Filtering users and accounts

Bravura Security Fabric uses ID filters to include or exclude users (profile IDs) and accounts (long IDs) from a target system. The filters are applied during the auto discovery process when accounts are imported.

For example, configure Bravura Security Fabric to filter IDs if:

  • You want to prevent Bravura Security Fabric from creating profiles for certain administrative accounts.

  • The total number of profile IDs exceeds the number of users you are licensed for.

  • You want to prevent users from attaching accounts that are used for specific purposes on a system. For example, you may want to prevent users from attaching an nt_guest account on a Windows NT system.

  • You want to prevent Bravura Identity from creating users and accounts with certain IDs.

Default behavior is affected by the Use ID filters to include only certain users and accounts checkbox, located on the Target system information page.

When the Use ID filters to include only certain users and accounts option is:

  • Not selected – Bravura Security Fabric imports all IDs except those that have been explicitly excluded by an ID filter.

  • Selected – No accounts are imported. You must set up an ID filter to explicitly include certain IDs.

Use the Manage ID filters page to identify account IDs that you want or don’t want managed by Bravura Security Fabric, or to be included or excluded from a source of profile IDs.

When filtering on target systems, you use the Include in system option to create an inclusion or exclusion list.

  • An ID is “excluded” if it matches a Pattern on the Manage ID filters page and the corresponding Include in system checkbox is not selected.

    Bravura Identity prevents users from creating accounts with an ID that matches an excluded ID pattern.

  • An ID is “included” if it matches a Pattern on the Manage ID filters page and the corresponding Include in system checkbox is selected.

When filtering on profile IDs, the Include in system option does not apply. If Use ID filters to include only certain users and accounts is selected for a target system, then the filter acts as an inclusion list. If the setting is not selected, the filter acts as an exclusion list.

See also

You can also use a script to import a list of IDs to filter.

Including and excluding accounts

Click below to view a demonstration of creating a filter that excludes AD user accounts with "admin" in their name. The filter prevents Bravura Security Fabric from creating profiles for administrative accounts when auto discovery is run.

To include or exclude users or accounts:

  1. Click Maintenance > Auto discovery > Manage ID filters.

    Bravura Security Fabric displays the Manage ID filters page.

  2. In the Pattern field, type an ID or a regular expression that represents the users or accounts you want to include or exclude.

    Bravura Security Fabric preserves the case of account IDs; however, all profile IDs are treated as case-insensitive.

  3. Select Regular expression if the pattern is a regular expression. Otherwise, Bravura Security Fabric will treat the pattern as an exact ID.

  4. Select Include in system if the filter should include matching account IDs.

    If the Include in system option is not selected, the matching IDs are always excluded.

  5. Select a Filter on item to run the filter on all target systems, a single target system, or profile IDs.

    A filter on “(All target systems)” includes “(Profile ID)”. This means the filter will match all account IDs as well as Bravura Security Fabric profile IDs.

  6. Click Update.

The following are examples for filtering users and accounts:

  1. To exclude all accounts starting with _service from an Active Directory target system:

    Pattern: ^_service
    Regular expression: selected
    Include in system: deselected
    Filter on: ADDOMAIN

  2. To include the profile ID JANED from a target system with the Use ID filters to include only certain users and accounts checkbox selected:

    Pattern: janed
    Regular expression: deselected
    Include in system: selected
    Filter on: (Profile ID)
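
The rules described above can be dry-run offline against a list of IDs before the filters are entered on the Manage ID filters page. This is an added example, not Bravura code and not the logic of idfilter_import.py; it models only what this page states, and it assumes unanchored regular-expression matching and case-sensitive matching of account IDs. The names IDFilter and would_import are hypothetical.

```python
import re
from dataclasses import dataclass

PROFILE = "(Profile ID)"              # scope labels as they appear on the page
ALL_TARGETS = "(All target systems)"

@dataclass
class IDFilter:                       # hypothetical model of one filter row
    pattern: str
    is_regex: bool                    # "Regular expression" checkbox
    include: bool                     # "Include in system" checkbox
    filter_on: str                    # target system ID, ALL_TARGETS or PROFILE

def _matches(f, id_, scope):
    # A filter on (All target systems) also covers (Profile ID).
    if f.filter_on not in (scope, ALL_TARGETS):
        return False
    # Profile IDs are case-insensitive. Assumption: account IDs match case-sensitively.
    ci = scope == PROFILE
    if f.is_regex:
        # Assumption: unanchored search (the page's own example anchors with '^').
        return re.search(f.pattern, id_, re.IGNORECASE if ci else 0) is not None
    return f.pattern.lower() == id_.lower() if ci else f.pattern == id_

def would_import(id_, scope, filters, include_only):
    """include_only mirrors 'Use ID filters to include only certain users and accounts'."""
    hits = [f for f in filters if _matches(f, id_, scope)]
    if scope == PROFILE:
        # 'Include in system' does not apply: the list is inclusion or exclusion.
        return bool(hits) if include_only else not hits
    if any(not f.include for f in hits):
        return False                  # a matching exclusion always wins
    return any(f.include for f in hits) if include_only else True

# Constructed filters mirroring the two examples above.
FILTERS = [
    IDFilter("^_service", True, False, "ADDOMAIN"),
    IDFilter("janed", False, True, PROFILE),
]

if __name__ == "__main__":
    for id_, scope, only in [("_service_sql", "ADDOMAIN", False),
                             ("my_service", "ADDOMAIN", False),
                             ("jsmith", "ADDOMAIN", True),
                             ("JANED", PROFILE, True)]:
        print(id_, scope, only, would_import(id_, scope, FILTERS, only))
```

Running a model like this over an exported account list shows which privileged or service IDs a pattern misses, and which ordinary IDs an unanchored pattern such as admin would also catch, before auto discovery runs.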

Testing filter rules

Use the Test button to test whether an ID will be imported to Bravura Security Fabric based on the rules you have applied. You can test whether:

  • An account will be imported from a particular target system

  • An account ID will be included as a profile ID

To test your filter rules:

  1. On the Manage ID filters page, type an ID in the Profile ID/Account field.

  2. Select “(Profile ID)” from the Test on drop-down list if you want to test whether the ID will be included as a profile ID.

    or

  3. Select a target ID from the Test on drop-down list if you want to test whether the ID will be imported from the selected target system.

  4. Click Test.

    Bravura Security Fabric displays the results at the top of the page.

Using a script to import IDs to filter

You can use a script to import IDs that you want to filter from the Bravura Security Fabric database. A sample Python script, idfilter_import.py, is provided in the samples directory. If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.

The script requires a file listing IDs, one per line, that are to be filtered out.

Run the script from a Bravura Security Fabric command prompt with elevated privileges:

python idfilter_import.py -r <filename> | --file_name <filename>

For example:

python idfilter_import.py -r users.rem

After running the script, the IDs listed in the file should be listed on the Manage ID filters page.

See also

You can also set a user filter plugin or a user list generation plugin to filter the users that a logged-in user can manage.