Skip to main content

About authorization

How authorizers are assigned

When a request is issued, Bravura Security Fabric notifies authorizers based on the entitlement, or some business logic via a workflow plugin.

Authorizers are notified of their tasks by email. Bravura Security Fabric also displays task links at the top of the main menu to notify the authorizers that they have requests to review.

Delegation and escalation

Bravura Security Fabric users can act on behalf of other users in one of two ways:

  • Delegation – A user can request to delegate all their responsibilities or a single request to another user. A delegation manager can also delegate a user’s responsibilities to a third party.

  • Escalation – When an authorizer fails to act on a workflow request in a timely manner, the request can be escalated to another user higher in the organization.

    If escalation is not configured, the request remains in the pending requests queue until it is approved or denied by one or more authorizers.

When escalation or delegation occurs, the user who takes over will be able to act as the original authorizer, with the same privileges, when dealing with the request.

Delegates are notified of their tasks by email. Bravura Security Fabric also displays task links at the top of the main menu to notify the users that they have requests to review as a delegate.

See:

Automatic approval of requests

Bravura Security Fabric can automatically approve a request if the requester is also an authorizer assigned to the affected resource.

To turn on this option enable IDWFM AUTO APPROVE on the Workflow > Options > General menu. Installing Bravura Pattern sets the value for this option as "enabled".

A request will not be auto-approved if:

  • Authorizers must enter values for required attributes when a request is reviewed.

    Or,

  • More than one authorization is required to approve the request.

Unapproving privileged access requests

Bravura Security Fabric authorizers have the ability to 'unapprove' privileged access requests if they are originally listed as an authorizer for the request.

Unapproving a request cancels the request. The request is treated as though it was denied. The unapprove action only affects the specific request; user privileges, user access, and other requests are unaffected.

A privileged access check-out request can be unapproved when:

  • It has been approved by an authorizer.

  • It is in the ’Pending’ check-out status.

A privileged access check-out request cannot be unapproved when:

  • It is in the status of checking out.

  • The request has been processed.

A privileged access extension request can be unapproved when:

  • It has been approved by an authorizer.

  • The request has been processed.

  • The check-out will still have time remaining once the extension is removed.

A privileged access extension request cannot be unapproved when:

  • The check-out will no longer have time remaining if the extension was removed.

If you want to cancel a check-out or extension request that can no longer be unapproved, you must terminate the user’s privileged access instead. To do this, you must provide appropriate users with the ”Check in access” privilege.

Managing authorization workflow

Authorizers who are granted the role of workflow manager can also cancel any request. This extra option is available to workflow managers on the request authorization pages.

They can also act as implementers, to act or decline manual tasks, and mark the tasks as completed or cannot be completed.

In this section: