Authorization workflow

The Functional.im_policy_authorization component, installed with Bravura Pattern, provides a policy framework to determine authorizers for different types of requests.

When installed, Functional.im_policy_authorization automatically sets the Bravura Security Fabric IDSYNCH AUTH CRITERIA MOD PLUGIN to control\plugin_authmod.py.

The im_policy_authorization table aggregates authorization rules that are set up by components. Product administrators can add new authorization rules and modify existing ones by modifying this table; to add or remove authorizers based on request attributes, requester or recipient information, and operations requested.

The rules set in the im_policy_authorization table override any settings made in the Manage the system (PSA) module.

Key parameters to set in the table include:

The component-based policy approach to authorization workflow supersedes the plugin functionality. You can access the policy via the external data store (extdb) module , rather than needing to edit script files on the Bravura Security Fabric server.

The business logic and all its effects can be analyzed in smaller cross-sections by filtering it with searches down to:

Component details

Every external database table is defined in the model.py script of the functional component, usually installed as a dependency of a scenario component.

The default component's script is component/Default/Functional/im_policy_authorization/model.py , which also imports component/Default/Functional/hid_policy_authmod/model.py .

The table model of im_policy_authorization adds columns to the ones imported from hid_policy_authmod

The names of columns can be found in the _column_order attribute of the policy class (in this case, PolicyAuthorization).

The default data that the component brings to the solution is usually in CSV files provided as part of either a functional, scenario, or pattern component. Component data at component install time can be further modified with differences specific to each environment where the instance is to be installed, in the instance's environment\ directory.

The default policy data is loaded by other components which depend on Functional/im_policy_authorization:

The functional component does not add any policy data of its own; instead it adds two options to the hid_global_configuration table:

The raw data of the policy table at any given point after component install can be found in the instance's db\extdb.db file, which is a sqlite3 database.

For troubleshooting purposes, you can view and search the database directly if needed from the command line or from a sqlite GUI like Sqlite Studio. In everyday use, it is recommended that any changes be applied through the product Manage external data store module .

As detailed in Components for authorization workflow , installing the component sets up authorization rules in the im_policy_authorization table in the external data store (extdb) . Product administrators can add new authorization rules and modify existing ones by modifying this table; to add or remove authorizers based on request attributes, requester or recipient information, and operations requested.

To access the authorization policy, log in as an administrator and navigate to Manage external data store > im_policy_authorization.

The authorization policy is a single SQL table with many columns to provides the "structure" of the policy. Not all columns need to be filled for each rule; they are present in order to provide a large degree of granularity and flexibility to the access approval solution.

This is in support of any combination of use cases in the Bravura Identity life cycle (like Leave of Absence, Rehire or Name change after a marriage). These use cases are brought into the policy by a combination of scenario components.

Each row of the table is a policy "rule", made up of three types of columns:

The policy table acts like a snowball:

You need to make changes only on the instance's primary server in a replicated environment.

Search the policy

In-depth authorization policies can be quite large. You can use the Search field on the top left side of the table view where you can add SQL WHERE clauses to filter the records, for example:

See External Data Store for general information on using the interface.

In this example you will delegate the responsibilities of the Manager of IT to another IT team member. This will allow the team member to approve or deny requests on the manager’s behalf while she is on leave.

This example assumes that:

Click below to view a demonstration showing how you can delegate the responsibilities of a Manager to another team member, allowing the delegate to approve or deny requests on the manager’s behalf while they are on leave.

Request a delegation

You can return to this page to review, update, or cancel delegations. You can update a delegation that you have made while it is pending. You can cancel a delegation that you have made at any time. This applies to delegations of your own authority as well as delegations of other users’ authority that you have made for others.

The Show all icon allows you to see expired delegation requests.

You can also request delegations for:

Respond to the request

When you receive a request for delegation, you will see a Manage delegation link on the main menu the next time you log into Bravura Security Fabric .

To respond to the request:

Test the delegation

To test the delegation, login as Debbie and request to join the IT-DB-READWRITE group. Adam is the authorizer, however, you have delegated this responsibly to Ken which means, you can authorize the request as Ken.

If you view the request details you should see the request requires authorization from Ken as a delegate for Adam.

Deny the request

Cancel the delegation

Sometimes it may be necessary to cancel the delegation before the end date. In this scenario Adam has returned from holidays a week early.

