Configuring group-level role enforcement
The role enforcement engine can identify users who have excessive or insufficient access, and issue workflow requests to correct variances.
Note
You cannot enable role enforcement and automatic assignment at the same time for managed groups.
To set RBAC enforcement options for groups:
1. Navigate to the Managed group information page.
2. Select the Role enforcement tab.
3. Select the Enabled checkbox.
4. If required, select a setting for the Resolution for deficit violation. This determines what action Bravura Security Fabric takes when it discovers users who are not members of this group but have a role that requires it:
   Add resource
   Request exception
   Use parent role setting
   The default is to take the setting from the group’s parent role. Selecting “Use parent role setting” will cause an error if the parent role is configured to “Inherit enforcement from entitlement”.
5. If required, select a setting for the Resolution for surplus violation. This determines what action Bravura Security Fabric takes when it discovers users who are members of this group but do not have a role that includes the group:
   Remove resource
   Request exception
   The system default is displayed as the “Effective setting”.
6. Click Update.
Global RBAC enforcement options must also be set before these settings can take effect.
Generating a profile statistics report
To generate a simple report of users who have a deficit or surplus violation for this group, click Generate. Bravura Security Fabric does not issue violation enforcement requests when you run this report. To see a more detailed report, see Native Reports. To list violations and issue enforcement requests, run auto discovery or use the rbacenforce program.
Testing users
To determine whether an individual user has a deficit or surplus violation, type the user’s Profile ID and click Test. The user’s RBAC enforcement profile and request attribute must be set to true.
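The deficit and surplus rules described on this page can be modelled on exported role and membership data to preview what enforcement would flag before it is enabled. The following is an added example, not Bravura Security Fabric code: the function names, the sample users, roles and groups are all hypothetical, and it assumes that users whose enforcement attribute is not true are skipped.

```python
# Added illustration with constructed data; not Bravura Security Fabric code.
INHERIT = "Inherit enforcement from entitlement"
USE_PARENT = "Use parent role setting"

# Constructed sample: role -> groups it includes, user -> roles, current state.
ROLE_GROUPS = {"helpdesk": {"HD-Admins"}, "sales": {"CRM-Users"}}
USER_ROLES = {"alice": {"helpdesk"}, "bob": {"sales"},
              "carol": {"helpdesk"}, "dave": {"helpdesk"}}
MEMBERS = {"alice", "bob"}            # current members of HD-Admins
ENFORCED = {"alice", "bob", "carol"}  # enforcement attribute set to true


def effective_deficit_setting(group_setting, parent_role_setting):
    """Resolve the deficit resolution that applies to the group."""
    if group_setting != USE_PARENT:
        return group_setting
    if parent_role_setting == INHERIT:
        # The page states that this combination causes an error.
        raise ValueError("parent role inherits enforcement from entitlement")
    return parent_role_setting


def find_violations(group, members, role_groups, user_roles, enforced):
    """Return (deficit, surplus) user sets for one managed group."""
    entitled = {user for user, roles in user_roles.items()
                if any(group in role_groups.get(r, set()) for r in roles)}
    # Assumption: users without the enforcement attribute are skipped.
    deficit = (entitled - members) & enforced
    surplus = (members - entitled) & enforced
    return deficit, surplus


def plan(group, deficit_setting, parent_role_setting, surplus_setting):
    """Map each violating user in the sample data to (violation, action)."""
    deficit, surplus = find_violations(
        group, MEMBERS, ROLE_GROUPS, USER_ROLES, ENFORCED)
    action = effective_deficit_setting(deficit_setting, parent_role_setting)
    result = {user: ("deficit", action) for user in deficit}
    result.update({user: ("surplus", surplus_setting) for user in surplus})
    return result


if __name__ == "__main__":
    print(plan("HD-Admins", USE_PARENT, "Add resource", "Remove resource"))
```

In the sample, dave has a role that requires the group but is not reported, because his enforcement attribute is not set.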