
Static vs dynamic user membership

When specifying user class membership, a decision has to be made whether to assign members statically via the "Explicit users" tab, dynamically via the "Criteria" tab, or both. Data processing speed during discovery and administrative effort must be considered when making this decision.

Defining membership criteria according to membership in a specific group or by attribute values can result in more data processing time during discovery, but it can also avoid administrative effort when large numbers of users are involved. This is particularly true if a suitable group already exists or if identification by attribute criteria is feasible (for example, to identify all users that are part of a specific department).

Declaring static "explicit users" is the fastest method from a data-processing perspective, and the least error-prone during initial setup, particularly for small to medium-size organizations where there are a small number of employees responsible for specific tasks. However, explicit user definitions require manual changes whenever staffing or role changes occur. This administrative effort can become significant for larger organizations. Explicit user definitions become more prone to errors as time passes and staffing changes occur.

Many businesses implement a combination of both static explicit user and dynamic criteria-based memberships.

Note

In Bravura Privilege implementations, Bravura Privilege Pattern makes it easier to use team management (which uses dynamic workflow).

Here are pros and cons to be considered for each approach:

Static Explicit user - Pros

  • Bravura Pass administrator has full control.

  • Changes made on the "Explicit users" list take effect right away.

  • No need to create new groups in AD for specific Bravura Security Fabric purposes.

  • No dependency on the AD integration listing a group without error.

  • Suitable, and often best practice, as the method for:

    • smaller Bravura Pass environments.

    • environments that do not already have security groups configured, or other ways of establishing the access rules required in the Bravura Security Fabric solution.

    • busy environments with multiple admin teams performing maintenance on targets without communicating changes to other teams, or excessive red tape between Bravura Security Fabric and AD teams.

Static Explicit user - Cons

  • Bravura Pass administrator must keep up-to-date with employee and role changes, potentially repeating work done in AD.

  • Explicit user selection must be done one by one from the list of valid Profiles.

    • This can be a benefit, since if a user is not yet valid (listed from a Source of Profile target), the Bravura Pass administrator will notice during explicit user selection.

Dynamic Criteria - Pros

  • Recommended when very large groups of users require segregation to achieve particular workflows, or for granting different privileges.

  • An existing user-grouping structure on target systems can be leveraged when it must be used verbatim in Bravura Security Fabric.

  • Used more often for larger clients and with Bravura Privilege and Bravura Identity product licenses. This option is used less for Bravura Pass clients.

Dynamic Criteria - Cons

  • Can require data processing resources for both the target and Bravura Security Fabric.

  • Dependent on Autodiscovery:

    • Changes made to group membership in AD must wait for a successful autodiscovery to be propagated to Bravura Security Fabric.

    • Any Autodiscovery listing or object-loading issue becomes a security-configuration issue as well.

    • Listing too many groups/group members/attributes, as well as calculating user class membership caches, can slow autodiscovery. It is advised to list only data used in the product solution.