The Scenario.im_corp_delegate_filter_orgchart component provides functionality which filters the list of available users who may be delegated authorization authority based on their level in the OrgChart.

This implements an OrgChart-based filtering of potential delegates. When installed, it allows a primary to delegate only to someone on the same level (same manager) or higher on the OrgChart.

This example assumes that:

Delegate a single request

Login as Debbie to request to join the IT-DB-READWRITE group.

Adam is the authorizer. Login as Adam, then check the request and search for a possible delegate. You will find all the users in the organization are listed.

Install the Scenario.im_corp_delegate_filter_orgchart component

To install the component:

Login as Adam again, then check the request for delegation. When searching for the possible delegate, you will find only his manager and peers are listed.

If you view the request details you should see the request requires authorization from Carlos as a delegate for Adam.

Approve the request

Verify the request is processed

Bravura Security Fabric authorizers have the ability to 'unapprove' privileged access requests if they are originally listed as an authorizer for the request.

Unapproving a request cancels the request. The request is treated as though it was denied. The unapprove action only affects the specific request; user privileges, user access, and other requests are unaffected.

A privileged access check-out request can be unapproved when:

A privileged access check-out request cannot be unapproved when:

A privileged access extension request can be unapproved when:

A privileged access extension request cannot be unapproved when:

If you want to cancel a check-out or extension request that can no longer be unapproved, you must terminate the user’s privileged access instead. To do this, you must provide appropriate users with the ”Check in access” privilege.

A request can be updated and controlled using the WF WIZARD PLUGIN. The plugin can:

This plugin applies only to pre-defined requests. Custom requests or legacy requests do not execute this plugin.

To use this plugin, type the name of the plugin in the WF WIZARD PLUGIN field on the Workflow > Options > Plugins configuration page.

There are no shipped plugins in use with this plugin point.

"" "" = {
        sessionid = <id>;
        extras = { ... }; # Present when run by idwfm
        module = <ajaxsvc|idwfm>; # Program that is running the plugin
         
        wizard "" = {
                prequest "" = { ... }; # Provides the pre-defined request information
        lastRequest "" = { ... }; # Not present on initial load
        attributes "" = { ... }; # Provides recipient attribute information
         
        request "" = { ... }; # Provides request details
        }
} 

"" "" = {
  wizard "" = {
    prequest "" = { ... };  # Optional, omission indicates no changes
    request "" = { ... }; # Optional, omission indicates no changes
  }; # Optional, omission indicates no changes
  changed = <false|true>; # Optional, if false, any changes are ignored.
                          # Default is true
  retval = <N>; # Required, non-zero indicates a plugin failure
} 

You can use a plugin to rewrite custom or legacy requests to dynamically attach or detach resources. This plugin works in a similar way to the operation rewrite plugin . Alternatively use the workflow wizard plugin to rewrite pre-defined requests.

The request rewrite plugin is suited to situations where authorizers need to see the implications of a request, and to audit access changes before and after a request.

The request rewrite plugin allows the attached resources to be mandatory or optional. Optional resources can be unselected by the requester. Mandatory resources remain selected and cannot be removed by the requester.

The request rewrite plugin allows the auto-selection of resources. This auto-selection relies on profile and request attributes.

The request rewrite plugin executes whenever a change to the request is made. These changes can come from profile and request attribute changes, resource selection, or when resources are added or removed by the CGIs. The request rewrite plugin also runs when the Bravura Security Fabric API submits a request to Workflow Manager Service (idwfm).

The following use cases demonstrate how the request rewrite plugin might be used:

These cases require a plugin that can translate a request into 0 or more operations before the request is approved and transferred to the Transaction Monitor Service. The request rewrite plugin is used by the Workflow Manager Service, which is responsible for handling the authorization workflow, and receives feedback from the Transaction Monitor Service.

Once the request is posted, authorizers are attached to authorize the resources of the request. If the plugin modifies the posted request to:

To use this plugin, type the name of the plugin in the IDWFM REQUEST REWRITE PLUGIN field on the Workflow > Options > Plugins configuration page. For Bravura Privilege requests, type the name of the plugin in the PAM IDWFM REQUEST REWRITE PLUGIN field instead.

There are no shipped plugins in use with this plugin point.

