Example: Configure phased authorization
You can configure Bravura Security Fabric to subject requests to multiple phases of authorization. This means that even if a request is approved in phase one, it must be reviewed by another set of authorizers, perhaps from another department or level of management. There is no limit to the number of phases.
The WF PHASED AUTH option enables the phased authorization functionality (Manage the system > Workflow > Options > General).
The Minimum number of authorizers and Number of denials before a change request is terminated settings apply to each individual authorization phase. If an authorizer is configured to be in more than one phase, then he must review the request in each phase. You can enable IDWFM AUTH PHASE PROPAGATION (Workflow > Options > General) to allow the authorizer’s response in the first phase in which he appears to be propagated to later phases.
In this example, you will enable phased authorization, then require new account requests to be approved by a member of a user class, followed by the requester’s direct manager.
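The per-phase settings and the propagation option described above can be sketched as a small model. This is an added example, not Bravura Security Fabric code; the Phase class, the evaluate function, the user names and the exact evaluation order are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Phase:
    authorizers: frozenset   # users allowed to respond in this phase
    min_approvals: int = 1   # "Minimum number of authorizers"
    max_denials: int = 1     # "Number of denials before a change request is terminated"

def evaluate(phases, responses, propagate=False):
    """Walk the phases in order and return (status, phase_number).

    responses: (phase_number, user, "approve" | "deny") tuples.
    propagate: models IDWFM AUTH PHASE PROPAGATION (simplified assumption).
    """
    carried = {}  # user -> decision from the first phase in which they responded
    for number, phase in enumerate(phases, start=1):
        votes = {}
        if propagate:
            votes.update({u: d for u, d in carried.items() if u in phase.authorizers})
        for p, user, decision in responses:
            # Ignore responses from users who are not authorizers in this phase.
            if p == number and user in phase.authorizers:
                votes.setdefault(user, decision)
        for user, decision in votes.items():
            carried.setdefault(user, decision)
        # Thresholds are checked per phase, never across phases.
        if sum(d == "deny" for d in votes.values()) >= phase.max_denials:
            return ("denied", number)
        if sum(d == "approve" for d in votes.values()) < phase.min_approvals:
            return ("pending", number)
    return ("approved", None)

# Constructed sample: bob is in the phase 1 user class and is also the
# requester's direct manager, so he is the only phase 2 authorizer.
PHASES = [Phase(frozenset({"alice", "bob"})), Phase(frozenset({"bob"}))]
BOB_ONCE = [(1, "bob", "approve")]

if __name__ == "__main__":
    print(evaluate(PHASES, BOB_ONCE))                  # bob must answer again in phase 2
    print(evaluate(PHASES, BOB_ONCE, propagate=True))  # phase 1 answer carries forward
    print(evaluate(PHASES, [(1, "alice", "approve"), (2, "bob", "deny")]))
```

With propagation enabled, one person who appears in both phases can complete the request alone, which is worth weighing when the second phase is meant to be an independent review.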
Requirements
This use case assumes that:
Bravura Security Fabric and Connector Pack are installed.
An Active Directory target system is added as a source of profiles.
Enable phased authorization
Log in to the Bravura Security Fabric Front-end (PSF) as superuser.
Click Manage the system > Workflow > Options > General.
Enable WF PHASED AUTH.
Click Update.
Assign authorizers to resources
To set up phased authorization for new accounts:
Click Manage the system > Resources > Template accounts.
Select AD_TEMPLATE.
Click the Authorization tab.
Note that the authorization page for resources now lists configured authorization phases. So far, only one phase has been configured.
Select the Authorization phase 1 row.
Set the Minimum number of authorizers to 1.
Set the Number of denials before a change request is terminated to 1.
Click Update.
In the user class table, click Select….
Click the edit icon next to _IT_SECURITY_.
Bravura Security Fabric displays the User class definition page in a pop-up window.
Check which users are part of this user class by clicking on the Test tab and clicking List.
Close the user class configuration window.
Select the checkbox next to the _IT_SECURITY_ user class and click Select.
Bravura Security Fabric displays an error because you have not mapped the participants in the user class yet.
Under Participant mapping for USERID, select AUTHORIZER.
Click Update.
Add an authorization phase
To add a second authorization phase to enable the direct manager to authorize all requests using the template:
Navigate back to Manage the system > Resources > Template accounts.
Select AD_TEMPLATE.
Click the Authorization tab.
Click Add new….
A second phase is added to the Authorization table.
Select the second phase row to edit it.
Leave the Minimum number of authorizers as 1.
Leave the Number of denials before a change request is terminated as 1.
In the user classes table at the bottom of the form, click Select….
Select the checkbox next to the _MANAGER_DIRECT_ user class.
Note
Ensure you select _MANAGER_DIRECT, not _MANAGER_INDIRECT.
Click Select.
Bravura Security Fabric displays an error because you have not mapped the participants in the user class yet.
Under Participant mapping for MANAGER, select AUTHORIZER.
Under Participant mapping for SUBORDINATE, select REQUESTER.
Click Update.
Click the Authorization tab to see the configured phases.
Here, you could re-order phases by changing the numbers in the Authorization phase column and clicking Update. Leave the order as is for this lab.
You have now set up dynamic phased authorization for requests for new accounts. In the next example, we will use our new phased authorization to approve a request for a new hire.