Account Sets

Bravura Privilege allows you to request temporary privileged access to account sets, for yourself or other users. The account set may include accounts on different systems; however, they must belong to the same managed system policy. If approved, you can check out the requested privileged access. On account sets, privileged access can mean:

  • Access to the ID and password of an administrative account

  • Connection via remote desktop connection

  • The ability to run commands on multiple systems and accounts

  • Some other means

When you check in, or a certain time expires, your access is revoked. You can check out the privileged access only once for every approved request. In some cases you may be pre-approved to check out privileged access.

Requesting account set access

Account set check-outs are governed by the same access controls as single account access. Unless you have pre-approval, you must submit a request and receive approval before you can check out account set access.

When submitting a request, you can:

  • Create an account set

    In this process you create the account set first, which you can use again later, or modify, and share with others.

  • Request access to a pre-defined account set

    Pre-defined account sets are available if you created one earlier, or another user has created and shared one with you.

If you are pre-approved, you can skip to Pre-approved access.

Creating an account set

To create an account set:

  1. From the main menu, click Privileged access.

  2. Click Accounts under the PRIVILEGED ACCESS heading to see available accounts.

  3. From the Results panel, select the checkboxes for the accounts you want to use.

    The Privileged access app displays the Create account set action in the Actions panel if all accounts selected can be grouped as an account set.

  4. Click Create account set.

  5. Enter a description for the account set.

  6. Click Submit.

    Bravura Security Fabric saves the selected accounts as an account set that you can request access to.

Requesting access to an account set

To request access to a previously-created account set:

  1. Click Account sets under the PRIVILEGED ACCESS heading to see available account sets.

    Alternatively, you can click Recent to see account sets you have recently requested access to.

  2. Select an account set from the Results panel.

    Select the account set you want to view details about, or to request check out. Depending on the configuration, you may be able to view access status details and check-out details. Various options may be available in the Actions panel, such as:

    • Request check-out if account set access can be requested

    • View request if there is an existing request awaiting approval

    • Check out if there is an existing approved request for this account set

    • View accounts in set and/or Run command if you already have this account set checked out

    • Delete account set if you have permission to delete account sets

  3. Click Request check-out in the Actions panel to open the request details form.

  4. Enter request details:

    1. Enter Requester notes to be displayed to the authorizers.

    2. Enter notification details if needed.

    3. If the request is for another user, click the search icon under Recipient to search for the recipient’s ID.

    4. Specify the period that you want the access to be available for check-out.

      • Select the Start time and End time.

        or

      • Click the Calculate end time using check-out duration check box, select a duration unit and type the number of days, hours or minutes.

      The duration is affected by the configured maximum and minimum check-out intervals. It must start later than the current time.

  5. If the selected accounts support command execution:

    1. Select Can only execute the specified command if you want to restrict the command to be run with this request. Once the request has been approved, the command cannot be edited.

    2. Enter the command you want to run in Account set commands or search available commands. This is an optional field.

      Commands can also be specified after checking out the account set. See Running commands.

    There is a 450 character limit for commands.

  6. Enter values for other request attribute fields as required.

  7. Click the Submit button at the bottom of the request details form.

    Bravura Security Fabric issues the request, notifies appropriate authorizers, and displays a summary of the request.

Deleting account sets

You can delete account sets you have created. If you have been granted the Modify all account sets in this policy permission, you can also delete any account set belonging to that policy. To delete an account set:

  1. Click Account sets under the PRIVILEGED ACCESS heading to see available account sets.

  2. Select one or more account sets from the Results panel.

  3. Click Delete account set in the Actions panel.

  4. Confirm the deletion.

Checking out account set access

Once you have approval you can check out the account set, as long as the number of allowable simultaneous check-outs has not been exceeded.

Requested and approved access

To check out the account set:

  1. Click Ready to check out under the REQUESTS heading.

    Alternatively, click the Your privileged access request has been approved link on the main menu.

  2. Select the account set from the Results panel if necessary.

  3. Click Check out in the Actions panel.

    If an account set access has already been checked out and the check-out limit has been reached, Bravura Security Fabric notifies you when the access is available for check-out again. Bravura Security Fabric may also block the account set check-out if one of the individual accounts has reached its check-out limit.

  4. After you click Check out, a filter for the account set is saved under the CHECK-OUTS heading in the Filter panel.

Alternatively, if you already have approved access, you can also:

  1. Search for the account set you want to check out under the PRIVILEGED ACCESS heading.

  2. Select the account set you want to check out.

  3. Click Check out.

Pre-approved access

To check out pre-approved access to an account set:

  1. Click Account sets under the PRIVILEGED ACCESS heading to see available accounts.

  2. Select an account set from the Results panel.

  3. Click Check out in the Actions panel to the right to open the check-out details form.

  4. If you want notification sent to an address other than the one shown, change the value in Send emails to this address with information about the request.

  5. Click the Check out button.

Using account set access

Once you have checked out the account set, you can use the available controls to access the privileged accounts within the time given. You can access individual accounts within an account set using the same access disclosure plugins that are available in a single-account check-out.

To obtain access to a particular account:

  1. From the CHECK-OUTS heading in the Filter panel, click the link for the account set you want to access.

    The individual accounts attached to the account set will be displayed in the Results panel.

  2. Select an account from the Results panel.

  3. The Privileged access app displays available access disclosure plugins in the Actions panel to the right.

    For information about each access disclosure plugin, see Access disclosure plugins.

Running commands

In addition to the single account controls, you may have an option to execute commands on multiple accounts if your administrator configures the Run commands option.

To run commands that were specified during the check-out request:

  1. From the CHECK-OUTS heading in the Filter panel, click the link for the account set you want to access.

    The individual accounts attached to the account set will be displayed in the Results panel.

  2. Select the accounts you want to run the commands on.

    The command will be pre-filled. If Can only execute the specified command was selected at request time, you will not be able to modify the command here; otherwise, modify the command if required.

  3. Click >_Run Command.

  4. Click Run.

    There is a 450 character limit for commands.

To specify and run commands after checking out the account set:

  1. From the CHECK-OUTS heading in the Filter panel, click the link for the account set you want to access.

    The individual accounts attached to the account set will be displayed in the Results panel.

  2. Select the accounts you want to run the commands on.

  3. Click >_Run command.

  4. Specify commands in Command.

  5. Click Run.

Alternatively, you can run commands by selecting the checked out account set from the PRIVILEGED ACCESS heading.

You can also run commands across multiple account sets by selecting more than one checked-out account set and then clicking Run command. In this case, the command will run across all accounts belonging to those account sets.

Saving and loading commands

You can either manually enter commands, or save and load them.

To save commands:

  1. From the CHECK-OUTS heading in the Filter panel, click the link for the account set you want to access.

    The individual accounts attached to the account set will be displayed in the Results panel.

  2. Select the accounts you want to run the command on.

  3. Click >_Run commands.

  4. Enter the commands you want to run.

  5. Click Save.

  6. Verify your command in the pop-up.

  7. Enter a command name.

  8. Click Save.

Saved commands can be loaded anywhere a command can be specified. To load a saved command, search for existing commands, and select the desired command.

Viewing command execution status

A COMMANDS category is added to the Filter panel when at least one command execution is attempted.

To view a command's execution status:

  1. Click the link on the pop-up confirmation message, click Recent from the Filter panel and search for the command under COMMANDS.

    Select your command.

  2. Click Command status.

If the commands have been processed and an output file is saved, you can click Download to download the file.

If the commands have not been processed, you can cancel a command by selecting it and clicking Cancel command.

If the command is in "queued" status, you can cancel it before it starts running. Once it starts running, you cannot cancel it, even if it is still in the "queued" status; Bravura Security Fabric displays an error message.

Setting other options

The following options are only available if your product administrator allowed users to override them:

  • Delete command output after expiration date – select to remove an output file from the server after it expires. By default, this is selected and files are deleted in 365 days.

  • Retrieve command output and save on server – select to retrieve and save an output file. By default, this is selected.

The default Connector timeout as defined on the Target system information page is 300 seconds. Update this value if the command you are running will take longer.

Checking in account set access

If you have more than one account set checked out you can view a summary with additional information including the check-out age and time remaining for outstanding check-outs. The summary also displays alerts and warnings of check-out age and time remaining.

To view the current check-out summary for account sets:

  1. Click Mine under CHECK-OUTS from the Filter panel.

  2. Select the account set you want to view from the Results panel.

    Bravura Security Fabric displays the details in the Actions panel.

To check on the expiry time and check in an account set:

  1. From the CHECK-OUTS heading in the Filter panel, click the link for the account set you want to access.

    The individual accounts attached to the account set will be displayed in the Results panel.

  2. To view the details of the check-out, select an account from the Results panel.

    Alternatively, select the account set from Mine.

    The Privileged access app displays details and available controls in the Actions panel to the right.

  3. Click Check in account set when you no longer need the account set.

    If you need to access the account set again, you must submit another request.

Account sets can also be checked in by searching for and selecting the checked-out account set under the PRIVILEGED ACCESS heading.

Use case: Running a script via an account set

The following use case shows a typical scenario, where a network administrator needs to complete the same task on many servers. The administrator has written a script called maintenance.cmd and stored it in a shared folder on the network. In this scenario the account set already exists because the same accounts are used regularly.

Requesting access to an account set

To request access to a previously-created account set:

  1. Click Account sets under the PRIVILEGED ACCESS heading to see available account sets.

  2. Select an account set from the Results panel.

  3. Click Request check-out in the Actions panel to open the request details form.

  4. Enter request details:

    1. Enter Requester notes to be displayed to the authorizers.

    2. Enter notification details if needed.

    3. Specify the period that you want the access to be available for check-out.

      • Select the Start time and End time.

        or

      • Click the Calculate end time using check-out duration check box, select a duration unit and type the number of days, hours or minutes.

      The duration is affected by the configured maximum and minimum check-out intervals. It must start later than the current time.

  5. Click the Submit button at the bottom of the request details form.

    Bravura Security Fabric issues the request, notifies appropriate authorizers, and displays a summary of the request.

Checking out account set access

Once you have approval you can check out the account set, as long as the number of allowable simultaneous check-outs has not been exceeded.

To check out the account set:

  1. Click Ready to check out under the REQUESTS heading.

  2. After you click Check out, a filter for the account set is saved under the CHECK-OUTS heading in the Filter panel.

Running the commands

To specify and run commands after checking out the account set:

  1. From the CHECK-OUTS heading in the Filter panel, click the link for the account set you want to access.

    The individual accounts attached to the account set will be displayed in the Results panel.

  2. Select the accounts you want to run the commands on.

  3. Click >_Run command.

  4. Click the search icon.

  5. Select the required command. In this case the command is a script.

  6. Click Run.

Viewing command execution status

A COMMANDS category is added to the Filter panel when at least one command execution is attempted.

To view a command's execution status:

  1. Click the link on the pop-up confirmation message, click Recent from the Filter panel and search for the command under COMMANDS.

  2. Select your command.

  3. Click Command status.

When the command has been processed and an output file is saved, you can click Download to download the file.

Checking in account set access

To check the account set back in:

  1. Click Mine under CHECK-OUTS from the Filter panel.

  2. Select the account set you want to check in from the Results panel.

    Bravura Security Fabric displays the details in the Actions panel.

  3. Click Check in account set when you no longer need the account set.