Security plugin options
You can set the options listed in the table below on the Manage the system > Security > Options menu.
| Option | Description |
|---|---|
| API ADMIN PLUGIN | Filters API function calls made by API users. The plugin's decision overrides the default set of API functions that API users are allowed to call. |
| API ADMIN PLUGIN EXCLUDE | A comma-delimited list of users for whom the API ADMIN PLUGIN is not run. |
| OTP MAXIMUM | Controls how many of an OTP API caller's most recent passwords are still considered valid. The default is 0, meaning that a one-time password is invalidated after its first use. |
| USER OPERATION FILTER PLUGIN | Controls the operations that users can perform. You can also control this by applying user access rules to user classes; use the plugin for more complex requirements. See Operation filtering. |
API administrative privileges
You can configure the API ADMIN PLUGIN to choose which API functions can be called for certain API users.
By default, OTP API users are only allowed to call KMKeyGetByAccount, RecoverKeyByAccount, ManagedAccountOverridePassword, and ManagedAccountRandomizePassword API functions, while all other API users are allowed to call all API functions except KMKeyGetByAccount and RecoverKeyByAccount.
This plugin overrides the default settings: its decision replaces the defaults rather than extending them. If you want API users to call additional API functions while keeping the existing ones, the plugin must explicitly allow the default functions as well. For the same reason, a plugin that returns "allow" unconditionally also lets OTP API users call every API function.
To use a plugin to determine access controls for API users:
Click Manage the system > Security > Options.
Type the name of the plugin program in the API ADMIN PLUGIN field.
Optional: In the API ADMIN PLUGIN EXCLUDE field, add a comma-delimited list of users to exclude when running the plugin.
Click Update.
There is no shipped plugin in use with this plugin point.
Execution points
This plugin is executed any time an API function other than Login, LoginEx, or Logout is called. Refer to the api.pdf for available API functions.
Input
"" "" = { "OTP" = "false" "REST" = "false" "function" = "UserclassActorGet" "sessionid" = "Ibcb3b1a0-9f22-4221-9479-fb7dcb18badf" "userid" = "_API_USER" }
Where:
OTP
    indicates whether the logged-in user is an OTP user.
REST
    indicates whether the plugin is being called from the classic API or the REST API.
function
    indicates the API function being called.
sessionid
    is the current session ID.
userid
    is the user calling the API function.
Output
The following is an example of the output returned by the plugin:
    # KVGROUP-V1.0
    "" "" = {
        "errmsg" = ""
        "retval" = "0"
        "action" = "allow"
    }
Where:
errmsg
    is used to indicate the error on failure.
retval
    is zero on success or non-zero on failure.
action
    is 'allow' on success or 'deny' on failure.
Operation filtering
Many organizations apply business logic to define what employees are allowed to do; for example, allow only managers to submit requests for disabling user access. Bravura Security Fabric implements the operation filter plugin point to allow you to restrict access to operations based on who the user is.
Note
You can also control the operations that users can perform by applying user access rules to user classes. This plugin can be used for more complex requirements.
To enable the plugin point:
Click Manage the system > Security > Options.
Type the name of the plugin in the USER OPERATION FILTER PLUGIN field.
Click Update at the bottom of the page.
The built-in plugin, userOperationFilter.psl, allows the permitted operations, based on user access rules, to be overridden by a requester. This plugin is not enabled by default. The default behavior is for Bravura Security Fabric to use user access rules to define permitted operations. You can also set a filter plugin to filter the users that a logged-in user can manage.
The userOperationFilter.psl plugin script, stored in the \<instance>\plugin\ directory, is written in the PSLang scripting language. You can customize the script to grant requesters additional control, or write a customized script.
Caution
Granting requesters additional control can weaken security. For example, if users are allowed to perform delete operations, they may be able to delete accounts belonging to other users.
Ensure that authorizers are assigned to target systems, and that the target systems require at least one authorizer. Otherwise, a user's request to disable another user's accounts is auto-approved, because such requests do not act on any template.
Execution points
This plugin is run from the Front-end (PSF), Help users (IDA) module, View and update profile (IDR) module, Browse the OrgChart (IDO) module, Manage the OrgChart (IDG) module.
Operations that the user cannot perform do not appear on the menus or request forms. When no recipient is included in the input, the plugin evaluates the user access rules for any potential user.
If the user is not allowed to perform any operation on a request form, the message "You cannot manage this user" is displayed.
Input
Input passed to the plugin is as follows:
"" "" = { "OP_ALLOWED" = "{ ... } # Operation type # Can have one or more OP_ALLOWED keys "delegId" = "<Profile ID>" # The user receiving delegated access "recipient" "user" = { ... } # Recipient's data # When the recipient is omitted, then the user access rules are # evaluated for any potential user. "viewer" "user" = { ... } # Viewer's data }
The following is an example of input to the plugin:
"" "" = { "OP_ALLOWED" = "NETRES" "OP_ALLOWED" = "CREATE" "reservationid" = "" "recipient" "user" = { "id" = "ADAM0000" "name" = "Adams, Lane" } "viewer" "user" = { "id" = "ACOS0000" "name" = "Alyce G Acosta" } }
Output
The program outputs an operation keyword with a value "ALLOW" for each operation the user is permitted to perform. The user cannot perform any operation that is not explicitly allowed.
The operation keywords are listed in User access rule privileges.
The plugin also outputs the return value (0=success, non-zero=fail) and an error message if the return value is non-zero.
The following is an example output:
"" "" = { "NETRES" = "ALLOW" "CREATE" = "ALLOW" "DELEGATE" = "ALLOW" "DELETE" = "ALLOW" "DISABLE" = "ALLOW" "MANAGEGROUPS" = "ALLOW" "MOVECTX" = "ALLOW" "RENAME" = "ALLOW" "ROLES" = "ALLOW" "UPDATE" = "ALLOW" "retval" = "0" "errmsg" = "Successful" }