Viewing and Updating Profiles

From the main menu, click View and update profile under:

Account status

You can also view account status by clicking the "Account status" icon , provided you have required permissions ("View account"). The status will be displayed next to the account.

Request actions

Depending on configuration and your permissions, Bravura Security Fabric displays profile information and a menu of request options, which are set up by Bravura Security Fabric administrators and use a simplified wizard form. License requirements are noted in this section.

The operations that you are allowed to carry out on another user’s profile are controlled by an operation filter. By default, the only operation that regular users can perform for other users is to request new resources, if Bravura Identity is licensed.

See also

For information about delegation, see Delegating Responsibility.

Bravura Security Fabric uses profile and request attributes to collect information about you, and if Bravura Identity is licensed, to help define requested resources. Attributes are grouped for organizational purposes and to determine who can read or write the information.

When a provisioning or access request workflow is implemented, Bravura Security Fabric can be configured with other customized groups of attributes listed on the View and update profile page and other request forms.

You can update profile information provided you have write permissions for profile attributes.

Note the following:

If profile information is mapped to vCard properties, you can view a user’s profile information as a vCard contact record (.vcf). You can download the contact record or scan a QR code with the contact record onto a mobile device.

Navigate to the Profile information and entitlements page , then click Download profile as vCard to download the contact record saved as a .vcf file:

BEGIN:VCARD
VERSION:3.0
FN:John Doe
EMAIL:doejo@example.net
ADR:;;1401 1st Street SE;Calgary;AB;T2G 2J3;Canada
BDAY:1987-07-23 06:00:00
TEL;TYPE=CELL:403-555-4535
ORG:Bravura Security
TEL;TYPE=FAX:403-555-2545
FN:John Doe
N:Doe;John
NICKNAME:Johnny
NOTE:Contractor until 2015-12-31
TEL;TYPE=HOME:403-555-6543
TITLE:Developer
URL:http://www.bravurasecurity.com
TEL;TYPE=WORK:403-555-6541
END:VCARD

Click Scan profile as QR code to display the QR code:

The contact record may also be imported directly into the native contacts lists for both Android and iOS mobile devices from the Download profile as vCard link when accessed from the Bravura One app .

From the Bravura One app, navigate to a user's Profile information and entitlements page and then click Download profile as vCard. The contact record will be added to the native contacts lists for the Android or iOS mobile device.

See also

See Mobile Access for more information about Bravura One and the Bravura One app.

You can view user profile history, provided you have the required "View profile history" permission.

Viewing profile history allows you to view a chronological list of changes that have been made to a user profile. This can include changes to attributes, account ownership, group memberships, role memberships, and requests where the selected user is the recipient.

Navigate to the Profile information and entitlements page , then click View profile history.

In addition to updating information (attributes), you may be able to request the following account operations for yourself or others:

Adding new accounts

You can request new accounts on supported target systems.

Disabling or enabling accounts

You can request that an account be disabled if it is no longer needed, but it should not be deleted. The account itself remains intact, and you can enable it later.

Deleting accounts

You can request that an account be deleted if it is no longer needed and should be removed.

On almost every target system, this operation is permanent, and all your information in the account is lost. A more prudent course of action would be to disable the account, recover any data the account may have, and then delete the account later.

Moving accounts to another directory

Without affecting other account properties, you can move accounts between directories on context target systems such as LDAP Directory Service, Novell Directory Services (NDS), and Microsoft Active Directory.

Depending on how Bravura Security Fabric is configured, you set the destination (the To container) by selecting it from the drop-down list or by typing it in the text field.

Most systems have some sort of group membership that allows you certain access privileges. You can manage group memberships for each account you have on different systems. You can also manage group memberships using the Groups app .

Group recommendations

Product administrators can configure the Change group membership page so that users see recommendations of group memberships to add or delete, based on consistency among the user’s peer group.

A peer group is a group of users who share a common attribute; for example, users working at the same location or in the same department, or with the same manager.

When configured, users can show or hide recommendations by clicking the Recommendations button in the middle panel. Recommendations are visually represented by a color bar with a number stating the percentage of peers who are members. This can help the user to decide whether to add or delete a membership.

In the above screenshot:

• Membership is not recommended. None of the user’s peers are members.

• Membership is recommended. 25% of the user’s peers are members.

• Membership is strongly recommended. 75% of the user’s peers are members.

Entitlements such as accounts and group memberships can be grouped as roles.

Roles may be assigned even when the recipient of the request already has some or all of the required entitlements (such as an account or group memberships).

When adding or removing entitlements, you may be required to resolve role enforcement violations before continuing. Role enforcement rules are put in place to ensure users have the correct access privileges according to roles that are assigned to them.

In order for users to resolve role enforcement violations, role-based access enforcement must be enabled globally and for entitlements involved. Users must also have the "Enforce role-based access for user" attribute set to "True".

If the recipient of your request has a surplus violation – that is, too many privileges – you can resolve it by:

If the recipient of a request has a deficit violation – that is, not enough privileges – you can resolve it by:

Once your request is approved, the rule is overridden for the user.

