System options that can trigger external programs

Login events

The following identification and authentication events apply to all modules and can be accessed from the Configure event (ITSM) module or Manage the system > Policies > Login options :

Table 1. Login events that launch interface programs

Option	Description
USER IDENTIFY SUCCESS	A user is successfully identified by Bravura Security Fabric .
USER IDENTIFY FAILURE	A user could not be identified by Bravura Security Fabric .
FEDIDP IDENTIFY SUCCESS	A federated login attempt had its SAML request successfully parsed by Bravura Security Fabric .
FEDIDP IDENTIFY FAILURE	A federated login attempt SAML request could not be parsed by Bravura Security Fabric .
AUTH MODULE FAILURE	A user fails authentication for a module configured as part of an authentication chain.
AUTH CHAIN SUCCESS	An authentication chain step successfully authenticates a user.
AUTH CHAIN FAILURE	A user fails an authentication chain step.
USER LOGIN CHANGED	The user was successfully changed to another profile via an authentication chain.
IDAPI LOGIN FAILURE	A script fails to authenticate via API Service (`idapi`).
IDAPI LOGIN SUCCESS	A script successfully authenticates via API Service.
USER LOGIN SUCCESS	A user is successfully authenticated by Bravura Security Fabric .
USER LOGIN FAILURE	A user fails authentication.
USER LOGIN LOCKOUT	Too many invalid login attempts to the end module causes the account to be locked out.
FEDIDP AUTH SUCCESS	A user attempting federated login was successfully authenticated, and the outgoing SAML assertion was successfully signed and issued.
FEDIDP AUTH FAILURE	A user attempting federated login was successfully authenticated, but the outgoing SAML assertion could not be signed and issued.
FEDIDP SSO SESSION CREATE	A single sign-on session was successfully initiated as part of a federated login.
FEDIDP SSO SESSION DESTROY	A single sign-on session was successfully terminated.
FEDSP SAMLAUTH ISSUED	A SAML authentication request has been submitted by Bravura Security Fabric to an external identity provider.
FEDSP SAMLAUTH ASR SUCCESS	A SAML assertion from a trusted identity provider was successfully received and parsed.
FEDSP SAMLAUTH ASR FAILURE	A SAML assertion from a trusted identity provider could not be parsed.

IP lockout events

The following IP lockout options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Policies > Options.

Table 2. IP lockout events that launch interface programs

Option	Description
REMOTE IP LOCKED	Program to execute when an IP address is locked out.
REMOTE IP UNLOCKED	Program to execute when an IP address is unlocked.

User class cache events

The following user class options are triggered by the Manage the system (PSA) module, API Service, or directly by running the loaduccache program. They can be accessed from Manage the system > Maintenance > System variables or Manage the system > Policies > Options:

Table 3. User class cache events that launch interface programs

Option	Description
LOADUCCACHE FINISH	The loaduccache program finishes loading caches.
LOADUCCACHE START	The loaduccache program starts to load caches.
USERCLASS CACHE FAILURE	A userclass fails to be cached.
USERCLASS CACHE INVALIDATE SUCCESS	A userclass’ cache is explicitly invalidated.
USERCLASS CACHE SUCCESS	A userclass is successfully cached.
USERCLASS POLICY CACHE FAILURE	A userclass policy fails to be cached.
USERCLASS POLICY CACHE INVALIDATE SUCCESS	A userclass policy’s cache is explicitly invalidated
USERCLASS POLICY CACHE SUCCESS	A userclass policy is successfully cached.

Import rule events

The following options can be accessed from Manage the system > Maintenance > System variables , Manage the system > Resources> Options, or from the Import rules tab in Manage the system > Privileged access > Options:

Table 4. Import rule events that launch interface programs

Option	Description
IMPORT RULE TRIAL RUN BEGIN	An import rule trial starts.
IMPORT RULE TRIAL RUN END	An import rule trial ends.

Managed group events

The following Bravura Security Fabric options apply to all modules and can be accessed from Manage the system > Maintenance > System variables or Manage the system > Resources> Options:

Table 5. Managed group events that launch interface programs

Option	Description
KEEP INVALID MGROUP INVALIDATED	A managed group disappears from the target system.
KEEP INVALID MGROUP RESTORED	A managed group is restored on the target system.
KEEP INVALID MGROUP UNMANAGED	Bravura Security Fabric automatically stops managing a managed group.

RBAC events

The following RBAC options apply to all modules and can be accessed from Manage the system > Maintenance > System variables or Manage the system > Resources> Options:

Table 6. Role-based access control events that launch interface programs

Option	Description
RBAC ENFORCEMENT LIST BEGIN	The listing of role enforcement violations begins.
RBAC ENFORCEMENT LIST END	The listing of role enforcement violations ends.
RBAC ENFORCEMENT SUBMIT	The role enforcement requests are submitted to request workflow.
ROLE ENTITLEMENT ADD	A product administrator successfully adds an entitlement to a role.
ROLE ENTITLEMENT DELETE	A product administrator successfully removes an entitlement from a role.

Workflow general events

The following general workflow options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Workflow > Options > General:

Table 7. Workflow general events that launch interface programs

Option	Description
APPROVED EXCEPTION ADD FAILURE	An exception to a SoD rule fails to be added to the database.
APPROVED EXCEPTION ADD SUCCESS	An exception to a SoD rule is successfully added to the database.
APPROVED EXCEPTION DEL FAILURE	An exception to a SoD rule fails to be deleted from the database.
APPROVED EXCEPTION DEL SUCCESS	An exception to a SoD rule is successfully deleted from the database.
EXCEPTION DEFICIT PRIVILEGE ADD	A role-enforcement deficit exception is approved.
EXCEPTION DEFICIT PRIVILEGE DEL	A role-enforcement deficit exception is deleted.
EXCEPTION SURPLUS PRIVILEGE ADD	A role-enforcement surplus exception is approved.
EXCEPTION SURPLUS PRIVILEGE DEL	A role-enforcement surplus exception is deleted.
GROUP CREATE FAILURE	A group fails to be created.
GROUP CREATE SUCCESS	A group is created.
GROUP DELETE FAILURE	A group fails to be deleted.
GROUP DELETE SUCCESS	A group is deleted.
GROUP GROUPADD SUCCESS	A group has been successfully added to another group
GROUP GROUPADD FAILURE	A group has failed to be added to another group.
GROUP GROUPDELETE SUCCESS	A group has been successfully removed from another group.
GROUP GROUPDELETE FAILURE	A group has failed to be removed from another group.
GROUP OWNER ADD SUCCESS	A user is successfully made an owner of a group.
GROUP OWNER DELETE SUCCESS	A user’s ownership of a group is revoked.
IDACCESS TOO MANY GROUPS	A network resource plugin returns a number of groups greater than or equal to the value of the IDACCESS GROUPS THRESHOLD setting.
IMPLEMENTER POPULATED	Implementers are assigned to a resource.
NR CREATE FAILURE	Program to execute when a network resource failed to be created.
NR CREATE SUCCESS	Program to execute when a network resource is successfully created
NR DELETE FAILURE	Program to execute when a network resource failed to be deleted.
NR DELETE SUCCESS	Program to execute when a network resource is successfully deleted.
NR MOVE FAILURE	Program to execute when a network resource failed to be moved.
NR MOVE SUCCESS	Program to execute when a network resource is successfully moved.
NR UPDATE FAILURE	Program to execute when a network resource failed to be updated.
NR UPDATE SUCCESS	Program to execute when a network resource is successfully updated.
OBJECT RELATION ADD FAILURE	Program to execute when a relationship between two objects fails to be established.
OBJECT RELATION ADD SUCCESS	Program to execute when a relationship between two objects is established.
OBJECT RELATION DEL FAILURE	Program to execute when a relationship between two objects fails to be removed.
OBJECT RELATION DEL SUCCESS	Program to execute when a relationship between two objects is removed.
PREQUEST USED	A pre-defined request is used.
REMOVE ROLE FAILURE	A role fails to be removed from a user.
REMOVE ROLE SUCCESS	A role is successfully removed from a user.
USER CREATE FAILURE	An account fails to be created.
USER CREATE SUCCESS	An account is successfully created.
USER DELETE FAILURE	An account fails to be deleted
USER DELETE SUCCESS	An account is successfully deleted.
USER DISABLE FAILURE	An account fails to be disabled.
USER DISABLE SUCCESS	An account is successfully disabled.
USER ENABLE FAILURE	An account fails to be enabled.
USER ENABLE SUCCESS	An account is successfully enabled
USER GROUPADD FAILURE	A user fails to be made a member of a group.
USER GROUP ADD SUCCESS	A user is successfully made a member of a group.
USER GROUPDELETE FAILURE	A user fails to be removed from a group.
USER GROUPDELETE SUCCESS	A user is successfully removed from a group.
USER MOVECTX FAILURE	An account fails to be moved to another context.
USER MOVECTX SUCCESS	An account is successfully moved to another context.
USER UPDATE FAILURE	An account fails to be updated.
USER UPDATE SUCCESS	An account is successfully updated.
WF MODELAFTER USED	A request has been submitted using profile comparison.
WF MODELAFTER VIEW	A model user has been selected for profile comparison.
WF REQUEST ACTION FINALIZED	Some actions in a request have been finalized.
WF REQUEST COMPLETED	A request has been completed. No more actions are to be taken.
WF REQUEST DECIDED	A request has been fully decided. All actions have been approved, denied, or canceled.
WF REQUEST ONHOLD	A request has been put on hold.
WF REQUEST POSTED	A request has been posted to workflow.
WF REQUEST POST FAILURE	A request has failed to be posted to workflow.

Table 8. Workflow manager service (idwfm) events that launch interface programs

Option	Description
IDWFM EVENT ABORT	Workflow Manager Service aborts a workflow event.
IDWFM EVENT EMAIL MISSING	Workflow Manager Service detects the email address is missing for the email recipient.
IDWFM EVENT FAILURE	Workflow Manager Service fails to execute a workflow event.
IDWFM EVENT RETRY	Workflow Manager Service retries a workflow event.
IDWFM EVENT START	Workflow Manager Service starts a workflow event.
IDWFM EVENT SUCCESS	Workflow Manager Service succeeds in executing a workflow event.

Workflow OrgChart events

The following workflow certification options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Workflow > Options > OrgChart:

Table 9. Workflow OrgChart events that launch interface programs

Option	Description
ORG ROUND CANCEL	An org building round was canceled.
ORG ROUND FINISH	An org building round finished.
ORG ROUND START	An org building round starts.
ORG SEGMENT CANCEL	An org building round segment was canceled.
ORG SEGMENT FINISH	An org building round segment finished.
ORG SEGMENT START	An org building round segment starts.
USER TRANSFER FAILURE	A subordinate failed to be transferred to another manager.
USER TRANSFER PULL FAILURE	A transfer initiated by a new manager fails.
USER TRANSFER PULL SUCCESS	A transfer initiated by a new manager succeeds.
USER TRANSFER SUCCESS	A subordinate is successfully transferred to another manager.