"" "" = {
  "module" = "idwfm"
         
  "sessionid" = "<session ID>" # The session ID of the logged in viewer/requester
  "navigation" "" = { ... } # User navigation data
  "firstrun" = "<true|false>" # If this is the first run of the plugin for the request
                              # the value will be true; Otherwise, false.
  "preselect_role" = "1" # Sent to the plugin before users make a role selection
                         # in the CGIs.
  "postselect_role" = "1" # Sent to the plugin after changes to the
                          # roles are made by the CGIs.
  "preselect_template" = "1" # Sent to the plugin before users make a template
                             # selection in the CGIs.
  "postselect_template" = "1" # Sent to the plugin after changes to the
                              # templates have been made by the CGIs.
  "preselect_nosgroup" = "1" # Sent to the plugin before a managed groups selection
                             # displayed by the CGIs.
  "postselect_nosgroup" = "1" # Sent to the plugin after changes to managed
                              # groups have been made by the CGIs.
  "recipient" "user" = { } # Recipient's data if they are an
                           # existing user.
  "model" "user" = {} # Data of the model user used in profile comparison.
  "request" "" = { # Standard request data listing resources
    "resource" "" = {}
  }
  "recipient" "user" = {} # Recipient's data.
  "requester" "user" = {} # Requester's data.
} 

# KVGROUP-V1.1
"" "" = {
  "sessionid" = "Scf7e0618-8b44-4304-aed0-cabd17e45ed2"
  "module" = "idwfm"
  "firstrun" = "false"
  "navigation" "" = {
    "wfpage" = "requestsubmitpredefinedrequest"
    "prequest" = "UPD-SELF-CONTACT"
  }
  "event" = "EVENT_POST_BATCH"
  "request" "" = {
    "requestID" = "5488CCB03DB901864DE53DDB63695AE7"
    "macroStatus" = "U"
    "requester" = "WOOD0000"
    "requesterName" = "Maddox, Woodrow"
    "requesterEmail" = "woodrow.maddox@norse.bravurasecurity.com"
    "recipient" = "WOOD0000"
    "recipientEmail" = "woodrow.maddox@norse.bravurasecurity.com"
    "entryDate" = "1418251465"
    "notes" = ""
    "reason" = ""
    "segment" = ""
    "reservationid" = "00000000-0000-0000-0000-000000000000"
    "autoressig" = ""
    "prequest" = "UPD-SELF-CONTACT"
    "resource" "5488CCB5CEA4B8264491733F52D03D02" = {
      "longIDSet" = "false"
      "itemType" = "accountID"
      "targetid" = "AD"
      "accountID" = "WOOD0000"
      "userid" = "WOOD0000"
      "enact" = "true"
      "pseudoOp" = "false"
      "pseudoTag" = ""
      "pseudoData" = ""
      "finalized" = "false"
      "authtype" = "P"
      "operation" = "UPDT"
      "status" = "O"
      "statusreason" = ""
      "notes" = ""
      "reason" = ""
      "result" = "I"
      "implicit" = "true"
      "groupApproval" = "00000000-0000-0000-0000-000000000000"
      "parentRole" = ""
      "autoselect" = "none"
    }
    "attribute" "EXCHANGE-ALIAS" = {
      "value" "" = {
        "value" = "WOOD0000"
      }
    }
    "attribute" "HOME-COUNTRY" = {
      "value" "" = {
        "value" = "United States"
      }
    }
    "attribute" "PROFILEID" = {
      "value" "" = {
        "value" = "WOOD0000"
      }
    }
    "attribute" "WORKLOC-AD" = {
      "value" "" = {
        "value" = "Building  Floor  Cubicle "
      }
    }
  }
  "recipient" "user" = {
    "id" = "WOOD0000"
    "name" = "Maddox, Woodrow"
  }
  "requester" "user" = {
    "id" = "WOOD0000"
    "name" = "Maddox, Woodrow"
  }
} 

"" "" = {
  "changed" = "true|false" # Indicates whether request has changed.
                 # Default value is true if the key is missing.
  "rerun" = "true|false|auto" # If present in the KVGroup and set to true
         
