Skip to main content

Bravura Safe User Management (2025+)

Connector name

agtbsafe25-user 

Connector type

Python script, agtbsafe25-user.py and a scripted platform definition file, agtbsafe25-user.con, that associates the script with the Python connector (agtpython) to access Bravura Safe User Management (2025+).

Type (UI field value)

Bravura Safe User Management (2025+)

Connector status / support

Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

Installation / setup

It also has an agtbsafe25_user_requirements.txt file that is used to install the Python requirements for this connector. To install the Python packages required by the agtbsafe-user25 connector, run the following command from a command prompt:

py -m pip install -r agtbsafe25_user_requirements.txt 

Upgrade notes

Added in Connector Pack 4.8

The Bravura Safe User Management (2025+) connector should be used for the latest Bravura Safe servers from 2025 and later.

The Bravura Safe User Management connector is for targeting Bravura Safe servers that were created before 2025.

Bravura Security Fabric utilizes the agtpython connector to be able to list users from an organization or team from Bravura Safe and to be able to reset their master passwords.

The following Bravura Security Fabric operations are supported by the Bravura Safe User Management (2025+)connector:

  • get server information

  • add user to group

  • delete user from group

  • List:

    • accounts

    • attributes

    • groups

    • members

For a full list and explanation of each connector operation, see Connector operations.

The Bravura Safe (2025+) connector can be used to manage the Bravura Safe credentials from collections for the users within an organization or team from Bravura Safe .

Preparation

Before you can target Bravura Safe User Management (2025+), you must:

Set up Bravura Safe

See Bravura Safe Documentation to learn how to set up a Bravura Safe instance, team, and users.

Recommended Bravura Safe permission sets

The following are the recommended sets of permissions for the Bravura Safe User Management (2025+) administrator.

Bravura Safe User Management target administrator:

  • User type: Custom

  • Admin Permissions:

    • Manage users

  • Access Control:

    • The option for "This user can access only the selected collections" may be selected and set with no collections specified.

This will allow to list for all types of users (users, administrator, owners, etc).

Note

Bravura Safe users who have been invited to Bravura Safe but are not yet confirmed will not be listed using the Bravura Safe User Management (2025+) connector.

Set up target system administrators

The Bravura Safe User Management (2025+) target system requires two administrative credentials that are previously configured on the Bravura Safe instance.

To configure the first target administrator:

  1. Log in to Bravura Safe via the web interface and open your Team.

  2. Click Teams, then Manage.

  3. Invite a new user:

    1. Click Invite User.

    2. Enter the email address for a user that will be used as the administrator.

    3. Set the User type to Custom.

    4. Set the specific permissions as noted above for the recommended permissions.

    5. Click Save.

    6. Complete the process to onboard the user.

Alternatively, edit the permissions for a current user by clicking on their email address and modifying for the above set of recommended permissions.

The email address and master password set for this user will be used for the system credentials for the Bravura Safe target system.

To configure the second target administrator:

  1. Log in to Bravura Safe via the web interface.

  2. Click the drop-down for Teams.

  3. Choose the team name that is used for the Bravura Safe User Management (2025+) target system.

  4. Click the Settings.tab for the team.

  5. Click View API key.

  6. Enter the current user’s master password to confirm identity.

    This will then display values for client_id and client_secret.

    These values will be used for the administrator credentials for the Bravura Safe User Management (2025+) target system.

Install the Bravura Safe CLI

The Bravura Safe CLI is required for use with the Bravura Safe (2025+) and Bravura Safe User Management (2025+) connectors.

Troubleshooting

File Blocked by Windows Security

When downloading bsafe.exe from GitHub, Windows may mark the file as blocked because it came from another computer. This security feature can prevent the CLI from executing properly.

Symptoms:

  • The connector fails to execute bsafe.exe

  • Access denied or execution errors when running the CLI

  • Windows security warnings about the file

Solution:

  1. Right-click on bsafe.exe and select Properties.

  2. On the General tab, look for a Security section at the bottom that states:

    "This file came from another computer and might be blocked to help protect this computer."

  3. Check the Unblock checkbox next to this message.

  4. Click Apply, then OK.

  5. Verify the file is now unblocked by checking the properties again - the security warning should be gone.

CLI Not Found in PATH

Symptoms:

  • Error [WinError 2] The system cannot find the file specified appears in the logs

  • Objects fail to be listed from the Bravura Safe connector

Solution:

  1. Verify the system PATH environment variable includes the directory containing bsafe.exe (e.g., c:\bsafe).

  2. If the PATH is missing or incorrect, add the directory containing bsafe.exe to the system PATH environment variable (not the user PATH). The method to access environment variables varies by Windows version.

  3. Ensure the path can be accessed by the psadmin account by verifying the file exists and has appropriate permissions.

  4. Restart the Bravura Security Fabric services after updating the PATH. The updated PATH will not be reflected until the services are restarted.

  5. After restarting services, test that the connector can successfully list objects from Bravura Safe.

Alternative Solution (if service restart is not possible):

If restarting services is not an option, you can modify the connector files to use the full path to the Bravura Safe CLI. Note that this change will be overwritten when the connector pack is upgraded and will need to be reapplied.

  1. Locate the following connector files:

    • agtbsafe25-user.py

    • agtbsafe25.py

  2. In each file, find the line:

    CLI_EXE: str = "bsafe"

  3. Change it to use the full path:

    CLI_EXE: str = "c:\\bsafe\\bsafe.exe"

  4. Save the files and test that the connector can successfully list objects from Bravura Safe.

Session Authentication Issues

Symptoms:

  • Repeated authentication prompts

  • Connection failures after initial success

  • Session timeout errors

Solution:

  1. Clear the existing session data as described in the "Clearing Session Data" section above.

  2. Verify the Bravura Safe server address is correct in the connector configuration.

  3. Check that the Bravura Safe server is accessible from the Bravura Security Fabric server.

Targeting Bravura Safe User Management (2025+)

For each Bravura Safe system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

  • Type is Bravura Safe User Management (2025+)

  • Address uses options described in the table below:

Options marked with a redstar.png are required.

Option

Description

Script file: redstar.png

The hard-coded script file that is used by the Bravura Safe User Management connector (agtbsafe25-user.con).

(key: script)

Bravura Safe Server: redstar.png

The domain name URL for the Bravura Safe instance.

(key: server)

Organization name: redstar.png

The organization or team name within the Bravura Safe instance that will be used to target.

(key: organizationName)

Default Access Level:

The access permissions to set for a user when adding users to a collection. Default is "Can view". Other options are "Can edit", "Can view, except passwords", and "Can edit, except passwords".

(key: defaultAccessLevel)

The full list of target parameters is explained in Target System Options .

It is recommended that the Can view access permission be left as the default for the Default Access Level target system address option.  This is to ensure that the users are able to see the Bravura Safe item in the collection and copy out the secret value, but they are unable to change any of the settings directly in Bravura Safe.  This also ensure that the value for the custom attribute within their Bravura Safe item may also not be able to be modified.

Setting the administrator credentials

The Bravura Safe User Management (2025+) target system requires two administrative credentials, as outlined in Set up target system administrators.

The first administrator and password are set to the email address and master password of the administrative user that was previously onboarded. The System password option must be checked.

The second administrator and password are set to the values for client_id for the administrator id and client_secret for the administrator password for the API key on the Bravura Safe instance.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Bravura Safe User Management (2025+) from the Manage the system > Resources > Account attributes > Target system type menu.

In this section: