
Example: Setting authorization rules via the im_policy_authorization table

As you build your authorization rules for roles, groups, targets, templates and so on, you may want to remove authorization for particular pre-defined requests or other situations. You can do this by setting rules in the im_policy_authorization table. In this example, we will override the entitlement authorization that was set up for the NEW-ENGINEER pre-defined request, and only require that the request be authorized by users within the CONTRACT-HIRE-APPROVAL user class.

Requirements

This use case assumes that:

  • Bravura Security Fabric and Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

  • Security questions are set up.

  • A NEW-ENGINEER pre-defined request is set up to create a new user from a role.

  • Authorization for groups has been set up as shown in Example: Configure static authorization.


Add rule to im_policy_authorization table
  1. Log in to the Bravura Security Fabric Front-end (PSF) as superuser.

  2. Click Manage external data store.

  3. Select the im_policy_authorization table.

  4. Click the Edit icon next to an empty row.

  5. Add the following rule to the table:

    • StageNumber 1

    • RuleNumber 29

    • SkipRemaining Stage

    • PDRid NEW-ENGINEER

    • ResourcesOnly False

    • Action replace

    • AuthUserclass CONTRACT-HIRE-APPROVAL

    • MinAuthorizers 1

    • AutoReject False

    • Phase 1

    • Authnote Authorization required from users who approve contracts

    Click Done.

  6. Click Update at the bottom of the table once you have added your entry.

    The rule may appear on the second page of the rules table.

    The rule you have just added for the NEW-ENGINEER PDR tells Bravura Security Fabric that when a user submits a request using the NEW-ENGINEER PDR, it must replace any phase 1 authorizers drawn from the template, managed groups, roles, etc. with members of the CONTRACT-HIRE-APPROVAL user class. Only 1 approval from a CONTRACT-HIRE-APPROVAL member is required to complete phase 1 authorization before the request moves on to the phase 2 authorization logic. Phase 2 authorization then proceeds as previously configured in the product UI and requires ABBYN's approval.

Modify the CONTRACT-HIRE-APPROVAL user class

Currently, participants for the CONTRACT-HIRE-APPROVAL user class are specified as users whose department is HR-RECRUIT. You will modify the profile attribute value to use HR-ADMIN instead.

  1. Log in to the Bravura Security Fabric Front-end (PSF) as superuser.

  2. Click Manage the system > Policies > User classes.

  3. Search for and select the CONTRACT-HIRE-APPROVAL user class.

  4. Click on the Criteria tab.

  5. Under Participants have profile attributes matching:, select the USERID row.

  6. Change the Value to HR-ADMIN.

    (Screenshot: lab-auth-rule-modify-user-class)
  7. Click Update.

Test the new authorization
  1. Log in to the Front-end (PSF) as BERNAP.

  2. Click Create a new user profile.

  3. Select the Hire a new engineer pre-defined request.

  4. On the request wizard pages, enter the following information:

    • First name Engineer

    • Last name Authorization

    • Type of user Employee

    • Employee number E1234567

    • Department ENG-PM

    • Mother's maiden name Bravura

  5. After entering the Mother's maiden name on the Personally identifying information page, click Submit to skip the Change role membership page.

  6. View the request details and the authorizers assigned.

    (Screenshot: lab-auth-rule-test)

    The request will have multiple authorizers:

    • BERNAP and other members of the CONTRACT-HIRE-APPROVAL user class (MERRIJ, BRUCEN, HEATHV, DARAK, KASEYA, SHEBAC, HARRIMO1, ABBYN, TIERRC, TANNES, ELLIOC, JOHNBO, DONNP) are added as authorizers.

    • Phase one authorization is already complete since the system has automatically provided approval for BERNAP's authorization. This is because the product is configured for authorizations to auto-approve for the authorizer if they are also the requester, as BERNAP is. Due to BERNAP's approval, authorization from other members of his user class is no longer needed.

      The rule set in the im_policy_authorization extdb table applies only to phase one authorization. Phase two authorization is therefore still taken from the authorization rules set for templates, groups, roles, etc.

    • We set up the AD_TEMPLATE template account to require authorization from the requester’s direct manager; therefore, ABBYN, as direct manager for BERNAP, is also added for phase two authorization.

  7. Complete the second authorization phase of the AuthorEn request by logging in to Bravura Security Fabric as ABBYN and approving the request.

  8. Review the request; its status should change to "Approved, performing requested operations" and then to "Processed".

    (Screenshot: lab-auth-rule-test2)

If the approved AuthorEn request shows "Processed" after completing the approval process, then you know you have completed the lab successfully.
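The behaviour this lab exercises (a phase 1 "replace" rule that swaps in a user class with MinAuthorizers 1, the requester's approval being applied automatically, and phase 2 still coming from the AD_TEMPLATE manager rule) can be checked against a small model before you touch the real table. The following Python is an added example and is not Bravura Security Fabric code: the rule dictionary uses the column names and values entered in the lab, but the evaluation functions, the Phase dataclass, the "OWNER-PLACEHOLDER" baseline authorizer, the reduced user-class membership and the BERNAP-to-ABBYN manager mapping are constructed assumptions used to illustrate the semantics the lab describes.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

# The rule exactly as the lab enters it (column names are the page's).
CONTRACT_HIRE_RULE = {
    "StageNumber": 1,
    "RuleNumber": 29,
    "SkipRemaining": "Stage",
    "PDRid": "NEW-ENGINEER",
    "ResourcesOnly": False,
    "Action": "replace",
    "AuthUserclass": "CONTRACT-HIRE-APPROVAL",
    "MinAuthorizers": 1,
    "AutoReject": False,
    "Phase": 1,
    "Authnote": "Authorization required from users who approve contracts",
}

# Constructed sample data: a subset of the user-class members the lab lists,
# and the manager relationship the lab relies on for phase 2.
USER_CLASSES: Dict[str, Set[str]] = {
    "CONTRACT-HIRE-APPROVAL": {"BERNAP", "MERRIJ", "BRUCEN", "ABBYN"},
}
MANAGER_OF = {"BERNAP": "ABBYN"}


@dataclass
class Phase:
    authorizers: Set[str]
    min_approvals: int
    approvals: Set[str] = field(default_factory=set)
    note: str = ""

    def complete(self) -> bool:
        return len(self.approvals) >= self.min_approvals


def baseline_phases(requester: str) -> Dict[int, Phase]:
    """Assumed baseline from template/group/role rules: a constructed
    phase-1 owner, and (per the lab's AD_TEMPLATE setting) the requester's
    direct manager in phase 2."""
    return {
        1: Phase({"OWNER-PLACEHOLDER"}, 1),
        2: Phase({MANAGER_OF[requester]}, 1),
    }


def apply_rules(requester: str, pdr_id: str, rules: Iterable[dict],
                auto_approve_requester: bool = True) -> Dict[int, Phase]:
    """Assumed evaluation: rules run in stage/rule order; a matching 'replace'
    rule swaps the authorizers of its phase only; SkipRemaining 'Stage' stops
    further rules in that stage."""
    phases = baseline_phases(requester)
    skipped_stages: Set[int] = set()
    for rule in sorted(rules, key=lambda r: (r["StageNumber"], r["RuleNumber"])):
        if rule["StageNumber"] in skipped_stages or rule["PDRid"] != pdr_id:
            continue
        if rule["Action"] == "replace":
            phases[rule["Phase"]] = Phase(
                set(USER_CLASSES[rule["AuthUserclass"]]),
                rule["MinAuthorizers"],
                note=rule["Authnote"],
            )
        if rule["SkipRemaining"] == "Stage":
            skipped_stages.add(rule["StageNumber"])
    if auto_approve_requester:
        # The lab notes the product auto-approves when the requester is an authorizer.
        for phase in phases.values():
            if requester in phase.authorizers:
                phase.approvals.add(requester)
    return phases


def approve(phases: Dict[int, Phase], user: str) -> None:
    """Record an approval on the first incomplete phase, if the user may act there."""
    for number in sorted(phases):
        phase = phases[number]
        if not phase.complete():
            if user in phase.authorizers:
                phase.approvals.add(user)
            return  # later phases wait until this one completes


def status(phases: Dict[int, Phase]) -> str:
    return "Processed" if all(p.complete() for p in phases.values()) else "Pending authorization"


def run_lab() -> dict:
    """Replay the lab: BERNAP submits NEW-ENGINEER, then ABBYN approves phase 2."""
    phases = apply_rules("BERNAP", "NEW-ENGINEER", [CONTRACT_HIRE_RULE])
    after_submit = {n: (sorted(p.authorizers), p.complete()) for n, p in phases.items()}
    approve(phases, "ABBYN")
    return {"after_submit": after_submit, "final_status": status(phases)}


if __name__ == "__main__":
    print(run_lab())
```

Running `run_lab()` shows phase 1 already complete at submission (BERNAP is both requester and a CONTRACT-HIRE-APPROVAL member), phase 2 holding only ABBYN, and the status reaching "Processed" only after ABBYN approves; calling `apply_rules` with an empty rule list shows the placeholder phase-1 owner staying in place, which is the difference the im_policy_authorization row makes.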