Skip to main content

Controlling attribute priority

When auto discovery is run, if target systems are configured to list attributes, account attributes are loaded into the Bravura Security Fabric database.

You can set up an attribute priority scheme, so that when attributes from more that one target system are mapped to the same profile and request attribute, the differences can be reconciled as part of the loading process. To illustrate with an example, assume you have:

  • A Windows Server 2016 target system (WIN) and an LDAP target system (LDAP).

  • Both have their “description” attribute mapped to the profile and request attribute “DESC”.

  • There is a user JDOE with an account on both the WIN and LDAP target systems.

  • JDOE’s W2K8 description attribute = ”userjohndoe”.

  • JDOE’s LDAP description attribute = ”LDAP userjohndoe”.

If the attribute priority scheme prioritizes WIN over LDAP, then during auto discovery the attribute will be updated with the value userjohndo ; if LDAP has the higher priority, the value will be LDAPuserjohndoe .

You can define profile and request attribute priority at three levels of granularity: all attributes, per attribute, and one-time override.

all attributes

Target systems with mapped attributes are listed in a priority sequence. All profile and request attributes take their definitions from the highest priority target system with an equivalently mapped attribute.

You set the priority for all attributes on the Manage the system > Workflow > Profile and request attributes > Attribute priority page.

per attribute

Target systems with mapped attributes are prioritized for this specific profile and request attribute. This attribute takes its definition from the target system with the highest priority. This takes precedence over the “all attribute” priority sequence. Other attributes not defined at the per attribute level still follow the “all attribute” priority sequence, unless overridden by a one-time override.

You set the priority per attribute on the attribute’s Priority tab.

one-time override

An additional field can be used to give priority to a target system only when the definition of the mapped attribute on that target system is changed. This is primarily intended for use in situations where you want to preserve a particular priority sequence, but allow for a one-time override.

For example, a target system that is the authoritative source for a particular attribute is known to contain incorrect information, and the group responsible for managing the target system will not or cannot make the required data changes for some time. You can use the Override on change field to give higher priority to another target system, then update the attribute value on that target system to the correct value. That value will now be applied to the attribute for that user in Bravura Security Fabric , and the original priority sequence will remain intact.

Note that the value that is applied to the attribute on Bravura Security Fabric will be overwritten by the next auto discovery process. The value is not persistent.

One-time overrides take precedence over per-attribute and all-attribute overrides.

You set the Override on change option on the attribute’s Priority tab.

All three priority methods can be used together to define an attribute priority scheme that suits your particular needs. You can set up a default priority scheme that applies to all the profile and request attributes and which will work for most of them, then create specific priority sequences for the profile and request attributes that need to be treated differently.

Setting up an attribute priority sequence for all profile and request attributes

To define a general attribute priority sequence order for all profile and request attributes:

  1. Click Manage the system > Workflow > Profile and request attributes > Attribute priority.

  2. If required, search to narrow the list of target systems.

  3. Drag and drop one of the double direction arrows in the ID field to change the attribute groups’ order in the list.

  4. Click Update at the bottom of the form.

If target systems are not included in the attribute priority list, their priority will be based on their physical sequence in the database, after any target systems included in the list.

Note

If you modify the attribute reconciliation order, user attribute values will not be reloaded unless a user’s profile has been updated since the last time attributes were listed. To ensure that all user attribute values are loaded:

  1. Navigate to the configuration page for each affected target.

  2. Locate the List attributes setting.

  3. Click Generate full list.

Once auto discovery runs, the user profile attributes are updated.

3757.png

Setting up an attribute priority sequence for a specific profile and request attribute

To define the target system priority sequence for a specific profile and request attribute:

  1. Click Manage the system > Workflow > Profile and request attributes > Profile and request attributes.

  2. Select the attribute you want to set the priority for.

  3. Select the Priority tab.

    Bravura Security Fabric lists the mapped attributes and their target systems.

  4. Enter priority values for the mapped account attributes. A larger value indicates a higher priority.

    A default value of 50 is assigned to changes made to attribute values from within Bravura Security Fabric . This value is controlled by the ATTR PRIORITY IDSYNCH field (Manage the system > Workflow > Profile and request attributes > Attribute logic).

  5. Click Update.

3759.png

Click below to view a demonstration of configuring an EMPLOYEE-NUMBER profile and request attribute so the value of the employeeNumber account attribute from Active Directory takes priority over other mapped target account attribute values.

Setting up a one-time override

To define a one-time override for a specific profile and request attribute:

  1. Click Manage the system > Workflow > Profile and request attributes > Profile and request attributes.

  2. Select the attribute for which you want to set the override.

  3. Select the Priority tab.

    Bravura Security Fabric lists the mapped attributes and their target systems.

  4. Ensure that the priority sequence has been set for the mapped attributes.

  5. Select the Override on change checkbox for the appropriate account attribute.

    When the value for the mapped account attribute changes, it will override the defined priority sequence, and its value will be applied to the profile and request attribute.

  6. Click Update.

In this section: