Determining users’ email addresses
For a production deployment, Bravura Security recommends that all users have an email address defined in Bravura Security Fabric. In most cases, Bravura Security Fabric determines email addresses by the value of the EMAIL profile attribute, which can be mapped to an account attribute on a given target system; for example, the EMAIL profile attribute is mapped to the mail account attribute in an Active Directory target system by default.
When Bravura Security Fabric sends messages to users, it attempts to determine their email addresses using, in order:
1. An email override value provided by a requester or by Bravura Security Fabric.
2. If no override exists, the value of the EMAIL profile and request attribute.
3. If no email user attribute is set, the plugin defined by the IDSYNCH USERS EMAIL PLUGIN plugin point.
If that fails, Bravura Security Fabric returns an empty string.
The exception is the address of the system administrator, which you set during installation. You can modify this address using the RECIPIENT EMAIL field on the global email page.
Specifying email override values
An email override value can be assigned to a:
Static authorizer—This value is provided by a product administrator when he or she adds the authorizer to Bravura Security Fabric. Bravura Security Fabric sends email to the override address whenever the authorizer’s input is required for any request.
Requester—This value is provided by the requester when they make a request. Bravura Security Fabric sends email to the override address whenever the request is updated.
Recipient—This value is provided by a requester when he or she creates an access change request on behalf of the recipient. Bravura Security Fabric sends email to the override address whenever this request is updated.
Bravura Security Fabric sends all other messages to the user’s “regular” email address.
Using the EMAIL profile and request attribute
The built-in EMAIL profile and request attribute is used to gather and store users’ primary email addresses. There are several ways to populate this attribute, including:
Loading email attributes listed from a target system (recommended)
By default, the EMAIL profile and request attribute is mapped to the account attributes listed in the table below.
Allowing users to edit the attribute in the View and update profile (IDR) module.
Before you can do this, you must set up the built-in EMAIL attribute and add it to an attribute group to which requesters have read/write access.
Target | Attribute |
|---|---|
Active Directory | |
Exchange 2000 Server | |
IBM OLAP | EMailID |
LDAP Directory Service | |
Lotus Domino Server | InternetAddress |
BMC Service Desk Express Suite (SDE) | EMail Address |
PeopleSoft Application Server | EmailAddress |
Remedy 6 Server | email address |
Remedy 7 Server | email address |
RSA Access Manager | email_address |
SAP Server | E_MAIL |
See also
Account attributes to learn how to change the default mappings.
You can also set up Enforced enrollment to direct users to the Password synchronization registration (PSR) module to fill in their details.
Using the email address plugin (IDSYNCH USERS EMAIL PLUGIN)
The users’ email address plugin receives all information about a user, including all attributes and accounts. It can return an email address according to any rule you specify. For example, you may want it to append the domain name to users’ profile IDs:
<profile ID>@example.com
To set the users’ email plugin, type the name of the executable or PSLang script in the IDSYNCH USERS EMAIL PLUGIN field on the Workflow > Options > Plugins page.
There are no shipped plugins for use with the plugin point.
Requirements
See Writing plugins for general requirements.
Execution points
When configured, the plugin is run by the user notification system and by the Workflow Manager Service, if installed.
Input
The email address plugin is sent all data about the user whose email address is required.
Input passed to the plugin is as follows:
"" "" = {
  "authorizer" = "<profile ID>"
  "viewer" "user" = { ... }
  # The viewer's data.
}
For example:
# KVGROUP-V1.0
"" "" = {
  "authorizer" = "marliese.capek"
  "viewer" "user" = {
    "id" = "marliese.capek"
    "name" = "Marliese Capek"
  }
}
Output
Output passed from the plugin is as follows:
"" "" = {
  "errmsg" = "<error message>" # Error message from the plugin
  "retval" = "0" # Mandatory; zero is success and non-zero is failure
  "authorizer" "<profile ID>" = {
    "email" = "<email address>"
    # The email address to use for the authorizer
  }
}
Following is an example of the output:
"" "" = {
  "errmsg" = ""
  "retval" = "0"
  "authorizer" "marliese.capek" = {
    "email" = "marliese.capek@norse.bravurasecurity.com"
  }
}
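The append-the-domain rule described above, written as an added Python example (not a shipped plugin and not Bravura Security code), producing output in the format shown. Assumptions: the plugin receives the KVGroup input on standard input and writes its reply to standard output; only the top-level "authorizer" line is read, in the shape shown above, rather than parsing KVGroup in full; the allow-list for profile IDs is constructed, so that a malformed ID yields a non-zero retval instead of an address.

```python
import re
import sys

MAIL_DOMAIN = "example.com"  # assumption: the domain from the page's example rule
# Constructed allow-list for profile IDs; tighten it to match your own ID policy.
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Matches the top-level  "authorizer" = "<profile ID>"  line of the input.
AUTHORIZER = re.compile(r'^\s*"authorizer"\s*=\s*"([^"]*)"\s*$', re.MULTILINE)

# Constructed sample input, copied from the example on this page.
SAMPLE_INPUT = '''# KVGROUP-V1.0
"" "" = {
  "authorizer" = "marliese.capek"
  "viewer" "user" = {
    "id" = "marliese.capek"
    "name" = "Marliese Capek"
  }
}
'''


def failure(message):
    """Reply with a non-zero retval and no address (fail closed)."""
    return '"" "" = {\n' f'  "errmsg" = "{message}"\n' '  "retval" = "1"\n}\n'


def build_reply(kvgroup_text):
    """Return the plugin's KVGroup output for one KVGroup input document."""
    match = AUTHORIZER.search(kvgroup_text)
    if match is None:
        return failure("authorizer key missing from plugin input")
    profile_id = match.group(1)
    # Never build a notification address from an ID outside the allow-list.
    if SAFE_ID.fullmatch(profile_id) is None:
        return failure("profile ID is not valid for an email address")
    return (
        '"" "" = {\n  "errmsg" = ""\n  "retval" = "0"\n'
        f'  "authorizer" "{profile_id}" = {{\n'
        f'    "email" = "{profile_id}@{MAIL_DOMAIN}"\n'
        '  }\n}\n'
    )


if __name__ == "__main__":
    # Use the sample when run by hand from a terminal, stdin otherwise.
    text = SAMPLE_INPUT if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(build_reply(text))
```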