Resolve enforcement violations

The following example procedure describes how to resolve enforcement violations when changing group membership is requested and would cause the recipient to be in surplus and deficit violation.

If surplus and deficit violations are detected, Bravura Security Fabric adds a wizard page to Resolve enforcement violations.

To resolve a surplus violation, click:

• Request role to open the wizard that lists roles that require the entitlement in question, select a role, then click Accept to request the selected role.

  

  Roles that include the entitlement as a legacy entitlement will not be listed.

• Request exception to allow the user to keep the excess entitlement.

• Remove to remove the excess entitlement.

  

• Undo to bring back the three action buttons: Request exception, Remove, and Request role.

To resolve a deficit violation, click:

• Request exception to allow the user to keep the role with the missing entitlement.

  

• Add to allow the user to add the missing entitlement.

• Remove role to remove the role corresponding to the missing entitlement.

• Undo to bring back the three action buttons: Request exception, Add, and Remove role.

After every violation is resolved, click Submit to submit the request. Authorization may be required, depending on configuration.

If there are no deficits, and the last step in the request results in a surplus, the request is automatically submitted with the default action for a surplus. The user does not see the Resolve enforcement violations page in this case. For example, assuming:

• Role1 includes group1

• UserA has no deficits, does not belong to Role1, and is not a member of group1

1. UserA navigates to the Join or leave groups page.

   The page includes a Submit button, and no Next button.

2. UserA selects group1.

3. UserA clicks Submit .

   Bravura Security Fabric submits the request for group membership for group1, and an exception for a surplus violation.

When role-based access enforcement is enabled, and an administrator adds an entitlement to role to which you are assigned, you will be tagged as having a deficit violation.

Depending on configuration, Bravura Security Fabric may automatically submit a request to add the new entitlement to your profile, or request an exception, during the next auto discovery process.

Before the auto discovery, you can manually submit a request to add missing entitlements to your profile, or request an exception. Depending on configured access controls, an administrator may be able to submit the request for you.

In order for this request to be available, role-based access enforcement must be enabled. Users must also have the "Enforce role-based access for user" attribute set to "True". Once the request is approved, the enforcement rule is overridden.

When requesting resources, your request might violate a Separation of Duties (SoD) rule, which is a security rule designed to ensure that users do not have too much access to certain restricted entitlements. An error is displayed when a request violates an SoD rule.

You must resolve the violation by:

If an exception is approved, the SoD rule will be ignored, and the requested entitlements will be assigned to you.

If an outstanding request conflicts with a new request, you will not be able to submit the request. The outstanding request needs to be completed, canceled or denied before an exception to the SoD rule can be requested.

If a user already had the conflicting entitlements before the SoD rule was created, the violations can be resolved via a user’s Profile information and entitlements page. The standard built-in request is Default resolution for segregation of duties rules, which navigates to an SoD wizard page where all pre-existing SoD violations are listed.

The link may be available from other users’ profile pages depending on access controls for the built-in PDR _RESOLVE_SOD_VIOLATIONS_.

When a request causes new SoD violations, the SoD wizard page will present before submitting the request. All unresolved SoD violations including existing ones are listed on that page.

Group membership change causing rule violation

The following procedure describes how to request an exception to a rule where a request for group memberships would cause the recipient to be in violation.

If exceptions are allowed, Bravura Security Fabric adds a wizard page to Resolve violations.

1. Click the request exception icon to submit a request to allow the user to keep the conflicting entitlements.

   

2. Type a reason for the exception and modify the expiry date if necessary, then click Apply.

   Alternatively, click the revoke icon to remove one of the conflicting entitlements.

   

3. Click Submit.

   Relevant authorizers are notified to review the request if necessary. See Tracking and Updating Requests to learn how to track your request.

   When you remove a resource from a user’s profile, it is permanently deleted.

Indirect group membership change causing rule violation

Some target systems support the concept of a nested group. A nested group is a group that is a member of another group. For example, in Active Directory you can add a group as a member of another group. The nested group then inherits the rights of the parent group.

Bravura Security Fabric also calls these groups parent groups and child groups. If an account is a member of a child group, they have what is called indirect membership to the parent group.

When requesting resources that have nested groups, your request might violate a SoD rule applied to a nested resource.

The main procedure on how to request an exception for a rule remains the same for indirect groups, except that Indirect membership details are displayed on the Bravura Security Fabric wizard page.

You can compare your profile (or the profile of another user) against a model user, provided that you (or the user for whom you are acting) and the model user meet the criteria set by profile comparison rules.

Compare profiles

To compare your profile with another user:

Depending on configured access controls, you may be able to initiate an an access certification campaign for another user from their profile page or on the menu of request types.

Access certification is the process by which you review the login IDs, personal information, and memberships within one or groups. You identify access privileges that are appropriate and remove those that aren't, and sign a statement that indicates that the review has been completed. You can carry out the review yourself or delegate it to another user.

To initiate an access certification campaign for a single user:

Review entitlements as described in Acting on user entitlements .