Workflow automation events

The following workflow options can be accessed from Manage the system > Workflow > Options > Automation or Manage the system > Maintenance > System variables :

Table 10. Automated workflow events that launch interface programs

Option	Description
ACCOUNT GROUP CHANGES	The auto discovery process discovers that groups have been added to or removed from a target system since the previous auto discovery run.
AUTO ASSIGNMENT INVALID CACHE	The automatic assignment calculation was skipped due to an invalid cache of the dynamic members.
AUTO ASSIGNMENT INVALID CONFIG	The automatic assignment calculation was skipped due to an invalid configuration of the dynamic members.
OOB REQ GROUPJOIN FAILURE	An attempt to submit an automated workflow request to add a user or a group to a group, where the request is to undo or redo an out-of-band change, failed.
OOB REQ GROUPJOIN SUCCESS	An automated workflow request to add a user or a group to a group, where the request is to undo or redo an out-of-band change, failed.
OOB REQ GROUPLEAVE FAILURE	An attempt to submit an automated workflow request to remove a user or a group from a group, where the request is to undo or redo an out-of-band change, failed.
OOB REQ GROUPLEAVE SUCCESS	An automated workflow request to remove a user or a group from a group, where the request is to undo or redo an out-of-band change, failed.

Inventory events

The following inventory options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Inventory > Options :

Option	Description
INVOBJ STATE CHANGE	The state of an inventory item has been changed.

Database replication events

The following database replication options can be accessed by navigating to Manage the system > Maintenance > System variables or Manage the system > Maintenance > Options :

Table 12. Database replication events that launch interface programs

Option	Description
DB COMMIT RESUME	Database commits have been resumed on this node after a DB COMMIT SUSPEND event. Either the queue limit has been adjusted, space has been freed on the disk, or activity on the server has slowed to allow the queue to flush. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg.
DB COMMIT SUSPEND	A server has failed to send data to another server too many times, causing the send queue to be full. Database commits have been suspended on this node. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg .
DB FAILED PROC RECORDED	A server has failed to insert data into the sending queue, or has failed to run procedures from the receive queue during replication. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg .
DB QUEUE INSERT FAILURE	Data could not be inserted into the send queue or receive queue of a remote replication node. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg .
DB REPLICATION CONN FAILURE	A local replication node lost connectivity to a remote server during a periodic check of availability. The system retries connecting to the disconnected node once every 30 seconds. This exit trap will run once every 10 minutes. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg .
DB REPLICATION CONN RESTORED	A replication node successfully connects to a remote server that it had previously failed to contact. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg .
DB REPLICATION TRANS FAILURE	The database service on a replication node failed to transmit data to a connected remote node. The transmission will be retried. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg .
DB REPLICATION QUEUE DELAY PAST THRESHOLD	The queue delay of receive queues is larger than the value of DB REPLICATION QUEUE DELAY THRESHOLD.
DB REPLICATION WATERMARK WARN	The amount of data in a replication queue (to the local database or associated with a remote node) has passed a threshold. The threshold is set by Warn when percentage of maximum queue size used is, in terms of percent of disk or MB, on the Manage the system > Maintenance > Database replication menu. This event is preconfigured to run pxnull with the configuration file pxnull-replication.cfg.

File replication events

The following file replication options can be accessed by navigating to Manage the system > Maintenance > System variables or Manage the system > Maintenance > Options :

Table 13. File replication events that launch interface programs

Option	Description
FILE REPLICATION FAILURE	An error occurs during the file replication process.

Connector events

The following replication options can be accessed by navigating to Manage the system > Maintenance > System variables or Maintenance > Connector behavior > Options:

Table 14. Connector behavior events that launch interface programs

Option	Description
AGENT TIME OUT	The Bravura Security Fabric stops a connector running after the amount of time set by a target system’s Connector timeout setting.

Discovery service events

The following Discovery service options can be accessed by clicking Manage the system > Maintenance > System variables or Manage the system > Maintenance > Options :

Table 15. Discovery service events that launch interface programs

Option	Description
IDDISCOVER BATCH COMMITTED	Program to execute after discovery data is committed to staging tables.
IDDISCOVER OBJATTRMERGE PRE	Program to execute before staged target system object attributes are merged into the database.
IDDISCOVER OBJMERGE PRE	Program to execute before staged target system objects are merged into the database.
IDDISCOVER OBJRELMERGE PRE	Program to execute before staged target system object relations are merged into the database.

Password Manager service events

The following Password Manager service options can be accessed by clicking Manage the system > Maintenance > System variables or Maintenance > Services > Password Manager service :

Table 16. Password Manager service (IDPM) events that launch interface programs

Option	Description
IDPM FIND USER FAILURE	The Password Manager service attempts to check a password against password strength rules, and does not find the user in the Bravura Security Fabric database.
IDPM GROUP FAILURE	The Password Manager service attempts to synchronize a group of passwords for a user, and fails on at least one of the passwords after the specified sequence of retries.
IDPM GROUP FIRST TRY DONE	All password operations in a request have been attempted once.
IDPM GROUP NOOP	Transparent synchronization request is received for a user that does not have any other accounts to synchronize.
IDPM GROUP SUCCESS	Every password is synchronized for a user by the Bravura Security Fabric interceptor service.
IDPM REQUEUE	A single password change fails, and is queued for retries on the Bravura Security Fabric server.
IDPM SINGLE FAILURE	The Password Manager service attempts to change a single password for a user, and fails after the specified sequence of retries.
IDPM SINGLE SUCCESS	A single password is changed for a user by the Password Manager service.
IDPM STRENGTH FAILURE	The Password Manager service rejects a user’s password, because it failed at least one password policy rule. This exit point is useful for automatically sending the user a reminder describing the password policy. Known issue: Microsoft Domain Controllers trigger the Password Check notification twice when the password check fails, causing the PPCK event to trigger twice, as well as any scripting attached to this exit point. If any email is configured for this exit point, it will also be sent twice, unless the script is customized to ignore the second quick-fire event for the same account.
IDPM STRENGTH SUCCESS	A password strength check is successful.

