Glossary
access certification
The process of reviewing reports on user access privileges to systems and data, and removing privileges that are no longer appropriate. Government regulations and security policies often require organizations to complete access certification rounds.
access control
A Bravura Security Fabric option used to allow or deny permission to view or change objects, or to request access changes. Access controls can be applied to all or some user profiles, resources or policies.
access control list
A security artifact on an object, such as a network resource, which indicates what kind of rights users or groups of users have to that object. Typically groups of users, often from a directory such as Active Directory, are granted rights such as read and write.
access disclosure
Access disclosure is a process where an authorized user is connected to a privileged account or security group on a target system. There are several ways to do this, the simplest being to display the current value of the privileged account’s password to the user. More secure and convenient mechanisms include launching a remote desktop, SSH or similar session and injecting the current credentials (effectively, single sign-on) or temporarily granting the user’s own, personal account (examples: Active Directory account or SSH public key) elevated security rights on the target system.
account
Generally refers to an object that establishes a user’s identity or ability to connect to a target system. Accounts are identified by their login IDs on target systems.
account attributes
Account attributes define user accounts on target systems; for example, most target systems store the "first name" and "last name" of the users on that system. In Active Directory, the attribute that stores the first name is givenName, and the attribute that stores the last name is sn. When you add a target system, there is an option to list account attributes, if supported by the target system.
account set
A set of accounts from one or more managed systems that are used for temporary account access. This allows users to check out multiple accounts in a single operation, run commands or scripts on checked out accounts, and collect program output or log files from multiple systems.
account termination date
An account has a termination date if logins will not be possible after a given time/date.
account trustee
A user who can onboard, offboard, and update privileged accounts.
ACL
Access Control List
administrator lockout
An administrator lockout is a flag set by an administrator to disable logins on an account.
Administrator lockouts normally precede permanent deletion of the account, and provide an opportunity to retrieve data from the account before it is removed.
Note that on some systems and applications, intruder lockouts and administrator lockouts are entangled (they use the same flag). This is a poor but common design.
agent
An agent is another term for a target system connector.
alternate login ID
In environments where users log in using a standard user ID, they might have an alternate login ID, or non-standard ID, on some systems. This is sometimes referred to as an alias.
app2app account
A privileged account used by one application to authenticate another, possibly over a network. Examples are database accounts, accounts used to access web services and APIs.
app2app client
A process that uses an app2app account to connect to an app2app server.
app2app server
A process that accepts connections from app2app clients and authenticates those connections by validating the app2app credentials provided.
application
A system or application, which has its users, possibly passwords and entitlements. It is access to applications and entitlements within them that we will be managing in this project.
application owner
A user who has responsibility for who can use a particular application.
application-specific accounts
Accounts that exist as data in a database-driven application. Applications commonly store lists of their accounts in database applications such as MSSQL. Note that MSSQL itself stores its own list of logins, which are also application-specific accounts.
approval workflow
An approval workflow is a business process where human actors may enter, review, approve, reject and/or implement a change request.
approved exception
An approved exception is a role violation which has been flagged as acceptable, and which consequently may be removed from violation reports and/or not corrected.
approver fatigue
When authorizers receive too many requests they tend to approve requests without reading them.
attribute priority
When account attributes from more than one target system are mapped to the same profile attribute, the priority scheme reconciles any difference in values when loading the Bravura Security Fabric database.
attribute
In this glossary, attribute refers more specifically to an account attribute, a Bravura Security Fabric profile or request attribute, or a group attribute.
auditor
A user who may run reports regarding which users have access to groups and applications and who may monitor the progress and details of the access certification process.
AUP
Acceptable Use Policy
authentication
A process used to establish that a user who wishes to connect to a service is the user they claim to be. This normally follows identification. Many processes are available for authentication, including user-entered passwords, answers to security questions, use of one-time password devices, and so on.
authentication chain
Logic that allows you to customize the end-user authentication process. You can configure authentication modules and plugins to apply different requirements to certain user groups, combine authentication measures for stronger security and adaptation to your business processes.
authentication factor
An authentication factor is something a user presents to a system in order to prove his identity. It may be something he (and hopefully only he) knows, or proof of possession of a physical object, or a measurement of some physical characteristic (biometric) of the living human user. In other words, something the user knows, or something he has, or something he is.
authentication modules
The "building blocks" of authentication chains; for example, the password verification interface is provided by the password.pss authentication module.
authentication priority list
The authentication priority list sets the order in which Bravura Security Fabric attempts to authenticate users via password authentication. Only those target systems which are configured to verify passwords may be included in the list.
authorizer
Changes to user profiles or entitlements may be subject to approval before they are acted on. In cases where approval is required, one or more authorizers are assigned that responsibility.
auto discovery
The process by which Bravura Security Fabric lists users, accounts, and other objects on connected target systems and loads the information into its database. The listing and loading is carried out by the psupdate program, which is scheduled to run nightly by default.
automated administration
Also referred to as automatic access management, automated administration allows Bravura Identity to modify an existing system of record, note changes, and automatically create users, modify existing users, or submit workflow change requests.
automated provisioning
Automated provisioning systems typically operate on a data feed from a system of record, such as a human relations (HR) system and automatically create login IDs and related logical access rights for newly hired employees or contractors.
It should be noted that automated provisioning normally operates without a user interface – i.e., data flows in from one system and out to one or more other systems, without any further user input in between.
Auto-provisioning reduces IT support costs and can shorten the time required to provision new users with requisite access rights.
automated termination
Automated termination systems typically operate on a data feed from a system of record, such as a human relations (HR) system and automatically disable access rights for existing users when they have left an organization.
It should be noted that automated termination normally operates without a user interface – i.e., data flows in from one system and out to one or more other systems, without any further user input in between.
Auto-termination reduces IT support costs and can make access deactivation both faster and more reliable than manual processes.
automatic reminders
Authorizers in an approvals process may not respond to invitations to review a change request in a timely manner. When this happens, automatic reminders may be sent to them, asking them again to review change requests.
biometric authentication
Biometric authentication requires that some measurement of the user’s body, metabolism or behavior is compared to a similar measurement enrolled earlier. A successful match is used as a successful authentication.
Bravura Pattern
A pattern is a collection of scripts and components used to implement a set of identity and access management business processes for a specific type of organization. These components were designed around a multitude of common use cases, and provide an easily configurable method to implement these use cases.
Bravura Pattern Privilege
A set of pre-defined policies and business rules built around Bravura Privilege, designed to simplify control over access to privileged accounts and security groups across a variety of systems.
brokered access disclosure
Access disclosure by automatically launching a login session to a managed account, without revealing the value of its password to the user. This may be direct (launch on the user’s PC), on a VDI proxy, or via a web proxy; but in all cases, the password is neither known to nor typed by the user.
browser extension
An extension that allows the web app privileged sign-on disclosure to broker access to the configured website.
certificate
A certificate is a public key that has been encrypted by a certificate authority (CA). Since the CA’s public key is well known, anyone can decrypt the certificate to find the original public key.
Since the CA’s business is to verify that a given public key was generated by the user it purportedly comes from, public keys signed by the CA can be trusted to really belong to their stated owner.
Certificates are useful for signature verification (a document is encrypted by the user’s private key, and this is verified using the user’s certificate) and authentication (a user is asked to encrypt something, and if the user’s certificate can decrypt it, then the user must have possessed the matching private key).
certificate authority
A certificate authority is an organization whose public key is very well known, whose private key is very well protected, and whose business function is to encrypt the public keys belonging to users and systems with its own private key and to publish the resulting encrypted public keys.
certification campaign
A unit of certification bounded by time and the scope of information being certified.
certification campaign manager
The manager responsible for initiating an OrgChart-centric certification round. When this manager initiates a certification campaign, Access Certifier sends an email to all of their subordinate managers (both direct and indirect), requesting that they each review their direct subordinates’ rights.
change request
A change request consists of one or more proposed changes to user profiles, such as creating new profiles, adding new accounts to existing profiles, changing identity attributes. Requests may be subject to authorization before being implemented.
CICO
A check-in/check-out process is one where a user "checks out" access to a privileged account, much like a library book, and "checks it back in" when finished. The password to the privileged account is often randomized at check-in time, if the number of remaining checkouts reaches zero.
Access disclosure may be limited, in the sense that only a limited number of users are allowed to sign in to a given privileged account at the same time. For example, only a single person might be allowed to sign into the root account on a Linux system at any given time.
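As an added illustration of the check-in/check-out semantics described above (not Bravura's own code; the account model, the concurrency limit and the audit record are assumptions), the broker below limits how many users may hold a privileged account at once, discloses the current password on check-out, and randomizes the password when the last checkout is returned.

```python
import secrets
import string
from dataclasses import dataclass, field


def random_password(length: int = 24) -> str:
    """Randomize a privileged password: 24 characters from letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class PrivilegedAccount:
    """Assumed data model for a managed privileged account (not a vendor schema)."""
    system: str
    login_id: str
    max_concurrent: int = 1                   # how many users may hold a checkout at once
    password: str = field(default_factory=random_password)
    holders: set = field(default_factory=set)  # users currently holding a checkout
    randomizations: int = 0                    # how often the password has been randomized


class CheckoutError(Exception):
    pass


class CicoBroker:
    """Check-out / check-in of privileged accounts, like library books:
    a bounded number of holders, and a fresh password once nobody holds it."""

    def __init__(self):
        self.accounts = {}
        self.audit = []  # (event, system, login_id, user) tuples, oldest first

    def register(self, account: PrivilegedAccount) -> None:
        self.accounts[(account.system, account.login_id)] = account

    def check_out(self, system: str, login_id: str, user: str) -> str:
        """Disclose the current password (the simplest form of access disclosure)."""
        account = self.accounts[(system, login_id)]
        if user in account.holders:
            return account.password  # the user already holds this checkout
        if len(account.holders) >= account.max_concurrent:
            raise CheckoutError(
                f"{login_id}@{system} is checked out by {sorted(account.holders)}; "
                f"limit is {account.max_concurrent}")
        account.holders.add(user)
        self.audit.append(("checkout", system, login_id, user))
        return account.password

    def check_in(self, system: str, login_id: str, user: str) -> bool:
        """Return the checkout. Returns True when the password was randomized,
        which happens only once the number of remaining checkouts reaches zero."""
        account = self.accounts[(system, login_id)]
        if user not in account.holders:
            raise CheckoutError(f"{user} does not hold {login_id}@{system}")
        account.holders.discard(user)
        self.audit.append(("checkin", system, login_id, user))
        if account.holders:
            return False  # someone else still holds it; the password stays valid
        account.password = random_password()
        account.randomizations += 1
        self.audit.append(("randomize", system, login_id, None))
        return True


if __name__ == "__main__":
    broker = CicoBroker()
    broker.register(PrivilegedAccount("linux01", "root"))  # constructed sample system
    shown = broker.check_out("linux01", "root", "alice")
    print("alice received a", len(shown), "character password")
    print("randomized on check-in:", broker.check_in("linux01", "root", "alice"))
```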
CIDR
Classless inter-domain routing is a way of writing a single IP address so that it represents many unique IP addresses. A CIDR address ends with a slash followed by the length of the IP network prefix; every address that shares that prefix belongs to the range.
coarse-grained user provisioning
Coarse-grained user provisioning is a process where new accounts are created for new users, with basic entitlements rather than all of the required entitlements.
This may be easier to automate and faster to deploy, but requires further, manual intervention before a new user can be fully productive.
complexity rule
Password complexity rules are those parts of a password policy designed to ensure that users choose hard-to-guess passwords. Examples are requirements to use long passwords, to use mixed case or to avoid dictionary words.
connector
A connector is a piece of software responsible for automatically discovering accounts, groups and group memberships on some systems or applications and for automatically fulfilling changes to accounts or group memberships on that system.
credentials
Credentials are the data used to both identify and authenticate a user. The most common credentials are login IDs and passwords. Other credentials refer to other types of authentication factors, including biometric samples of the user, public key certificates, etc.
dashboard
A graphical summary report of statistics for Bravura Security Fabric operation and usage.
DBA
Database administrator
delegate
A given authorizer may not always be available. For example, authorizers may take holidays, be ill, be too busy to respond, etc. In these cases, an authorizer may wish to delegate their authority to another user – temporarily or permanently. The new authorizer is a delegated one.
delegation manager
A person who can delegate other user’s responsibilities.
dependencies
Dependencies tell Bravura Identity to verify that a user has an account on one system before it creates a new account for the same user on another system. You can define these dependencies based on:
Business rules (for example, you may require that all users must have a mainframe ID)
Technical requirements (for example, a Novell NDS account must exist before a GroupWise account can be created)
disabled account
A disabled account is one where the administrator lockout flag has been set.
discovered system
Any system discovered by Bravura Privilege. It may be represented by a computer object in AD or an entry in a CMDB data export.
discovered target system
A discovered system that is converted to a target either manually or through import rules. Bravura Privilege will at least attempt to connect to the system, discover accounts and randomize passwords. Additional discovery may be performed as well, such as listing groups and services.
domain service account
A service account that exists on a directory (like Active Directory) domain for which a member server runs a service, and the service executes in the security context of the service account.
domain SKA
A domain-level secure kiosk account is a specially constructed and locked-down network operating system login account. It is typically used to allow users who forgot or otherwise disabled their network login password to gain access to a self-service password reset facility.
dynamic authorization
Authorizers are determined and assigned at the time the request is submitted, using criteria based on properties of the request (relationship to the recipient, value of a particular request attribute, access requested and so on).
end user
A regular user who uses Bravura Security Fabric as a self-service user, help desk user, workflow manager, or authorizer.
enrollment
The process of inviting users to provide data about themselves, such as answers to security questions, mobile phone numbers, etc. Enrollment also includes identifying and authenticating users into a registration web portal and prompting users to enter this data.
enterprise role
An enterprise role is a collection of entitlements spanning multiple systems or applications. Like simple roles, enterprise roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.
entitlement
In the abstract, a record in a system which allows a user to perform some action, such as logging into that system or using a function within it. This is typically granted for either an account or a group membership.
environment
A collection of systems, software and supporting infrastructure required by Bravura Security Fabric to function.
environment files
.json files that define environment specific configurations for components that would otherwise be common across multiple environments. For example, they would capture different target addresses for a development environment versus a production environment. These files are applied prior to component installations.
escalate
A given authorizer may not always be available. In cases where an authorizer fails to respond to a request to approve or reject a requested change, and where the authorizer has not named a delegated authorizer, an automatic escalation process may select a replacement authorizer after a period of time. This replacement is the escalated authorizer.
explicit role
A role may be explicitly assigned to a user – i.e., some database will include a record of the form "user X should have role Y."
global password policy
A global password policy is a policy designed to combine the policies of multiple target systems. It is the product of combining the strongest of each type of complexity rule and the most limited representation capabilities of the systems where passwords will be synchronized.
group
A set of users within a single application, which has an associated set of access rights. Users are assumed to be granted rights within each application by being placed in a group. Some applications may use different terminology for groups, such as roles. The term group is used in this document and the Bravura Security Fabric user interface.
group attributes
Group attributes define groups on target systems; for example, the group description in Active Directory. When you add a target system, there is an option to list group attributes. Group attributes can be mapped to resource attributes.
group authorizer
A user who has the responsibility to decide who should belong to a particular group.
group membership
A group membership is the assignment of a given user to a given security group, thus providing an entitlement to the user who owns the account.
group owner
A group owner is a user that is responsible for the management of a group, and who can directly modify the list of group members and (possibly) group owners.
group set
A predefined set of one or more groups, defined within the scope of a managed system policy, which can be checked out – that is, temporarily attached to an authorized user’s (normally unprivileged, pre-existing) account.
hardware token
A hardware token is a small device, typically either the size of a credit card or suitable for attaching to a user’s key chain, which computes a one time password. Users use a hardware token to prove possession of a device (i.e., something they have) as an authentication factor.
help desk trustee
Any user that is a member of the help desk trustee user class, and so can submit a request to assign an owner at account onboard or update.
help desk user
A regular user who can log into Bravura Security Fabric and access the Help users (IDA) module, to act on the behalf of other users.
hidden values
Values that are not entered or seen by end users in the change request form or results.
ID filters
Bravura Security Fabric uses ID filters to determine which accounts are imported to Bravura Security Fabric from a target system.
identification
A process used to differentiate one user from another. This normally involves assigning unique identifiers (strings or characters) to each user and asking users to enter their identifier. Identifiers may be drawn from an existing data source, such as network login IDs, HR employee numbers, email addresses, and so on.
identification priority list
Includes target systems that users may select to enter their login IDs on, in order to identify themselves in Bravura Security Fabric.
IdP
An identity provider (IdP) identifies and authenticates a user on behalf of the service provider reducing the burden of managing multiple specific credentials.
When users access the service provider's (SP) URL, they are redirected to the IdP, which identifies and authenticates the user. Once users authenticate they are redirected back to the application along with a cryptographically signed SAML assertion indicating who they are (identity), and what they may access (authorization). This mechanism allows multiple applications to share a single, secure login process.
implementer
A "human agent" that manually fulfills requests. An implementer can accept or decline tasks, and mark them as completed or cannot be completed. Implementers can also be assigned to deliver inventory objects to recipients.
implicit role
A role may be implicitly assigned to a user – i.e., some database will include a rule of the form "users matching requirements X should be automatically assigned role Y."
instance
The entirety of the Bravura Security Fabric installation, including all its servers.
invitation
A message sent to a user, such as an authorizer or implementer, asking that user to take some action, such as approving or completing a change. Typically sent via email.
interactive privileged account
A privileged account that authorized users sign in to, via interactive login sessions, to perform tasks (for example, installing software, managing users and permissions, applying patches, inspecting logs).
interceptor
The Bravura Pass component which is installed on a target system to perform transparent synchronization.
intruder lockout
Many systems and applications incorporate a “lockout” flag which indicates that too many unsuccessful attempts have been made to sign into a given login account during a given time interval. An intruder unlock is a process for clearing this flag, normally (by a person or by automated software) using privileged credentials to the system where the flag is stored.
inventory
Inventory refers to physical assets that can be provisioned to users. Bravura Identity can be used to provision SecurID tokens, access badges, and other devices associated with security access. It can be integrated with an asset management system to provision office furniture, PCs, telephones and other equipment.
inventory manager
An inventory manager is a Bravura Security Fabric user who can manage inventory items by location and type; for example, a user may be assigned to manage smart phones in New York. An assigned inventory manager can add inventory items to the Bravura Security Fabric database and change the state of an item. They can also change the location of an item if they are responsible for the same item type in different locations.
KVGroup
KVGroup stands for Key-Value Groups. A KVGroup has a key, a name, and its contents. It contains a set of key-value pairs, as well as a set of "inner" KVGroups. There is no limit to the level of nested KVGroups. KVGroups are used extensively for inter-process communication in Bravura Security Fabric.
local service account
A service account that exists on the same system where the service that runs in its security context executes.
lockout
Some systems monitor failed authentication attempts. If too many failed attempts to log on to a single account are detected, then the account is locked.
Intruder lockouts mean that authentication to the particular account is now denied, but the account is not intentionally disabled by an administrator. Intruder lockout may be triggered by users who persistently mistype their own passwords; for example, with the [Caps Lock] or [Num Lock] key depressed.
Most systems differentiate between locked and disabled accounts.
login ID
The unique identifier that a user types to sign into a system or application is that user’s login ID on that system.
managed account
An account on a managed system which was both discovered and, by either manual action or by satisfying an automated import rule, is managed by Bravura Privilege – that is, Bravura Privilege may periodically randomize its password and/or may grant access to the account, subject to the policy.
managed group
A managed group is a group of accounts defined on a target system, such as AD or LDAP, whose membership is monitored and managed in Bravura Security Fabric. On some target systems, this can include groups inside groups. An unmanaged group is simply a group whose membership is not monitored and managed in Bravura Security Fabric.
managed system
A workstation or server that is a member of a Bravura Privilege managed system policy. Bravura Privilege must manage access to at least one account on the Managed System.
managed system policy
The intersection of a set of managed accounts, a set of managed systems, and policy rules. For example, rules determine how often to randomize passwords, which users are allowed access to the managed accounts on the managed systems in question, and what kind of access is granted.
manager
A single user who is responsible in some way for the actions and access rights of another user. Synonymous with a supervisor.
A person identified in the OrgChart as having one or more persons reporting to him or her (subordinates).
migration
Copying configuration files and raw data from one instance to another.
mobile devices
Within the context of this document, mobile devices consist of smart phones and tablets. They do not include laptops.
mobile passwords
Mobile passwords are passwords stored in the security database on a portable device, such as a PDA or smart phone. Mobile devices typically have dynamic addresses, are sometimes turned off and may not respond to requests they receive from the network, other than special cases such as phone calls and text messages.
monitored session
An administrative session that has been monitored and recorded. A monitored session may capture specific content or full-system content.
multi-factor authentication
Multi-factor authentication means authentication using multiple factors. For example, a user might sign into a system with a combination of two things he knows, or a combination of something he knows and something he has, or perhaps something he knows, something he has and something he is.
The premise is that adding authentication factors makes it more difficult for a would-be attacker to simulate a legitimate authentication and consequently impersonate a legitimate user.
one-time Bravura Privilege user
A Bravura Privilege user who has not been pre-authorized to check out access to a given privileged account, but who requests such access on a one-time basis, via a request form and approval workflow.
orchestration
Orchestration is the coordinated process involving one service account password change and related subscriber notifications. Subscriber notification can inform subscribers of a new password value for a service account that it uses. Notification may require extra steps, in addition to providing the new password value - such as stopping and restarting services.
OrgChart
The OrgChart is an acyclic graph, stored in the Bravura Security Fabric database, that identifies the primary manager for every user in an organization.
OrgChart data is Bravura Security Fabric’s representation of an organization chart. It can be created, for example, using Org Manager, Bravura Security’s enterprise OrgChart management solution.
OrgChart construction phase
A state indicating that the organization chart is being built from scratch. An organization is likely to use this state only once during the initial gathering of organization chart data.
orphan account
An orphan account is an account belonging to a previous user who has left the organization.
OTP
A one-time password (OTP) is an algorithm used to produce a different password every time a user needs to authenticate. An OTP may be time-based (i.e., the password for any given minute/hour/date is different and may be computed both by the user and the system into which the user wishes to authenticate). An OTP may also be series based (the password value depends on the number of times the user has signed on before), or may be computed by the user in response to a challenge presented by the server.
Often, remote applications using Bravura Security Fabric APIs will use an OTP.
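The three OTP styles named above, as an added example that is not part of the original glossary: the time-based and series-based variants follow the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, the challenge-response variant is an assumed HMAC construction for illustration, and the demo key is the RFC 4226 test key. The verifier side shows what each style has to track so that a code cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret: the RFC 4226 test key, so the HOTP values below are checkable.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Series-based OTP (RFC 4226): the value depends on how often the token was used."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the current 30-second time step,
    so user and server can both compute it without any shared state."""
    return hotp(secret, int(unix_time) // step, digits)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Challenge-response OTP: the device MACs a server-supplied nonce.
    Assumed construction for illustration, not any particular vendor's algorithm."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side verification state for one enrolled token.

    Series-based: remember the last accepted counter (replay protection) and allow a
    bounded look-ahead so a token pressed without logging in can resynchronize.
    Time-based: tolerate small clock skew, but never accept a time step twice.
    Challenge-response: every issued challenge is single use."""

    def __init__(self, secret: bytes, look_ahead: int = 5, time_skew_steps: int = 1):
        self.secret = secret
        self.look_ahead = look_ahead
        self.time_skew_steps = time_skew_steps
        self.last_counter = -1       # highest HOTP counter accepted so far
        self.last_time_step = -1     # highest TOTP time step accepted so far
        self.issued_challenges = set()

    def verify_hotp(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consumes this counter and any skipped ones
                return True
        return False

    def verify_totp(self, code: str, unix_time: int, step: int = 30) -> bool:
        now_step = int(unix_time) // step
        for s in range(now_step - self.time_skew_steps, now_step + self.time_skew_steps + 1):
            if s <= self.last_time_step:
                continue  # already used: a replayed TOTP inside the skew window is refused
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_time_step = s
                return True
        return False

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.issued_challenges.add(challenge)
        return challenge

    def verify_response(self, challenge: bytes, response: str) -> bool:
        if challenge not in self.issued_challenges:
            return False  # unknown, expired or already consumed challenge
        self.issued_challenges.discard(challenge)  # single use
        return hmac.compare_digest(challenge_response(self.secret, challenge), response)
```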
parallel authorization
A parallel authorization process is one where multiple authorizers are invited to comment concurrently – i.e., the identity management system does not wait for one authorizer to respond before inviting the next.
Parallel authorization has the advantage of completing more quickly, as the time required to finish an authorization process is the single longest response time, rather than the sum of all response times.
pass-thru authorization
You can configure pass-thru authorization to grant groups of external users, such as Active Directory domain users, access to the Manage the system (PSA) module. A plugin is used to verify that a product administrator has entered a correct password and belongs to the correct user group before allowing the product administrator to log in. The plugin also determines the product administrator’s access rights.
password age
Password age is the number of days since a password was last changed.
password complexity
A process and policy for ensuring that users select new passwords that are complex, in the sense that they would be very difficult for an attacker to guess and therefore compromise. Password complexity policy is normally made up of multiple specific rules, such as a requirement for minimum length, using characters from different classes, not using a dictionary word, and so on.
password expiry
Password expiry is a process whereby users are forced to periodically change their passwords. An expiration policy may be represented as the longest number of days for which a user may use the same password value.
The reason for password expiry is the notion that, given enough time, an attacker could guess a given password. To avoid this, passwords should be changed periodically and not reused.
password history
A password history is some representation of one or more previously used passwords for a given user. These passwords are stored in order that they may be compared to new passwords chosen by the user, to prevent the user from reusing old passwords.
password policy
A password policy is a set of rules regarding what sequence of characters constitutes an acceptable password. Acceptable passwords are generally those that would be too difficult for another user or an automated program to guess (thereby defeating the password mechanism).
Password policies may require a minimum length, a mixture of different types of characters (lowercase, uppercase, digits, punctuation marks, etc.), avoidance of dictionary words or passwords based on the user’s name, etc.
Password policies may also require that users not reuse old passwords and that users change their passwords regularly.
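An added example (not Bravura's own implementation) covering both the password policy rules just listed and the global password policy entry earlier in this glossary: per-system policies are combined by taking the strongest of each complexity rule and the most limited representation capability, and a candidate password is then checked against the combined policy, including history and expiry. The policy fields, the sample dictionary and the two sample systems are assumptions.

```python
import hashlib
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy model: complexity rules plus what the system can represent."""
    name: str
    min_length: int = 8
    max_length: int = 128                    # representation limit: longest stored password
    min_classes: int = 1                     # distinct character classes required
    allowed_punct: str = string.punctuation  # representation limit: punctuation accepted
    forbid_dictionary: bool = False
    history_depth: int = 0                   # previous passwords that may not be reused
    max_age_days: int = 0                    # 0 means the password never expires


def combine_policies(policies) -> PasswordPolicy:
    """Global policy: strongest of each complexity rule, most limited representation."""
    policies = list(policies)
    return PasswordPolicy(
        name="global(" + ",".join(p.name for p in policies) + ")",
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_classes=max(p.min_classes for p in policies),
        allowed_punct="".join(c for c in string.punctuation
                              if all(c in p.allowed_punct for p in policies)),
        forbid_dictionary=any(p.forbid_dictionary for p in policies),
        history_depth=max(p.history_depth for p in policies),
        max_age_days=min((p.max_age_days for p in policies if p.max_age_days), default=0),
    )


CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "punctuation": set(string.punctuation),
}
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "letmein"}  # constructed sample


def password_digest(password: str) -> str:
    """History is kept as digests, not plaintext (a real store would also salt them)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str, history=(), username: str = "") -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(candidate) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters (a target would truncate it)")
    chars = set(candidate)
    classes_used = [n for n, members in CHARACTER_CLASSES.items() if chars & members]
    if len(classes_used) < policy.min_classes:
        problems.append(f"uses {len(classes_used)} character class(es); {policy.min_classes} required")
    bad_punct = sorted(chars & (CHARACTER_CLASSES["punctuation"] - set(policy.allowed_punct)))
    if bad_punct:
        problems.append("contains punctuation not accepted by every target: " + "".join(bad_punct))
    lowered = candidate.lower()
    if policy.forbid_dictionary:
        hits = sorted(w for w in DICTIONARY_WORDS if w in lowered)
        if hits:
            problems.append("contains dictionary word(s): " + ", ".join(hits))
    if username and username.lower() in lowered:
        problems.append("contains the user's login ID")
    if policy.history_depth and password_digest(candidate) in list(history)[-policy.history_depth:]:
        problems.append(f"reused one of the last {policy.history_depth} passwords")
    return problems


def is_expired(policy: PasswordPolicy, age_days: int) -> bool:
    """Password age (days since last change) against the policy's expiry limit."""
    return bool(policy.max_age_days) and age_days >= policy.max_age_days
```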
password recovery
Many applications offer weak encryption of data, such as office documents or spreadsheets. Such encryption is susceptible to brute-force key recovery, and such key recovery is offered by password recovery applications, most often to users who forgot the passwords they used to protect their own documents.
password reset
A password reset is a process where a user who has either forgotten his own password or triggered an intruder lockout on his own account can authenticate with something other than his password and have a new password administratively set on his account.
Password resets may be performed by a support analyst or by the user himself (self-service).
password rule
A constraint applied to the composition of a password to ensure that it is difficult to guess.
persistent listing
A product feature that allows Bravura Security Fabric to receive changes from Active Directory or AD LDS LDAP as they happen on the domain controller. This feature is only available for Active Directory DN and LDAP Directory Service target systems. It is disabled by default.
personal administrative account
An account with elevated privileges that is owned by a single user.
phased authorization
A phased authorization process is one where multiple authorizers are invited to review a request in sequence. Authorizers are grouped into phases, and once a request meets the approval requirements of phase one, it must be reviewed by the next set of authorizers in phase two. Phase two authorizers could be from another department or level of management. There is no limit to the number of phases.
PIN
A PIN is a short, numeric password. PINs are commonly used with bank debit cards and as a secondary authentication factor accompanying technologies such as biometrics or hardware tokens.
PIN reset
A process where a user’s PIN – for example to activate a smart card or one time password device, or a legacy application or voice mail system – is set to a new value, without knowing the current value of that PIN. This is normally done (by a person or by automated software) using privileged credentials to the system where the PIN is stored.
PIN reset - self service
PIN reset performed by the user on their own behalf, through a self-service application. Some other form of authentication is required to do this, as the user’s PIN is presumably forgotten or locked out.
plugin
A plugin is software developed independently of Bravura Security Fabric that is invoked by Bravura Security Fabric to validate or acquire information, or to alter its own behavior. The plugin can be a program or a script.
plugin point
A plugin point is a set of conditions that cause Bravura Security Fabric to invoke a plugin, where the plugin can be a program or a PSLang script. Plugin points may be enabled, disabled, or configured within Bravura Security Fabric.
pre-authorized user
A Bravura Privilege user who has been pre-authorized to check out access to at least one privileged account, such that they can initiate a login session to that account at any time.
pre-defined request
Security change requests that involve a variety of possible triggers and operations. Request attributes, workflows, access controls and operations are pre-configured for each request.
pre-defined security questions
Security questions where the question is drawn from a finite set, defined in advance. The answers remain user-specific.
primary
The person who initially held a responsibility that is delegated or escalated to another person.
primary server
At runtime, the Bravura Security Fabric server presents a web GUI for all password management functions. It also provides services for the Bravura Security Fabric remote API, transparent password synchronization, password change notification, server replication, and remote logging.
privileged account
A privileged account is a login ID on a system or application which has more privileges than a normal user. Privileged accounts are normally used by system administrators to manage the system, or to run services on that system, or by one application to connect to another. Examples include Administrator on Windows, sa on SQL Server and root on Unix/Linux.
profile
The information that Bravura Security Fabric stores about a user. This may include a full name, personal details, information about the user’s accounts (login IDs and attributes), access controls, authentication data, and more.
profile and request attributes
Profile and request attributes are associated with Bravura Security Fabric users and processes. They can provide information about a user, a request, or both. Values for these attributes can be loaded automatically from associated account attributes, provided by a plugin, or entered by users in a form on the Bravura Security Fabric GUI.
profile ID
A profile ID is a globally unique identifier for a human user.
proxy server
Fulfills requests on behalf of the Bravura Security Fabric server. The proxy service is useful for securing communication to an insecure target or for traversing a firewall to reach a target.
The service must be installed on a separate Windows server.
proxy zone
A set of Bravura Security Fabric proxy servers responsible for running connectors that communicate with a set of systems, typically in the same location or on the same network segment. This is typically required when direct connection is blocked by a firewall.
question set
Questions that users must answer to authenticate may be grouped into sets. A question set may consist of either predefined (the same for every user) or user-defined (possibly different for every user) questions. Each user has their own answers to each question in each set.
RBAC
Role-based access control
recipient
Changes to user profiles or entitlements always have a recipient – that user profile which will be created, modified or deleted.
regular expression
Regular expressions are a powerful mechanism for extracting patterns out of text strings.
regular user
A user who has at least one account on a target system, and can log into Bravura Security Fabric. Regular users can be end users and/or product administrators.
release train
Bravura Security uses the concept of release trains to streamline the release of fixes and stability enhancements. Customers request the head of a release train to obtain the latest available patch for their product's major.minor version. Release trains allow customers to benefit from fixes and enhancements as soon as they become available.
reminder
A repeated invitation, sent if there was no response to an earlier invitation.
replication
Two or more Bravura Security Fabric servers configured to automatically communicate (replicate) all changes to each other, without any connection between their underlying databases. This is unnecessary if using only a single server, or if all servers use a single, shared database schema. A typical environment will use either shared schema or replication, but not both.
replication group
All Bravura Security Fabric replication partners communicating changes to each other are part of the same replication group.
replication partner
When two or more Bravura Security Fabric servers are configured to replicate changes to each other, each server involved in the replication is considered a replication partner.
report
A set of data containing information related to entitlements, optionally correlated with users and approvers and applications.
requester
Changes to user profiles or entitlements are often initiated by a requester – literally a person who makes a change request. In other cases they may be initiated by an automated process, which may or may not have a "virtual" (i.e., non-human) ID.
resource attributes
Resource attributes are defined in Bravura Security Fabric and associated with resource objects such as target systems and managed groups.
resource entitlement attributes
Resource entitlement attributes define the relationship between two resources.
Group entitlement attributes define the relationship between a user and their group membership; for example, the membership expiry date is a group entitlement attribute for the relationship between a user and their group membership.
Role entitlement attributes define the relationship between a user and their role assignment; for example, an expiry date for a student’s registration in a math course at university is a role entitlement attribute for the relationship between the student and their role as a math student.
REST
Representational State Transfer: A software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the Internet.
restricted values
Request attributes can have restricted values. This means that users choose a value from a drop-down list on the New account form. The values can be configured manually or determined by a plugin.
reviewer
The person with the responsibility of reviewing and verifying users or rights.
role
Bravura Identity uses roles to allow users to set up or request user accounts based on a group of templates. You can group the templates according to your organization’s needs. For example, you can create roles to reflect:
Job functions – such as administrative assistant or manager.
Departments – such as marketing, development, or support.
role change
A role change is a business process where a user’s job function changes and consequently the set of roles and entitlements that the user is assigned should also change. Some old entitlements should be removed (immediately or after a period of time), some old entitlements should be retained, and some new entitlements should be added.
role management
Roles and role assignment are unlikely to remain static for any length of time. Because of this, they must be managed – the entitlements associated with a role must be reviewed and updated and the users assigned the role, implicitly or explicitly, must be reviewed and changed. The business processes used to effect these reviews and changes are collectively referred to as role management (sometimes enterprise role management).
role violation
A role violation is when a user is assigned an entitlement that contradicts that user’s role assignment. The entitlement may be excessive – i.e., not predicted by the role – or it may be inadequate – i.e., the role assignment predicts that the user should have an entitlement, but the user does not.
SAML
Security Assertion Markup Language: An XML-based, open-standard data format for exchanging authentication and authorization data between parties; in particular between an identity provider and a service provider.
secondary server
At runtime, this server functions the same as the Bravura Security Fabric primary server. It serves as a backup, for failover and redundancy. Nightly, the secondary server receives configuration, account lists, database, and software updates from the primary server.
secure browser client
A Bravura Security Secure Browser trusted app that brokers access to a configured website with added session recording.
secure browser disclosure plugin
A disclosure plugin, which provides a method that brokers access to websites using a dedicated browser window with added session monitoring.
security question authentication
A common form of non-password authentication, security question authentication prompts a user to answer one or more personal questions. Authentication is premised on the assumption that only the user would know the answer to these questions.
self-service account (intruder) lockout
An intruder unlock performed by the user on their own behalf, through a self-service application. Some other form of authentication is required to do this, as the user’s password is presumably forgotten or locked out.
self-service modules
Enable users to manage their profiles, submit security change requests, and authorize or manage security change requests. Self-service modules are only accessible to users with accounts.
self-service password reset
Password reset performed by the user on their own behalf, through a self-service application. Some other form of authentication is required to do this, as the user’s password is presumably forgotten or locked out.
sequential authorization
A sequential authorization process is one where multiple authorizers are invited to comment, one after another.
Sequential (or serial) authorization has the advantage of minimizing the nuisance to authorizers in the event that an early authorizer rejects a change request.
service account
A managed account that has at least one subscriber. The service account provides a security context for a subscriber to authenticate against.
service account password
A service account password is used on Windows systems to start a service program which runs in a context other than that of the SYSTEM user. The service control manager uses a login ID and password (of the service account) to start the service program.
shared account
A shared account is a login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared: for example, root, sa or Administrator by system administrators.
SIEM
Security Information and Event Management: A field within computer security focused on log message and event gathering/reporting, commonly used for centralized systems monitoring. The term is also commonly used to refer to third-party products that facilitate centralized monitoring of logs and other data streams.
simple role
A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.
SKA
A secure kiosk account is a special Windows login ID and password, which is well known to users (for example, it may be advertised on the wallpaper image of the login screen). Special security policies are applied to this account, so that when it signs into a Windows workstation, a locked down (kiosk-mode) web browser is launched instead of the normal Windows desktop.
An SKA is a mechanism that allows users to access a self-service password reset web application despite being locked out of the initial workstation login screen.
skin
A set of HTML snippets (*.z files), JavaScript files, and Sassy Cascading Style Sheets (SCSS files) used to change the appearance or text (language) of the Bravura Security Fabric GUI. Each skin includes its own set of buttons and graphics, static HTML files, JavaScript files and style sheets. You create new skins using the make.bat program.
smart card
A smart card is a credit-card-sized device that houses an integrated circuit, with some processing and storage capabilities. Smart cards are often used to carry a user’s private encryption key and one or more certificates (the user’s signed public key or other keys).
Smart cards are useful for authentication since they constitute an authentication factor (something the user has), and they often require a PIN or password to be activated, which adds a second factor (something the user knows).
SoD
Segregation of Duties rules are used to identify exceptions to roles or possible access conflicts. Rules are created that specify conflicting resources to which a user should not have simultaneous access. Once the rules are in place, users in violation of the rules are automatically identified. Permission to override a rule is granted on a case-by-case basis and must be approved.
SoR
System of Record
source of profiles
A target system that is used by Bravura Security Fabric to generate profiles. Every account discovered from a source of profiles (SoP) target that is not removed by a filter will create a profile in Bravura Privilege and will count against the user license.
SP
A service provider is a SAML-compliant product or service configured to trust an identity provider (IdP) to authenticate users and collect their entitlements, rather than performing the authentication itself.
SSO
Single sign-on (SSO) is any technology that replaces multiple, independent login prompts with a consolidated authentication process, so that users don’t have to repeatedly sign in.
standard ID
A standard login ID is a system or application ID that uses a naming system that is consistent with other systems or applications in an enterprise; for example, the person named John Smith owns the standard login ID JOHNS on Windows and Unix systems.
static authorization
Requests involving resources (target systems, templates, roles or groups) are routed to pre-defined authorizers mapped directly to the objects.
static SoD
A static segregation of duties policy is one that prevents one login account or user profile from having two or more conflicting entitlements. These entitlements may be thought of as a toxic combination. For example, the same user may not both authorize an expense and print the cheque to pay for it.
sub-delegation
The act of further delegating an already delegated responsibility.
sub-host
Bravura Security Fabric may manipulate user accounts on managed systems that are implemented as aggregates of smaller systems. Examples of aggregate systems include:
Active Directory domains, which contain multiple domain controllers.
Applications which include an operating system, directory and/or database.
An email system which includes a global directory and local mail servers.
A sub-host is one component of such an aggregate system.
subordinate
A person is deemed to be a subordinate of his or her manager. By definition, each manager has at least one subordinate.
subscriber
A subscriber is an entity that stores passwords or permissions used to authenticate to a primary security database, such as the local Windows SAM database or Active Directory. It can be a process, program, or file, such as the Service Control Manager, IIS, the scheduler, or DCOM objects.
subscriber notification
The process of notifying subscribers of new service account password values.
superuser
A product administrator who has all administrative privileges. You create the first superuser when you install Bravura Security Fabric. A superuser cannot be a regular user; that is, they cannot access self-service menus.
system administrator
A system administrator is a user with absolute control over a target system. The system administrator may install any or all software on the managed system, can create or delete other users on that system, etc.
system vaults
Representations of systems in the environment, but without a connector or technical integration.
target administrator
Bravura Security Fabric uses a designated account (for example psadmin) on each target system to perform operations. This account is known as a target administrator in Bravura Security Fabric. It is not necessarily a real user.
target operations
Account related operations that are performed by Bravura Security Fabric connectors when interacting with target systems.
target system
A computer system or application that has users or accounts to be managed or referenced by Bravura Security Fabric. Bravura Security Fabric will periodically list accounts, and potentially groups, group memberships, and account attributes, from this target system during the auto-discovery process.
target system group
Target systems can be grouped in Bravura Security Fabric to apply different password policies, apply different synchronization rules, or to allow help-desk users to manage a subset of target systems.
team
A container for users and resources that often represents a real business unit in an organization. Teams are used to define who manages and gets access to those resources managed by Bravura Security Fabric.
team group
A group of individual users or managed groups with assigned team privileges.
team vaults
Used to store and retrieve credentials for target systems that do not communicate with Bravura Security Fabric or other secrets (e.g., a safe's combination). They are not intended to set or randomize credentials stored within them.
telephony
The science of telephones in which sound is translated into electrical signals and then translated back into sound.
template account
A template account is used by Bravura Identity as a reference when provisioning new accounts on a particular target system. Rather than requiring an administrator to provide every parameter when creating a new account on a target system, Bravura Identity can copy relevant parameters from this template account. In effect, Bravura Identity implements a "clone user" operation. Multiple template accounts can be defined for any given target system, representing different types of users, uniquely identified by their group memberships, privileges, home directory locations, and so on. Template accounts are typically dedicated to this task and do not represent real users.
termination
All users eventually leave an organization. Likewise, customers may terminate their relationship with vendors. Generically, these events are called termination.
transparent synchronization
When users change their password on a trigger system, the new password is subjected to a global password policy in addition to the native policy. If the password is acceptable, the new password is changed both on the initial system and, automatically, on every other system where the user has a login ID.
trigger system
Special software is installed on an Active Directory, Windows servers, OS/390 mainframe, Unix, LDAP Directory Service, or OS/400 target system to monitor password changes and test the strength of new password choices. Successful password changes trigger automatic password synchronization for other accounts on other systems that belong to the same user.
in-place upgrade
Deploying a newer version of Bravura Security Fabric in place of an older version using setup.
user
In solution designs or other official documents from Bravura Security support, a user is an individual within the business who is associated with one or more accounts and has one or more entitlements.
In product documentation, users, also referred to as end users, are owners of a Bravura Security Fabric Profile ID with accounts on a target system.
user class
Configured criteria for segmenting users. They can be expressed in terms of profile attributes and group memberships on target systems.
user creation
When users join an organization, they are normally granted access to systems and applications. This is called user creation.
user group
A defined segment of Bravura Security Fabric users whose permissions are determined by an access control list. They do not necessarily refer to target system account groups, although they can be mapped to them via user classes.
user-defined security questions
Security questions where both the question and the answer are chosen by the user.
vault accounts
Representations of accounts on system vaults, along with stored (but not actively managed) passwords.
vault-only systems
Bravura Privilege supports "vault-only" mode, where users store sensitive strings (passwords, PKI certificates, etc.) which are subject to retrieval, access control and audit, but which are not actively managed by the system.
vaults
Key/value stores, where the key is the account name and the value is encrypted and disclosed like a password. Vaults can also be key/file stores, where files are encrypted. This functionality provides secret storage within Bravura Security Fabric.
web application administrator
User who has access to web application PDRs (pre-defined requests). This person needs to be a member of the PAM_TEAM_ADMINS user class, and needs to be configured by a product administrator.
web proxy
A web proxy acts on behalf of one or more web browsers, fetching web pages for users and possibly adding capabilities such as caching (to reduce an organization’s bandwidth usage), filtering (to block unwanted content) and monitoring (to record user activity).
Web proxies act on behalf of one or more users.
web server
The primary server service for providing the user interface. Bravura Security Fabric works with any web server product that supports CGI execution. The web server must be installed on the same Windows host as Bravura Security Fabric. The installer will auto-detect and configure IIS.
web-based password synchronization
Web-based password synchronization works by having a user sign into a consolidated web page to change multiple passwords, rather than waiting for each system or application to prompt the user to change just one password.
Users typically sign into the password synchronization web page using a primary login ID and password and can then specify a new password, which will be applied to multiple systems and applications.
A password synchronization web application typically must enforce a password policy, which should be at least as strong as the policies in each of the target applications.
website disclosure configuration
Disclosure configuration created in Bravura Security Fabric using JSON configuration files to provide single sign-on access to a website.
workflow
In this document, workflow refers to the authorization workflow for access change requests.
Bravura Security Fabric empowers users to submit requests to create, modify, or terminate systems access. Bravura Security Fabric’s workflow system is used to:
Identify the people whose authorization is required to make a change.
Ask the authorizers to approve a change request.
Accept feedback from the authorizers.
Trigger an automated action, or
Report on the results of the authorization process.
workflow manager
An authorizer who can resume, suspend, delegate, or cancel individual requests in the request queue.
workstation passwords
Workstation passwords are passwords stored in the security database on a user’s workstation (PC or laptop). Workstations typically have dynamic addresses, are sometimes turned off and do not respond to requests they receive from the network.