
Configuring target-system-level authorization

Define authorization information for target systems to:

  • Set the number of approvals or denials required for requests involving existing accounts or managed groups on the target system.

  • Assign static authorizers to define who can approve requests based on the target system.

Users must be loaded into the Bravura Security Fabric database before you can define them as authorizers.

You must assign enough authorizers to meet the minimum number of authorizers requirement. If you do not do this, requests involving the resource are automatically denied unless authorizers are assigned by a workflow plug-in.

Target-system-level authorization does not apply to new account requests.

Inherited authorization

If you enable the "Default authorization for child resources, including templates and managed groups, will be inherited from the target system" option on the Target system information page, managed groups and templates inherit the authorization settings from the target system.

You can override the configuration at the group and/or template level. See Configuring group-level authorization or Configuring template-level authorization.

Phased authorization

If phased authorization is enabled, navigate to the target system’s Authorization page, then:

  • Click Add new… if you want to add a phase.

  • To change the order of phases, change the numbers in the Authorization phase column and click Update.

  • Select a phase to define authorizers and settings.

    If an authorizer is configured to be in more than one phase, they must review the request in each phase. You can enable IDWFM AUTH PHASE PROPAGATION (Manage the system > Workflow > Options > General) to allow the authorizer's response in the first phase in which they appear to be propagated to later phases.

Determining number of required approvals

To set authorization thresholds for a target system:

  1. Navigate to the target system’s Authorization page.

    Select a phase if phased authorization is enabled.

  2. Type a value for the:

    • Minimum number of authorizers – A value of 0 means requests for the resource are auto-approved.

      The MIN AUTHORIZERS policy sets the default value.

    • Number of denials before a change request is terminated – A resource request is canceled when this number of authorizers deny it, as long as the Minimum number of authorizers has not been reached.

      The MAX REJECTIONS policy sets the default value.

  3. Click Update.
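
The threshold rules above can be checked against planned settings before they are applied. The following Python model is an added example, not Bravura Security Fabric code; the Thresholds record, the evaluate and audit functions, and the sample values are hypothetical, and it assumes no workflow plug-in assigns additional authorizers.

```python
from dataclasses import dataclass

@dataclass
class Thresholds:
    """Hypothetical record of one target system's (or phase's) settings."""
    min_authorizers: int  # "Minimum number of authorizers"
    max_rejections: int   # "Number of denials before a change request is terminated"
    assigned: int         # authorizers assigned to the target system

def evaluate(t, responses):
    """Outcome after an ordered list of "approve"/"deny" responses."""
    if t.min_authorizers == 0:
        return "auto-approved"
    if t.assigned < t.min_authorizers:
        # Assumes no workflow plug-in assigns further authorizers.
        return "auto-denied"
    approvals = denials = 0
    for r in responses:
        if r == "approve":
            approvals += 1
            if approvals >= t.min_authorizers:
                return "approved"
        elif r == "deny":
            denials += 1
            # Only reached while the approval minimum has not been met.
            if denials >= t.max_rejections:
                return "denied"
        else:
            raise ValueError(f"unknown response: {r!r}")
    return "pending"

def audit(name, t):
    """List settings worth a second look before the target system goes live."""
    findings = []
    if t.min_authorizers == 0:
        findings.append(f"{name}: minimum is 0, requests are auto-approved")
    elif t.assigned < t.min_authorizers:
        findings.append(f"{name}: {t.assigned} assigned but {t.min_authorizers} "
                        "required, requests are auto-denied")
    return findings

# Constructed sample settings, not taken from any real deployment.
SAMPLES = {"AD": Thresholds(2, 2, 3), "LDAP": Thresholds(0, 1, 2),
           "SAP": Thresholds(3, 1, 1)}

if __name__ == "__main__":
    for name, t in SAMPLES.items():
        print(name, evaluate(t, ["approve", "deny", "approve"]), audit(name, t))
```
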

Assigning static authorizers

To assign static authorizers to a target system:

  1. Navigate to the target system’s Authorization page.

    Select a phase if phased authorization is enabled.

  2. Click Select... at the bottom of the Authorizers table.

  3. Search for, or enable the checkboxes next to, the authorizers you want to assign.

  4. Click Select at the bottom of the page.

Assigning authorizers by user class

To assign authorizers to a target system based on user class:

  1. Navigate to the target system’s Authorization page.

    Select a phase if phased authorization is enabled.

  2. To define membership criteria:

    • Select existing user classes: Click Select... and enable the checkboxes for the user classes you want to add, then click Select.

    • Create new user classes: Click Add new…. See Adding user classes for full details on how to create a new user class.

  3. Configure Participant mapping for each user class that you add.

    Select and create user classes until you have defined membership.

  4. If your membership criteria include multiple user classes, define whether users are required to match All of the user classes or Any of the user classes.

Removing users from membership

To remove users from membership, you can:

  1. Edit user classes to change the participants.

  2. Delete user classes from the membership criteria.

    1. Navigate to the membership criteria page where user classes are listed.

    2. Enable the checkbox next to the user classes you want to delete.

    3. Click Delete.