Transaction Monitor Service events

The following Transaction Monitor Service (IDTM) options can be accessed by clicking Manage the system > Maintenance > System variables or Manage the system > Maintenance > Services > Transaction Monitor Service:

Table 17. Transaction Monitor Service events that launch interface programs

Option	Description
IDTM GROUP FAILURE	One or more actions in a workflow request fails.
IDTM GROUP SUCCESS	All actions in a workflow request succeed.
IDTM SINGLE FAILURE	An action fails on a target system.
IDTM SINGLE SUCCESS	An action succeeds on a target system.

Module and app events

Browse the OrgChart module events

The following Browse the OrgChart (IDO) module options can be accessed from Manage the system > Maintenance > System variables or < Manage the system > Modules > Browse the OrgChart (IDO) :

Table 18. Browse the OrgChart (IDO) module events that launch interface programs

Option	Description
IDO ATTACH SUBORDINATE	A user attaches a subordinate in an organization chart when using the Browse the OrgChart module.
IDO DETACH SUBORDINATE	A user detaches a subordinate in an organization chart when using the Browse the OrgChart module..
IDO TRANSFER SUBORDINATE	A user transfers a subordinate in an organization chart when using the Browse the OrgChart module..
IDO TRANSFER SUBORDINATE	A user transfers a subordinate from another manager in an organization chart when using the Browse the OrgChart module..

Manage certification process module events

The following certification options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Manage certification process (CERT):

Table 19. Manage certification process (CERT) events that launch interface programs

Option	Description
CERT REMOVE USER SUCCESS	A user is successfully removed during an access certification campaign.
CERT SIGN OFF	An access certification campaign completes.
CERT START ROUND FAILURE	An access certification campaign fails to start.
CERT START ROUND SUCCESS	An access certification campaign starts successfully.

View and update profile module events

The following View and update profile (IDR) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > View and update profile (IDR):

Option	Description
USER ATTR CHANGED	A user successfully changes an attribute.

Update security questions module events

The following Update security questions (PSQ) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Update security questions (PSQ) :

Table 21. Update security questions (PSQ) module events that launch interface programs

Option	Description
PSQ ADD FAILURE	A user tries to add one or more new question/answer pairs, but fails for some reason.
PSQ ADD SUCCESS	A user defines one or more new question / answer pairs, then submits the changes for the question set.
PSQ DELETE SUCCESS	A user deletes one or more existing question / answer pairs, then submits the changes for the question set.
PSQ DONE	A user successfully completes the minimum number of questions and answers as specified for each question set.
PSQ NOT DONE	A user fails to complete the minimum number of questions and answers as specified for each question set.
PSQ UPDATE FAILURE	A user tries to change one or more existing question / answer pairs, but fails for some reason.
PSQ UPDATE SUCCESS	A user changes one or more existing question / answer pairs, then submits the changes for the question set.

Attach other accounts module events

The following Attach other accounts (PSL) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Attach other accounts (PSL) :

Table 22. Attach other accounts (PSL) module events that launch interface programs

Option	Description
PSL DELETE FAILURE	A user tries to delete a login ID from their profile, but fails for some reason.
PSL DELETE SUCCESS	A user deletes a login ID for themselves on some system – showing that they now have a standard-name login account on that system.
PSL DONE	A user successfully attaches the minimum number of accounts specified by the PSL MIN ACCOUNTS option.
PSL DUPLICATE ALIAS	An advanced mode user tries to attach an alternate login ID that has already been assigned, and so is denied the ID.
PSL NOT DONE	A user fails to attach the minimum number of accounts specified by the PSL MIN ACCOUNTS option.
PSL UPDATE FAILURE	A user tries to change an account in their profile, but fails for some reason.
PSL UPDATE SUCCESS	A user changes an alternate login ID for themselves on at least one system.
PSL VERIFY FAILURE	A user tries to modify an ID in their profile (add, update or delete), but fails because the password provided for the login on that system could not be verified.
PSL VERIFY LOCKOUT	A user gives an invalid password too many times for an alternate login ID and is now locked out of Bravura Security Fabric .

User notifications module events

The following User notifications (PSN) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > User notifications (PSN) :

Option	Description
AUP DONE	A user accepts an acceptable use policy.
AUP NOT DONE	A user declines an acceptable use policy.

Change passwords module events

The following Change passwords (PSS) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Change passwords (PSS) :

Table 24. Change passwords (PSS) module events that launch interface programs

Option	Description
PSS CGI PLUGIN RUN	The S CHANGE EXT or S STATUS EXT external HTML plugin is run.
PSS RESET FAILURE	Bravura Security Fabric fails to change at least one password for a user in the Change passwords .
PSS RESET START	An authorized user requests one or more password changes on their own account.
PSS RESET SUCCESS	Bravura Security Fabric successfully changes a set of passwords for a user in the Change passwords .

Federation / Web Single Sign-on events that launch interface programs

The following Federation / Web Single Sign-On options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Federation / Web Single Sign-on :

Table 25. Federation / Web Single Sign-On events

Option	Description
FEDIDP IDENTIFY SUCCESS	The SamlRequest web parameter, passed during federated login, is successfully parsed by Bravura Security Fabric . This event contains the following data: The SAML request issuer. The sp_folder used by the request. Remote IP address details.
FEDIDP IDENTIFY FAILURE	The SamlRequest web parameter, passed during federated login, could not be parsed by Bravura Security Fabric . This can occur if the SamlRequest or RelayState web parameters passed by the service provider are empty or invalid. This event contains the following data: The sp_folder used by the request.
FEDIDP AUTH SUCCESS	The SAML response assertion is successfully signed and generated by the fedidp_response plugin, following a successful federated authentication. This event contains the following data: The user’s profile ID. The sp_folder used by the request. Which authentication chain was used. The initiator of the request, either _IDP_LOGIN_ or the SP name.
FEDIDP AUTH FAILURE	The SAML response assertion could not be successfully signed or generated by fedidp_response. The most common causes of this include: The Bravura Security Fabric ’s configuration for that service provider is invalid. The service provider’s template file in <Instance>\idp\<SP folder> is invalid. The user is prohibited from accessing the service provider. The fedidp_response plugin failed to respond. The SAML signing certificate is invalid. This event contains the following data: The user’s profile ID. The sp_folder used by the request. Which authentication chain was used. The initiator of the request, either _IDP_LOGIN_ or the SP name. The reason for failure, one of: Authentication failure. Sp_access violation. Assertion construction. Assertion signing.
FEDIDP SSO SESSION CREATE	This event is triggered when a new single sign-on session is created by fedidp-assert following a successful federated login. The event contains the following data: The generated SSO session ID. The time and date the session was created. The ID of the web cookie created for this session. The full chain used to authenticate this user. The IP address from which the request originated The initiator of the request, either _IDP_LOGIN_ or the SP name.
FEDIDP SSO SESSION DESTROY	An SSO session is terminated, and the session data is removed from the database. The event contains the following data: The affected session ID The time and date of termination The session key for the affected session The IP address from which the request originated.

Requests app events

The following Requests app options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Requests:

Table 26. Requests app events that launch interface programs

Option	Description
IDP ABSTAIN FAILURE	An authorizer fails to abstain from request review.
IDP ABSTAIN SUCCESS	An authorizer succeeds in abstaining from request review.
IDP APPROVE FAILURE	An authorizer’s attempt to approve a request fails.
IDP APPROVE SUCCESS	An authorizer’s attempt to approve a request succeeds.
IDP REJECT FAILURE	An authorizer’s attempt to deny a request fails.
IDP REJECT SUCCESS	An authorizer’s attempt to deny a request succeeds.
IDS DELETE FAILURE	A user’s attempt to delete their request fails.
IDS DELETE SUCCESS	A user’s attempt to delete their request succeeds.

Unlock accounts module events

The following Unlock accounts (PSK) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Unlock accounts (PSK):

Table 27. Unlock accounts (PSK) module events that launch interface programs

Option	Description
PSK UNLOCK FAILURE	An authorized user has failed to unlock one or more of the accounts that they own.
PSK UNLOCK START	An authorized user attempts to unlock one or more accounts that they own.
PSK UNLOCK SUCCESS	An authorized user successfully unlocks all selected accounts that they own.

Password synchronization registration module events

The following Password synchronization registration (PSR) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Password synchronization registration (PSR):

Table 28. Password synchronization registration (PSR) module events that launch interface programs

Option	Description
PSR CANCELLATION SUCCESS	A user disables transparent password synchronization for themselves.
PSR REGISTRATION FAILURE	A user tries to register for transparent password synchronization, but fails for some reason.
PSR REGISTRATION SUCCESS	A user registers for transparent password synchronization.

Manage tokens module events

The following Manage tokens (PSP) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Manage tokens (PSP) :

Table 29. Manage tokens (PSP) module events that launch interface programs

Option	Description
PSP CLEAR PIN FAILURE	A user fails to clear the PIN associated with a SecurID token on the RSA Authentication Manager database.
PSP CLEAR PIN SUCCESS	A user clears the PIN associated with a SecurID token on the RSA Authentication Manager database.
PSP DISABLE FAILURE	A user tries to disable a token, but fails for some reason.
PSP DISABLE SUCCESS	A user successfully disables a SecurID token.
PSP EMERGENCY OFF FAILURE	A user fails to disable emergency access mode for a token.
PSP EMERGENCY OFF SUCCESS	A user disables emergency access mode for a token.
PSP EMERGENCY ON FAILURE	A user fails to activate emergency access mode.
PSP EMERGENCY ON SUCCESS	A user successfully sets a token to emergency access mode, and receives some emergency access numbers.
PSP ENABLE FAILURE	A user tries to (re)enables a token, but fails for some reason.
PSP ENABLE SUCCESS	A user successfully (re)enables a SecurID token.
PSP RESYNCHRONIZE FAILURE	A user fails to resynchronize a token with the RSA Authentication Manager.
PSP RESYNCHRONIZE SUCCESS	A user resynchronizes a token with the RSA Authentication Manager.
PSP SETPIN FAILURE	A user fails to set a new PIN for a SecurID token on the RSA Authentication Manager database.
PSP SETPIN SUCCESS	A user sets a new PIN for a SecurID token on the RSA Authentication Manager database.

