
Configuring batch notifications

Batch notifications can be triggered at certain times, or directly by an administrator. Multiple users whose passwords are about to expire or who have not complied with some requirement can be sent batch reminders, by email or some other method, advising them what to do.

No additional software installation is required for batch notification.

Example: Warning users to register security questions

The following example shows you how to set up a batch notification to disable users’ profiles if they ignore two warnings to register their security questions:

  1. Click Manage the system > Policies > User notifications > Batch notifications.

  2. Click Add new ….

  3. Type the notification ID and Description. The notification ID can only contain ASCII characters.

  4. Set the notification Severity to Warning.

  5. Set the Plugin to run to determine compliance to Security questions registration.

  6. Select the radio button for Maximum number of messages to send per user and type 2 in the adjacent field.

  7. Set the Plugin to run when reminder limit is exceeded to Disable profile.

  8. Click Add.

  9. Configure plugin options.

    For this example, only the plugin responsible for delivering the reminders requires configuration.

    1. Click the configure icon next to the Plugin to run to deliver compliance reminder field.

    2. Enter the required subject and message details. These plugins also use settings defined in the Manage the system > Workflow > Email configuration menu.

    3. Click Update.

  10. Schedule the notification:

    1. Click the Schedule tab.

    2. Configure scheduling options.

      See Scheduling batch notifications for detail.

    3. Click Add.

  11. Test the notification:

    1. While still on the Schedule tab of the batch notification, click Run now at the bottom of the page.

      You may wish to set the Maximum number of messages to send per run option on the General tab to 1, or another low number, so that you are not sending a large number of emails while testing.

    2. Open your mail server or the location where emails are being sent and view the contents of the warning messages.

      You should see that there is a message in your inbox.

Example: Configuring batch notification for password expiry

This example shows you how to set up a warning-level password expiry notification.

Requirements

This example assumes that:

  • Bravura Security Fabric and Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

  • Password expiry detection is configured.

Set up a batch notification

To set up a warning-level password expiry notification:

  1. Log in to Bravura Security Fabric as superuser.

  2. Click Manage the system > Policies > User notifications > Batch notifications.

  3. Click Add new …

  4. Type:

    • ID PASSWORDEXPIRY

    • Description Notification of pending password expiry

    The notification ID can only contain ASCII characters.

  5. Set the notification Severity to Warning.

  6. Set the Plugin to run to determine compliance to Password expiry.

  7. Select the radio button for Maximum number of messages to send per user and type 2 in the adjacent field.

  8. Click Add.

    Bravura Security Fabric warns you that the compliance plugin requires configuration.

  9. Click the configure icon next to the Plugin to determine compliance field.

  10. Configure parameters for password expiry:

    • Set the required Number of days before expiry that the user will be notified to 10,5,3,2,1.

    • In the Only calculate password expiry for accounts on these target systems field, select the Active Directory system set up in Example: Detect soon-to-expire passwords.

  11. Click Update.

  12. Navigate to the Batch notification information page for the PASSWORDEXPIRY notification.

    You can click the General tab or use the breadcrumb links.

  13. Configure the plugin responsible for delivering reminders.

    1. Click the configure icon next to the Plugin to run to deliver compliance reminder field.

    2. Enter the following:

      Mail subject Your password will expire in %DAYS% days.

      Mail message

      Dear %USERNAME%,
      Your password will expire in %DAYS% days.
      Please visit the link below to change your password.
      http://bravura-pass.example.com
      Sincerely, Support Desk Manager
  14. Click Update.

  15. Navigate to the Batch notification information page for the PASSWORDEXPIRY notification.

    You can click the General tab or use the breadcrumb links.

  16. Schedule the notification:

    1. Click the Schedule tab.

    2. Next to Days to run this job, select Only on weekdays.

    3. Enter 13:00 in the Time to run field.

    4. Click Add.


You have now configured Bravura Security Fabric to notify users that their password will expire on Active Directory in 10, 5, 3, 2 and 1 days.

Configuration detail

To configure batch notifications:

  1. Click Manage the system > Policies > User notifications > Batch notifications.

  2. Click Add new….

  3. Type the notification ID and Description. The notification ID can only contain ASCII characters.

  4. Set the notification Severity:

    • Info

      The notification is informational. The user may be requested to take action, but if he does not respond, no further action is taken.

    • Warning

      The notification is a warning. An action is requested but not forced at the current time. If the user does not comply after a certain number of warnings, Bravura Security Fabric can take another action.

  5. Determine the compliance event to trigger a notification by choosing the Plugin to run to determine compliance:

    • Password expiry

      Users’ passwords are about to expire.

    • Security questions registration

      Users have not registered their security question profiles.

    • Query USERSTAT tag

      A user information query evaluates a particular value; for example, the value exists, is true, or is less than some other value. Users who do not match the condition are notified. There are several built-in USERSTAT tags.

    • Accounts attachment

      Users do not own enough accounts, as defined by the PSL MIN ACCOUNTS system variable.

      or

      Users do not have an account on a target system which has the Users must have accounts option enabled.

    • Mobile enrollment

      Users have not enrolled a mobile device.

  6. Determine the Maximum number of messages to send per run to limit how many messages are sent out per batch run. When used together with Time interval after sending a message during which no further messages should be sent to the same user, the users that are notified in the first batch can be bypassed in the next batch. As a result, a batch notification can be sent to all users in batches, rather than all at once.

  7. Select the radio button for:

    • Maximum number of messages to send per user and type the number of messages to send

    • Unlimited reminders to keep sending reminders until the user is compliant

    • No reminders to disable the notification

  8. Set the Time interval after sending a message during which no further messages should be sent to the same user.

    Enter a number and choose an interval. For example, if this is set to 10 minutes and the plugin is run twice within 8 minutes, then any users who receive the first notification will not receive it a second time.

  9. If you defined a Maximum number of messages to send per user for a warning-level notification, determine the action to take for non-compliant users by choosing the Plugin to run when reminder limit is exceeded:

    • Set USERSTAT tag

      Sets a USERSTAT tag for a non-compliant user, and optionally deletes the tag when compliance is reached.

    • Global email plugin

      Sends an email to the user via the plugin specified by the GLOBAL MAIL PLUGIN system variable.

    • Disable profile

      Disables the Bravura Security Fabric profile of the particular user, and optionally re-enables the user when compliance is reached.

  10. If you want to stop reminders from being sent on certain dates, type them in the No reminders on these dates field.

    Type the dates one line at a time, in the format MM-DD or YYYY-MM-DD.

  11. Click Add.
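
How the per-run cap, the per-user limit, the quiet interval and the no-reminder dates from steps 6 to 10 interact can be seen in a small simulation. This is an added example, not Bravura Security Fabric code: BatchModel, simulate and demo are hypothetical names and the users are constructed. It assumes users are evaluated in list order, a blocked date skips the whole run, and the action runs once on the first run after the limit is reached.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class BatchModel:
    """Toy model of the settings above; names are hypothetical, not product APIs."""
    max_per_run: int       # Maximum number of messages to send per run
    max_per_user: int      # Maximum number of messages to send per user
    quiet: timedelta       # interval during which a user is not messaged again
    no_reminder_dates: tuple = ()   # entries in MM-DD or YYYY-MM-DD format
    sent: dict = field(default_factory=dict)       # user -> reminders received
    last_sent: dict = field(default_factory=dict)  # user -> time of last reminder
    actioned: set = field(default_factory=set)     # users the action plugin ran for

    def blocked(self, now):
        return (now.strftime("%m-%d") in self.no_reminder_dates
                or now.strftime("%Y-%m-%d") in self.no_reminder_dates)

    def run(self, now, non_compliant):
        """One batch run; returns (users reminded, users actioned)."""
        reminded, actioned_now = [], []
        if self.blocked(now):          # assumption: the whole run is skipped
            return reminded, actioned_now
        for user in non_compliant:
            if self.sent.get(user, 0) >= self.max_per_user:
                if user not in self.actioned:   # assumption: action runs once
                    self.actioned.add(user)
                    actioned_now.append(user)
                continue
            last = self.last_sent.get(user)
            if last is not None and now - last < self.quiet:
                continue               # still inside the quiet interval
            if len(reminded) >= self.max_per_run:
                continue               # per-run cap reached; keep scanning for actions
            self.sent[user] = self.sent.get(user, 0) + 1
            self.last_sent[user] = now
            reminded.append(user)
        return reminded, actioned_now

def simulate(model, start, days, users):
    """Run once a day for `days` days; nobody becomes compliant (worst case)."""
    timeline = []
    for d in range(days):
        now = start + timedelta(days=d)
        reminded, actioned = model.run(now, users)
        timeline.append((now.strftime("%m-%d"), reminded, actioned))
    return timeline

# Constructed sample: five non-compliant users, cap of 2 per run and per user.
USERS = ["u1", "u2", "u3", "u4", "u5"]

def demo():
    model = BatchModel(2, 2, timedelta(days=2), no_reminder_dates=("01-03",))
    return simulate(model, datetime(2024, 1, 1, 13, 0), 9, USERS)

if __name__ == "__main__":
    for day, reminded, actioned in demo():
        print(day, "reminded:", reminded, "action:", actioned)
```

Under these assumptions u1 is actioned on 01-05, the day after its second reminder and before u5 has received its first, so the per-run cap and the evaluation order decide how much warning each user gets before a Disable profile action.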


Next

You can now:

Tag: LASTPSL
Description: The last time the user used the Attach other accounts module. The time used is the authentication time of the session.
Example: 2021-10-28 14:40:16 (UTC-06:00)

Tag: LASTSKIN
Description: The last skin the user used.
Example: default

Tag: LASTLANG
Description: The last language the user used.
Example: en-us

Tag: LASTPWCHGMODULE
Description: The last module used to reset the user's password.
Example: pss,ida,idpm

Tag: PSLDONE
Description: The user has satisfied mandatory account requirements. This is defined by the per target system setting Users must have accounts, and the global system variable PSL_MIN_ACCOUNTS. The allowed value true is set by psdonechk or when the user or a help desk user uses the Attach other accounts module.
Example: true

Tag: PSQDONE
Description: The user has satisfied the security question requirement. The allowed value true is set by psdonechk or when the user or a help desk user uses the Update security questions module.
Example: true

Batch notification compliance plugins

Compliance plugins evaluate the attributes of a particular user and determine whether that user is compliant with the notification rule. Unlike plugins for web notifications, compliance plugins for batch notifications do not determine the text of the message to be delivered.

No configuration is required for the Security questions registration plugin for batch notifications.

Configure built-in plugins for batch notifications by clicking the configure icon next to the plugin field.

Built-in plugins available for the Plugin to run to generate a list of non-compliant users require the following parameters:

Password expiry options

Option: Number of days before expiry that the user will be notified
Description: Use comma-delimited values to set multiple notifications.

Option: Only calculate password expiry for accounts on these target systems
Description: Select the target systems on which account password expiry will be calculated. By default it calculates on all target systems listed.

Option: If password on these target systems are set to not expire, do not send notifications
Description: Select the target systems for which you do not want to send notification if the account has "Password never expires" enabled.

Option: Exclude these targets from calculating password expiry
Description: Select the target systems to exclude from notifications. This option cannot be configured at the same time as Only calculate password expiry for accounts on these target systems.

Query USERSTAT tag options

Option: Tag
Description: The name of the USERSTAT tag value to check.

Option: Comparison
Description: Select the comparison rule to determine that the tag value Must or Must not:

  • be equal to

  • be less than

  • be greater than

  • equal

Option: Value
Description: Type the value used to evaluate the tag, and select the value type.

There are several built-in USERSTAT tags.

Batch notification reminder plugins

Reminder plugins are responsible for delivering the notification in the recipients’ chosen language. Configure built-in plugins for batch notifications by clicking the configure icon next to the plugin field.

Built-in plugins available for the Plugin to run to deliver compliance reminder require the following parameters:

Option: Mail subject
Description: The message subject line can contain user-specific macros and M4 macros without embedded HTML.

Option: Mail message
Description: The message content can be up to 2000 characters long and can contain user-specific variables, as listed in Adding user-specific variables in notification messages. You can use m4 tag names to define more complex notification messages that use HTML code to enhance the presentation. See Email notification.

These plugins also use settings defined in the Manage the system > Workflow > Email configuration menu. See Email notification .

Email recipients cannot see other recipients. Mail is sent with bcc to each recipient.

Batch notification action plugins

An action plugin runs when a user has received the maximum number of notifications for a specific rule. It is responsible for taking extra action in the event of continued non-compliance. Configure built-in plugins for batch notifications by clicking the configure icon next to the plugin field.

No configuration is required for the Disable profile plugin for batch notifications.

Built-in plugins available for the Plugin to run when reminder limit is exceeded require the following parameters:

Send email options

Option: Mail subject
Description: The message subject line can contain m4 macros without embedded HTML.

Option: Mail message
Description: The message content can contain user-specific variables, as listed in Adding user-specific variables in notification messages. You can use m4 tag names to define more complex notification messages that use HTML code to enhance the presentation.

Set USERSTAT tag options

Option: Tag
Description: This is the field name in the USERSTAT table. If the field does not exist, the plugin creates it.

Option: Value
Description: Set the field value for this user.

There are several built-in USERSTAT tags.

Scheduling batch notifications

Once you have added a batch notification, you must schedule it. To do this:

  1. On the Batch notification information page for a notification, click the Schedule tab.

  2. Configure Schedule settings as listed in the table below.

    If JavaScript is enabled, options are shown or hidden depending on the Repeat type.

  3. Click Add or Update.

The scheduled job can also be viewed and modified in the Manage the system > Maintenance > Scheduled jobs menu. Bravura Security Fabric automatically adds the prefix _NFY_ to all scheduled notification jobs to distinguish them from other scheduled jobs.

Table 1. Batch notification scheduled job settings

Option: Enabled
Description: Use this to turn on the scheduled job.

Option: Run this job on this Bravura Security Fabric server
Description: Select this radio button if you want the job to run on the current server.

Option: Run this job on all Bravura Security Fabric servers
Description: Select this radio button if you have multiple Bravura Security Fabric servers and want the job to run on all servers.

Option: Repeat type
Description: Select the frequency of the scheduled job using the drop-down list.

Depending on the repeat type, set scheduling options:

  • Run once – you must select a Date and time to run this job. Click the Date and time to run field to choose the date and hour. To edit the minutes enter a time in the HH:MM format.

  • Daily – you must select which Days to run this job by selecting either Every day or Only on weekends. Enter a Time to run in HH:MM format. Select a Job time range (see below).

  • Weekly – you must Choose the days of the week to perform this task. Enter a Time to run in HH:MM format. Select a Job time range (see below).

  • Monthly – you must Choose the days of the month to perform this task. All are selected by default. Enter a Time to run in HH:MM format. Select a Job time range (see below).

  • Quarterly – you must select a Period mode, Period start date and time, Last day of the month, and/or specify the month/week/day and Time to run. There are no required options, but it won't be scheduled for a time period if none are chosen.

  • Semi-annually – you must select a Period mode, Period start date and time, Last day of the month, and/or specify the month/week/day and Time to run. There are no required options, but it won't be scheduled for a time period if none are chosen.

  • Annually – you must select a Period mode, Period start date and time, Last day of the month, and/or specify the month/week/day and Time to run. There are no required options, but it won't be scheduled for a time period if none are chosen.

Note: The default Time to run is set by Manage the system > Modules > Options > DEFAULT SCHEDULE TIME.

Option: Job time range
Description: Specify if you want your job to always run, to run for a specific length of time, or for a specific number of iterations by selecting one of the following from the drop-down list:

  • Always run – Scheduled job always runs as specified.

  • From specified start date to end date – Click the date/time fields to select a date and hour for the Start date and End date. To edit the minutes enter a time in the HH:MM format.

  • For number of iterations from specified start date – Click the date/time field to choose a date and hour for the Start date. To edit the minutes enter a time in the HH:MM format. Specify a Number of iterations to run. Your job will only run for the number of iterations you enter here.



Testing batch notifications

Bravura Security Fabric uses the ntftrigger program to communicate with the Notification Service and send out notifications. Scheduling a batch notification creates a scheduled job to run ntftrigger. You can use this program to test notifications rather than wait for the scheduled time.

To test batch notifications, on the Batch notification information page for a notification, click the Schedule tab, then select Run now.

Alternatively, type on the command line, in the util directory:

ntftrigger.exe -runbatch -notifyid <notification ID> -increment P

See usage information for ntftrigger for further details.

Restarting batch notifications

To clear records of notifications sent for a particular batch notification, click Restart at the bottom of the Batch notification information page.

You may want to do this, for example, if you change the maximum number of messages to send or other configuration settings.