
About the auto discovery process

Auto discovery is initiated and controlled by the psupdate program. This program calls a series of other programs, such as updproxy, that perform the actual work for most of these tasks, which are described below.

Refreshing proxy servers

If one or more of your target systems is set up to use a proxy server, the updproxy program automatically copies files that have been created or modified to the proxy server.

See updproxy for details of this program.

You can also refresh proxy servers manually. See Managing Proxy Servers for details.

Listing information from target systems

Connector programs connect to target systems and extract information about users (accounts) and other objects from those systems. Each connector is designed to target a specific type of system. Depending on how Bravura Security Fabric is configured and the capabilities of the connector, Bravura Security Fabric may extract information about: computer objects on the domain, service accounts, group memberships, per-user attributes, unassigned tokens, and OrgChart information.

Connector programs write the extracted information to SQLite database files in the <instance>\psconfig\ directory. In Bravura Security Fabric these files are referred to as list files. A SQLite database list file is saved for each target system.

The following is the schema for the connectors to use when writing discovered objects:

discobj ( stableid TEXT, type TEXT, longid TEXT, shortid TEXT, displayid TEXT, sd TEXT ) 
discobjattr ( stableid TEXT, type TEXT, attrkey TEXT, attrval TEXT, seqno INTEGER ) 
discobjrel ( parent_stableid TEXT, parent_type TEXT, reltype TEXT, child_stableid TEXT, child_type TEXT,

All data for a target system is stored according to the schema listed above.

  • Groups, accounts, computers and subscribers are listed in the discobj table.

  • Attributes for each of these objects are listed in the discobjattr table.

  • Group members (both group and account) are listed in the discobjrel table.

  • Subscriber account associations are listed in the discobjrel table.

  • During discovery, all data is loaded into generic Bravura Security Fabric tables (targetobj, targetobjattr and targetobjrel).

  • Computer objects and subscriber data are loaded into the new generic tables above, as well as foundcomputer, foundcompattr, foundaccountmgnobj and foundobjattr tables for use by import rules.

Note the following about listing:

  • Connectors are only run for target systems that are configured to list accounts or other objects.

  • Account IDs and group IDs must be no longer than 200 characters.

  • When infrastructure auto discovery options are configured, SQLite list files for discovered target systems are placed within a <instance>\psconfig\discovered\ directory, with sub-directories for each discovered system. Each sub-directory is named after the first three characters of the discovered system. The discovered directory is not replicated by the file replication program (updinst).

Normally, if a user has an account on a target system and that account has an <accattr> value that is empty, Bravura Security Fabric will attempt to get an associated attribute value from another system. You can change this by enabling the Manage the system > Maintenance > Options > LOADDB NULL IS VALUE setting. When this is enabled, Bravura Security Fabric considers the associated profile attribute value empty; it does not attempt to get an attribute value from another system.

All operations triggered during target listing (connect, serverinfo, listobj) must be supported by the connector that runs the list operations, and all of them have to succeed in order for the newly listed target data to be loaded and processed during discovery.
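The following is an added example, not code from Bravura Security Fabric, of a connector-style writer that creates a list file with the discobj, discobjattr and discobjrel tables described above, refuses account and group IDs longer than the 200-character limit from the listing notes, and then reads group memberships and per-object attributes back out of it. The page's discobjrel definition is cut off after child_type, so only the columns shown are used; the stable IDs, object type names ("account", "group") and the relationship type "member" are constructed sample values, not values taken from the product.

```python
import sqlite3

# Tables as given on the page. The discobjrel definition on the page is truncated
# after child_type, so this example (assumption) uses only the columns shown there.
SCHEMA = """
CREATE TABLE discobj (
    stableid TEXT, type TEXT, longid TEXT, shortid TEXT, displayid TEXT, sd TEXT);
CREATE TABLE discobjattr (
    stableid TEXT, type TEXT, attrkey TEXT, attrval TEXT, seqno INTEGER);
CREATE TABLE discobjrel (
    parent_stableid TEXT, parent_type TEXT, reltype TEXT,
    child_stableid TEXT, child_type TEXT);
"""

MAX_ID_LEN = 200  # account IDs and group IDs must be no longer than 200 characters

# Constructed sample rows. The type names and the reltype "member" are assumed
# for illustration; they are not the product's own identifiers.
SAMPLE_OBJECTS = [
    # (stableid, type, longid, shortid, displayid, sd)
    ("acc-1", "account", "glorib", "glorib", "Gloria Brown", ""),
    ("acc-2", "account", "browng", "browng", "G. Brown", ""),
    ("grp-1", "group", "admins", "admins", "Administrators", ""),
]
SAMPLE_ATTRS = [
    # (stableid, type, attrkey, attrval, seqno) - seqno orders multi-valued attributes
    ("acc-1", "account", "mail", "gloria.brown@example.invalid", 0),
    ("acc-1", "account", "memberOf", "admins", 0),
    ("acc-1", "account", "memberOf", "ops", 1),
]
SAMPLE_RELS = [
    # (parent_stableid, parent_type, reltype, child_stableid, child_type)
    ("grp-1", "group", "member", "acc-1", "account"),
    ("grp-1", "group", "member", "acc-2", "account"),
]


def oversize_ids(objects):
    """Return the long IDs of accounts and groups that exceed the 200-character limit."""
    return [o[2] for o in objects
            if o[1] in ("account", "group") and len(o[2]) > MAX_ID_LEN]


def build_list_db(objects, attrs, rels, path=":memory:"):
    """Create a list file (SQLite) with the page's schema and insert the rows.

    A listing containing oversize IDs is refused outright rather than written,
    so a bad extraction never produces a half-populated list file."""
    bad = oversize_ids(objects)
    if bad:
        raise ValueError(f"{len(bad)} ID(s) longer than {MAX_ID_LEN} characters")
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    with con:  # one transaction for all rows
        con.executemany("INSERT INTO discobj VALUES (?,?,?,?,?,?)", objects)
        con.executemany("INSERT INTO discobjattr VALUES (?,?,?,?,?)", attrs)
        con.executemany("INSERT INTO discobjrel VALUES (?,?,?,?,?)", rels)
    return con


def group_members(con, group_stableid):
    """Resolve a group's members through discobjrel, returning their long IDs."""
    rows = con.execute(
        "SELECT c.longid FROM discobjrel r "
        "JOIN discobj c ON c.stableid = r.child_stableid AND c.type = r.child_type "
        "WHERE r.parent_stableid = ? AND r.parent_type = 'group' "
        "AND r.reltype = 'member' ORDER BY c.longid",
        (group_stableid,))
    return [r[0] for r in rows]


def object_attrs(con, stableid):
    """Return {attrkey: [values...]} for one object, multi-values ordered by seqno."""
    out = {}
    for key, val in con.execute(
            "SELECT attrkey, attrval FROM discobjattr "
            "WHERE stableid = ? ORDER BY attrkey, seqno", (stableid,)):
        out.setdefault(key, []).append(val)
    return out


if __name__ == "__main__":
    db = build_list_db(SAMPLE_OBJECTS, SAMPLE_ATTRS, SAMPLE_RELS)
    print("members of grp-1:", group_members(db, "grp-1"))
    print("attributes of acc-1:", object_attrs(db, "acc-1"))
```

Passing a real file path instead of ":memory:" to build_list_db writes a list file you can open with the sqlite3 command-line tool; the queries in group_members and object_attrs are the same joins a loader would run when moving the rows into the targetobj, targetobjattr and targetobjrel tables.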

Monitoring list file size

The "listing information from target systems" task is fail-safe: if the lists extracted from a target system fail to return sufficient data, that is, the extracted list file size falls below the value set for this option, Bravura Security Fabric discards the defunct lists and restores the previously harvested lists.

The Minimum list file size is set on each target system's configuration page.

Updating profiles with alternate login IDs

Profiles containing alternate login IDs can be updated by end users using the Attach other accounts (PSL) module or by help desk users using the Help users (IDA) module. See Manual account attachment examples.

You can also specify alternate login IDs for users and add them in batches using the text file <instance>\psconfig\malias.txt. You might do this, for example, to minimize user enrollment time, or where a source-of-profiles target system has no attributes to map to an easy-to-remember profile ID. The text file must be created manually, and must use the following format:

"<Target system ID>" "<Login ID>" "<Profile ID>"

For example:

"ACTIVEDIRECTORY" "glorib" "glorib"
"LINUX" "browng" "glorib"
"LDAP" "gloria.brown" "glorib"
"WEBAPP" "153029" "glorib" 

The next time auto discovery is run, the alternate login IDs are associated with the specified profiles.

Every time auto discovery runs it will add the manual associations specified by malias.txt. If the manual association is removed by the user or help desk through other mechanisms (but not removed from malias.txt), it will be re-added on the next discovery. Removing entries from malias.txt will not remove manual associations it created, as it is only used to add associations. Similarly deleting malias.txt entirely will not remove the manual associations it created.
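As an added example (not part of the product, and not the parser psupdate itself uses), the following Python reads a malias.txt in the format shown above, rejects lines that do not consist of exactly three quoted fields, groups the alternate login IDs under each profile ID, and flags a login ID on one target system that is mapped to more than one profile, since one account can belong to only one profile. The file contents are constructed here; the conflict check is an added validation, not a behaviour the page describes.

```python
import re

# Constructed sample of <instance>\psconfig\malias.txt. The last line is
# deliberately malformed to show how such lines are reported.
SAMPLE_MALIAS = '''"ACTIVEDIRECTORY" "glorib" "glorib"
"LINUX" "browng" "glorib"
"LDAP" "gloria.brown" "glorib"
"WEBAPP" "153029" "glorib"

"WEBAPP" "missing profile"
'''

# Exactly three double-quoted, non-empty fields separated by whitespace.
MALIAS_LINE = re.compile(r'^"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"$')


def parse_malias(text):
    """Parse malias.txt into (target_id, login_id, profile_id) tuples.

    Returns (entries, errors). Blank lines are skipped; every other line must
    match the page's format, otherwise it is reported with its line number."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = MALIAS_LINE.match(line)
        if not match:
            errors.append((lineno, "expected three quoted fields"))
            continue
        entries.append(match.groups())
    return entries, errors


def associations_by_profile(entries):
    """Group alternate login IDs under the profile they are attached to."""
    out = {}
    for target_id, login_id, profile_id in entries:
        out.setdefault(profile_id, []).append((target_id, login_id))
    return out


def conflicting_logins(entries):
    """Return (target_id, login_id) pairs mapped to more than one profile ID.

    Added check: an account on a target system belongs to one profile, so two
    entries attaching the same login to different profiles cannot both apply."""
    seen = {}
    for target_id, login_id, profile_id in entries:
        seen.setdefault((target_id, login_id), set()).add(profile_id)
    return sorted(key for key, profiles in seen.items() if len(profiles) > 1)


if __name__ == "__main__":
    entries, errors = parse_malias(SAMPLE_MALIAS)
    for lineno, message in errors:
        print(f"malias.txt line {lineno}: {message}")
    for profile_id, logins in associations_by_profile(entries).items():
        print(profile_id, "<-", logins)
    print("conflicts:", conflicting_logins(entries))
```

Running the check before auto discovery is a cheap way to catch a malformed or contradictory malias.txt, since the file is re-applied on every run and an entry that was only partly added is otherwise easy to miss.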

To remove manual associations added by malias.txt the following must occur:

  1. The association must be manually removed.

  2. The malias.txt entry must be removed to prevent the association from being re-added on the next auto-discovery.

Managing ID filters

Bravura Security Fabric uses ID filters to include or exclude users (profile IDs) and accounts (long IDs) from a target system. The filters are applied during the auto discovery process when accounts are imported.

Use the Maintenance > Auto discovery > Manage ID filters page to identify account IDs that you want or don't want managed by Bravura Security Fabric, or to be included in or excluded from a source of profile IDs.

See Filtering users and accounts for details.

Evaluating import rules

If you have configured import rules to be evaluated against discovered objects, psupdate evaluates:

  1. Target system import rules – to generate automatically discovered target systems from discovered computers.

  2. Managed systems import rules – to add discovered systems into the managed system policies as configured for the import rules.

  3. Managed accounts import rules – to add discovered accounts in managed system policies as configured for the import rules.

See Infrastructure Auto Discovery for details about import rules.

Updating the database

The iddiscover service processes the information stored in list files and loads it into the Bravura Security Fabric database. During this task, new users are imported to Bravura Security Fabric, existing user profiles are updated, and inventories of available groups and unclaimed accounts are created.

If iddiscover discovers accounts that differ only in case on a case-sensitive target system, it writes a warning to its log and notifies the Bravura Security Fabric administrator of a potential security issue.
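The check described above, reconstructed as an added example (not iddiscover's own code): account IDs are bucketed by their case-folded form, and any bucket holding more than one distinct spelling is reported, but only when the target system is case-sensitive, because on a case-insensitive system those spellings are the same account. The sample IDs and the warning text are constructed.

```python
from collections import defaultdict

# Constructed sample of account long IDs as listed from one target system.
SAMPLE_LONGIDS = ["root", "Root", "alice", "ALICE", "Alice", "bob"]


def case_collisions(longids, case_sensitive):
    """Return groups of account IDs that differ only in letter case.

    On a case-insensitive target the spellings denote one account, so nothing
    is reported. On a case-sensitive target they are distinct accounts whose
    names are easily confused with each other, which is the situation the
    administrator is warned about."""
    if not case_sensitive:
        return []
    buckets = defaultdict(set)
    for longid in longids:
        buckets[longid.casefold()].add(longid)
    return sorted(sorted(ids) for ids in buckets.values() if len(ids) > 1)


def collision_warnings(target_id, longids, case_sensitive):
    """Render one warning line per collision group (constructed log format)."""
    return [f"WARNING target={target_id}: account IDs differ only in case: "
            + ", ".join(group)
            for group in case_collisions(longids, case_sensitive)]


if __name__ == "__main__":
    for line in collision_warnings("LINUX", SAMPLE_LONGIDS, case_sensitive=True):
        print(line)
```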

Cleaning up the database

The psupdate program removes stale session keys from the database. This helps to ensure that the database does not grow too large.

Enforcing roles

If the RBAC ENFORCEMENT NIGHTLY LIST option is enabled, Bravura Security Fabric runs the rbacenforce program to list role enforcement violations. If the RBAC ENFORCEMENT NIGHTLY SUBMIT option is enabled, Bravura Security Fabric runs the rbacenforce program to submit requests into workflow to rectify the violations. Both of these jobs are run at the end of auto discovery.

Both of these options are set in Manage the system > Resources > Options.

See Role Enforcement for more information about the options.

See rbacenforce for command-line usage and examples.

Checking inventory levels

If the CHECK INVENTORY PLUGIN inventory option is enabled, Bravura Security Fabric runs a plugin to check the number of inventory objects available for provisioning. If inventory levels fall below a certain level, Bravura Security Fabric notifies the responsible inventory managers. This job is run at the end of auto discovery.

Loading user class cache

At the end of the auto discovery process, Bravura Security Fabric runs the loaduccache -load -hours 0 command. This command loads the user class and user class point caches for all caches.

The caching that is evaluated on the Bravura Security Fabric server is replicated to other Bravura Security Fabric servers with Database Service replication.

See loaduccache for command-line options and examples.

Submitting automatic assignment requests

If automatic assignment is configured, Bravura Security Fabric runs the autores -all -submit command. The command calculates the automatic assignment for configured roles and groups and submits requests based on results.

See autores for command-line options and examples.

Synchronizing server files and registry keys

In a replicated environment, Bravura Security Fabric can synchronize all the files and registry keys between all nodes during auto discovery. You control this using the Maintenance > Options > PSUPDATE FILE REPLICATION setting. When switched on (the default), psupdate runs the updinst program, which synchronizes the files and registry keys between all nodes in the environment. This job is run at the end of auto discovery.

See updinst for command-line usage and configuration options.

Notifying the Bravura Security Fabric administrator

The psupdate program automatically sends email notification to the Bravura Security Fabric administrator if:

  • A command fails or produces a warning.

  • A product administrator exists without a password defined in the Bravura Security Fabric database.

    This situation can occur, for example, if all target system accounts are unassociated from a product administrator's profile.

Generating a configuration summary file

At the completion of auto discovery, Bravura Security Fabric can write a summary of configuration settings for an instance. The summary is written to a file called config-<yyyy>-<mm>-<dd>.kvg in the Logs directory. The file can be used by Bravura Security support to help provide assistance.

You can control this function using the Maintenance > Options > PSUPDATE INSTDUMP setting. When enabled (disabled by default), psupdate runs the instdump program.