                   # the script will be rerun.  When set to false, the
                   # script will not be rerun and when set to auto, the
                   # script will be rerun if changes are detected from the
                   # previous run.
  "infomsg" = ""   # Informational message returned, if any.
                   # The value is displayed in the CGIs if this is returned.
  "errmsg" = ""    # Error message returned, if any.
                   # The value is displayed in the CGIs if this is returned.
                   # This represents an error in the request that
                   # the requester needs to correct.
  "retainResources" = "<true|false>" # If true, only resources returned will be added, removed, updated.
                                     # If false, resources not returned will be removed.
  "retval" = "<N>" # Mandatory; zero is success and non-zero is failure
  "password" = "<newpassword>" # This is now obsolete and has been moved to
                               # resource section
  "skip_role" = "1" # If returned when preselect_role is passed in,
                    # role selection will be skipped by the CGIs.
  "skip_template" = "1" # If returned when preselect_template is passed in,
                        # template selection will be skipped by the CGIs.
  "skip_nosgroup" = "1" # If returned when preselect_nosgroup is passed in,
                        # managed group selection will be skipped by the CGIs.
        
  "skip_summary_pdr" = "1" # If set during a pre-defined request,
                           # the final summary page will be skipped by the CGIs.
  # Followed by any number of resource entries.
  # When retainResources is true, resources that are updated, added, or removed
  # are the only that need to be returned.
  # When retainResources is omitted or false, resources that are not returned
  # are considered removed.  All resources will be added or changed on the request.
  "resource" "<resource id from input>|<empty>" = {
    "remove" = "true" # If present in the KVGroup, the resource is removed
                      # from the request.
  } # 0 or more
} 

"" "" = {
  "changed" = "true"
  "infomsg" = ""
  "retval" = "0"
  "resource" "3G34GB22672CDCD574BC4C4295D5983F" = {
    "authorizationsReceived" = "0"
    "authorizationsRequired" = "0"
    "autoselect" = "none"
    "groupApproval" = "49583745-3242-6364-3453-384850692934"
    "implicit" = "false"
    "itemType" = "template"
    "notes" = ""
    "operation" = "ACUA"
    "parentRole" = ""
    "pseudoData" = ""
    "pseudoOp" = "false"
    "pseudoTag" = ""
    "reason" = ""
    "result" = "O"
    "template" = "NORSE_TEMPLATE"
    "targetid" = "NORSE"
  }
  "resource" "" = {
    "itemType" = "groupID"
    "groupApproval" = "49583745-3242-6364-3453-384850692934"
    "operation" = "GRUA"
    "pseudoOp" = "false"
    "accountID" = "cecil.crysta"
    "targetid" = "NORSE"
  }
  "resource" "" = {
    "itemType" = "role"
    "operation" = "RLUA"
    "pseudoOp" = "false"
    "autoselect" = "mandatory"
    "role" = "EXCHANGE_ROLE"
  }
} 

You can control whether authorization details about the request should be displayed to the user viewing the request. By default, all request viewers can view authorization details for all requests. Alternatively you can write a plugin that will mask authorization details for a specific type of viewer (such as recipient), or a specific type of request.

You can also Use user classes instead of using a plugin to hide authorization details to users within a specified user class. See Using user classes with plugin points for details.

The plugin is set by the Workflow > Options> Plugins >AUTHORIZATION DETAIL MASK PLUGIN field.

There are no shipped plugins for use with this plugin point.

    "" "" = {
        "viewer" "user" = {
            "id" = "<Profile ID>"
            "name" = "<Alias>"
            "viewas" "" = "<DMANAGER|WMANAGER|AUTHORIZER|REQUESTER|RECIPIENT|DELEGATE|IMPLEMENTER>"
        }
        "request" ""= {...}
    } 

output AuthMask = {
hideAuthDetails = "<true|false>";
};  

You can use the workflow view modification plugin to modify which operations are visible to viewers of workflow requests in Bravura Security Fabric . This is useful in cases where access changes such as account creation, additions to groups, or role changes are known only at an abstract level. This plugin can be used where:

This is an alternative to mapping several operations to a single request using the operation rewrite plugin. The following use cases demonstrate how the operations view modification plugin might be used:

Use case 1: Showing authorizers only what they are authorizing

Normally, authorizers can see all operations that are part of a request, including those that they are not required to authorize. This may be confusing for an authorizer who only needs to authorize part of a request, and may even lead them to mistakenly deny the request.

The workflow view modification plugin can run to only display operations for which the viewer is the authorizer.

Use case 2: Abstract modifications

The requester wants to remove a user’s “floor fire marshal” role. This entails the user being removed from a distribution list, and from three groups, and restricting their access within the building’s security system.

End users – the requester, recipient and the assigned authorizers – do not understand the list, the groups, or the security system. All they understand or care about is that the user is no longer the floor fire marshal.

The requester changes some attributes on the user’s profile page and submits the request.

Bravura Security Fabric runs the request rewrite plugin to “fan out” the request to include operations affecting the list, the groups and the security system (using an implementer target). It also includes a psuedo operation to “update the user” to remove her from the floor fire marshal role.

The workflow view modification plugin rewrites what the users see so that the request only contains the removal from the role. The plugin can make the real operation details available if the user clicks a Details button where a summary of the request is listed.

The plugin is run by the Requests app whenever a request is viewed on the request details pages.

To use this plugin, type the name of the plugin in the IDSYNCH WORKFLOW MOD VIEW PLUGIN field on the Workflow > Options > Plugins configuration page.

There are no shipped plugins in use with this plugin point. A sample, plugin-wf-modview.psl, is available in the samples\ directory.

"" "" = {
  "module" = "<module>"
         
  "recipient" "user" = { } #Recipient's data if they are an
         
                         # existing user
  "request" "" = { #Standard request data listing resources
    "resource" "" = {}
      }
  "detailResource" = "<itemID>" #If this is present,
                   # the user has just clicked the 'Details' button
                   # next to the resource with the itemID.
                   # The plugin should return only resources
                   # that are considered details of that resource.
  "requester" "user" = {} #Requester's data
         
  "viewer" "user" = {} #Viewer's data
                       # -- requester, recipient, or authorizer
   } 

"" "" = {
 "errmsg" = ""    # error message, if any
 "retval" = "<N>"   # 0 is success, anything else is failure
 "changed" = "(true|false)"  # If this is included and set to false, it
                             # will be assumed that all items will be
                             # visible.
  "resource" "" = {
                   #Followed by any number of resource entries
          "display" = "(true|false)" # If this is present and set to false,
                             # hide the resource.  If the item is not in
                             # the output, it will be displayed.
          "detailsAvailable" = "(true|false)" # If this is present and set to
                             # true, display a button to allow details to
                             # be viewed for this resource. The plugin
                             # determines what resources are considered to
                             # be details of this resource.
    }
  } 

In some organizations the creation of accounts, additions to groups, or role changes are known to users only at an abstract level. Showing what modifications are going to be done is:

Bravura Security Fabric allows you to display pseudo operations that describe what is being done at an abstract level as part of a request. The operations can be searched on and audited, but nothing is actually done by any connector. Pseudo operations simply allow end users to understand what is being requested even if they do not understand the details.

They can be standard operations that contain pseudo data; for example to add a user to a group that doesn’t actually exist on a target system. They can also be completely customized operations; for example, users can request to “update a user” to make them the new “floor fire marshal”.

The request rewrite plugin must be used to generate output for a pseudo operation. That information can then be used to display details of the request to users, and as input for the workflow view modification plugin . The Abstract modifications use case in Modifying how operations are viewed illustrates how pseudo operations are used.

"request" "" = {
     ...
  "resource" "<resource identifier>" = {
    "authorizationsReceived" = "<number of authorizations received>"
    "authorizationsRequired" = "<number of authorizations required>"
    "authorizer" = "<authorizers for this resource>" ⋆
         
    "notes" = ""  # empty - only filled in upon provisioning
    "operation" = "<operation code>"
    "pseudoData" = "<Data for replacement in pseudoTag>"
    "pseudoOp" = "true|false" #Is this a pseudo Operation?
         # If true, this operation is NOT handled by idtm
    "pseudoTag" = "<m4 tag for display in the GUI>"
    "result" = "<status of the resource>"
    "itemType" = "<item type>"
    ...
    }
 } 

    "operation" = "GRUA" #add the user to a group
    "pseudoData" = ""
    "pseudoOp" = "true" #The group does not exist on a target system.
    "pseudoTag" = "" 

    "operation" = "CUST1" #Update the user
    "pseudoData" = "Fire marshal"
    "pseudoOp" = "true" #
    "pseudoTag" = "" 

