Tracking and propagating attribute changes
Changes to profile and request attribute values can be tracked. You can configure the idtrack program to execute a variety of provisioning actions automatically. A common use case is to track changes to a profile and request attribute in order to synchronize attributes on target systems.
To configure idtrack to synchronize profile and request attributes:
1. Determine which attributes are authoritative and what changes should occur based on changes to authoritative attributes.
2. Configure profile and request attributes to be tracked and set the Track changes to this attribute option.
3. Configure attribute propagation, either by configuring attribute logic or by writing an idtrack.psl script.
Configuring automatic attribute propagation
To set up profile and request attribute logic settings for automatic propagation:
1. Click Manage the system > Workflow > Options > Automation.
2. Enable ATTR AUTO PROPAGATE EXECUTE to automatically execute the propagation of changes to profile and request attributes to account attributes on subordinate systems.
3. Set the ATTR AUTO PROPAGATE REQUESTER field to a valid Bravura Security Fabric user. This is the user that will submit change requests to the Bravura Security Fabric workflow system.
4. Enable ATTR AUTO PROPAGATE WRITE to automatically write the propagation of changes to profile and request attributes to a work file. You can set this option alone to make changes manually, or combine it with ATTR AUTO PROPAGATE EXECUTE for logging purposes.
5. Set the ATTR AUTO PROPAGATE THRESHOLD to control the maximum number of requests to be submitted due to changes to profile attributes, unless overridden on the command line. If the threshold is exceeded, no requests will be submitted automatically by idtrack. Bravura Security Fabric sends an email to the product administrator (defined by RECIPIENT EMAIL), who can decide whether to run idtrack manually to submit those requests.
Example: Tracking and propagating changes
For the following example, it is assumed there are three target systems:
- Active Directory with a target ID of "AD"
- LDAP server with a target ID of "LDAP"
- SQL hosted application with a target ID of "SQL"
In addition, these Workflow > Options > Automation options are also set:
- ATTR AUTO PROPAGATE EXECUTE to "On"
- ATTR AUTO PROPAGATE REQUESTER to a valid profile ID
Profile and request attributes can be authoritative, so that when a profile and request attribute changes during auto discovery, the new value is automatically propagated to account attributes. The most common way that a profile and request attribute value is changed during auto discovery is when it is mapped to an overridden account attribute with the Load attribute values from target system option checked.
The other common way that profile and request attribute values are set or changed is when a requester creates a request interactively using the View and update profile (IDR) module. The idtrack program is not executed in this situation.
Preparation:
1. Override the AD target system description attribute and map it to the DESC profile and request attribute.
2. Override the SQL target system description attribute and map it to the DESC profile and request attribute.
3. Override the LDAP target system description attribute, map it to the DESC profile and request attribute, and check Load attribute values from target system. This sets the DESC profile and request attribute value to the value of the LDAP description account attribute.
4. Track changes to the DESC profile and request attribute. Changes to this profile and request attribute value will cause idtrack to automatically propagate changes to all mapped account attributes.
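The automation options and the DESC scenario above, worked through as an added Python model that is not Bravura Security Fabric code: it shows how ATTR AUTO PROPAGATE EXECUTE, WRITE and THRESHOLD combine when a tracked DESC value loaded from LDAP changes. The data layout, function names and the requester ID are assumptions.

```python
"""Added example (not Bravura Security Fabric code): a small model of how
idtrack decides what to do when a tracked profile attribute changes, using
the ATTR AUTO PROPAGATE EXECUTE / WRITE / THRESHOLD options from this page.
Data layout, function names and the requester ID are assumptions."""
from dataclasses import dataclass


@dataclass
class PropagationOptions:
    execute: bool = True            # ATTR AUTO PROPAGATE EXECUTE
    write: bool = False             # ATTR AUTO PROPAGATE WRITE
    threshold: int = 100            # ATTR AUTO PROPAGATE THRESHOLD
    requester: str = "IDTRACK-REQ"  # ATTR AUTO PROPAGATE REQUESTER (placeholder ID)


def plan_requests(tracked, old_profile, new_profile, mappings, accounts):
    """One change request per mapped account attribute whose current value
    differs from the new authoritative profile value. Attributes that are
    not tracked, or did not change, produce nothing (assumed behaviour)."""
    requests = []
    for attr in tracked:
        if old_profile.get(attr) == new_profile.get(attr):
            continue
        new_value = new_profile[attr]
        for target, account_attr in mappings.get(attr, []):
            if accounts.get(target, {}).get(account_attr) != new_value:
                requests.append((target, account_attr, new_value))
    return requests


def run_idtrack(opts, requests):
    """Apply the automation options. Returns (submitted, work_file, notify_admin).
    Over the threshold nothing is submitted (and, assumed here, nothing is
    written); the RECIPIENT EMAIL administrator is notified instead."""
    if len(requests) > opts.threshold:
        return [], [], True
    work_file = list(requests) if opts.write else []
    submitted = [(opts.requester, *r) for r in requests] if opts.execute else []
    return submitted, work_file, False


# Constructed sample matching the page's scenario: DESC is loaded from the
# LDAP description attribute and also mapped to the AD and SQL description.
TRACKED = {"DESC"}
MAPPINGS = {"DESC": [("AD", "description"), ("SQL", "description"),
                     ("LDAP", "description")]}
ACCOUNTS = {"AD": {"description": "Sales"}, "SQL": {"description": "Sales"},
            "LDAP": {"description": "Marketing"}}   # LDAP is the source
OLD_PROFILE = {"DESC": "Sales"}
NEW_PROFILE = {"DESC": "Marketing"}                  # after auto discovery
```

LDAP is already at the new value, so only AD and SQL receive requests; with the threshold set below that count the run submits nothing and flags the administrator.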
Scripting attribute propagation
Scripted attribute propagation is not as simple to set up as automatic propagation, but is more flexible. A tracked change can be a triggering event to perform any provisioning operation allowed via the API.
See Automated User Administration for more information about idtrack scripting and automated user administration.