Bravura Safe User Management (2025+)

Connector name	`agtbsafe25-user`
Connector type	Python script, `agtbsafe25-user.py` and a scripted platform definition file, `agtbsafe25-user.con`, that associates the script with the Python connector (`agtpython`) to access Bravura Safe User Management (2025+).
Type (UI field value)	Bravura Safe User Management (2025+)
Connector status / support	Bravura Security-Verified This connector has been tested and is fully supported by Bravura Security.
Installation / setup	It also has an `agtbsafe25_user_requirements.txt` file that is used to install the Python requirements for this connector. To install the Python packages required by the `agtbsafe-user25` connector, run the following command from a command prompt: `py -m pip install -r agtbsafe25_user_requirements.txt`
Upgrade notes	Added in Connector Pack 4.8 The Bravura Safe User Management (2025+) connector should be used for the latest Bravura Safe servers from 2025 and later. The Bravura Safe User Management connector is for targeting Bravura Safe servers that were created before 2025.

Bravura Security Fabric utilizes the agtpython connector to be able to list users from an organization or team from Bravura Safe and to be able to reset their master passwords.

The following Bravura Security Fabric operations are supported by the Bravura Safe User Management (2025+)connector:

get server information
add user to group
delete user from group
List:
- accounts
- attributes
- groups
- members

For a full list and explanation of each connector operation, see Connector operations.

The Bravura Safe (2025+) connector can be used to manage the Bravura Safe credentials from collections for the users within an organization or team from Bravura Safe .

Preparation

Before you can target Bravura Safe User Management (2025+), you must:

Set up Bravura Safe

See Bravura Safe Documentation to learn how to set up a Bravura Safe instance, team, and users.

Recommended Bravura Safe permission sets

The following are the recommended sets of permissions for the Bravura Safe User Management (2025+) administrator.

Bravura Safe User Management target administrator:

User type: Custom
Admin Permissions:
- Manage users
Access Control:
- The option for "This user can access only the selected collections" may be selected and set with no collections specified.

This will allow to list for all types of users (users, administrator, owners, etc).

Note

Bravura Safe users who have been invited to Bravura Safe but are not yet confirmed will not be listed using the Bravura Safe User Management (2025+) connector.

Set up target system administrators

The Bravura Safe User Management (2025+) target system requires two administrative credentials that are previously configured on the Bravura Safe instance.

To configure the first target administrator:

Log in to Bravura Safe via the web interface and open your Team.
Click Teams, then Manage.
Invite a new user:
1. Click Invite User.
2. Enter the email address for a user that will be used as the administrator.
3. Set the User type to Custom.
4. Set the specific permissions as noted above for the recommended permissions.
5. Click Save.
6. Complete the process to onboard the user.

Alternatively, edit the permissions for a current user by clicking on their email address and modifying for the above set of recommended permissions.

The email address and master password set for this user will be used for the system credentials for the Bravura Safe target system.

To configure the second target administrator:

Log in to Bravura Safe via the web interface.
Click the drop-down for Teams.
Choose the team name that is used for the Bravura Safe User Management (2025+) target system.
Click the Settings.tab for the team.
Click View API key.
Enter the current user’s master password to confirm identity.
This will then display values for client_id and client_secret.
These values will be used for the administrator credentials for the Bravura Safe User Management (2025+) target system.

Install the Bravura Safe CLI

The Bravura Safe CLI is required for use with the Bravura Safe (2025+) and Bravura Safe User Management (2025+) connectors.

To install the Bravura Safe CLI and set the PATH:

Download the Bravura Safe CLI from here:
https://github.com/Bravura-Security/bravura-safe_clients/releases
Locate bsafe.exe for Bravura Safe 2025.1.0.
Create a directory on the Bravura Security Fabric server and copy bsafe.exe to this directory.
The Bravura Safe CLI may, for example, be located here: c:\bsafe\bsafe.exe.
Modify the system PATH on the Bravura Security Fabric instance server to add the directory, for example: c:\bsafe.

The session is retained and reused for the Bravura Safe connection using the Bravura Safe CLI when the connection has been successfully established.

There may, however, be times when you need to re-establish the session for some scenarios. This could be the case where:

The Server address is changed.
The system PATH is updated to another value.
Troubleshooting other connection issues to Bravura Safe that make use of the Bravura Safe CLI.

The Bravura Safe CLI runs as the SYSTEM account and stores the session data in a JSON data file. To remove the current session data:

Locate the directory that SYSTEM is using for the Bravura Safe CLI.
This may be, for example, here for the psadmin account's directory:
C:\Users\psadmin\AppData\Roaming\Bravura Safe CLI
Within the Bravura Safe CLI directory, there will be the following JSON file: data.json.
Either rename or remove the data.json file.

Targeting Bravura Safe User Management (2025+)

For each Bravura Safe system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

Type is Bravura Safe User Management (2025+)
Address uses options described in the table below:

Options marked with a are required.

Option	Description
Script file:	The hard-coded script file that is used by the Bravura Safe User Management connector (`agtbsafe25-user.con`). (key: script)
Bravura Safe Server:	The domain name URL for the Bravura Safe instance. (key: server)
Organization name:	The organization or team name within the Bravura Safe instance that will be used to target. (key: organizationName)
Default Access Level:	The access permissions to set for a user when adding users to a collection. Default is "Can view". Other options are "Can edit", "Can view, except passwords", and "Can edit, except passwords". (key: defaultAccessLevel)

The full list of target parameters is explained in Target System Options .

It is recommended that the Can view access permission be left as the default for the Default Access Level target system address option. This is to ensure that the users are able to see the Bravura Safe item in the collection and copy out the secret value, but they are unable to change any of the settings directly in Bravura Safe. This also ensure that the value for the custom attribute within their Bravura Safe item may also not be able to be modified.

Setting the administrator credentials

The Bravura Safe User Management (2025+) target system requires two administrative credentials, as outlined in Set up target system administrators.

The first administrator and password are set to the email address and master password of the administrative user that was previously onboarded. The System password option must be checked.

The second administrator and password are set to the values for client_id for the administrator id and client_secret for the administrator password for the API key on the Bravura Safe instance.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Bravura Safe User Management (2025+) from the Manage the system > Resources > Account attributes > Target system type menu.

In this section: