Types of authorization workflow
Two types of authorization are available within Bravura Security Fabric’s workflow engine:
| Authorization type | Description |
| --- | --- |
| Static authorization | Requests involving resources (target systems, templates, roles or groups) are routed to pre-defined authorizers mapped directly to the objects. This type of authorization is static because the list of authorizers is configured in advance. It is generally not used in Bravura Privilege implementations. |
| Dynamic authorization | Authorizers are determined and assigned at the time the request is submitted, using criteria based on properties of the request (relationship to the recipient, value of a particular request attribute, access requested and so on). This type of authorization is dynamic because the list of authorizers changes depending on details of the request. Authorization for managed resources is generally determined by configuration at the resource object level. |
Static authorization is simple to configure, but requires manual maintenance. In Bravura Identity implementations, it is usually sufficient for small to medium-size organizations, where a small number of employees are responsible for reviewing and authorizing requests to access a resource. In Bravura Privilege implementations, Bravura Privilege Pattern makes it easier to use team management (which uses dynamic workflow).
In large enterprise environments, the selection of resource authorizers is more complex. Static authorization is not feasible; the maintenance required would make it impractical. Dynamic authorization addresses this challenge and also offers more flexibility in how the workflow is configured. Many businesses implement a combination of both static and dynamic authorization. You can apply relational user classes and security rules so that the authorizer is determined by the type of request, the resources associated with the request, and who is making the request (and for whom).
You can also use plugins to dynamically assign authorizers instead of, or in addition to, static authorizers. In some enterprise environments, the authorization process is serial; for example, the request is first reviewed by the employee’s manager, followed by a security group member or resource owner. The authorization engine is flexible enough to accommodate most authorization scenarios.
Single resource approval
You can configure workflow so that it sends parts of the request for fulfillment as soon as they are approved. This is controlled via the IDP APPROVE SINGLE RESOURCE option at Manage the system > Workflow Options > General. This option is disabled by default.
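The following is an added conceptual model, not Bravura Security Fabric code or its plugin API. It shows static versus dynamic authorizer resolution, a serial manager-then-owner approval chain, and the effect of releasing each resource as soon as it is approved. All names, the sample directory data and the `approve_single_resource` parameter are hypothetical, and it assumes that with the option disabled nothing is fulfilled until every resource in the request is approved.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical users and resources).
MANAGERS = {"alice": "bob", "carol": "bob", "bob": "dana"}
OWNERS = {"finance-db": "erin", "vpn-group": "sam"}
STATIC_AUTHORIZERS = {"vpn-group": ["sam"]}  # configured in advance

def resolve_authorizers(resource, recipient, dynamic):
    """Return the ordered (serial) approval phases for one resource."""
    if not dynamic:
        # Static: one phase, fixed list mapped directly to the resource.
        return [STATIC_AUTHORIZERS.get(resource, [])]
    # Dynamic: derived from the request at submission time.
    # Phase 1 is the recipient's manager, phase 2 the resource owner.
    return [[MANAGERS[recipient]], [OWNERS[resource]]]

@dataclass
class Request:
    recipient: str
    resources: list
    dynamic: bool = True
    approvals: dict = field(default_factory=dict)  # resource -> approvers so far

    def approve(self, resource, approver):
        phases = resolve_authorizers(resource, self.recipient, self.dynamic)
        done = self.approvals.setdefault(resource, [])
        # Serial: only an authorizer of the current phase may approve.
        if len(done) >= len(phases) or approver not in phases[len(done)]:
            raise PermissionError(f"{approver} cannot approve {resource} now")
        done.append(approver)

    def is_approved(self, resource):
        phases = resolve_authorizers(resource, self.recipient, self.dynamic)
        return len(self.approvals.get(resource, [])) == len(phases)

    def fulfillable(self, approve_single_resource=False):
        """Resources that may be sent for fulfillment right now."""
        approved = [r for r in self.resources if self.is_approved(r)]
        if approve_single_resource:
            return approved  # each part is released once it is approved
        # Assumed default: wait until the whole request is approved.
        return approved if len(approved) == len(self.resources) else []
```

When modeling a real deployment this way, the case to look for is a resource whose resolved phase is empty: no one can approve it, and with the option disabled it holds back every other resource in the same request.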