Example: Update group attributes
Group owners can use the Groups app to update the group description and other attributes configured by product administrators.
In this example, we add a resource attribute that can be updated by group owners using the standard _GROUP_UPDATE_ATTRS (Update attributes) pre-defined request. We map the resource attribute to an Active Directory group attribute, so that updating the attribute in Bravura Security Fabric also updates the group in Active Directory.
Assumptions
This example assumes:
Bravura Workforce Pattern is installed.
The "AD" Active Directory target system is configured as a source of profiles.
Group owners in AD are configured as group managers in Bravura Identity.
Add a resource attribute
To add a resource attribute:
Log in to the Bravura Security Fabric Front-end (PSF) as superuser.
Click Manage the system > Resources > Resource attributes.
Click Add new…
Enter values as follows:
ID: SECURITY_LEVEL
Description: Group security level
Type: String
Minimum required number of values: 0
Maximum allowed number of values: 1
Click Add.
Click the Restricted values tab and add the following:
Actual value 1 and Displayed value "Security Level 1", then click More.
Actual value 2 and Displayed value "Security Level 2", then click More again.
Actual value 3 and Displayed value "Security Level 3".
Click Update.
Set attribute access controls
To set access controls for the new attribute, add it to an attribute group:
Click Manage the system > Resources > Resource attribute groups.
Select GROUP_INFO_UPDATE.
This is a built-in resource attribute group that is included in the _GROUP_UPDATE_ATTRS pre-defined request. Attributes that are members of this group can be updated by group owners.
Click the Members tab.
Click Select….
Select the checkbox for the SECURITY_LEVEL attribute you added above, then click Select.
Click the Display criteria tab.
Set the Display type to "Main".
This will display the Group security level field on the main page of the Update attributes pre-defined request.
Click Update.
Now the SECURITY_LEVEL attribute will be available for editing by group owners.
Map SECURITY_LEVEL attribute to an Active Directory group attribute
We will now map this resource attribute to the Active Directory "info" group attribute. The "info" group attribute displays in the "notes" field in Active Directory Users and Computers (ADUC). This way, when we view a group via ADUC, we can read the notes and see what security level the group is.
Click Manage the system > Resources > Group attributes > Target system.
Select the Corporate AD target.
Click Add new….
Enter the following information:
ID: info
Map group attribute to resource attribute: SECURITY_LEVEL
Load attribute values from target system: selected
Populate mapped resource attribute with values from target system: selected
Leave all other settings as default.
Click Add.
Click Yes to retrieve a full attribute list during the next auto discovery.
Execute auto discovery for the AD target system.
Update group attributes
To update group attributes as a group owner:
Log in to the Front-end (PSF) as an end user who is a group owner.
From the self-service main menu, click Groups.
This displays My groups.
Select the IT-MANAGERS group from the Results panel.
Click Update attributes.
Notice the Group description is already filled in. This is because the Active Directory description attribute is mapped to the GROUP_NAME attribute when Bravura Workforce Pattern is installed and the attribute contained a value. The List group attributes option must also be selected on the Active Directory target.
However, the info attribute does not contain any values at this point in time so no data is shown.
Select "Security Level 3" for the Group security level.
Click Submit.
Click the View request link at the top of the page to view the request status.
In the right Actions panel, select the Request ID link and display Operations and Authorizers.
Note that with the current configuration, you would also need to approve the request as the group owner, but since we are using the owner of the group to make the request, it is auto-approved.
If the value in the Results column of the Resources to be updated table is "Success" then you know the task has been completed properly.
You can confirm the request was successful by viewing the properties of the IT-MANAGERS group directly in ADUC.
The info attribute was updated for the IT-MANAGERS group and the specified value of [Security Level] "3" now appears in the Notes field.
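The same confirmation can be scripted, and extended to every group, to catch info values edited directly in AD that fall outside the restricted values defined above. The following is an added example, not part of the Bravura documentation. It assumes the RSAT ActiveDirectory PowerShell module, a placeholder search base, and that the actual value (1, 2 or 3) is what gets written to the info attribute.

```powershell
# Added example: audit the AD "info" (Notes) attribute against the restricted
# values configured for SECURITY_LEVEL on this page.
# Assumption: the actual value ("1", "2" or "3") is what is stored in info.
Import-Module ActiveDirectory

$AllowedValues = @('1', '2', '3')                 # from the Restricted values tab
$SearchBase    = 'OU=Groups,DC=example,DC=com'    # placeholder: set to your group OU

# Classify one info value: Unset, Valid (in the restricted set) or Unexpected.
function Test-SecurityLevelValue {
    param([string]$Value, [string[]]$Allowed)
    if ([string]::IsNullOrWhiteSpace($Value)) { return 'Unset' }
    if ($Allowed -contains $Value.Trim())     { return 'Valid' }
    return 'Unexpected'
}

# Spot check the group updated in this example.
Get-ADGroup -Identity 'IT-MANAGERS' -Properties info |
    Select-Object Name, info

# Full audit of every group under the search base.
$report = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties info, whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            Group       = $_.Name
            Info        = $_.info
            Status      = Test-SecurityLevelValue -Value $_.info -Allowed $AllowedValues
            WhenChanged = $_.whenChanged
        }
    }

# Summary by status, then the groups whose Notes field holds something
# other than a restricted value (most recently changed first).
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -eq 'Unexpected' |
    Sort-Object WhenChanged -Descending |
    Format-Table Group, Info, WhenChanged -AutoSize
```

Because the mapping loads values from the target system into SECURITY_LEVEL, an "Unexpected" value in AD is also what the next auto discovery will read back, so review those groups before it runs.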