Group sets

The Privileged access app allows you to request temporary membership of privileged groups, known as group sets, on managed systems for yourself or other users. Group sets can be organized to serve a specific purpose, such as running a program or accessing a folder on a system.

If approved, you can check out the requested group set, which will allow you to log in to a specified program or access a system via a remote desktop connection.

When you check in, or a certain time expires, your access is revoked. You can check out the privileged access only once for every approved request. In some cases you may be pre-approved to check out privileged access.

Requesting group set access

Unless you have pre-approval to check out a group set, you must submit a request to be approved. If you are pre-approved, you can skip to Pre-approved access.

To request permission to check out a group set:

  1. Click Group sets under the PRIVILEGED ACCESS heading to see available group sets.

    Alternatively, you can click Recent to see group sets you have recently requested access to.

  2. Select a group set from the Results panel.

    Select the group set you want to view details about, or to request check out. Depending on the configuration, you may be able to view access status details and check-out details. Various options may be available in the Actions panel, such as:

    • Request check-out if access can be requested

    • View request if there is an existing request awaiting approval

    • Check out if there is an existing approved request for this group set

    • Configured disclosure plugins if you already have this group set checked out

  3. Click Request check-out from the Actions panel to open the request details form.

  4. Enter request details:

    1. Enter Requester notes to be displayed to the authorizers.

    2. Enter notification details if needed.

    3. Specify the period that you want the access to be available for check-out.

      • Select the Start time and End time.

        or

      • Click the Calculate end time using check-out duration check box, select a duration unit and type the number of days, hours or minutes.

      The duration is affected by the configured maximum and minimum check-out intervals. The check-out period must start later than the current time.

    Note

    If your permissions only permit check-outs to be pre-approved, you can only pre-approve check-outs for yourself.

    If no drop-down menu appears for the recipient, then the user has no applicable accounts on the managed system to request group set access for.

  5. Click the Submit button at the bottom of the request details form.

  6. The Privileged access app displays a summary of the request.

    Group inclusion rules and any changes on pre-existing groups in the group set will be evaluated once the request has been submitted.

    Bravura Security Fabric issues the request and notifies appropriate authorizers.

    If you are assigned as an authorizer capable of approving group set access check-out requests, the request may be automatically approved, depending on which managed systems you are assigned.

Checking out group set access

Once you have approval to access a group set, you can check out the group set, as long as the number of allowable concurrent check-outs has not been exceeded.

Requested and approved access

To check out a group set after your request is approved:

  1. Click Ready to check out under the REQUESTS heading.

    Alternatively, click the Your privileged access request has been approved link on the main menu.

  2. Select the group set if necessary from the Results panel.

  3. Click Check out.

    Bravura Security Fabric records that you have checked out the group set.

    By default, any group in the group set that fails to have membership applied to it is ignored. You can configure this behavior to roll back previous changes or abort any remaining changes in the event of a failure.

    You may need to click Refresh during the Checking out phase to get the current check-out status. You can also click the view icon under the View details section to view the group membership result.

The amount of time it takes to check out a group set depends on the type of managed system used to request group set access. Check-out of group sets created in a push-mode managed system policy should occur immediately. However, check-out of group sets created in a local service mode managed system policy will not be performed until the next time the Privileged Access Manager Local Workstation Service (hipamlws) polls the Bravura Privilege server.

If none of the groups in the group set has group membership added successfully, the check-out will not continue. You will then need to check out at a later time.
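The failure handling described above (ignore by default, or roll back, or abort, and no check-out when nothing is applied) can be modeled as follows. This is an added illustration, not Bravura Security Fabric code; the mode names, group names and the assumption that abort keeps memberships already applied are hypothetical.

```python
from typing import Callable, Dict, List

MODES = ("ignore", "rollback", "abort")  # hypothetical names, not product settings

def check_out_group_set(groups: List[str],
                        add_member: Callable[[str], bool],
                        remove_member: Callable[[str], None],
                        on_failure: str = "ignore") -> Dict[str, object]:
    """Apply temporary membership to every group in a group set.

    ignore   - skip the failed group and carry on (the default on the page)
    rollback - undo memberships already applied, then stop
    abort    - stop without attempting the remaining groups; this model
               assumes memberships already applied are kept
    """
    if on_failure not in MODES:
        raise ValueError(f"unknown failure mode: {on_failure}")
    applied: List[str] = []
    failed: List[str] = []
    skipped: List[str] = []
    for i, group in enumerate(groups):
        if add_member(group):
            applied.append(group)
            continue
        failed.append(group)
        if on_failure == "ignore":
            continue
        skipped = groups[i + 1:]
        if on_failure == "rollback":
            for done in reversed(applied):
                remove_member(done)
            applied = []
        break
    # With no membership applied, the check-out does not continue.
    return {"checked_out": bool(applied), "applied": applied,
            "failed": failed, "skipped": skipped}

def demo(mode: str):
    """Constructed scenario: three groups, the second cannot be updated."""
    members = set()                      # stands in for the managed system
    def add(group: str) -> bool:
        if group == "ACCT-Reports":      # constructed failure
            return False
        members.add(group)
        return True
    groups = ["ACCT-ReadOnly", "ACCT-Reports", "ACCT-Archive"]  # constructed names
    result = check_out_group_set(groups, add, members.discard, mode)
    return result, sorted(members)

if __name__ == "__main__":
    for mode in MODES:
        print(mode, demo(mode))
```

In the ignore and abort cases the check-out succeeds with fewer memberships than the group set defines, which is why the group membership result under View details is worth checking after check-out.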

If the group set has already been checked out by another user and the check-out limit has been reached, Bravura Security Fabric notifies you by email when the access is available for check out again.

Alternatively, if you already have approved access, you can also:

  1. Search for the group set you want to check out under the PRIVILEGED ACCESS heading.

  2. Select the group set you want to check out.

  3. Click Check out.

Pre-approved access

To check out pre-approved access to a group set:

  1. Click Group sets under the PRIVILEGED ACCESS heading from the Filter panel.

  2. Select a group set from the Results panel.

  3. Click Check out in the Actions panel to open the check-out details form.

  4. If you want notification sent to an address other than the one shown, change the value in Send emails to this address with information about the request.

  5. Click the Check out button.

Using group sets

Once you have checked out, you can use the available access disclosure plugins to access the group set within the time given.

Your access is revoked when the checkout time expires, you are inactive for too long, or you check in.

For information about each access disclosure plugin, see Access disclosure plugins.

Checking in group set access

To check on the expiry time and check in a group set:

  1. Click Mine under the CHECK-OUTS heading in the Filter panel.

  2. Select a group set from the Results panel.

  3. The Privileged access app displays details and available controls in the Actions panel. You can also click the view icon under the View details section to view details about a group set’s members and status.

  4. Click Check in when you no longer need access to the group set. If you need to access the group set again, you must submit another request.

Your group sets can also be checked in by searching and selecting each checked out group set under the PRIVILEGED ACCESS heading.

Use case: Request group set access

The following example shows a typical scenario, where a regular user requires temporary access to the accounting folder on the network to complete a job function.

Request group set access

To request permission to check out the accounting read only group set:

  1. From the main menu, click Privileged access. The Privileged access app will open.

  2. Click Group sets under the PRIVILEGED ACCESS heading to see available group sets.

  3. Select the group set with the description "Provides read only access to the accounting network folder" from the Results panel.

  4. Click Request check-out from the Actions panel to open the request details form.

  5. Enter Requester notes for the request:

  6. Select the Calculate end time using check-out duration checkbox and choose a 4 hour check-out duration.

    Leave all other settings as default.

  7. Click the Submit button at the bottom of the request details form.

  8. The Privileged access app displays a summary of the request.

    Bravura Security Fabric issues the request and notifies appropriate authorizers.

Check out the group set

Once the request has been approved, you can check out the group set, as long as the number of allowable concurrent check-outs has not been exceeded.

To check out a group set:

  1. Click Ready to check out under the REQUESTS heading.

  2. Select the group set if necessary from the Results panel.

  3. Click Check out.

    Bravura Security Fabric records that you have checked out the group set.

Use the group set

In this example, once you have checked out the group set you will have read only access to the accounting folder on the network. This will be enough for the user to help the accounting department for the few hours required.

The user's access will be revoked in 4 hours.