Help users module events

The following Help users (IDA) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Help users (IDA):

Table 30. Help users (IDA) module events that launch interface programs

Option	Description
ADMIN AUTH USR FAILURE	A help desk user fails to correctly answer authentication questions on behalf of a caller.
ADMIN AUTH USR SUCCESS	A help desk user correctly answers authentication questions on behalf of a caller, or bypasses the security questions.
ADMIN CGI PLUGIN RUN	The external HTML plugin, specified by A RESET EXT, is run.
ADMIN DELALIAS FAILURE	A help desk user fails to delete a user’s account.
ADMIN DE ALIAS SUCCESS	A help desk user successfully deletes a user’s account.
ADMIN DISABLE USER	A help desk user disables a user’s login ID.
ADMIN DUPLICATE ALIAS	A help desk user tries to attach an account for a user when the account is already in use.
ADMIN ENABLE USER	A help desk user enables a user’s login ID
ADMIN QAADD FAILURE	A help desk user tries to add one or more new question/answer pairs for a user, but fails for some reason.
ADMIN QAADD SUCCESS	A help desk user defines one or more new question/answer pairs for a user, then submits the changes for the question set.
ADMIN QADELETE SUCCESS	A help desk user deletes one or more existing question/answer pairs for a user, then submits the changes for the question set.
ADMIN QAUPDATE FAILURE	A help desk user tries to change one or more existing question/answer pairs for a user, but fails for some reason.
ADMIN QAUPDATE SUCCESS	A help desk user changes one or more existing question/answer pairs for a user, then submits the changes for the question set.
ADMIN RESET FAILURE	A help desk user with the ”change password” privilege fails to change a user’s password.
ADMIN RESET START	A help desk user with the ”change password” privilege starts to change a user’s password.
ADMIN RESET SUCCESS	A help desk user with the ”change password” privilege successfully changes a user’s password.
ADMIN SEARCH FAILURE	A caller account is not found in a search using the Help users .
ADMIN SEARCH SUCCESS	A caller account is successfully found in a search using the Help users .
ADMIN UNLOCK FAILURE	A help desk user fails to unlock a user.
ADMIN UNLOCK START	A help desk user starts to unlock a user.
ADMIN UNLOCK SUCCESS	A help desk user successfully unlocks a user.
ADMIN UNLOCK USER	A user unlocks another user.
ADMIN UPDALIAS FAILURE	A help desk user fails to update a user’s accounts.
ADMIN UPDALIAS SUCCESS	A help desk user successfully updates a user’s accounts.

Manage the OrgChart module events

The following Manage the OrgChart (IDG) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Manage the OrgChart (IDG) :

Table 31. Manage the OrgChart (IDG) module events that launch interface programs

Option	Description
IDG ATTACH SUBORDINATE	A user attaches a subordinate in an organization chart when using the Manage the OrgChart module.
IDG DETACH SUBORDINATE	A user detaches a subordinate in an organization chart when using the Manage the OrgChart module.
IDG TRANSFER SUBORDINATE	A user transfers a subordinate in an organization chart when using the Manage the OrgChart module.
IDG TRANSFER SUBORDINATE PULL	A user transfers a subordinate from another manager in an organization chart when using the Manage the OrgChart module.

Manage the system module events

The following Manage the system (PSA) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Manage the system (PSA) :

Table 32. Manage the system (PSA) module events that launch interface programs

Option	Description
ADMIN DISABLE SUCCESS	A product administrator successfully disables another product administrator’s user ID.
ADMIN ENABLE SUCCESS	A product administrator successfully enables another product administrator’s user ID.
ADMIN UNLOCK ADMIN	A product administrator unlocks another product administrator.
RESOURCE AUTHORIZER ADD	An authorizer is added to a resource.
RESOURCE AUTHORIZER DEL	An authorizer is removed from a resource.
RESOURCE IMPLEMENTER ADD	An implementer is added to a resource.
RESOURCE IMPLEMENTER DEL	An implementer is removed from a resource.

Digital ID events

The following Digital ID (DID) module options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Digital ID (DID):

Table 33. Digital ID events

Option	Description
DID REGISTER FAILURE	A digital ID fails to register.
DID REGISTER SUCCESS	A digital ID is successfully registered.
DID SEND SUCCESS	A digital ID is successfully uploaded.
DID UPDATE SUCCESS	A digital ID is successfully updated (after a password change using the Lotus Notes client).

Privileged access app events

The following Privileged access app options can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Privileged access:

