
Examples

Add role membership attributes to workflow

Administrators can add attribute fields to gather additional information about role membership. End users can add or update the attribute values by requesting a change in role membership. The following procedure describes how to update role membership attribute values using the standard Change role membership request. It assumes that roles have been defined and assigned to an end user.

Add role membership attributes

To add role membership attributes:

  1. As a product administrator, click Manage the system > Resources > Resource attributes.

  2. Click Add new…

  3. Enter values as follows:

    ID: ROLE_ATTR1

    Description: Role reason

    Type: String

    Minimum required number of values: 0

  4. Click Add.

  5. Click Add new… to add another attribute.

  6. Enter values as follows:

    ID: ROLE_ATTR2

    Description: Role date

    Type: Date/time

    Minimum required number of values: 0

  7. Click Add.

There are now two attributes that can be added to the role membership request page.

Set attribute access controls

To set access controls for the new attributes, add them to an attribute group:

  1. As a product administrator, click Manage the system > Resources > Resource attribute groups.

  2. Click Add new…

  3. Enter the following values:

    ID: ROLE_ATTR_GROUP

    Description: Role attributes

    Resource type: Role memberships

  4. Click Add.

  5. Click the Access control tab.

  6. Select the checkboxes to allow the ALLUSERS group read and write permission.

  7. Click the Members tab.

  8. Click Select…

  9. Select the checkboxes for ROLE_ATTR1 and ROLE_ATTR2, then click Select.


Add attributes to the pre-defined request

To add the role membership attributes to the Update role membership request:

  1. As a product administrator, click Manage the system > Workflow > Pre-defined requests.

  2. Select the built-in _UPDATE_ROLES_ request.

  3. Select the Attributes tab.

  4. Click Select…

  5. Select the checkbox for the ROLE_ATTR_GROUP, then click Select.


Update role attributes

To update role attributes as an end user:

  1. Under the My profile section, click View and update profile to see the Profile information and entitlements page.

  2. Click Change role membership in the requests section.

    Bravura Security Fabric displays the request wizard.

  3. Enter values for the attributes.

  4. Click Submit.

    Relevant authorizers are notified to review the request if necessary.

    Attribute values are displayed on the request details page.


Search for resources based on attributes

Some organizations have very large numbers of resources, such as target systems and managed groups. It can be difficult to find groups of resources, or resources that match specific criteria; for example, you might want to find all target systems at the organization’s New York location.

If you require each target system to set a Location resource attribute, then this attribute is available for use with the advanced search engine to find all target systems with Location set to New York. You can narrow the search results further by using additional attributes.

Use resource attributes to control plugin behavior

You can use plugins throughout Bravura Security Fabric to implement business logic. In some cases this requires associating configuration data with resources; for example, when configuring managed groups to require serial authorization instead of having a single authorizer.

Instead of using an external CSV file to store configuration data, you can use resource attributes and associated API functions. You can configure resource attributes as required values when creating new resources, instead of having to update an external file in order for the business logic to function properly.

Use a group entitlement attribute

You can apply the built-in ENTITLEMENT_EXPIRY_DATE attribute to members of a managed group.

When the expiry date arrives, an email can be sent to prompt the removal of that user from the group.

Add a resource attribute group to allow users to update the entitlement attribute

  1. Click Manage the system > Resources > Resource attribute groups.

  2. Click Add new…

  3. Enter the following information:

    ID: Group_entitlements_attrs

    Description: Group entitlement attributes

    Resource type: Account group memberships

  4. Click Add.

  5. Click the Access control tab.

  6. Select "Allow read" and "Allow write" for ALLUSERS.

  7. Click Update.

  8. Click the Members tab.

  9. Click Select…

  10. Select "ENTITLEMENT_EXPIRY_DATE".

  11. Click Select.

  12. Click the Display criteria tab.

  13. Ensure the Display type is set to "Main".