Attribute groups
An attribute group is a named collection of profile and request attributes. Bravura Security Fabric uses attribute groups to determine:
Who can see or edit certain attribute values (access controls).
How attributes are displayed to users.
Access controls
You assign permissions to user groups to control their members’ read and write access to attribute groups, and therefore the attributes within each group. An individual user’s access is determined by his or her membership in one or more user groups.
The following user groups exist by default:
allauthorizers – All users designated as authorizers of requests.
allimplementers – All users designated as implementers of requests.
allrecipients – All recipients of access change requests.
allrequesters – All requesters of access change requests.
allself – Restricts users to access only their own attributes.
msp_report_users – Product administrators who can generate and view managed system policy reports.
For example, you may want to allow some authorizers to enter confidential, required information such as users’ salaries or Social Security Numbers without allowing requesters to see them.
Attribute display
You can have groups of related attributes display:
For certain request operations; for example, create user, access account, or add user to a group.
On the main page or any number of sub-pages on the request form.
This is useful to avoid exposing users to hundreds of profile and request attributes on one page.
You can also determine the relative order in which the attributes appear within the group.
In some cases, you may not want the attributes to display at all. The attribute values are still available to the system, including interface programs and plugins; for example, you may use a plugin to set default values rather than have users fill them in.
Enforcing validation
Normally, if a value is required, Bravura Security Fabric stops a request from proceeding if the user has not entered a correctly formatted value. You can turn off validation for an attribute or attribute group if an incorrectly entered value should not block a request. This can be useful, for example, if a user needs to create or update their profile but does not have complete information.
Built-in attribute groups
The following attribute groups are included in Bravura Security Fabric:
Attribute group | Description | Members | Access control | Operations |
|---|---|---|---|---|
APP_BUILTIN | Bravura Privilege built-in attributes, used in the Privileged access app and Session monitor. | desc_app, notes_app, email_app | All authorizers (read), recipients (read), requesters | Single account access, Temporary group membership, Account set access, View recorded sessions, Search recorded sessions, Download recorded sessions |
APP_RECIPIENT | Bravura Privilege recipient attributes, used in the Privileged access app. | recipient_app | All authorizers (read), recipients (read), requesters | Single account access, Temporary group membership, Account set access |
ARCHBASEATTR | Bravura Privilege request base attributes, used in check-out requests. | ppm_view_time_begin, ppm_view_time_end, use_duration, duration_unit, duration_interval | All authorizers, recipients (read), requesters | Single account access, Temporary group membership, Account set access |
ARCH_EXTEND_CHECKOUT | Bravura Privilege check-out extension details. | arch_extend_checkout_reason, duration_interval, extension_duration_unit | All authorizers, recipients (read), requesters | Extend a check-out |
ARCH_REQ_GRP | Bravura Privilege group set attributes, used in the Privileged access app. | account_target_list | All authorizers (read), recipients (read), requesters | Temporary group membership |
ARCH_REQ_SSH | Bravura Privilege SSH attributes, used in the Privileged access app. | arch_operation_type, ssh_auth_key | All authorizers (read), recipients (read), requesters | Single account access, Generic PAM check-out request |
BASEATTRIBUTE | Base attributes for all user profiles. | first_name, other_name, last_name, profile_pic | All authorizers, implementers, requesters, and recipients of access change requests. | View profile, Create user profile, Update profile |
SSH_PUBLIC_ATTRS | SSH public key attributes for all user profiles. By default, this is not displayed to users. | ssh_public_keys | All authorizers (read), self | View profile, Create user profile, Update profile |
CERT_ATTR_TO_DISPLAY | When starting a new certification campaign, the page shows the members of this attribute group by default. | email, profile_pic | All reviewers (read) | No operations set |
CERT_ORGCHART_MANAGER | During a certification campaign based on an OrgChart, this attribute group is used to determine OrgChart managers and is used in transfer requests. | orgchart_manager | All requesters, all recipients, all reviewers, all authorizers, all implementers | No operations set |
MAQBASEATTR | Bravura Privilege account set access request attributes used for command execution. | maqcmd_scope, maq_command | All authorizers, requesters and recipients | Account set access |
ORGCHART_DISPLAY | Displays attributes for each user on the page. For example, add the EMAIL attribute to display each user’s email address in the OrgChart structure. | profile_pic | No access controls; visible to all users | Operations cannot be set, only for viewing on the Browse the OrgChart page |
RBACENFORCEATTR | Attributes used to place users in role-enforcement jurisdiction. | rbacenforce | All authorizers, implementers, and requesters | View profile, Create user profile, Update profile |
REQUESTONLY | Used only in the context of a request, and do not modify a user’s profile. By default, this is not displayed to regular users. | viewable_by_recipient | All authorizers, implementers, and requesters of access change requests | No operations set |
SM_BROWSER_VIEW | Bravura Privilege recorded session meta data browser view limits. | sm_browser_view_time_end, sm_browser_view_time_start | All authorizers (read), requesters | View recorded sessions |
SM_SEARCH | Bravura Privilege recorded session meta data browse limits. | sm_search_dest_managed_system, sm_search_initiator, sm_search_managed_account, sm_search_search_time_end, sm_search_search_time_start, sm_search_sess_time_end, sm_search_sess_time_start, sm_search_source, sm_search_source_account, sm_search_msps | All authorizers (read), requesters | Search recorded sessions |
SM_VIEW | Bravura Privilege recorded session meta data view limits. | sm_event_type, sm_view_expiry_time | All authorizers (read), requesters | Download recorded sessions |
Getting started
You use the Attribute Group definition page to configure general attribute group information and to access additional configuration settings. To navigate to this page:
Click Manage the system > Workflow > Attribute groups.
Create or select the group you want to define.
Creating attribute groups
To create an attribute group:
Click Manage the system > Workflow > Attribute groups.
Click Add new…
Bravura Security Fabric displays the Attribute Group definition page.
Type a unique ID and Description.
Set rules for validation enforcement:
Enforce validation when creating new accounts – Enable this if new account requests can only proceed if correctly formatted values are entered for this attribute group.
Validation behavior when updating existing accounts – Determine whether Bravura Security Fabric should always validate values for this attribute group before proceeding with a request, or only if the values have been modified.
If you want to provide additional information for end users, enter text in the Notes (above attributes) or Notes (below attributes) fields.
These fields support !!! language tags for internationalization and HTML markup. See Add language tags for detailed information.
Click Add.
Adding attribute group members
Profile and request attributes must be added to an attribute group before they can be used.
It is recommended that you avoid making a single attribute a member of more than one attribute group that might be used for the same operation. If necessary, create specific profile and request attributes for each of the groups so that they better reflect the attribute group to which they belong.
To add attributes to a group:
From the Attribute Group definition page, click the Members tab.
Click Add to see a list of all attributes.
Search for, or select the checkboxes next to the attributes you want to include.
Click Add.
To remove attributes from the attribute group, select the checkbox next to the attribute and click Delete. If prompted, confirm your action.
To display group membership for a profile and request attribute, if any, select the profile and request attribute, then click the Attribute groups tab.
Assigning read and write permissions
To assign read and write permissions for an attribute group:
From the Attribute Group definition page, click the Access control tab.
If required, search to refine the list of attributes displayed on the page.
Select Read and Write checkboxes as required.
By default, the checkboxes indicate allowed permissions. If Bravura Security Fabric is configured to display Allow and Deny columns, ensure that you select checkboxes in the appropriate columns. See configuration notes below.
Click Update.
Caution
If you require users to be able to edit attributes with restricted or boolean values, you must assign them both read and write permissions.
When assigning read and write permissions for an attribute group, consider the following:
If an attribute group contains required attributes that can only be edited by authorizers, the requirement is ignored until the request reaches the authorization stage. If authorizers then fail to provide values for the required attributes, the request is automatically denied.
When a user group is assigned write-only permissions to attributes with restricted or boolean values, they are automatically granted read and write permissions since write-only permissions would prevent users from viewing or editing attributes.
In some cases it may be easier to prevent certain users from accessing specific objects, rather than trying to find a way to grant limited user access.
Use the ACL DENY ENABLE setting on the Manage the system > Policies > Options page to allow console users to deny read and write permissions to objects.
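The following is an added worked model (not Bravura Security Fabric code) of how a single user's effective access to an attribute group resolves from the rules above: permissions are the union over the user's groups, write-only on a restricted-value or boolean attribute is widened to read+write, and, when ACL DENY ENABLE is on, a Deny entry takes precedence over an Allow from another group. The user group names are the page's defaults; the attribute group names, the Acl structure and the Deny-over-Allow precedence are assumptions made for the example.

```python
"""Constructed model of attribute-group access resolution (not product code)."""
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass
class Acl:
    """Allow and Deny entries for one user group on one attribute group.
    Deny is only meaningful when ACL DENY ENABLE is on (assumption)."""
    allow: frozenset = field(default_factory=frozenset)
    deny: frozenset = field(default_factory=frozenset)


def effective_permissions(user_groups, acl_table, attr_group,
                          restricted=False, acl_deny_enable=False):
    """Permissions a member of user_groups has on attr_group.

    restricted: True when the group holds restricted-value or boolean
    attributes, which cannot be edited without being readable.
    """
    allowed, denied = set(), set()
    for ug in user_groups:
        acl = acl_table.get((ug, attr_group), Acl())
        allow = set(acl.allow)
        # Write-only on restricted/boolean attributes is widened to read+write.
        if restricted and allow == {WRITE}:
            allow.add(READ)
        allowed |= allow                 # union across the user's groups
        if acl_deny_enable:
            denied |= set(acl.deny)      # assumption: Deny overrides Allow
    return frozenset(allowed - denied)


# Constructed ACL table: authorizers may enter salary data that requesters
# must not see; recipients have write-only on a restricted-value group.
ACL_TABLE = {
    ("allauthorizers", "SALARY_ATTRS"): Acl(allow={READ, WRITE}),
    ("allself", "SALARY_ATTRS"): Acl(allow={READ}),
    ("allrequesters", "SALARY_ATTRS"): Acl(deny={READ, WRITE}),
    ("allrecipients", "EMPLOYMENT_TYPE"): Acl(allow={WRITE}),
}

if __name__ == "__main__":
    print(effective_permissions({"allauthorizers"}, ACL_TABLE, "SALARY_ATTRS"))
    print(effective_permissions({"allself", "allrequesters"}, ACL_TABLE,
                                "SALARY_ATTRS", acl_deny_enable=True))
```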
Determining how attributes are displayed
To determine how a group of attributes is displayed to users:
From the Attribute Group definition page, click the Display criteria tab.
Determine the Display type. Select:
Main – to display the group and its attributes on users’ main profile page.
Subsidiary – to display the group’s attributes on a subsidiary page on users’ profile pages.
None – to hide the group and its attributes from users on their profile page.
Select the operations for which the attributes are displayed.
Click Update.
Notes about display:
Bravura Security Fabric does not display empty groups (without attributes) to users.
Errors will occur if multiple attribute groups contain the same attribute and are displayed on the main page.
The list of operations does not apply to pre-defined requests.
Determining attribute group display order
To determine the order in which attribute groups are displayed to users:
Click Manage the system > Workflow > Attribute groups.
Click Order...
Drag and drop one of the double direction arrows in the ID field to change the attribute groups’ order in the list.
Click Update.
When you click Update, Bravura Security Fabric automatically adjusts the attribute groups’ Order values to increments of 10. This allows you to manipulate the group order without changing the full list. For example, to move the BASEATTRIBUTE (10) group between ARCHBASEATTR (20) and REQUESTONLY (30), set its relative order to 25.
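The following is an added model (not Bravura Security Fabric code) of the two display rules described in the sections above: empty groups are hidden and an attribute shared by several groups shown on the main page is an error, and on Update the Order values are rewritten to increments of 10, so the BASEATTRIBUTE example (relative order 25 between 20 and 30) ends up as 10, 20, 30 again. The group members and display types in the sample data are constructed.

```python
"""Constructed model of attribute-group display checks and ordering."""
from dataclasses import dataclass


@dataclass
class AttributeGroup:
    id: str
    members: list        # attribute IDs that belong to the group
    display: str         # "Main", "Subsidiary" or "None"
    order: int


def displayed_groups(groups):
    """Groups users actually see: empty groups and display type None are hidden."""
    return [g for g in groups if g.members and g.display != "None"]


def main_page_conflicts(groups):
    """Attributes that appear in more than one group shown on the main page."""
    seen = {}
    for g in displayed_groups(groups):
        if g.display == "Main":
            for attr in g.members:
                seen.setdefault(attr, []).append(g.id)
    return {attr: ids for attr, ids in seen.items() if len(ids) > 1}


def renumber(groups):
    """Sort by current Order and rewrite it as 10, 20, 30, ... (what Update does)."""
    ordered = sorted(groups, key=lambda g: g.order)
    for i, g in enumerate(ordered, start=1):
        g.order = 10 * i
    return [g.id for g in ordered]


def move_group(groups, group_id, relative_order):
    """Give one group a relative Order value, then normalise the whole list."""
    next(g for g in groups if g.id == group_id).order = relative_order
    return renumber(groups)


def sample_groups():
    """Constructed data mirroring the page's ordering example."""
    return [
        AttributeGroup("BASEATTRIBUTE", ["first_name", "last_name"], "Main", 10),
        AttributeGroup("ARCHBASEATTR", ["use_duration"], "Main", 20),
        AttributeGroup("REQUESTONLY", ["viewable_by_recipient"], "None", 30),
    ]


if __name__ == "__main__":
    print(move_group(sample_groups(), "BASEATTRIBUTE", 25))
```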