Skip to main content

Attribute groups

An attribute group is a named collection of profile and request attributes. Bravura Security Fabric uses attribute groups to determine:

  • Who can see or edit certain attribute values (access controls).

  • How attributes are displayed to users.

Access controls

You assign permissions to user groups to control their members’ read and write access to attribute groups, and therefore the attributes within each group. An individual user’s access is determined by his or her membership in one or more user groups.

The following user groups exist by default:

  • allauthorizers– All users designated as authorizers of requests.

  • allimplementers– All users designated as implementers of requests.

  • allrecipients– All recipients of access change requests.

  • allrequesters– All requesters of access change requests.

  • allself– Restricts all users to have access to only their attributes.

  • msp_report_users– Product administrators who can generate and view managed system policy reports.

For example, you may want to allow some authorizers to enter confidential, required information such as users’ salaries or Social Security Numbers without allowing requesters to see them.

Attribute display

You can have groups of related attributes display:

  • For certain request operations; for example, create user, access account, or add user to a group.

  • On the main page or any number of sub-pages on the request form

    This is useful to avoid exposing users to hundreds of profile and request attributes on one page.

You can also determine the relative order in which the attributes appear within the group.

In some cases, you may not want the attributes to display at all. The attribute values are still available to the system, including interface programs and plugins; for example, you may use a plugin to set default values rather than have users fill them in.

Enforcing validation

Normally, if a value is required, Bravura Security Fabric stops a request from proceeding if the user has not entered a correctly formatted value. You can turn off validation for an attribute or attribute group if an incorrectly entered value should not block a request. This can be useful, for example, if a user needs to create or update their profile but does not have complete information.

In this section: