Propagating changes with idtrack

This section shows you how to configure idtrack to propagate tracked changes using settings in the Manage the system (PSA) module and a PSLang script.

The idtrack program is part of Bravura Security Fabric's automated user administration system. It tracks changes to users, user attributes, and user group memberships on target systems and propagates those changes to other target systems.

You must write an idtrack.psl script to propagate changes to accounts, group memberships, or account attributes.

You can propagate profile and request attribute changes to target systems:

  • Automatically, with no scripting required

  • By writing an idtrack.psl script to make the changes

    This may be required for more complex cases, or for more flexibility.

For automatic profile and request attribute propagation, the idtrack program can operate in:

  • Execute mode – idtrack is executed to propagate changes whenever auto discovery is executed.

  • Write mode – idtrack writes changes to a work file, which you can use manually with iddriver to make changes. Use write mode to perform dry runs of user attribute propagation, testing, troubleshooting or for performing one time manual user attribute propagation.

Under normal circumstances, you should set up automatic propagation to run in execute mode to propagate user attribute changes and write an idtrack.psl script to propagate account, group membership, and account attribute changes.

If the idtrack.psl script contains a syntax error, then idtrack.exe returns an error code during auto discovery, and a notification email is sent to the Bravura Security Fabric administrator.

You set up static authorization for automatic or scripted attribute propagation by assigning authorizers at the target system level. You can also determine authorization dynamically with an IDSYNCH AUTH CRITERIA MOD plugin program.

During automated provisioning, the View and update profile (IDR) module and web module plugins are bypassed. The Workflow Manager Service (idwfm) plugins are still called; specifically the ATTR VALIDATION, IDSYNCH AUTH CRITERIA MOD PLUGIN, and IDWFM REQUEST REWRITE PLUGIN.

Diff sets

Before idtrack can take actions based on changes, the changes have to be tracked. This function is performed by iddiscover automatically during auto discovery.

Changes on target systems are tracked using diff sets that are identified by a globally unique identifier (GUID). A new diff set is created every time auto discovery is executed and at least one tracking option is activated.

Set the KEEP DIFF DAYS variable in Maintenance > Options if you want to limit the number of diff sets stored in the database. By default Bravura Security Fabric keeps them forever.

Requirements
  • Each system on which idtrack operates must be configured as a target system.

  • At least one tracking option must be enabled.

  • The idtrack.psl script, if required, must be located in the \<instance>\script\ directory.

Usage
idtrack -difflist <N> | [ -diffset <guid>|latest -threshold <N> ]

Options:

  • -difflist <N> – List the <N> newest diff sets. If N=0, list all available.

  • -diffset <guid>|latest – Run with the specified or the latest diff set.

  • -threshold <N> – Do not submit any request if the number of requests to be submitted exceeds <N>. If N=0, there is no threshold. Using this option overrides the ATTR AUTO PROPAGATE THRESHOLD setting.
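The following Python illustration is added here to make the diff set and threshold ideas concrete; it is not idtrack's own code, not PSLang, and not the real work-file or diff-set format. The snapshot layout, the Change and DiffSet structures, the sample users, and the submit callback are all constructed for this example. It compares two discovery snapshots, records each account, attribute, and group-membership change in a GUID-tagged diff set, and refuses to submit anything when the number of pending requests exceeds a threshold, where 0 means no limit, mirroring the -threshold 0 convention above.

```python
"""Constructed illustration of diff-set tracking and a propagation threshold.

Hypothetical structures only: this is NOT idtrack's data model,
work-file format, or PSLang API.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class Change:
    kind: str            # "attribute", "group", or "account"
    user: str            # user id on the source target system
    detail: str          # attribute name, group name, or created/deleted
    old: object = None   # value before discovery (None if not applicable)
    new: object = None   # value after discovery


@dataclass
class DiffSet:
    guid: str                                  # unique id for this discovery run
    changes: list = field(default_factory=list)


# Constructed snapshots: user id -> {"attrs": {...}, "groups": set(...)}
SNAPSHOT_BEFORE = {
    "alice": {"attrs": {"department": "Finance", "title": "Analyst"}, "groups": {"fin-users"}},
    "bob": {"attrs": {"department": "IT", "title": "Admin"}, "groups": {"it-users"}},
    "carol": {"attrs": {"department": "HR", "title": "Recruiter"}, "groups": {"hr-users"}},
}
SNAPSHOT_AFTER = {
    "alice": {"attrs": {"department": "Treasury", "title": "Analyst"}, "groups": {"fin-users"}},
    "bob": {"attrs": {"department": "IT", "title": "Admin"}, "groups": {"it-users", "domain-admins"}},
    "dave": {"attrs": {"department": "HR", "title": "Recruiter"}, "groups": {"hr-users"}},
}


def build_diff_set(previous, current):
    """Compare two discovery snapshots and record every change.

    One diff set is created per comparison and tagged with a fresh GUID,
    mirroring how each auto discovery run yields a new diff set.
    """
    ds = DiffSet(guid=str(uuid.uuid4()))
    for user in sorted(set(previous) | set(current)):
        before, after = previous.get(user), current.get(user)
        if before is None:
            ds.changes.append(Change("account", user, "created"))
            continue
        if after is None:
            ds.changes.append(Change("account", user, "deleted"))
            continue
        for attr in sorted(set(before["attrs"]) | set(after["attrs"])):
            old, new = before["attrs"].get(attr), after["attrs"].get(attr)
            if old != new:
                ds.changes.append(Change("attribute", user, attr, old, new))
        for group in sorted(before["groups"] - after["groups"]):
            ds.changes.append(Change("group", user, group, True, False))
        for group in sorted(after["groups"] - before["groups"]):
            ds.changes.append(Change("group", user, group, False, True))
    return ds


def propagate(diff_set, threshold, submit):
    """Submit every change in the diff set unless it is suspiciously large.

    threshold == 0 means no limit. Returns (submitted_count, reason);
    reason is None when requests were submitted.
    """
    n = len(diff_set.changes)
    if threshold and n > threshold:
        return 0, f"{n} requests exceed threshold {threshold}; nothing submitted"
    for change in diff_set.changes:
        submit(change)
    return n, None


if __name__ == "__main__":
    ds = build_diff_set(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print("diff set", ds.guid)
    for c in ds.changes:
        print(f"  {c.kind:9} {c.user:6} {c.detail}: {c.old!r} -> {c.new!r}")
    print(propagate(ds, 3, lambda c: None))   # blocked by the threshold
    print(propagate(ds, 0, lambda c: None))   # no threshold, all submitted
```

The threshold guard is the point worth keeping in mind when tuning ATTR AUTO PROPAGATE THRESHOLD: a discovery run that returns an unexpectedly empty or partial listing produces a very large diff set, and without a ceiling every "deleted" entry in it would be propagated as a request. Reviewing a large diff set in write mode before running it in execute mode is the safer path.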

Examples
  1. To list the five newest diff sets:

    idtrack -difflist 5
  2. To list all available diff sets:

    idtrack -difflist 0
  3. To run idtrack with the latest diff set:

    idtrack -diffset latest
  4. To run idtrack with a specific diff set:

    idtrack -diffset "<guid>"

The following sections describe use cases and script functions for propagating attributes, groups, or accounts.