Bravura Safe User Management

Connector name

agtbsafe-user 

Connector type

A Python script (agtbsafe-user.py) and a scripted platform definition file (agtbsafe-user.con) that associates the script with the Python connector (agtpython) to access Bravura Safe User Management.

Type (UI field value)

Bravura Safe User Management

Connector status / support

Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

Installation / setup

The connector also includes an agtbsafe_requirements.txt file that is used to install the Python requirements for this connector. To install the Python packages required by the agtbsafe-user connector, run the following command from a command prompt:

py -m pip install -r agtbsafe_requirements.txt 

Upgrade notes

Added in Connector Pack 4.5 and removed for Connector Pack 4.8.

The Bravura Safe User Management connector is for targeting Bravura Safe servers that were created prior to 2025.

The Bravura Safe User Management (2025+) connector should be used for the latest Bravura Safe servers from 2025 and later.

Bravura Security Fabric uses the agtpython connector to list users from an organization or team in Bravura Safe and to reset their master passwords.

The following Bravura Security Fabric operations are supported by the Bravura Safe User Management connector:

  • get server information

  • user change password

  • administrator reset password

  • add user to group

  • delete user from group

  • create group

  • delete group

  • List:

    • accounts

    • attributes

    • groups

    • members

For a full list and explanation of each connector operation, see Connector operations.

The Bravura Safe connector can be used to manage the Bravura Safe credentials from collections for the users within an organization or team in Bravura Safe.

Preparation

Before you can target Bravura Safe User Management, you must:

Set up Bravura Safe

See Bravura Safe Documentation to learn how to set up a Bravura Safe instance, team, and users.

Recommended Bravura Safe permission sets

The following are the recommended sets of permissions for the Bravura Safe User Management administrator.

Bravura Safe User Management target administrator:

  • User type: Custom

  • Admin Permissions:

    • Manage users

    • Manage password reset

  • Access Control:

    • The option for "This user can access only the selected collections" may be selected and set with no collections specified.

This allows the administrator to list all types of users (users, administrators, owners, etc.) but to set passwords only on users, not on administrators or owners.

In order to be able to change passwords on administrators and owners, the administrator account needs to have higher permissions. For example, to be able to set the passwords for an Admin user, the administrator account would need to be set to Admin or Owner type.

An administrative account of type Admin would also not be able to set passwords for users of type Owner, since an account can only manage items for the type it has access to and below.

Set up target system administrators

The Bravura Safe User Management target system requires two administrative credentials that are previously configured on the Bravura Safe instance.

To configure the first target administrator:

  1. Log in to Bravura Safe via the web interface and open your Team.

  2. Click Teams, then Manage.

  3. Invite a new user:

    1. Click Invite User.

    2. Enter the email address for a user that will be used as the administrator.

    3. Set the User type to Custom.

    4. Set the specific permissions as noted above for the recommended permissions.

    5. Click Save.

    6. Complete the process to onboard the user.

Alternatively, edit the permissions of an existing user by clicking their email address and applying the recommended set of permissions above.

The email address and master password set for this user will be used for the system credentials for the Bravura Safe target system.

To configure the second target administrator:

  1. Log in to Bravura Safe via the web interface.

  2. Click the drop-down for the user profile icon located at the top right of the screen.

  3. Click Account settings.

  4. Click Security, then the Keys tab.

  5. Click View API key.

  6. Enter the current user’s master password to confirm identity.

    This will then display values for client_id and client_secret.

    These values will be used for the administrator credentials for the Bravura Safe User Management target system.

Targeting Bravura Safe User Management

For each Bravura Safe system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

  • Type is Bravura Safe User Management

  • Address uses options described in the table below:

Options marked with a red star (*) are required.

Option

Description

Script file: *

The hard-coded script file that is used by the Bravura Safe User Management connector (agtbsafe-user.con).

(key: script)

Server: *

The domain name URL for the Bravura Safe instance.

(key: server)

HTTP Network Proxy:

Specifies a network proxy URL to use for connecting.

(key: proxy)

Organization name: *

The organization or team name within the Bravura Safe instance that will be used to target.

(key: organizationName)

Default level of access when adding users to collections:

The access permissions to set for a user when adding users to a collection. Default is "Can view". Other options are "Can edit", "Can view, except passwords", and "Can edit, except passwords".

(key: defaultAccessLevel)

Note

The option for Default level of access when adding users to collections was added in Connector Pack 4.7.0.

The full list of target parameters is explained in Target System Options.

List groups is not supported for the Bravura Safe User Management connector; ensure that it is unchecked.

Setting the administrator credentials

The Bravura Safe User Management target system requires two administrative credentials, as outlined in Set up target system administrators.

The first administrator and password are set to the email address and master password of the previously onboarded administrative user. The System password option must be checked.

The second administrator and password are set to the values for client_id for the administrator id and client_secret for the administrator password for the API key on the Bravura Safe instance.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Bravura Safe User Management from the Manage the system > Resources > Account attributes > Target system type menu.

The _accessLevel account attribute can be used (Connector Pack 4.7.0 or later) to set the access permissions for a user when adding users to a collection. This is accomplished using the group user add operation when adding members to a managed group. The default behavior when adding members can also be set using the "Default level of access when adding users to collections" target system address option.

The allowable values for the _accessLevel account attribute are Can view, Can edit, Can view, except passwords, and Can edit, except passwords.

Within Bravura Safe, the users listed with modifiable permissions for a collection are the users that may be added to or removed from the collection (or managed group within the Bravura Security Fabric instance), and therefore the users whose access level can be manipulated.

Users whose access permissions for a collection are not editable in Bravura Safe cannot have their access level modified from the Bravura Security Fabric instance. Their permissions are inherited global permissions, generally set at the user level, that grant access to all collections and cannot be modified. While you can set individual permissions on the collection for users with an inherited global permission, the global one will still take precedence.

The _accessLevel account attribute can only be used to set the access permission level; it cannot be listed once it is set.
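The access-level rules above (the _accessLevel attribute, the defaultAccessLevel target option and inherited global permissions), as an added Python sketch that is not part of the connector or of Bravura Security's code. The function names, the inherited_global flag and the sample data are hypothetical, and exact string matching of the allowed values is an assumption.

```python
# Added illustration: models the access-level rules described on this page.
# It does not call Bravura Safe or the agtbsafe-user connector.
ALLOWED_LEVELS = ("Can view", "Can edit",
                  "Can view, except passwords", "Can edit, except passwords")
BUILT_IN_DEFAULT = "Can view"  # documented default for defaultAccessLevel


def target_default(options):
    """Return the validated defaultAccessLevel from the target address options."""
    level = options.get("defaultAccessLevel") or BUILT_IN_DEFAULT
    if level not in ALLOWED_LEVELS:  # assumption: values must match exactly
        raise ValueError(f"defaultAccessLevel {level!r} is not an allowed value")
    return level


def plan_group_adds(options, requests):
    """Resolve the level each 'add user to group' request would ask for.

    Each request is a dict with 'user', an optional '_accessLevel', and a
    hypothetical 'inherited_global' flag for users whose global permission
    takes precedence over any per-collection setting.
    """
    default = target_default(options)
    plan = []
    for req in requests:
        level = req.get("_accessLevel") or default
        if level not in ALLOWED_LEVELS:
            status = "rejected: value not allowed"
        elif req.get("inherited_global"):
            status = "no effect: inherited global permission takes precedence"
        elif req.get("_accessLevel"):
            status = "set from _accessLevel"
        else:
            status = "set from target default"
        plan.append((req["user"], level, status))
    return plan


# Constructed sample input, not taken from a real Bravura Safe instance.
SAMPLE_OPTIONS = {"defaultAccessLevel": "Can view, except passwords"}
SAMPLE_REQUESTS = [
    {"user": "alice@example.com"},
    {"user": "bob@example.com", "_accessLevel": "Can edit"},
    {"user": "carol@example.com", "_accessLevel": "can edit"},  # not an exact match
    {"user": "dave@example.com", "_accessLevel": "Can edit", "inherited_global": True},
]

if __name__ == "__main__":
    for row in plan_group_adds(SAMPLE_OPTIONS, SAMPLE_REQUESTS):
        print(row)
```

Because _accessLevel cannot be listed once it is set, a plan like this is also the only record of which level each request asked for.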