Table 34. Privileged access app events that launch interface programs

Option	Description
IDARCHIVE MANAGEMENT GUARD EXCEEDED	The maximum number of discovered systems to onboard or offboard in single auto discovery run, as defined by IDARCHIVE MANAGEMENT GUARD, has been exceeded.
PAMLWS CONFLICT DETECTED	A system's UUID cannot be changed due to a conflict with an existing UUID.
PAM CHECKIN FAILURE	A generic access check-in has failed.
PAM CHECKIN OPERATION FAILURE	An operation ran as part of a generic access check-in has failed. This event is pre-configured to run pxnull with the configuration file pxnull-pam-cico.cfg.
PAM CHECKIN OPERATION SUCCESS	An operation ran as part of a generic access check-in is successful.
PAM CHECKIN PARTIAL	A generic access check-in is only partially successful.
PAM CHECKIN SUCCESS	A generic access check-in is successful.
PAM CHECKOUT EXPIRY	A generic access check-out expires.
PAM CHECKOUT FAILURE	A generic access check-out has failed.
PAM CHECKOUT LIMIT REACHED	The check-out limit is exceeded for generic access check-outs.
PAM CHECKOUT OPERATION FAILURE	An operation ran as part of a generic access check-out has failed.
PAM CHECKOUT OPERATION SUCCESS	An operation ran as part of a generic access check-out is successful.
PAM CHECKOUT PARTIAL	A generic access check-out is only partially successful.
PAM CHECKOUT SUCCESS	A generic access check-out is successful.
PAM CONFLICTED PASSWORDS UPDATED	Conflicting passwords are discovered and updated.
PSW MSP CHANGE	A managed system policy was directly modified by a product administrator.
RES GSET CHECKIN GRP NOT FOUND	A group cannot be located during a group-set check-in.
RES GSET CHECKIN GRP NO SUCH MEMBER	An account is not a member of a group during a group-set check-in.
RES GSET CHECKIN RETRY FAILURE	An overdue temporary group membership fails to be removed after exhausting all retries.
RES GSET CHECKIN RETRY SUCCESS	An overdue temporary group membership is successfully removed after subsequent retries.
RES PAMLWS OGRUA	The local workstation service detects an out-of-band group membership addition.

Session Monitor app events

The following Session monitor app events can launch interface programs and can be accessed from Manage the system > Maintenance > System variables or Manage the system > Modules > Session monitor:

Table 35. Session monitor app (SMON) events that launch interface programs

Option	Description
SMON ADMIN SESS TERM	An administrator terminates the session recording
SMON ADMIN SESS TERM REQ	An administrator terminates the session recording request.
SMON EVT PARSE ERR	A damaged or unparsable event is received.
SMON PKG DOWNLOAD	A recorded session package is downloading.
SMON PKG FAILED	An error occurs in generating the recorded session package.
SMON PKG REQ	Starting the recorded session package request.
SMON PKG SUCCESS	A recorded session package is successfully generated.
SMON SEARCH	Starting the recorded session search.
SMON SESSION END	A session recording ends.
SMON SESSION START	A session recording starts.

Privileged access management events

The following options can be accessed from:

The Configure event (ITSM) module
or
Manage the system > Privileged access > Options
or
Manage the system > Privileged access > Managed system policies <managed system policy> > Options .

Managed system policy exit points do not override global settings and vice versa; however, in the case where an exit point is configured to run the same program from both locations, only one instance of the program is run.

The system always defaults to request access events before generic events are fired. For example, PAM CHECKOUT EXPIRY will not fire if RES CHECKOUT EXPIRY has been triggered. Events defined for "Account access request", "Account set access request" and "Group set access request" will always fire instead of generic events.

The following settings relate to general privileged access management events and can be set in the Managed system policies tab:

Table 36. Privileged managed systems policies events that launch interface programs

Option	Description
RES ADD WSTN FAILURE	A system fails to be added to the list of managed systems.
RES ADD WSTN SUCCESS	A system is successfully added to the list of managed systems.
RES DEL GROUP FAILURE	A policy fails to be removed from the list of managed system policies.
RES DEL GROUP SUCCESS	A policy is removed from the list of managed system policies.
RES DEL WSTN FAILURE	A managed system fails to be removed from the list of managed systems. The trap is triggered when: A system (push, local service, or user managed) is successfully deleted from the list of managed systems. The Automatically create a Privileged Access Manager managed system option is unchecked on the Target system information page for a push mode managed system. The push mode managed system is deleted from the list of target systems.
RES DEL WSTN SUCCESS	A system is removed from the list of managed systems.
RES GROUP WSTN FAILURE	A system fails to be added to a managed system policy.
RES GROUP WSTN SUCCESS	A system was successfully added to a managed system policy. The exit point is triggered when: A managed system is manually added to a managed system policy. A managed system can be added to a policy from either the Managed systems menu or the Managed system policies menu. The exit point is triggered in both scenarios. A local service mode system successfully adds itself as a managed system. A PSLang expression or plugin is used to add a managed system to a managed system policy.
RES ID CONFLICT	Local service mode managed systems with conflicting system identifiers are detected. The Privileged Access Manager Local Workstation Service (`hipamlws`) on the affected system will be shut down.
RES REINSTALL	A local service is reinstalled.
RES UNGROUP WSTN FAILURE	A managed system is successfully removed from a managed system policy. The trap is not triggered when a managed system is deleted from the list of managed systems, even though that also removes the system from all the policies it belongs to.
RES UNGROUP WSTN SUCCESS	The configuration settings of a managed system fail to be updated from the Request privileged access (PSW) module.
RES UPDATE WSTN FAILURE	A managed system fails to be removed from a managed system policy.
RES UPDATE WSTN SUCCESS	The configuration settings of a managed system are successfully updated from the Request privileged access (PSW) module.

