Rewriting custom requests
You can use a plugin to rewrite custom or legacy requests to dynamically attach or detach resources. This plugin works in a similar way to the operation rewrite plugin. Alternatively, use the workflow wizard plugin to rewrite pre-defined requests.
The request rewrite plugin is suited to situations where authorizers need to see the implications of a request, and to audit access changes before and after a request.
The request rewrite plugin allows the attached resources to be mandatory or optional. Optional resources can be unselected by the requester. Mandatory resources remain selected and cannot be removed by the requester.
The request rewrite plugin allows the auto-selection of resources. This auto-selection relies on profile and request attributes.
The request rewrite plugin executes whenever a change is made to the request. Changes can come from profile and request attribute changes, resource selection, or resources being added or removed by the CGIs. The request rewrite plugin also runs when the Bravura Security Fabric API submits a request to the Workflow Manager Service (idwfm).
The following use cases demonstrate how the request rewrite plugin might be used:
Use case 1: Map location and job code changes to account and group changes
A request to change the "Job code" or "Location" attributes of an existing user is submitted, either by a requester or by the automated user administration system (idtrack). The company's business rules state that a change to either of these attributes means that the user's accounts and group memberships must also change.
The Workflow Manager Service (idwfm) calls the request rewrite plugin so that the authorizer can see the full impact of the request. For auditing purposes, the resulting connector operations can be traced back to the original request.
Use case 2: Event actions based on new IDTM operations
A single delete operation on a target system that is a source of Profile IDs is converted into disable operations on all accounts owned by the user. The USER DELETE SUCCESS exit trap needs to be configured to update the database with information about the disabled accounts.
If the operation is “fanned out” after authorization by the operation rewrite plugin, the exit trap can only act on the single delete operation.
If the request is converted before authorization by the request rewrite plugin, information about multiple disable account requests can be used by the exit trap.
These cases require a plugin that can translate a request into 0 or more operations before the request is approved and transferred to the Transaction Monitor Service. The request rewrite plugin is used by the Workflow Manager Service, which is responsible for handling the authorization workflow, and receives feedback from the Transaction Monitor Service.
Once the request is posted, authorizers are attached to authorize the resources of the request. If the plugin modifies the posted request to:
Remove resources, the attached authorizers are reviewed. Any authorizers are detached if there are no resources that require their authorization. Bravura Security Fabric sends detached authorizers an email to notify them that their authorization is no longer required.
Add resources, then Bravura Security Fabric determines what authorizers need to be attached to the request for the new resources. Bravura Security Fabric sends newly attached authorizers an email to notify them that their authorization is required for the request.
To use this plugin, type the name of the plugin in the IDWFM REQUEST REWRITE PLUGIN field on the Workflow > Options > Plugins configuration page. For Bravura Privilege requests, type the name of the plugin in the PAM IDWFM REQUEST REWRITE PLUGIN field instead.
There are no shipped plugins in use with this plugin point.
Requirements
See Writing plugins for general requirements.
Execution points
The plugin is run by the Workflow Manager Service:
When a requester updates profile and request attributes
Before requests have been submitted, when requests are created
After requests have been submitted
After the attribute validation plugin has run and before the ID assignment plugin has run
If an authorizer modifies attributes
Input
Input to the plugin includes:
"" "" = {
    "module" = "idwfm"
    "sessionid" = "<session ID>"     # The session ID of the logged-in viewer/requester
    "navigation" "" = { ... }        # User navigation data
    "firstrun" = "<true|false>"      # true on the first run of the plugin for this request;
                                     # false on every later run
    "preselect_role" = "1"           # Sent to the plugin before users make a role selection in the CGIs
    "postselect_role" = "1"          # Sent to the plugin after changes to the roles are made by the CGIs
    "preselect_template" = "1"       # Sent to the plugin before users make a template selection in the CGIs
    "postselect_template" = "1"      # Sent to the plugin after changes to the templates have been made by the CGIs
    "preselect_nosgroup" = "1"       # Sent to the plugin before a managed groups selection is displayed by the CGIs
    "postselect_nosgroup" = "1"      # Sent to the plugin after changes to managed groups have been made by the CGIs
    "recipient" "user" = { }         # Recipient's data (present when the recipient is an existing user)
    "model" "user" = { }             # Data of the model user used in profile comparison
    "request" "" = {                 # Standard request data listing resources
        "resource" "" = { }
    }
    "requester" "user" = { }         # Requester's data
}
Note
Authorizer-related parameters are place holders for future extension. Do not use them for this plugin.
The request rewrite plugin is launched before parameters such as authorization are committed; for example, when the plugin launches during request submission, it may modify some actions, requiring authorizers to be assigned after it is run.
The following is an example of the input to the request rewrite plugin:
# KVGROUP-V1.1
"" "" = {
    "sessionid" = "Scf7e0618-8b44-4304-aed0-cabd17e45ed2"
    "module" = "idwfm"
    "firstrun" = "false"
    "navigation" "" = {
        "wfpage" = "requestsubmitpredefinedrequest"
        "prequest" = "UPD-SELF-CONTACT"
    }
    "event" = "EVENT_POST_BATCH"
    "request" "" = {
        "requestID" = "5488CCB03DB901864DE53DDB63695AE7"
        "macroStatus" = "U"
        "requester" = "WOOD0000"
        "requesterName" = "Maddox, Woodrow"
        "requesterEmail" = "woodrow.maddox@norse.bravurasecurity.com"
        "recipient" = "WOOD0000"
        "recipientEmail" = "woodrow.maddox@norse.bravurasecurity.com"
        "entryDate" = "1418251465"
        "notes" = ""
        "reason" = ""
        "segment" = ""
        "reservationid" = "00000000-0000-0000-0000-000000000000"
        "autoressig" = ""
        "prequest" = "UPD-SELF-CONTACT"
        "resource" "5488CCB5CEA4B8264491733F52D03D02" = {
            "longIDSet" = "false"
            "itemType" = "accountID"
            "targetid" = "AD"
            "accountID" = "WOOD0000"
            "userid" = "WOOD0000"
            "enact" = "true"
            "pseudoOp" = "false"
            "pseudoTag" = ""
            "pseudoData" = ""
            "finalized" = "false"
            "authtype" = "P"
            "operation" = "UPDT"
            "status" = "O"
            "statusreason" = ""
            "notes" = ""
            "reason" = ""
            "result" = "I"
            "implicit" = "true"
            "groupApproval" = "00000000-0000-0000-0000-000000000000"
            "parentRole" = ""
            "autoselect" = "none"
        }
        "attribute" "EXCHANGE-ALIAS" = {
            "value" "" = {
                "value" = "WOOD0000"
            }
        }
        "attribute" "HOME-COUNTRY" = {
            "value" "" = {
                "value" = "United States"
            }
        }
        "attribute" "PROFILEID" = {
            "value" "" = {
                "value" = "WOOD0000"
            }
        }
        "attribute" "WORKLOC-AD" = {
            "value" "" = {
                "value" = "Building Floor Cubicle "
            }
        }
    }
    "recipient" "user" = {
        "id" = "WOOD0000"
        "name" = "Maddox, Woodrow"
    }
    "requester" "user" = {
        "id" = "WOOD0000"
        "name" = "Maddox, Woodrow"
    }
}
Output
The request rewrite plugin returns the following output:
"" "" = {
    "changed" = "true|false"           # Indicates whether the request has changed.
                                       # Defaults to true if the key is missing.
    "rerun" = "true|false|auto"        # If present and set to true, the script is rerun. If set to
                                       # false, it is not rerun. If set to auto, it is rerun only when
                                       # changes are detected from the previous run.
    "infomsg" = ""                     # Informational message, if any. Displayed in the CGIs.
    "errmsg" = ""                      # Error message, if any. Displayed in the CGIs; it represents an
                                       # error in the request that the requester needs to correct.
    "retainResources" = "<true|false>" # If true, only the resources returned are added, removed or
                                       # updated. If false, resources not returned are removed.
    "retval" = "<N>"                   # Mandatory; zero is success and non-zero is failure.
    "password" = "<newpassword>"       # Obsolete; the password has moved to the resource section.
    "skip_role" = "1"                  # If returned when preselect_role is passed in, the CGIs skip
                                       # role selection.
    "skip_template" = "1"              # If returned when preselect_template is passed in, the CGIs
                                       # skip template selection.
    "skip_nosgroup" = "1"              # If returned when preselect_nosgroup is passed in, the CGIs
                                       # skip managed group selection.
    "skip_summary_pdr" = "1"           # If set during a pre-defined request, the CGIs skip the final
                                       # summary page.
    # Followed by any number of resource entries.
    # When retainResources is true, only the resources that are updated, added or removed
    # need to be returned.
    # When retainResources is omitted or false, resources that are not returned are considered
    # removed, and every returned resource is added to or changed on the request.
    "resource" "<resource id from input>|<empty>" = {   # 0 or more
        "remove" = "true"              # If present, the resource is removed from the request.
    }
}
The following are examples of KVGroup plugin output:
To add a group membership to the request:
"" "" = {
    "changed" = "true"
    "infomsg" = ""
    "retval" = "0"
    "resource" "4E12EZ11531ABAB574AB4B4295C4872D" = {
        "authorizationsReceived" = "0"
        "authorizationsRequired" = "1"
        "authorizer" = "crysta.soria"
        "implicit" = "false"
        "itemType" = "accountID"
        "notes" = ""
        "operation" = "UPDT"
        "parentRole" = ""
        "pseudoData" = ""
        "pseudoOp" = "false"
        "pseudoTag" = ""
        "reason" = ""
        "result" = "O"
        "accountID" = "steve.benes"
        "targetid" = "NORSE"
    }
    "resource" "" = {
        "accountID" = "steve.benes"
        "itemType" = "groupID"
        "operation" = "GRUA"
        "targetid" = "NORSE"
        "groupID" = "CN=FIN-AR,OU=resources,OU=staff,DC=norse,DC=bravurasecurity,DC=com"
        "autoselect" = "true"
    }
}
To add a group membership to the request while retaining the existing resources:
"" "" = {
    "changed" = "true"
    "infomsg" = ""
    "retval" = "0"
    "retainResources" = "true"
    "resource" "" = {
        "accountID" = "steve.benes"
        "itemType" = "groupID"
        "operation" = "GRUA"
        "targetid" = "NORSE"
        "groupID" = "CN=FIN-AR,OU=resources,OU=staff,DC=norse,DC=bravurasecurity,DC=com"
        "autoselect" = "true"
    }
}
To add a group membership and a mandatory role to the request:
# KVGROUP-V1.0
"" "" = {
    "changed" = "true"
    "infomsg" = ""
    "retval" = "0"
    "resource" "3G34GB22672CDCD574BC4C4295D5983F" = {
        "authorizationsReceived" = "0"
        "authorizationsRequired" = "0"
        "autoselect" = "none"
        "groupApproval" = "00000000-0000-0000-0000-000000000000"
        "implicit" = "false"
        "itemType" = "template"
        "notes" = ""
        "operation" = "ACUA"
        "parentRole" = ""
        "pseudoData" = ""
        "pseudoOp" = "false"
        "pseudoTag" = ""
        "reason" = ""
        "result" = "O"
        "template" = "NORSE_TEMPLATE"
        "targetid" = "NORSE"
    }
    "resource" "" = {
        "itemType" = "groupID"
        "operation" = "GRUA"
        "targetid" = "NORSE"
        "groupID" = "CN=FIN-AR,OU=resources,OU=staff,DC=norse,DC=bravurasecurity,DC=com"
        "autoselect" = "true"
        "template" = "NORSE_TEMPLATE"
    }
    "resource" "" = {
        "itemType" = "role"
        "operation" = "RLUA"
        "pseudoOp" = "false"
        "autoselect" = "mandatory"
        "role" = "EXCHANGE_ROLE"
    }
}
To remove a resource and retain resources:
# KVGROUP-V1.0
"" "" = {
    "changed" = "true"
    "infomsg" = ""
    "retval" = "0"
    "retainResources" = "true"
    "resource" "3G34GB22672CDCD574BC4C4295D5983F" = {
        "removed" = "true"
    }
}
To set a default password for the resources in the request:
# KVGROUP-V1.0
"" "" = {
    "changed" = "true"
    "infomsg" = ""
    "retval" = "0"
    "resource" "3G34GB22672CDCD574BC4C4295D5983F" = {
        "autoselect" = "none"
        "enact" = "true"
        "finalized" = "false"
        "groupApproval" = "00000000-0000-0000-0000-000000000000"
        "implicit" = "false"
        "itemType" = "template"
        "longIDSet" = "false"
        "notes" = ""
        "operation" = "ACUA"
        "parentRole" = ""
        "password" = "defaultPassword"
        "pseudoData" = ""
        "pseudoOp" = "false"
        "pseudoTag" = ""
        "reason" = ""
        "result" = "O"
        "template" = "NORSE_TEMPLATE"
        "targetid" = "NORSE"
    }
}
Setting the password using the request rewrite plugin causes Bravura Security Fabric to bypass the password entry page in the View and update profile (idr) module. This overrides PASSWORD GEN PLUGIN.
The request parameter groupApproval is used to group resource authorization. Each unique groupApproval value represents a group of common resources.
For all request resources, that share the same groupApproval value, the following is true:
If authorization for any one resource is denied, the other resources in the group are denied as well. Those denials are applied once authorization for the entire request is complete.
If all resources are approved, then the group of resources can be processed.
If the request rewrite plugin omits the groupApproval or clears the value with "00000000-0000-0000-0000-000000000000", any authorization dependency is removed. If a value is set for groupApproval on an added resource, it will require authorization of other resources with the same value in addition to its own authorization.
The following is an output example of rewriting the request so that the group add operation requires the user creation to be approved in tandem:
"" "" = {
    "changed" = "true"
    "infomsg" = ""
    "retval" = "0"
    "resource" "3G34GB22672CDCD574BC4C4295D5983F" = {
        "authorizationsReceived" = "0"
        "authorizationsRequired" = "0"
        "autoselect" = "none"
        "groupApproval" = "49583745-3242-6364-3453-384850692934"
        "implicit" = "false"
        "itemType" = "template"
        "notes" = ""
        "operation" = "ACUA"
        "parentRole" = ""
        "pseudoData" = ""
        "pseudoOp" = "false"
        "pseudoTag" = ""
        "reason" = ""
        "result" = "O"
        "template" = "NORSE_TEMPLATE"
        "targetid" = "NORSE"
    }
    "resource" "" = {
        "itemType" = "groupID"
        "groupApproval" = "49583745-3242-6364-3453-384850692934"
        "operation" = "GRUA"
        "pseudoOp" = "false"
        "accountID" = "cecil.crysta"
        "targetid" = "NORSE"
    }
    "resource" "" = {
        "itemType" = "role"
        "operation" = "RLUA"
        "pseudoOp" = "false"
        "autoselect" = "mandatory"
        "role" = "EXCHANGE_ROLE"
    }
}
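The following is an added example, not Bravura Security Fabric code and not a shipped plugin. It puts the input and output formats above to work for use case 1: a small reader and writer for the KVGroup format, and a rewrite() body that, when the request carries a location attribute, adds a GRUA resource with "autoselect" = "mandatory" so the requester cannot unselect it, sets retainResources so the original resources stay on the request, returns errmsg when the location has no mapping, and adds nothing when the group is already on the request so that the plugin stays idempotent across reruns. The attribute name HOME-COUNTRY, the target ID AD, the location-to-group mapping and the sample input are constructed assumptions.

```python
"""Added example, not Bravura Security Fabric code: a minimal KVGroup reader/writer
and a request rewrite plugin body for use case 1, where a location attribute change
pulls a mandatory group membership into the request. The attribute name, target ID,
group DN mapping and sample input below are constructed assumptions."""
import re, sys

LOCATION_ATTR = "HOME-COUNTRY"  # assumed: request attribute carrying the location
GROUP_TARGET = "AD"             # assumed: target system holding the location groups
GROUP_BY_LOCATION = {           # assumed business rule: location -> group DN
    "United States": "CN=US-STAFF,OU=resources,OU=staff,DC=norse,DC=bravurasecurity,DC=com",
}
_TOKEN = re.compile(r'\s*(?:(#[^\n]*)|"((?:[^"\\]|\\.)*)"|([={}]))')

def tokenize(text):
    """Yield ('str', value) / ('punct', '='|'{'|'}'); comments (incl. the header) are dropped."""
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            if text[pos:].strip():
                raise ValueError("malformed KVGroup at offset %d" % pos)
            break
        pos = m.end()
        if m.group(2) is not None:
            yield ("str", re.sub(r"\\(.)", r"\1", m.group(2)))   # undo \" and \\ escapes
        elif m.group(3) is not None:
            yield ("punct", m.group(3))

def parse_group(toks, i=0):
    """Parse entries up to the matching '}'. An entry is (name, instance, value); value is a str
    or a nested entry list. A list, not a dict: "resource" "" may repeat in plugin output."""
    entries = []
    while i < len(toks) and toks[i] != ("punct", "}"):
        name, i = toks[i][1], i + 1
        instance = None
        if toks[i][0] == "str":          # a second string is the instance name of a group
            instance, i = toks[i][1], i + 1
        if toks[i] != ("punct", "="):
            raise ValueError("expected '=' after key %r" % name)
        if toks[i + 1] == ("punct", "{"):
            body, i = parse_group(toks, i + 2)
            entries.append((name, instance or "", body))
        else:
            entries.append((name, None, toks[i + 1][1]))
            i += 2
    return entries, i + 1

def parse(text): return parse_group(list(tokenize(text)))[0]
def esc(s): return s.replace("\\", "\\\\").replace('"', '\\"')
def scalar(name, value): return (name, None, value)

def dump(entries, indent=0):
    """Serialize entries back to KVGroup text (what the plugin writes to stdout)."""
    pad, lines = "    " * indent, []
    for name, instance, value in entries:
        if isinstance(value, list):
            lines.append('%s"%s" "%s" = {' % (pad, esc(name), esc(instance)))
            lines.extend(dump(value, indent + 1).splitlines())
            lines.append(pad + "}")
        else:
            lines.append('%s"%s" = "%s"' % (pad, esc(name), esc(value)))
    return "\n".join(lines)

def first(entries, name, instance=None):
    """Value of the first entry with this name (and instance, if given), else None."""
    return next((v for n, inst, v in entries or []
                 if n == name and (instance is None or inst == instance)), None)

def rewrite(kv_text):
    """One run of the plugin: returns the output entries, outer "" "" group included."""
    request = first(first(parse(kv_text), "", ""), "request", "")
    resources = [v for n, _, v in request if n == "resource"]
    attr = first(request, "attribute", LOCATION_ATTR)
    location = first(first(attr, "value", ""), "value") if attr else None
    group_dn = GROUP_BY_LOCATION.get(location)
    account = next((first(r, "accountID") for r in resources
                    if first(r, "itemType") == "accountID" and first(r, "targetid") == GROUP_TARGET), None)
    already = any(first(r, "groupID") == group_dn for r in resources)
    out = [scalar("changed", "false"), scalar("retval", "0")]
    if location is not None and group_dn is None:  # requester must correct the request
        out.append(scalar("errmsg", "No group mapping for location %r" % location))
    elif group_dn and account and not already:     # plugin reruns on every change: stay idempotent
        out[0] = scalar("changed", "true")
        out += [scalar("retainResources", "true"),  # resources not returned stay on the request
                scalar("infomsg", "Added %s for location %s" % (group_dn, location)),
                ("resource", "", [scalar("itemType", "groupID"), scalar("operation", "GRUA"),
                                  scalar("targetid", GROUP_TARGET), scalar("accountID", account),
                                  scalar("groupID", group_dn), scalar("autoselect", "mandatory")])]
    return [("", "", out)]

SAMPLE_INPUT = '''# KVGROUP-V1.1
"" "" = { "module" = "idwfm" "firstrun" = "true"
  "request" "" = { "requestID" = "5488CCB03DB901864DE53DDB63695AE7" "recipient" = "WOOD0000"
    "resource" "5488CCB5CEA4B8264491733F52D03D02" = { "itemType" = "accountID" "targetid" = "AD"
      "accountID" = "WOOD0000" "operation" = "UPDT" "implicit" = "true" }
    "attribute" "HOME-COUNTRY" = { "value" "" = { "value" = "United States" } } }
  "recipient" "user" = { "id" = "WOOD0000" "name" = "Maddox, Woodrow" } } '''  # constructed

if __name__ == "__main__":  # idwfm hands the request KVGroup on stdin and reads the reply on stdout
    sys.stdout.write("# KVGROUP-V1.0\n" + dump(rewrite(sys.stdin.read())) + "\n")
```

Run it with a request KVGroup on stdin and it writes the output KVGroup on stdout. The check for an existing groupID resource is the part worth copying: because the plugin runs again on every attribute change and every resource selection, a rewrite that simply appends its resource would add the same group a second time on each rerun.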