defining membership criteria, you can click the Test tab to test membership of individual product administrators or List members.

Membership of non-built-in user classes can be cached to improve performance. There are options to recalculate or invalidate the cache on the user class configuration page.

Note

In a replicated environment, cache recalculation can only be performed on the instance which runs psupdate.
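The rules spread across the two procedures above (a grantor cannot give privileges it does not hold, IDAPI caller rights cannot be combined with other rights on an individual administrator, all privileges makes a superuser who loses self-service, and group privileges apply through All or Any of the selected user classes) are what Show effective privileges resolves. The following Python is an added model of those rules, not Bravura Security Fabric code. The keywords are the internal keywords from the Administrative privileges table, but only a subset is listed, which is an assumption for the model; the grant check is applied to console rights only, also an assumption, since the page shows superuser assigning IDAPI caller rights it does not itself hold.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping, Set

# Added model of the privilege rules on this page (individual grants, administrator
# groups matched by user class, superuser, and the IDAPI caller restriction). This is
# NOT Bravura Security Fabric code. The keywords are the internal keywords from the
# Administrative privileges table; only a subset is listed, as an assumption for the model.
CONSOLE_PRIVILEGES = frozenset({
    "resource", "policy", "mngnotifs", "workflow", "module", "maintain",
    "runreport", "security", "console", "mngacl", "replication", "viewhost",
})
# Remote API rights. On an individual administrator they cannot be combined with
# any other right; additional rights can only come through administrator groups.
API_CALLER_PRIVILEGES = frozenset({"apicaller", "otpcaller", "guacamolecaller"})


class GrantError(ValueError):
    """Raised when a grant violates one of the rules described on this page."""


@dataclass(frozen=True)
class AdminGroup:
    privileges: frozenset
    user_classes: tuple            # membership criteria
    match: str = "all"             # "all" (the default) or "any" of the user classes

    def matches(self, memberships: Set[str]) -> bool:
        hits = [uc in memberships for uc in self.user_classes]
        if not hits:
            return False           # a group with no criteria has no members
        return all(hits) if self.match == "all" else any(hits)


def validate_individual_grant(grantor_id: str, grantor_privs: Iterable[str],
                              target_id: str, requested: Iterable[str]) -> frozenset:
    """Check a grant the way the Individual administrators form is described to."""
    grantor_privs, requested = frozenset(grantor_privs), frozenset(requested)
    if grantor_id == target_id:
        raise GrantError("a product administrator cannot manage their own rights")
    if requested & API_CALLER_PRIVILEGES and requested - API_CALLER_PRIVILEGES:
        raise GrantError("IDAPI caller rights cannot be combined with other rights")
    # "You cannot grant any administrative privileges that you do not have", applied to
    # console rights only (assumption: the page shows superuser assigning IDAPI caller
    # rights although superuser does not itself hold them).
    missing = (requested - API_CALLER_PRIVILEGES) - grantor_privs
    if missing:
        raise GrantError(f"cannot grant privileges you do not hold: {sorted(missing)}")
    return requested


def effective_privileges(individual: Iterable[str], groups: Mapping[str, AdminGroup],
                         memberships: Set[str]) -> frozenset:
    """What Show effective privileges reports: individual grants plus every matching group."""
    privs = set(individual)
    for group in groups.values():
        if group.matches(memberships):
            privs |= group.privileges
    return frozenset(privs)


def is_superuser(privs: Iterable[str]) -> bool:
    """All administrative (console) privileges enabled."""
    return CONSOLE_PRIVILEGES <= frozenset(privs)


def has_self_service_access(privs: Iterable[str], has_target_account: bool) -> bool:
    """Console-only users and superusers do not get the self-service or help desk modules."""
    return has_target_account and not is_superuser(privs)


if __name__ == "__main__":
    groups = {"REPORT_READERS": AdminGroup(frozenset({"runreport"}), ("_REPORT_READERS_",))}
    # superuser creates the console-only admin1 with all privileges (first page example)
    admin1 = validate_individual_grant("superuser", CONSOLE_PRIVILEGES, "admin1", CONSOLE_PRIVILEGES)
    print("admin1 superuser:", is_superuser(admin1), "self-service:", has_self_service_access(admin1, False))
    # an auditor gets Manage reports only through the group (second page example)
    auditor = effective_privileges((), groups, {"_REPORT_READERS_"})
    print("auditor:", sorted(auditor), "self-service:", has_self_service_access(auditor, True))
```

Running the demo reproduces the outcomes of the two worked examples later on this page: admin1 ends up with every console privilege and no self-service access, while the auditor holds only Manage reports and keeps self-service because the account is mapped to a target system.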

Example: Create a console-only product administrator

This example shows you how to create a product administrator who has limited access to product features. This will create a profile ID with a password that is verified against the Bravura Security Fabric database only; the user will not have an account on a target system. For a detailed procedure see Defining product administrators from the web interface.


To create a console-only product administrator:

  1. Log in to the Bravura Security Fabric Front-end (PSF) as superuser.

  2. Click Manage the system > Security > Access to product features > Individual administrators.

  3. Click Add new...

  4. Enter the following values:

    ID: admin1

    Name: admin1

    Password / Confirm password: North*1

  5. Select the Password never expires checkbox.

  6. Under Allowed privileges, select All.

  7. Click Add at the bottom of the page to add the user.

This creates a user who can only perform administrative tasks (console-only access). Because the ID is not mapped to accounts on target systems, the user cannot access the self-service or help desk menus.

Test the administrative privileges

The Show effective privileges function allows you to view the product administrator privileges for any user.

To do this:

  1. Click Manage the system > Security > Access to product features > Show effective privileges.

  2. Type the ID of the User you just created, admin1.

  3. Click Test.

    Bravura Security Fabric displays the results of the test.

The privileges listed are the ones set up when the admin1 administrator was created.

Login as the product administrator

Log in to the Front-end (PSF) as admin1 to review the menu options the privileges provide.

You will notice this user has the same administrator menu options as superuser.

Example: Define a product administrator group

This example defines a product administrator group of auditors who have limited access to product features. It shows how to use the built-in REPORT_READERS administrator group, and include users who also have accounts on target systems. For a detailed procedure see Defining product administrators from the web interface.

Requirements

This example assumes that:

  • Bravura Security Fabric and Connector Pack are installed.

  • An Active Directory target system has been configured.


Define the product administrator group

To define a product administrator group:

  1. Log in to the Bravura Security Fabric Front-end (PSF) as superuser.

  2. Click Manage the system > Security > Access to product features > Administrator groups.

  3. Select REPORT_READERS .

  4. Leave the default settings. This group has the following allowed privileges:

    • Manage reports

  5. Click the Membership criteria tab.

    The membership of the REPORT_READERS administrator group is defined by the _REPORT_READERS_ user class.

  6. Click the edit icon next to _REPORT_READERS_.

  7. In the user class configuration pop-up window, click the Criteria tab.

  8. In the group memberships table, click Add new…

  9. In the Target system field, enter AD.

  10. Search for and select the AUDIT-GENERAL group.

  11. Click Add.

  12. Click the Test tab and click List to see the users that are now members of the _REPORT_READERS_ user class.

  13. Return to the General tab and next to the option for Membership cache valid click Recalculate.

  14. Close the user class configuration window.

  15. Click the General tab of the REPORT_READERS administrator group.

  16. If the Membership cache valid value is "No", click Recalculate.

  17. Click Update.

This puts members of the AUDIT-GENERAL group in the REPORT_READERS administrator group. These users can perform some administrative tasks, and can also access the self-service menus.

Test the administrative privileges

To test the administrative privileges:

  1. Click Manage the system > Security > Access to product features > Show effective privileges.

  2. In the User field, type the name of a user in the AUDIT-GENERAL group that was added to the _REPORT_READERS_ user class.

  3. Click Test.

    Bravura Security Fabric should list ’Manage reports’ as a privilege for this user.

Login as a REPORT_READERS administrator group member

Log in to the Front-end (PSF) as the named user. You should see that the user now has access to the Manage reports option in the Administrative options section.

Defining product administrators from the command prompt

As an alternative to using the web interface, you can define product administrators from the command prompt using the adm_set program; for example:

adm_set.exe -user SmithJ -acl <ACL list>

You cannot grant any administrative privileges that you do not have.

See adm_set usage information.

Administrative privileges

The following table describes all available administrative privileges. It also includes the internal keyword – used in configuration files, plugin input/output, and by the adm_set program – for each privilege.

Table 1. Administrative privileges

Right | Keyword | Description

General system configuration

Manage resources | resource | The product administrator can manage target systems, auto-discovered objects, and other resources.

Manage policies | policy | The product administrator can manage user classes, segregation of duties (SoD) rules, authentication and identification policies, authentication chains, question sets, import rules, and login options.

Manage notifications | mngnotifs | The product administrator can manage notifications and notification-related scheduled jobs.

Configure workflow setup | workflow | The product administrator can configure workflow.

Configure modules | module | The product administrator can modify the web module configuration.

Maintain servers | maintain | The product administrator can manage services, schedule jobs, and configure auto discovery.

Manage reports | runreport | The product administrator can run or schedule reports from the Manage reports app.

Analytics | analytics | The product administrator can run, save, or read reports from the Analytics app.

Recompute Analytics cache | recanalyticscasch | The product administrator can update the cached data on dashboards from the Analytics app.

Configure Login Manager | managesso | The product administrator can configure Login Manager.

Manage external data store | extdb | The product administrator can manage the external data store.

Dashboards

View certification dashboard | viewcertdash | The product administrator can use View dashboards to view the certification dashboard.

View privileged access dashboard | viewpswdash | The product administrator can use View dashboards to view the privileged access dashboard.

View workflow dashboard | viewworkdash | The product administrator can use View dashboards to view the workflow dashboard.

View enrollment dashboard | viewpsadash | The product administrator can use View dashboards to view the enrollment dashboard.

View OrgChart dashboard | vieworgdash | The product administrator can use View dashboards to view the OrgChart dashboard.

View helpdesk dashboard | viewhelpdeskdash | The product administrator can use View dashboards to view the help desk dashboard.

Recompute dashboard cache | recdashcache | The product administrator can use View dashboards to update the cached data on dashboards.

Security administration

Manage security | security | The product administrator can manage User access rules and Options in the Manage the system > Security menu.

Manage product administrator | console | The product administrator can create and manage other product administrators. A product administrator may only create or manage product administrators with equal or lesser rights than their own, and cannot manage their own rights.

Manage user groups | mngacl | The product administrator can manage user access controls in the Manage the system module.

Privileged access management

Create managed system policies | creategroup | The product administrator can create managed system policies in Manage the system. As owner of a managed system policy, the product administrator has access to the policy but not to the passwords it manages; that permission must be assigned separately through user group access controls.

Manage orphan managed systems | mngorphanres | The product administrator can manage orphaned managed systems (those that are not members of any managed system policy) in Manage the system.

Create managed systems | createres | The product administrator can add a user-managed system in Manage the system.

Manage managed system policies | groupmgmt | The product administrator can modify or remove existing managed system policies in Manage the system. Access to each managed system policy must also be granted under Manage the system > Security > Privileged access to systems. This right does not give access to orphan managed systems, and the product administrator cannot update user groups of which they are already a member.

Recover last managed password | recoverpwd | The product administrator can recover the last stored managed password for a managed account, regardless of the state of the target (managed, unmanaged, or remanaged), by connecting to the API service as an OTP IDAPI caller through LoginEx and calling the RecoverKeyByAccount function.

Access certification

Manage certification process | certify | The product administrator can manage the access certification process, in which one or more reviewers confirm or remove users' access privileges and remove stale users.

Initiate entitlement certification campaigns | singleusercertify | The product administrator can initiate an access certification process in which a single reviewer confirms or removes users' access privileges and removes stale users.

OrgChart management

Start Org building rounds | createorg | The product administrator can use Manage the OrgChart to initiate OrgChart building rounds.

Manage the OrgChart | updateorg | The product administrator can use Manage the OrgChart to manually change the OrgChart structure.

Remote API

IDAPI caller | apicaller | The product administrator can call the API Service (idapi) Login function from the IP addresses specified in the IP address with CIDR bitmask field. This right can be combined with other rights only by adding an individual administrator that holds it to an administrator group that grants the other rights.

OTP IDAPI caller | otpcaller | The product administrator can call the API Service LoginEx function from the IP addresses specified in the IP address with CIDR bitmask field. LoginEx grants access to the KMKeyGetByAccount function, which retrieves passwords managed by Bravura Privilege. This right can be combined with other rights only by adding an individual administrator that holds it to an administrator group that grants the other rights.

Guacamole IDAPI caller | guacamolecaller | The product administrator can call the API Service Login function from the IP addresses specified in the IP address with CIDR bitmask field. Login grants access to the CheckoutParamsGet and CheckoutStatusGet functions, which a Guacamole gateway uses to periodically check whether a managed account checkout is still valid during an active Guacamole access disclosure session. This right can be combined with other rights only by adding an individual administrator that holds it to an administrator group that grants the other rights.

Replication

Configure replication | replication | The product administrator can configure database replication (Manage the system > Maintenance > Database replication).

View information

View information: Target systems | viewhost | The product administrator can view additional information about target systems via embedded links.

View information: Managed groups | viewmgrp | The product administrator can view additional information about managed groups via embedded links.

View information: Roles | viewrole | The product administrator can view additional information about roles via embedded links.

View information: Segregation of duties rules | viewsod | The product administrator can view additional information about segregation of duties rules via embedded links.

View information: User classes | viewuc | The product administrator can view additional information about user classes via embedded links.

View information: Accounts | viewacct | The product administrator can view additional information about accounts via embedded links.

View information: Pre-defined requests | viewpdr | The product administrator can view additional information about pre-defined requests via embedded links.

View information: Template accounts | viewtpl | The product administrator can view additional information about template accounts via embedded links.

View information: User notifications | viewntf | The product administrator can view additional information about user notifications via embedded links.

View information: Certification campaigns | viewcert | The product administrator can view additional information about certification campaigns via embedded links.



Testing administrative privileges

The Show effective privileges function allows you to view the product administration privileges for any user. To do this:

  1. Click Manage the system > Security > Access to product features > Show effective privileges.

  2. Search for, or type the ID of the User you want to test.

  3. Click Test.

    Bravura Security Fabric displays the results of the test.

Enabling, disabling and unlocking product administrator profiles

You can enable, disable or unlock the profile of product administrators using the Manage the system (PSA) module. Users with console-only access can only have their profile status updated using the Manage the system (PSA) module.

To enable, disable or unlock a product administrator's profile:

  1. Click Manage the system > Security > Access to product features > Individual administrators.

  2. Select the product administrator.

  3. Click Enable, Disable or Unlock.