
Configuring group-level authorization

Users must be loaded into the Bravura Security Fabric database before you can define them as authorizers.

You must assign enough authorizers to meet the minimum number of authorizers requirement. If you do not do this, requests involving the resource are automatically denied unless authorizers are assigned by a workflow plug-in.

When requesting access to network resources using a managed group, users can only submit requests for groups that have at least one authorizer or group owner assigned.

Inheriting phased authorization settings for number of required approvals

When managed groups inherit authorization configuration from the host target system, Bravura Security Fabric also copies phased authorization settings for the Minimum number of authorizers and the Number of denials before a change request is terminated. This behavior is enabled by default by the MANAGED_GROUP_INHERITANCE_COPY_TARGET system variable (Manage the system > Maintenance > System Variables).

When this setting is disabled, managed groups use system default authorization values.

Upgrade note

When upgrading, the prior behavior is retained. This setting was introduced in 12.5.3, 12.6.3, 12.7.2, and 12.8.0. If upgrading from older versions, the setting will be disabled.

Inheriting authorization configuration from the target system

You can configure target systems so that managed groups inherit the authorization configuration settings of the target system. You can also override the configuration for a group or add authorizers.

Enable inheritance by selecting the Default authorization for child resources, including templates and managed groups, will be inherited from the target system option on the relevant Target system information page.

To override or add to the configuration for a managed group:

  1. Navigate to the Managed group information page.

  2. Set Override authorization configuration to:

    • Only use inherited configuration

    • Do not inherit any configuration

    • Add to inherited configuration (default)

  3. Click the Authorization tab.

    • If you chose not to inherit authorization, the page shows only the authorization explicitly set up for the managed group; no authorization from the target system is displayed.

    • If you chose to add to inherited authorization, then the page displays settings that are both inherited and explicitly set for the group.

    When you choose to add to inherited authorization, the minimum number of required authorizers is the larger of the values set for the managed group and for the target system.

Configuring phased authorization

If phased authorization is enabled, navigate to the managed group’s Authorization page, then:

  • Click Add new… if you want to add a phase.

  • To change the order of phases, change the numbers in the Authorization phase column and click Update.

    Select a phase to define authorizers and settings.

Determining number of required approvals

To set authorization thresholds for a managed group:

  1. Navigate to the Managed group information page.

  2. Click the Authorization tab.

    Select a phase if phased authorization is enabled.

  3. Type a value for the:

    • Minimum number of authorizers – A value of 0 means requests for the resource are auto-approved.

      The default value is set by the MIN AUTHORIZERS policy.

    • Number of denials before a change request is terminated – A resource request is canceled when this number of authorizers deny it, as long as the Minimum number of authorizers has not been reached.

      The default value is set by the MAX REJECTIONS policy.

  4. Click Update.


Manually assigning static authorizers

To assign static authorizers to a managed group:

  1. Navigate to the Managed group information page.

  2. Click the Authorization tab.

    Select a phase if phased authorization is enabled.

  3. Click Select… at the bottom of the Authorizers table.

  4. Search for, or enable the checkboxes next to the authorizers that you want to assign.

  5. Click Select at the bottom of the page.

Assigning authorizers by user class

To assign authorizers to a managed group based on user class:

  1. Navigate to the Managed group information page.

  2. Click the Authorization tab.

    Select a phase if phased authorization is enabled.

    The Users must be in the following user classes table allows you to define membership criteria.

  3. To define membership criteria:

    • Select existing user classes: Click Select… and enable the checkboxes for the user classes you want to add, then click Select.

    • Create new user classes: Click Add new… (the plus icon). See Adding user classes for full details on how to create a new user class.

  4. Configure Participant mapping for each user class that you add.

    Select and create user classes until you have defined membership.

  5. If your membership criteria include multiple user classes, define whether users are required to match All of the user classes or Any of the user classes.

Removing users from membership

To remove users from membership, you can either:

  1. Edit user classes to change the participants.

  2. Delete user classes from the membership criteria:

    1. Navigate to the membership criteria page where user classes are listed.

    2. Enable the checkbox next to the user classes you want to delete.

    3. Click Delete.

Using group owners as authorizers

Rather than assigning authorizers manually, you can configure Bravura Security Fabric to automatically add group owners as authorizers. Bravura Security Fabric determines group owners using:

  • The idtrack utility. This program can detect:

    • The group owner

      Group owners can be either a single user or a group. If a group owner is a group, and the group owner is assigned as an authorizer, then all its members and its child group’s members will be added as group authorizers.

    • The users added to and removed from the group

    • Which accounts were added and deleted

    • Which groups have been added and deleted

  • The network resource management plugin. This plugin determines group owners by examining the group’s configuration on the target system.

  • The group owners selection plugin. This plugin is used in addition to the resource management plugin. It can:

    • Replace the assigned owners.

    • Add additional owners.

    • Set owners for resources that have no owners assigned.

Before you begin:

  • Ensure that the Minimum number of authorizers is greater than 0.

  • Ensure that all potential group owners have email addresses.

  • Set the Managed group/Network resource target type for the target system on which the group resides.

    This setting determines the network resource management plugin to run. See Target system options for details.

To configure Bravura Security Fabric to automatically add group owners as authorizers:

  1. Navigate to the Managed group information page.

  2. Enable the Automatically add group owners as authorizers checkbox.

  3. Update other group options as required.

  4. Click Manage if the group is not already managed; otherwise, click Update.

Group owner selection using a plugin

Generally, Bravura Security Fabric determines the owners of a particular group by examining the group’s configuration on the target system. This is done in real time using a network resource program such as nrcifs.

You can also write a group owner selection plugin to do the following:

  • Replace the assigned owners returned by nrcifs.

  • Add additional owners for the user to select.

  • Set owners for resources that have no owners assigned.

Any owner returned by the plugin is subject to the same requirements as an authorizer. If the owner is new, Bravura Security Fabric adds the owner as a static authorizer and maps them to the Bravura Security Fabric object.

Note

Do not specify a user that is already an owner of a group. This creates duplicate owner entries for the group.

Group owners are not necessarily the users who will authorize requests for a group. The IDSYNCH AUTH CRITERIA MOD PLUGIN may be configured to alter the list of authorizers at the time that the Workflow Manager Service processes a request.

To use a group owner selection plugin:

  1. Click Workflow > Options > Plugins.

  2. Type the name of the plugin program or PSLang script in the IDACCESS OWNERS PLUGIN field.

  3. Click Update.

There are no shipped plugins to use with this plugin point. A sample script, idaccessauthmod.psl, is included in the samples\ directory.

Write a custom group owner selection plugin

Requirements

See Writing plugins for general requirements.

Execution points

The plugin is run by the View and update profile (IDR) module when users view resource details or submit requests to modify group memberships in Bravura Security Fabric.

Input

Input passed to the plugin is as follows:

"" "" = {
  "requester" = "<profile ID>" # The profile ID of the person submitting the request.
  "resourceid" = "<resource ID>" # The resource ID of the resource being viewed.
  "resourceunc" = "<network path>" # The UNC network path that the groups are part of.
  "group" "<long ID of the group>" = {
    "desc" = "<group desc>" # Description of the group
    "hassubgroups" = "<true|false>" # Indicates if the group has members that are groups.
    "member" = "<true|false>"  # Indicates the recipient's current membership status.
    "owners" "" = { # Existing owners
      "owner" = "<profile ID>" # 0 or more
    }
    "perm" "" = { # Permissions of the group for the resource selected.
      "read" = "true" # present if the group has read permission to the resource.
      "write" = "true" # present if the group has write permission to the resource.
    }
  } # 0 or more
  "recipient" "<profile ID>" = {  # The recipient of the request.
    "account" = "<account ID>" # The account ID that the groups could affect.
  }
}

The following is an example of the input sent to the plugin program:

"" "" = {
  "requester" = "CLARKDAV"
  "resourceid" = "PUB"
  "resourceunc" = "\\\\ADSRV1\\PUB\\LEGAL"
  "group" "CN=Management,OU=Groups,OU=IDM,DC=example,DC=local" = {
    "desc" = ""
    "hassubgroups" = "true"
    "member" = "false"
    "owners" "" = {
      "owner" = "BanksH"
    }
    "perm" "" = {
      "read" = "true"
    }
  }
  "group" "CN=Sales,OU=Groups,OU=IDM,DC=example,DC=local" = {
    "desc" = ""
    "hassubgroups" = "false"
    "member" = "false"
    "owners" "" = {
    }
    "perm" "" = {
      "read" = "true"
    }
  }
  "recipient" "CLARKDAV" = {
    "account" = "ClarkDav"
  }
} 

Output

With the addition of extra or replacement owners, the output should mirror the input to the plugin. The plugin output only affects the owners assigned to the respective group.

Output passed from the plugin is as follows:

"" "" = {
  "errmsg" = "<message>" # Error message returned by the plugin
  "retval" = "0"  # Mandatory; zero is success and non-zero is failure.
  "group" "<long ID of the group>" = {
    "desc" = "<group desc>" # Description of the group
    "hassubgroups" = "<true|false>" # Indicates if the group has members that are groups.
    "member" = "<true|false>"  # Indicates the recipient's current membership status.
    "owners" "" = { # KVGroup that overrides the list of owners for the group
      "owner" = "<profile ID>"   # Each owner is listed once.
    }
    "perm" "" = { # Permissions of the group for the resource selected.
      "read" = "true" # present if the group has read permission to the resource.
      "write" = "true" # present if the group has write permission to the resource.
    }
  } # A group for each one sent on input.
}

The following is an example of the expected output:

"" "" = {
  "errmsg" = ""
  "retval" = "0"  # Success
  "group" "CN=Management,OU=Groups,OU=IDM,DC=example,DC=local" = {
    "desc" = ""
    "hassubgroups" = "true"
    "member" = "false"
    "owners" "" = {
      "owner" = "BanksH"
      "owner" = "SMITHBO"
    }
    "perm" "" = {
      "read" = "true"
    }
  }
  "group" "CN=Sales,OU=Groups,OU=IDM,DC=example,DC=local" = {
    "desc" = ""
    "hassubgroups" = "false"
    "member" = "false"
    "owners" "" = {
      "owner" = "SMITHBO"
    }
    "perm" "" = {
      "read" = "true"
    }
  }
}
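The following Python program is an added illustration of the Input and Output contracts above; it is not code shipped with Bravura Security Fabric and is not the sample idaccessauthmod.psl. It parses the KVGroup text, echoes every group, and adds a fallback owner only to groups that currently have no owner, so existing owners are never duplicated (see the note above). The fallback profile ID and the trimmed sample input are constructed for the example.

```python
import re
# Trimmed, constructed version of this page's sample input (comments omitted).
SAMPLE_INPUT = r'''"" "" = {
  "resourceunc" = "\\\\ADSRV1\\PUB\\LEGAL"
  "group" "CN=Management,OU=Groups,OU=IDM,DC=example,DC=local" = {
    "owners" "" = {
      "owner" = "BanksH"
    }
  }
  "group" "CN=Sales,OU=Groups,OU=IDM,DC=example,DC=local" = {
    "owners" "" = {
    }
  }
}'''
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted string; escapes kept verbatim for round-tripping

# Tree nodes: leaf = (key, value); group = (key, name, [children]).
def parse_kv(text):
    stack = [("root", "", [])]
    for line in text.splitlines():
        strs = QUOTED.findall(line)
        rest = QUOTED.sub("", line).split("#")[0]  # braces outside quotes and comments
        if "}" in rest:
            stack.pop()
        elif "{" in rest:
            node = (strs[0], strs[1], [])
            stack[-1][2].append(node)
            stack.append(node)
        elif len(strs) == 2:
            stack[-1][2].append((strs[0], strs[1]))
    return stack[0][2][0]  # the top-level "" "" group

def dump_kv(node, depth=0):
    pad = "  " * depth
    if len(node) == 2:
        return f'{pad}"{node[0]}" = "{node[1]}"'
    body = [dump_kv(c, depth + 1) for c in node[2]]
    return "\n".join([f'{pad}"{node[0]}" "{node[1]}" = {{', *body, pad + "}"])

def select_owners(input_text, fallback_owner):
    # Echo every group; add fallback_owner only where no owner exists, so no owner is duplicated.
    out = ("", "", [("errmsg", ""), ("retval", "0")])
    for grp in parse_kv(input_text)[2]:
        if grp[0] != "group":
            continue  # requester, resource* and recipient are not echoed
        owners = next(c for c in grp[2] if c[0] == "owners")
        if not any(c[0] == "owner" for c in owners[2]):
            owners[2].append(("owner", fallback_owner))
        out[2].append(grp)
    return dump_kv(out)
```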