Password randomization events that launch interface programs

The following settings relate to password randomization events and can be set in the Password randomization tab:

Table 37. Password randomization events that launch interface programs

Option	Description
PAMSA ORCHESTRATION END FAILURE	Subscriber orchestration is completed with failures. This trap is used for the Bravura Privilege Pattern .
PAMSA ORCHESTRATION START SUCCESS	Subscriber orchestration is completed successfully. This trap is used for the Bravura Privilege Pattern .
PAMSA SUBSCRIBER NOTIF FAILURE	Subscriber notification plugin requests password randomization to be blocked. This trap is used for the Bravura Privilege Pattern .
RES CONFIRM PASSWORD FAILURE	A managed system fails to change the password for the managed user.
RES CONFIRM PASSWORD SUCCESS	A managed system successfully changes the password for the managed user.
RES DEL WSPW FAILURE	A user fails to be removed from the list of managed system users.
RES DEL WSPW SUCCESS	A user is removed from the list of managed system users. The trap is triggered when an account is deleted from a list of managed accounts. The trap is not triggered when a managed system policy is deleted, even though the policy contains managed accounts and those accounts are deleted as well.
RES PASSWORD PUSHED	A password on a managed account is changed on a push-mode managed system.
RES PASSWORD SYNCHRONIZATION FAILURE	A password fails to be synchronized based on the synchronization scope of the managed system policy. If the synchronization scope is set to “Synchronize all accounts in policy”, then this triggers when at least one account in the policy fails to synchronize. If the synchronization scope is set to “Synchronize accounts with same ID”, then it triggers once for each unique account ID when at least one of the managed systems with that account ID fails to randomize. This event also triggers action for all subsequent retries to update the password until all passwords in a group are synchronized again. Data provided here include the ResGroup, accountid (if synchronization scope is set to “Synchronize accounts with same ID"), password used, and when the synchronization was attempted. To learn which accounts failed to be reset, use the RES CONFIRM PASSWORD FAILURE event action.
RES PASSWORD SYNCHRONIZATION SUCCESS	A password is successfully synchronized on all managed systems in a managed systems policy. Data provided here include the ResGroup, accountid (if synchronization scope is set to “Synchronize accounts with same ID"), password used, and when the synchronization was attempted.
RES RESET PASSWORD FAILURE	A product administrator fails to override a managed system password.
RES RESET PASSWORD SUCCESS	A product administrator overrides a managed system password.
RES WRITE PASSWORD FAILURE	A managed system user password fails to be committed to the database
RES WRITE PASSWORD SUCCESS	A managed system user password is committed to the database.
SERVER INFO FAILURE	A Transaction Monitor Service (`idtm`) server information operation fails. This trap is used for the Bravura Privilege Pattern .
SERVER INFO SUCCESS	An Transaction Monitor Service (`idtm`) server information operation succeeds. This trap is used for the Bravura Privilege Pattern .
UPDATE RESOURCE FAILURE	An Transaction Monitor Service (`idtm`) server update resource operation fails. This trap is used for the Bravura Privilege Pattern .
UPDATE RESOURCE SUCCESS	An Transaction Monitor Service (`idtm`) server update resource operation succeeds. This trap is used for the Bravura Privilege Pattern .

Account access request events that launch interface programs

The following settings relate to account access request events and can be set in the Account access request tab:

Table 38. Account access request events that launch interface programs

Option	Description
RES ACCESS REVOCATION CHECKIN	Program to execute when an account access check-in action has failed.
RES CHECKIN FAILURE	A password check-in action has failed.
RES CHECKIN SUCCESS	A password check-in action is successful.
RES CHECK OUT EXPIRY	A checked out password expires.
RES CHECKOUT FAILURE	A password check-out action has failed.
RES CHECKOUT LIMIT REACHED	The check-out limit is exceeded.
RES CHECKOUT SUCCESS	A password check-out action is successful. Information passed to this exit trap includes the status of all requests on the password.
RES REQUEST PASSWORD FAILURE	<idarchive> fails to generate a random password.
RES REQUEST PASSWORD SUCCESS	<idarchive> generates a random password.
RES VIEW PASSWORD	A product administrator requests access to a privileged account on a managed system.
RES VIEW PASSWORD HIS	A product administrator requests to access privileged account access history on a managed system. The trap is triggered when a user views the access history of a managed account. The account can viewed from either the Managed system policies or Managed systems menus. Viewing a privileged account’s access history from either location triggers the exit trap.

Account set events that launch interface programs

The following settings relate to account set requests and can be set in the Account set access request tab:

Table 39. Account set events that launch interface programs

Option	Description
RES MAQ ACCESS REVOCATION CHECKIN	An account set access is checked in by another user.
RES MAQ CHECKIN FAILURE	An account set access check-in has failed.
RES MAQ CHECKIN SUCCESS	An account set access check-in is successful.
RES MAQ CHECKOUT EXPIRY	A checked out account set access expires.
RES MAQ CHECKOUT FAILURE	A checked out account set access has failed.
RES MAQ CHECKOUT LIMIT REACHED	An account set access check-out limit has exceeded.
RES MAQ CHECKOUT PARTIAL	An account set access check-out is partially successful.
RES MAQ CHECKOUT SUCCESS	An account set access check-out is successful.

Group set request events that launch interface programs

The following settings relate to group set requests and can be set in the Group set access request tab:

Table 40. Group set request events that launch interface programs

Option	Description
RES GSET ACCESS REVOCATION CHECKIN	A group set access check-in action has failed.
RES GSET CHECKIN FAILURE	A group set check-in action has failed.
RES GSET CHECKIN PARTIAL	A group set check-in action is partially successful.
RES GSET CHECKIN SUCCESS	A group set check-in action is successful.
RES GSET CHECKOUT EXPIRY	A checked out group set request expires.
RES GSET CHECKOUT FAILURE	A group set check-out action has failed.
RES GSET CHECKOUT LIMIT REACHED	A group set check-out limit has been exceeded.
RES GSET CHECKOUT PARTIAL	A group set check-out action is partially successful.
RES GSET CHECKOUT SUCCESS	A group set check-out action is successful.

In this section: