Connector operations
Bravura Security Fabric uses connectors, also referred to as agents, to perform operations on a target system. Connectors also allow Bravura Security Fabric to set or validate passwords or other authenticators on a target system. The connectors also harvest information about accounts from target systems during the auto discovery process.
Connectors may include:
An agent binary located in the Bravura Security Fabric instance’s agent directory. Product administrators can use their process names to troubleshoot functionality by finding them in Bravura Security Fabric logs or the Windows’ list of running processes.
Any libraries used by the agent. This may include libraries in <Program Files>\Common Files\Bravura Security\, Windows or Visual C++ libraries, and the various target libraries, SDKs, Python interpreter, and so on.
In some cases, such as Unix systems, a listener installed on the target system.
Each connector is designed to target a specific type of system; for example, the Active Directory connector (agtaddn) is used to interact with an Active Directory system. Some connectors, such as the flexible SSH connector (agtssh), require a script to define the interaction between Bravura Security Fabric and the target system.
Connectors are installed on the Bravura Security Fabric server itself (in the agent directory) and use a remote administration software protocol understood by the target system. For some target systems, such as RSA Access Manager and SAP, client software must be installed on the Bravura Security Fabric server.
The individual actions that connectors take on a target system are referred to as connector operations. Note that not all target systems are capable of supporting all connector operations, and that some operations are not yet available through the Bravura Security Fabric web interface.
See below for details of connector operations. Depending on the Bravura Security Fabric application and the capabilities of each target system, not all operations may be activated.
Check the target system sections for lists of supported connector operations for each target type.
get server information [SERI] Connects to the target system using the specified administrative credentials and queries available system attributes such as version. This operation is primarily used to validate the administrative credentials when Test Credentials is clicked in the Manage the system (PSA) module.
list accounts Lists accounts on the target system, and the attributes for each account.
list attributes Lists selected attributes for multiple accounts on a target system.
Some target systems support incremental listing of attributes. That is, only users with attribute changes since the last listing are returned.
list groups Lists groups.
list members Lists members of a managed group.
list account attributes Lists attributes for a specified account.
list computer objects Lists computer objects on a target system.
list subscribers Lists subscriber accounts on a target system.
user verify password [VERI] Checks if a given password is the correct, current password for an account. If the application supports the concept of intruder lockout and the verification fails, the intruder lockout counter is incremented.
administrator verify password [AVER] Checks if a given password is the correct, current password for an account without triggering an intruder lockout if the password is not correct.
user change password [CHNG] Changes the password for an account, from a known current value to a desired new value. If the application supports the concept of intruder lockout, then the intruder lockout counter is cleared and the account unlocked. If the application supports the concept of password expiry, then the expiry date is set according to the expiry policy of the application.
This almost always requires the user to know their current password, and have authenticated with it. Frequently it requires the user to re-authenticate before a password change is allowed, in case of unauthorized access to a logged-in session.
This operation is implemented for most connectors, but never used in Bravura Security Fabric, even for self-service reset. Change turns into verifyreset in the Password Manager Service (idpm), and Change turns into adminchange in the Privileged Access Manager Service (idarch).
administrator reset password [ARES] Administratively resets an account's password to a new value. If the application supports the concept of intruder lockout, then the intruder lockout counter is cleared and the account unlocked. If the application supports the concept of password expiry, then the expiry date is set according to the expiry policy of the application. Disabled accounts will remain disabled.
You can use the Connector behavior page to change the behavior of this operation for some targets.
This operation is used for the vast majority of password change operations.
This includes help desk resets and self-service resets within Bravura Pass, initial password setting for new accounts in Bravura Identity, and periodic password changes of managed accounts in Bravura Privilege.
Password changes are almost always done with the target admin credential or system credential.
Usually target systems will allow any password for admin resets, so the help desk can use "standard passwords" and passwords can be reused. Therefore, the system must ensure that the password strength rules in the product stop unacceptable password reuse.
administrator reset+expire password [ACEX] Administratively resets an account's password to a new value and expires the account's new password, so that the user is forced to change their password the next time they log in.
This operation is used by the help desk when "reset and expire" is used.
This minimises the issue of the help desk using "standard passwords" or password reuse, or of admins remembering the password, as the user will change it almost immediately.
To allow for synchronization of passwords across accounts, and to ensure that password history is properly maintained in Bravura Pass, it is strongly recommended that the user be directed to log in to a target with the transparent synchronization interceptor (almost always Active Directory). Otherwise the password could be reset for a second lifetime from the product using self-service reset.
verify+reset password [VRRE] Verifies if the account's password matches the new password, and if the verification fails, administratively sets it to the new password. If the verification succeeds, then the reset is not necessary, and the operation returns success.
This operation is used when a password change is triggered from transparent synchronization.
This is used only in Bravura Pass.
Passwords are set to be changed in the product on all targets in the target group, without determining what target the password change came from. The verify is used so that, on the initiating target, we do not change the password again unnecessarily.
This also avoids failing the reset operation due to race conditions, that is, if the target in question was already changed centrally.
For example:
Reducing propagation delay in an AD by resetting the password on DCs in different data centers directly, one of the requirements of the Login Assistant.
Different targets configured on AD as well as AD-authenticated systems, e.g. workstations or servers joined to that AD, SAP CUA and application nodes, Linux centralized user management, linked LDAP systems and so on.
Different targets configured on the same AD, and with the same accounts, for different purposes.
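The following is an added example, not Bravura Security Fabric code: an in-memory model of a single target account that makes the lockout and expiry semantics of the operations described above (VERI, AVER, CHNG, ARES, ACEX and VRRE) concrete, including why VRRE returns success without touching a target that already holds the new password. The lockout threshold of 3 and the expiry policy (a change simply un-expires the password) are assumptions of the model, not behaviour of any particular target.

```python
# Added example (not Bravura Security Fabric code): in-memory model of one target
# account, showing the lockout/expiry semantics the operation descriptions specify.
from dataclasses import dataclass
LOCKOUT_THRESHOLD = 3  # assumed lockout threshold; expiry policy assumed to un-expire on change

@dataclass
class Account:
    password: str
    bad_attempts: int = 0
    locked: bool = False
    disabled: bool = False
    password_expired: bool = False

def user_verify_password(acct, pw):
    if acct.password != pw:  # VERI: a failure counts against the intruder lockout
        acct.bad_attempts += 1
        acct.locked = acct.bad_attempts >= LOCKOUT_THRESHOLD
    return acct.password == pw

def administrator_verify_password(acct, pw):
    # AVER: same comparison, but a failure never touches the lockout counter.
    return acct.password == pw

def _set_password(acct, new_pw):
    # Shared by CHNG/ARES/ACEX: new value, lockout cleared, password un-expired;
    # disabled state is deliberately left alone, as the ARES description states.
    acct.password, acct.bad_attempts, acct.locked = new_pw, 0, False
    acct.password_expired = False

def user_change_password(acct, current, new_pw):
    if not user_verify_password(acct, current):  # CHNG: wrong current value counts like VERI
        return False
    _set_password(acct, new_pw)
    return True

def administrator_reset_password(acct, new_pw):
    _set_password(acct, new_pw)  # ARES: no current password required
    return True

def administrator_reset_expire_password(acct, new_pw):
    _set_password(acct, new_pw)  # ACEX: ARES, then expire the new password
    acct.password_expired = True
    return True

def verify_reset_password(acct, new_pw):
    # VRRE: reset only if the target does not already hold the new value, so the
    # initiating target (or one already changed centrally) is not reset again.
    if administrator_verify_password(acct, new_pw):
        return True
    return administrator_reset_password(acct, new_pw)
```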
When an account is disabled, a user cannot log in using that account even if the user knows the correct password for the account. Most applications differentiate between an enabled/disabled state and an unlocked/locked state.
check account enabled Checks if an account is enabled.
enable account Enables an account.
disable account Disables an account.
When an account is locked out, the user cannot log in using that account even if the user knows the correct password for the account. Most applications differentiate between an enabled/disabled state and an unlocked/locked state.
check account lock Checks if an account is locked.
lock account Locks an account (sets the intruder lockout).
unlock account Unlocks an account (clears the intruder lockout).
lock account + enter emergency access mode Locks an account, and then enters emergency access mode.
There are two types of expiry relating to accounts: password expiry and account expiry. When the password is expired, the application forces the user to change it during his next login after he has successfully authenticated using his current password. When an account is expired, it is no longer usable, and the user cannot log in using the account even if he knows the correct password for the account. Most applications differentiate between password expiry and account expiry.
expire password Expires an account's password.
unexpire password Unexpires an account's password.
check password expiry Checks if an account's password is expired.
check account expiry Checks if an account is expired.
expire account Expires an account.
unexpire account Unexpires an account.
The typical behavior of all built-in connectors is to copy a template account, and then update the attributes of the copy.
create account Creates a new account on the target system. This operation creates the account (possibly using a template for some attribute values), then sets other attribute values – including the password for the new account.
delete account Deletes an existing account on the target system. The typical behavior is to first ensure that the account being deleted exists.
update attributes Updates attributes for an existing account.
add user to group Adds an account to a group.
delete user from group Removes an account from a group.
move contexts Moves an account to a new context or location on a context-sensitive target.
rename account Renames an existing account's short ID. By default, this operation is not supported from the Bravura Security Fabric GUI.
create group Creates the specified group.
Currently, group creation does not support the setting of any attributes. This operation is not supported from the Bravura Security Fabric GUI.
delete group Deletes the specified group.
This operation is not supported from the Bravura Security Fabric GUI.
add group to group Adds a group to a group.
Currently, adding group to group does not support the setting of any attributes.
This operation is not supported from the Bravura Security Fabric GUI.
remove group from group Removes a group from a group.
Currently, removing a group from a group does not support the setting of any attributes.
This operation is not supported from the Bravura Security Fabric GUI.
resynchronize tokens Resynchronizes a token.
set token pin Sets the PIN for a token.
challenge response authentication Uses challenge-response authentication; for example, to reset tokens or encrypted passwords.
reset hard drive encryption password Resets the hard drive encryption password on workstations protected with hard drive encryption systems.
generate an unlock code to recover control of a machine after reboot Uses challenge response authentication to recover control of a machine from the login screen after reboot.
generate an unlock code to recover control of a machine after reboot and set new password Uses challenge response authentication to recover control of a machine from the login screen after reboot and sets a new password.
generate an unlock code to recover control of a machine from the unlock screen Uses challenge response authentication to recover control of a machine from the unlock/screensaver screen.
update resource [UPRS] Updates subscriber attributes, typically password.
run command This operation executes a command or script via the checked-out multiple accounts request.