
Examples: Reloading data

Business requirement

When organizational changes happen, it is essential that Bravura Security Fabric is updated. For example:

  • Employees transfer, take a leave of absence or depart

  • New staff are employed

  • Staff or the organization move location

  • Phone numbers change

These changes need to be reflected in Bravura Security Fabric quickly and easily.

Solution

Bravura Security Fabric can be configured to:

  • Discover groups, their attributes and their members on a defined target system, then load the discovered data into the database.

  • Detect and update changes in attributes associated with user accounts, such as names, passwords, phone number, office and home address, work status (active, or inactive due to leave of absence), manager, team/group/department, and contact information.

The detected changes are loaded at scheduled intervals. Authorized users can also run the update program manually, in Manage the system or on the command line.

Initial considerations

Where are the changes coming from?

  • Account attributes changes (set by default)

  • Group membership changes (parent/child group)

  • Persistent listing setting: enabled or disabled (disabled by default)

  • Changes on the target system, such as user accounts being added and deleted, accounts joining or leaving managed groups (group membership), and changes in account association (user transfer)

  • Addition or deletion of a target system

How do you want to update the changes in the database?

  • Use scheduled intervals for auto discovery to detect the changes and load them into database

  • Manually run auto discovery when required

  • A combination of scheduled and manual processes

Best practice

Run auto discovery when there are changes in the target system or the selected options in the Target system information page.

Detecting changes in AD target system using the "Track account changes" option

This example shows how to configure Bravura Identity to detect changes to accounts on an Active Directory target system that have been made out-of-band from Bravura Security Fabric. Changes that will be tracked include:

  • Accounts added and deleted

  • Accounts joining or leaving managed groups

  • Account attribute values being changed

  • Account association being changed

The tracked changes are viewable in reports as part of each user’s profile history. This can also be used in automated user administration.

This example assumes that:

  • Bravura Security Fabric and the Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

To use the target system option:

  1. Log in to the front-end as superuser.

  2. Click Manage the System > Resources > Target systems > Manually defined.

  3. Select the Active Directory target system.

  4. Ensure that the Track account changes box is selected.

  5. Click Update to save the change.

  6. Run auto discovery using either the Manage the system module or command-line interface.

Detecting changes in AD target system using the "Track group changes" option

This example shows how to configure Bravura Identity to detect changes in group membership in an Active Directory target system that are made out-of-band from Bravura Security Fabric. The tracked changes are viewable in reports on group membership. This can also be used in automated user administration.

This example assumes that:

  • Bravura Security Fabric and the Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

To use the target system option:

  1. Log in to the front-end as superuser.

  2. Click Manage the System > Resources > Target systems > Manually defined.

  3. Select the Active Directory target system.

  4. Ensure that the Track group changes box is selected.

  5. Click Update to save the change.

  6. Run auto discovery using either the Manage the system module or command-line interface.
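The following is an added example, not Bravura Security Fabric code: it sketches the kind of comparison auto discovery performs when Track account changes and Track group changes are selected, reporting the change categories listed in the two examples above (accounts added or deleted, accounts joining or leaving managed groups, attribute values changed, account association changed) between the last loaded state and a fresh listing. The Account fields, group names and sample accounts are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Account:
    """One listed account (field names are assumptions for this example)."""
    attrs: Dict[str, str]       # attribute name -> value, e.g. telephoneNumber
    groups: FrozenSet[str]      # managed groups the account is a member of
    profile: Optional[str]      # user profile the account is associated with


def diff_listings(previous: Dict[str, Account],
                  current: Dict[str, Account]) -> List[Tuple]:
    """Compare the last loaded state with a fresh listing and return one
    event per tracked change, in a stable order."""
    events: List[Tuple] = []
    for acct in sorted(current.keys() - previous.keys()):
        events.append(("account_added", acct))
    for acct in sorted(previous.keys() - current.keys()):
        events.append(("account_deleted", acct))
    for acct in sorted(previous.keys() & current.keys()):
        old, new = previous[acct], current[acct]
        for grp in sorted(new.groups - old.groups):
            events.append(("joined_group", acct, grp))
        for grp in sorted(old.groups - new.groups):
            events.append(("left_group", acct, grp))
        for name in sorted(old.attrs.keys() | new.attrs.keys()):
            if old.attrs.get(name) != new.attrs.get(name):
                events.append(("attribute_changed", acct, name,
                               old.attrs.get(name), new.attrs.get(name)))
        if old.profile != new.profile:
            events.append(("association_changed", acct, old.profile, new.profile))
    return events


def example_events() -> List[Tuple]:
    """Constructed sample: a departure, a transfer, a new hire and a service
    account added to a privileged group outside the IAM system."""
    previous = {
        "jdoe": Account({"telephoneNumber": "555-0100"}, frozenset({"Staff"}), "jdoe"),
        "asmith": Account({"telephoneNumber": "555-0101"}, frozenset({"Staff"}), "asmith"),
        "svc01": Account({}, frozenset({"Service Accounts"}), None),
    }
    current = {
        "jdoe": Account({"telephoneNumber": "555-0200"}, frozenset({"Staff", "Finance"}), "jdoe"),
        "svc01": Account({}, frozenset({"Service Accounts", "Domain Admins"}), "bjones"),
        "mlee": Account({"telephoneNumber": "555-0102"}, frozenset({"Staff"}), "mlee"),
    }
    return diff_listings(previous, current)
```

Each event tuple is the kind of record that ends up in a user's profile history or a group membership report; the out-of-band addition of svc01 to a privileged group is exactly what these options exist to surface.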

Detecting changes in AD target system using the "Enable persistent listing" option

This example shows how to configure Bravura Security Fabric to receive changes from Active Directory and AD LDS LDAP as they happen on the domain controller. This feature is only present on Active Directory DN and LDAP target systems on Lightweight Directory Services (AD LDS). It is disabled by default.

This example assumes that:

  • Bravura Security Fabric and the Connector Pack are installed.

  • An Active Directory target system is added as a source of profiles.

To use the target system option to enable persistent listing in an AD target system:

  1. Log in to the front-end as superuser.

  2. Click Manage the System > Resources > Target systems > Manually defined.

  3. Select the Active Directory target system.

  4. Ensure that the Enable persistent listing box is selected.

  5. Click Update to save the change.

  6. Run auto discovery using either the Manage the system module or command-line interface, which will run the Persistent Connector Service (agtsvc) on the target.

If you change which objects are listed, where objects are listed from, or which attributes are listed (for example, the OUs from which users or groups are listed), complete the following additional steps:

  1. Use targetsync to synchronize the instance database state with the state of the target system:

    cd "C:\Program Files\Bravura Security\Bravura Security Fabric\default\util\"
    targetsync.exe -target <AD_target_name>

  2. Stop discovery on the target system, then use the Persistent Connector Service client program, agtsvccli, to make a new full list with the -full option:

    agtsvccli.exe -startlist --targetid <AD_target_id> -full

  3. Run auto discovery using either the Manage the system module or command-line interface.

When persistent listing is enabled:

  • The first time the Persistent Connector Service runs, it will list all objects. Each subsequent time the service will only list changes detected.

  • If the service is stopped, upon restart it will list all changes since it was stopped.

  • The domain controller that the service lists from can be changed without losing data.

  • If a full list to reload all data must be redone, this can only be accomplished using the -full option with the Persistent Connector Service client program, agtsvccli.