
Setting authorization rules via the im_policy_authorization table

As detailed in Components for authorization workflow, installing the component sets up authorization rules in the im_policy_authorization table in the external data store (extdb). Product administrators can add new authorization rules and modify existing ones by editing this table, for example to add or remove authorizers based on request attributes, requester or recipient information, and the operations requested.

To access the authorization policy, log in as an administrator and navigate to Manage external data store > im_policy_authorization.

The authorization policy is a single SQL table with many columns that provide the "structure" of the policy. Not all columns need to be filled for each rule; they are present to give the access approval solution a large degree of granularity and flexibility.

This supports any combination of use cases in the Bravura Identity life cycle (such as Leave of Absence, Rehire, or Name change after a marriage). These use cases are brought into the policy by a combination of scenario components.

Each row of the table is a policy "rule", made up of three types of columns:

  • "match" (which determine in which cases, and for which objects, the rule will be active)

  • "action" (which determine what action will be done when a rule matches a specific object being

  • "policy-wide" (which record functional, rule-use and rule-provenance information)

The policy table acts like a snowball:

  • For each Request, each rule is evaluated in turn: all rules in 'RuleNumber' order for stage 1, then all rules in 'RuleNumber' order for stage 2, and so on.

  • When a rule "matches", its "actions" are added to the snowball.

In a replicated environment, make changes only on the instance's primary server.

Search the policy

In-depth authorization policies can be quite large. The Search field at the top left of the table view accepts SQL WHERE clauses that filter the displayed records, for example:

  • Only rules that apply to a specific Predefined Request:

    where "PDRId" = 'UPDATE_ACCOUNT'

  • All rules which cause Requesters and Recipients to not be allowed as their own Approvers:

    where "RemoveAuthorizerIf"='is both'

  • All rules which match a Role that contains HR in its ID (like HR_ADMIN):

    where "Role" like '%HR%'
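The following added example (not part of the product documentation or the product's own code) models the Search queries above and the "snowball" evaluation order described earlier against a small in-memory copy of the table. The column names PDRId, Role, RemoveAuthorizerIf and RuleNumber come from this page; the Stage and AddAuthorizer columns, the wildcard meaning of an empty match column, and all rows are assumptions made for illustration.

```python
import sqlite3

# Constructed rows for a subset of im_policy_authorization. Stage and
# AddAuthorizer are assumed columns; an empty (NULL) match column is taken
# to mean "matches any value" for the purpose of this illustration.
SAMPLE_RULES = [
    # RuleNumber, Stage, PDRId, Role, RemoveAuthorizerIf, AddAuthorizer
    (1, 1, None,             None,       None,      "MANAGER"),
    (2, 1, "UPDATE_ACCOUNT", None,       "is both", None),
    (3, 1, None,             "HR_ADMIN", None,      "HR_APPROVER"),
    (4, 2, "UPDATE_ACCOUNT", "HR_ADMIN", None,      "SECURITY"),
]


def open_policy_db():
    """Create an in-memory table shaped like the page's policy table."""
    db = sqlite3.connect(":memory:")
    db.execute('''CREATE TABLE im_policy_authorization (
        "RuleNumber" INTEGER, "Stage" INTEGER, "PDRId" TEXT, "Role" TEXT,
        "RemoveAuthorizerIf" TEXT, "AddAuthorizer" TEXT)''')
    db.executemany("INSERT INTO im_policy_authorization VALUES (?,?,?,?,?,?)",
                   SAMPLE_RULES)
    return db


def search_rules(db, where_clause):
    """Apply a WHERE clause as typed into the admin Search field and
    return the matching RuleNumbers."""
    sql = ('SELECT "RuleNumber" FROM im_policy_authorization '
           + where_clause + ' ORDER BY "RuleNumber"')
    return [row[0] for row in db.execute(sql)]


def evaluate(db, pdr_id, role):
    """Snowball evaluation: walk rules stage by stage, then by RuleNumber;
    every rule that matches contributes its actions to the accumulated
    result instead of replacing it."""
    authorizers, removals = [], []
    rows = db.execute('''SELECT "PDRId", "Role", "RemoveAuthorizerIf", "AddAuthorizer"
                         FROM im_policy_authorization
                         ORDER BY "Stage", "RuleNumber"''')
    for r_pdr, r_role, remove_if, add in rows:
        if r_pdr is not None and r_pdr != pdr_id:
            continue          # match column set and different: rule skipped
        if r_role is not None and r_role != role:
            continue
        if add:
            authorizers.append(add)
        if remove_if:
            removals.append(remove_if)
    return authorizers, removals
```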

See External Data Store for general information on using the interface.