Attaching authorizers to managed system policies

Assign authorizers to a managed system policy to allow users to:

  • Request privileged access

  • Search recorded session data

  • Download recorded session data

  • View recorded session data

  • Extend a check-out

Users must be loaded into the Bravura Security Fabric database before you can define them as authorizers.

You must assign enough authorizers to meet the minimum number of authorizers requirement. If you do not do this, requests involving the resource are automatically denied unless authorizers are assigned by a workflow plug-in.

The managed accounts will not be available for check-out if insufficient authorizers are assigned to the managed system policy.

Configuring phased authorization

If phased authorization is enabled, click the Authorization tab, then:

  • Click Add new… if you want to add a phase.

  • To change the order of phases, change the numbers in the Authorization phase column and click Update.

  • Select a phase to define authorizers and settings.

Parallel Authorization

A parallel authorization process is one where multiple authorizers are invited to comment concurrently – i.e., the identity management system does not wait for one authorizer to respond before inviting the next.

Parallel authorization has the advantage of completing more quickly, as the time required to finish an authorization process is the single longest response time, rather than the sum of all response times.

Click below to view a demonstration of creating a LINUX-APPROVERS user class to be used as a secondary set of authorizers for parallel authorization.

Click below to view a demonstration including the following steps:

  • Enabling parallel authorization in Bravura Privilege

  • Configuring parallel authorization for a managed system policy

  • Adding rules to the authorization extdb table to include a secondary authorizer user class

  • Modifying rule actions in the team management extdb table

  • Requesting to check out an account, viewing authorizers and approving the request

Setting the number of required approvals

To set authorization thresholds for a managed system policy:

  1. Navigate to the Managed system policy information page.

  2. Select the Authorizers tab.

  3. Select the appropriate sub-link:

    • Access to managed systems

    • Search recorded sessions

    • Download recorded sessions

    • View recorded sessions

    • Extend a check-out

    Select a phase if phased authorization is enabled.

  4. Type a value for the:

    • Minimum number of authorizers – A value of 0 means requests for the resource are auto-approved.

      The default value is set by the MIN AUTHORIZERS policy.

    • Number of denials before a change request is terminated – A resource request is canceled when this number of authorizers deny it, as long as the Minimum number of authorizers has not been reached.

      The default value is set by the MAX REJECTIONS policy.

  5. Click Update.
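
The threshold rules above, modeled as an added example (this is not Bravura Security code, and the names `Thresholds`, `evaluate` and `lint` are hypothetical). It replays authorizer responses against the two settings and flags combinations that auto-approve, auto-deny, or can leave a request with neither threshold reached. It assumes no workflow plug-in assigns extra authorizers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Thresholds:
    assigned: int         # authorizers attached to the policy (or phase)
    min_authorizers: int  # "Minimum number of authorizers"
    max_rejections: int   # "Number of denials before a change request is terminated"

def evaluate(t, responses):
    """Replay 'approve'/'deny' responses in arrival order; return the request state."""
    if t.min_authorizers == 0:
        return "auto-approved"            # a value of 0 means no approval is needed
    if t.assigned < t.min_authorizers:
        return "auto-denied"              # not enough authorizers to ever reach the minimum
    approvals = denials = 0
    for r in responses[:t.assigned]:      # at most one response per assigned authorizer
        if r == "approve":
            approvals += 1
        elif r == "deny":
            denials += 1
        else:
            raise ValueError(f"unknown response: {r!r}")
        if approvals >= t.min_authorizers:
            return "approved"
        # Denials only terminate while the minimum has not been reached.
        if denials >= t.max_rejections:
            return "terminated"
    return "pending"

def lint(t):
    """Return (code, message) findings for a threshold combination."""
    findings = []
    if t.min_authorizers == 0:
        findings.append(("AUTO_APPROVE", "requests are approved with no authorizer review"))
    elif t.assigned < t.min_authorizers:
        findings.append(("AUTO_DENY", "fewer authorizers assigned than the minimum"))
    elif t.assigned <= t.min_authorizers + t.max_rejections - 2:
        # Everyone can respond with approvals < minimum and denials < limit.
        findings.append(("CAN_STALL", "all authorizers can respond without a decision"))
    return findings

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real policy.
    for t in (Thresholds(3, 0, 1), Thresholds(1, 2, 1),
              Thresholds(3, 2, 2), Thresholds(3, 2, 3)):
        print(t, lint(t))
```
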

Assigning static authorizers

Caution

Ensure that you do not select a managed account when creating an authorizer. Managed accounts should not be used for any other purpose in Bravura Security Fabric.

To assign a static authorizer to a managed system policy:

  1. Navigate to the Managed system policy information page.

  2. Select the Authorizers tab.

  3. Select the appropriate sub-link:

    • Access to managed systems

    • Search recorded sessions

    • Download recorded sessions

    • View recorded sessions

    • Extend a check-out

    Select a phase if phased authorization is enabled.

  4. Click Select… at the bottom of the Authorizers table.

  5. Search for, or enable the checkboxes next to the authorizers that you want to assign.

  6. Click Select at the bottom of the page.

  7. Click Update.

Removing an authorizer from a managed system policy automatically denies any pending account check-out requests for the policy assigned to the authorizer.

Policies assigned to a predefined authorizer are also listed on the Authorizer Information page.

Assigning authorizers by user class

To assign authorizers to a managed system policy based on user class:

  1. Navigate to the Managed system policy information page.

  2. Select the Authorizers tab.

  3. Select the appropriate sub-link:

    • Access to managed systems

    • Search recorded sessions

    • Download recorded sessions

    • View recorded sessions

    • Extend a check-out

  4. To define membership criteria:

    • Select existing user classes: Click Select… and enable the checkboxes for the user classes you want to add, then click Select.

    • Create new user classes: Click Add new…. See Adding user classes for full details on how to create a new user class.

  5. Configure Participant mapping for each user class that you add.

    Select and create user classes until you have defined membership.

  6. If your membership criteria include multiple user classes, define whether users are required to match All of the user classes or Any of the user classes.

Removing users from membership

To remove users from membership, you can:

  1. Edit user classes to change the participants.

  2. Delete user classes from the membership criteria.

    1. Navigate to the membership criteria page where user classes are listed.

    2. Enable the checkbox next to the user classes you want to delete.

    3. Click Delete.