!!!JOB_SEARCH_OPERATION_OPTIONS
<!-- JOB_SEARCH_OPERATION_OPTIONS -->
<SELECT name="SEARCH_OPERATION">
   <OPTION value="" %NONE_SELECTED%>_BATCHMOD_SELECT_NONE_
   <OPTION value="RLUA" %RLUA_SELECTED%>_BATCHMOD_SELECT_RLUA_
   <OPTION value="ACUA" %ACUA_SELECTED%>_BATCHMOD_SELECT_ACUA_
   <OPTION value="UPDT" %UPDT_SELECTED%>_BATCHMOD_SELECT_UPDT_
   <OPTION value="DELU" %DELU_SELECTED%>_BATCHMOD_SELECT_DELU_
   <OPTION value="TERM" %TERM_SELECTED%>_BATCHMOD_SELECT_TERM_
   <OPTION value="RENU" %RENU_SELECTED%>_BATCHMOD_SELECT_RENU_
   <OPTION value="MVCU" %MVCU_SELECTED%>_BATCHMOD_SELECT_MVCU_
   <OPTION value="ENAU" %ENAU_SELECTED%>_BATCHMOD_SELECT_ENAU_
   <OPTION value="DNAU" %DNAU_SELECTED%>_BATCHMOD_SELECT_DNAU_
   <OPTION value="GRUA" %GRUA_SELECTED%>_BATCHMOD_SELECT_GRUA_
   <OPTION value="GRUD" %GRUD_SELECTED%>_BATCHMOD_SELECT_GRUD_
   <OPTION value="GROA" %GROA_SELECTED%>_BATCHMOD_SELECT_GROA_
   <OPTION value="GROD" %GROD_SELECTED%>_BATCHMOD_SELECT_GROD_
   <OPTION value="CRTG" %CRTG_SELECTED%>_BATCHMOD_SELECT_CRTG_
   <OPTION value="DELG" %DELG_SELECTED%>_BATCHMOD_SELECT_DELG_
   <OPTION value="CUST1" %CUST1_SELECTED%>_BATCHMOD_SELECT_CUST1_
<!--   <OPTION value="CUST2" %CUST2_SELECTED%>_BATCHMOD_SELECT_CUST2_ -->
<!--   <OPTION value="CUST3" %CUST3_SELECTED%>_BATCHMOD_SELECT_CUST3_ -->
</SELECT>
!!!BATCH_LONG_CUSTOM1_ACCT_ROW
<!-- BATCH_LONG_CUSTOM1_ACCT_ROW -->
  <TR>
    TABLE_TDBD
     Available for replacement are:
     HostId(%HOST_ID%) (target ID) ACCT_ID(%ACCT_ID%) (long ID) ACCT_NAME(%ACCT_NAME%) (user fullname)
     SRC_ID(%SRC_ID%) TFR_ID(%TFR_ID%) GROUP_ID(%GROUP_ID%)
     REQ_OPERATIONS(%REQ_OPERATIONS%) PSEUDO_DATA(%PSEUDO_DATA%) PSEUDO_TAG(%PSEUDO_TAG%) %DETAILS_BUTTON%
      &nbsp;
    TABLE_TDE
  </TR>

"language" "EN_US" = {
  "codepage" = "28591"
  "encoding" = "iso-8859-1"
  "version" = "fox 1234"
  "REQACCT_OPERATION_CUST1" "" = {
    "text" = "Cust1 is in the dropdown"
  }
  "REQOPERTYPE_CUST1" "" = {
    "text" = "Cust1 description"
  }
  "WF_REQACCT_DESC_CUSTOM1" "" = {
    "text" = "reqacct custom1 description"
  }
  "CUSTOM_PSEUDO_TAG" "" = {
    "text" = "contents of the tag that is the pseudo data"
  }
  "CUSTOM_TAG_OKAY" "" = {
    "text" = "contents of the OKAY tag that is the pseudo data"
  }
} 

"language" "EN_US" = {
  "codepage" = "28591"
  "encoding" = "iso-8859-1"
  "version" = "fox 1234"
  "_BATCHMOD_REQ_CUSTOM1_ACCT_" "" = {
    "text" = "This introduces custom1 requests (customized)"
  }
  "_BATCHMOD_SELECT_CUST1_" "" = {
    "text" = "Search for cust1 (I'm in the dropdown)"
  }
  "_BATCHMOD_PSEUDO_DATA_" "" = {
    "text" = "Here is the intro to the pseudo data:"
  }
} 

"" "" = {
  "errmsg" = ""
  "retval" = "<N>" # 0 is success, non-0 is failure.
  "resource" "" = {
    ...
   }
} 

To configure general settings related to workflow: