
Tracking changes to group membership

You can configure Bravura Security Fabric to track changes to group membership in managed groups on Active Directory and LDAP Directory Service target systems.

Set the Track group changes option on the Target system information page so that all groups on the target system are tracked.

When the option is enabled, Bravura Security Fabric compares the new group membership information, extracted from the target system during auto discovery, with the membership data already stored in the Bravura Security Fabric database, and creates a diff set. Bravura Security Fabric can be configured to propagate those changes to target systems or to submit requests via Bravura Security Fabric's workflow system.

The tracked changes are viewable in reports as part of each user’s profile history.

Bravura Identity can also automate user administration by propagating group memberships to other systems and by submitting requests via Bravura Security Fabric's authorization workflow system.

Handling out-of-band changes

Out-of-band changes happen when a user or a group is added to or deleted from a managed group outside of Bravura Security Fabric. Tracking changes to group membership allows Bravura Security Fabric to monitor managed groups for out-of-band additions or deletions, then automatically submit a request to undo or redo the change via the workflow system.

When out-of-band settings are first configured, users or groups who are already managed group members are not detected as out-of-band additions.

To act on out-of-band changes to group membership in a managed group:

  1. Navigate to the Managed group information page for the group.

  2. Enable the Track changes checkbox.

  3. From the drop-down list, select an action to:

    • Detect out-of-band additions and automatically generate a workflow request

    • Detect out-of-band deletions and automatically generate a workflow request

    The default behavior is to take no action. Bravura Security Fabric can either submit a request to undo the change, or undo the change then submit a request to redo the change via the Bravura Security Fabric workflow system.

  4. Click Update.

  5. Configure group-level authorization.

  6. Click Manage the system > Workflow > Options > Automation.

  7. Type a profile ID for the OOB REQ GROUP JOIN REQUESTER and OOB REQ GROUP LEAVE REQUESTER.

    This will be the ID of the requester on all automatically-submitted requests to add or remove users or groups from managed groups.

  8. Optional: Configure event actions for out-of-band changes to managed groups. See Workflow automation events for details.

  9. Run auto discovery.

When auto discovery is finished, configuration is complete. Any out-of-band change to group membership made from now on is detected the next time auto discovery runs. When an out-of-band addition or deletion is detected:

  • A request is generated for the out-of-band user or group to join or leave the group. This request is sent to the group authorizer.

  • An email is sent to the recipient (the out-of-band user or group).

  • An email is sent to the group authorizer.
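The diff-set comparison described above and the two out-of-band actions (submit a request to undo the change, or undo it immediately and submit a request to redo it) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Bravura Security Fabric code and does not use its APIs. The policy labels, the requester profile IDs (`oob-join-bot`, `oob-leave-bot`) and the two membership snapshots are constructed for illustration. It also applies the first-configuration rule: a group that has no stored baseline yet is seeded, not reported.

```python
"""Illustrative out-of-band (OOB) group-membership diff and remediation planner.

Added example, NOT Bravura Security Fabric code. It models the logic the page
describes: compare membership extracted by auto discovery against the stored
baseline, build a diff set, then per managed group either do nothing, request
that the change be undone, or undo it now and request that it be redone.
Policy labels, data shapes and requester IDs are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

NO_ACTION = "none"
REQUEST_UNDO = "request_undo"                       # leave change in place, ask authorizer to undo it
UNDO_THEN_REQUEST_REDO = "undo_then_request_redo"   # revert now, ask authorizer to redo it

Member = Tuple[str, str]          # (name, kind) with kind "user" or "group" (nested group)
Membership = Dict[str, Set[Member]]


@dataclass(frozen=True)
class WorkflowRequest:
    requester: str    # profile ID, i.e. the OOB REQ GROUP JOIN/LEAVE REQUESTER setting
    group: str
    member: Member
    operation: str    # "join" or "leave"


@dataclass(frozen=True)
class ImmediateChange:
    group: str
    member: Member
    operation: str    # "add" or "remove", applied to the target system before the redo request


def diff_set(baseline: Membership, current: Membership) -> Dict[str, Tuple[Set[Member], Set[Member]]]:
    """Return {group: (added, removed)} for groups that already have a baseline.

    A group present in `current` but absent from `baseline` has just had tracking
    enabled; its existing members are seeded by update_baseline(), not reported.
    """
    diffs = {}
    for group, now in current.items():
        if group not in baseline:
            continue
        before = baseline[group]
        added, removed = now - before, before - now
        if added or removed:
            diffs[group] = (added, removed)
    return diffs


def update_baseline(baseline: Membership, current: Membership) -> Membership:
    """Snapshot stored after this discovery run; the next run diffs against it."""
    return {group: set(members) for group, members in current.items()}


def plan_remediation(diffs, policies, join_requester, leave_requester):
    """Turn a diff set into immediate corrections plus workflow requests."""
    changes: List[ImmediateChange] = []
    requests: List[WorkflowRequest] = []
    for group, (added, removed) in diffs.items():
        on_add, on_delete = policies.get(group, (NO_ACTION, NO_ACTION))
        for member in sorted(added):
            if on_add == REQUEST_UNDO:
                # Access stays until the group authorizer decides; the request is to remove it.
                requests.append(WorkflowRequest(leave_requester, group, member, "leave"))
            elif on_add == UNDO_THEN_REQUEST_REDO:
                # Fail closed: strip the unapproved access now, then ask whether to grant it.
                changes.append(ImmediateChange(group, member, "remove"))
                requests.append(WorkflowRequest(join_requester, group, member, "join"))
        for member in sorted(removed):
            if on_delete == REQUEST_UNDO:
                requests.append(WorkflowRequest(join_requester, group, member, "join"))
            elif on_delete == UNDO_THEN_REQUEST_REDO:
                changes.append(ImmediateChange(group, member, "add"))
                requests.append(WorkflowRequest(leave_requester, group, member, "leave"))
    return changes, requests


# Constructed sample snapshots; not real directory data.
BASELINE: Membership = {
    "Domain Admins": {("alice", "user"), ("bob", "user")},
    "VPN-Users": {("carol", "user"), ("Contractors", "group")},
}
DISCOVERED: Membership = {
    "Domain Admins": {("alice", "user"), ("bob", "user"), ("mallory", "user")},  # OOB addition
    "VPN-Users": {("carol", "user")},                       # OOB deletion of a nested group
    "Helpdesk": {("dave", "user")},                         # tracking just enabled: seed only
}
POLICIES = {  # (on_add, on_delete) per managed group; unlisted groups take no action
    "Domain Admins": (UNDO_THEN_REQUEST_REDO, REQUEST_UNDO),
    "VPN-Users": (REQUEST_UNDO, REQUEST_UNDO),
}


def run_discovery(baseline=BASELINE, current=DISCOVERED, policies=POLICIES):
    diffs = diff_set(baseline, current)
    changes, requests = plan_remediation(diffs, policies, "oob-join-bot", "oob-leave-bot")
    return diffs, changes, requests, update_baseline(baseline, current)


if __name__ == "__main__":
    _, changes, requests, _ = run_discovery()
    for c in changes:
        print("immediate:", c)
    for r in requests:
        print("request:", r)
```

Note the asymmetry the page's two actions imply: with "request undo" an out-of-band member of a privileged group keeps the access until an authorizer acts, whereas "undo then request redo" removes it first. For groups such as domain or local administrators the second setting is the safer default.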

The content of these email messages can be customized using the following tags:

  • EM_WORKFLOW_REQ_INITIAL_AUTHORIZER_NEEDAUTHOOB_CONTENT_PRIMARY – This is the email body that is sent to the group authorizer when a request is generated to add or remove the out-of-band user or group.

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_ADD_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_ADDBACK_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_DEL_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_DELBACK_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_ADD_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_ADDBACK_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_DEL_NOTICE

  • EM_WORKFLOW_REQ_INITIAL_RECIPIENT_OOB_NESTED_GROUP_DELBACK_NOTICE

See also: