Configuring Bravura Safe (2025+) collections for auto-association
The following are recommended Bravura Safe target system settings for using the collections and managed groups:
Source of Profile IDs: unchecked
Automatically attach accounts: checked
Account attribute to automatically attach accounts to user profiles: set to a custom account attribute
In this case, the value for a user's custom account attribute is set to the user's collection name.
The Bravura Safe collections and custom account attributes for this purpose are named exactly the same as the profile ID of the user in the Bravura Security Fabric instance. Each item in that collection will then be listed as an account for the user from the Bravura Safe target. For example:
In Bravura Safe a collection exists and is named "User1".
Within the "User1" collection, there may be one or more login items stored.
Each of these login items will be listed as accounts for the "User1" user Bravura Security Fabric.
Add a custom attribute in Bravura Safe
To add a custom attribute for items on the Bravura Safe server:
Edit a Bravura Safe item.
Click the link for the New custom field.
Set Name to the custom attribute name, for example
safe-collection.Set Value to the collection name of the Bravura Safe item.
Locate the value for IDSYNCH ID PLUGIN MASK
The value for the plugin will be used for the Bravura Safe (2025+) custom account attribute for the PSLang expression.
Navigate to Manage the system > Workflow > Options > Plugins.
Locate the IDSYNCH ID PLUGIN MASK field.
Note the value.
Add a custom account attribute in Bravura Security Fabric
To add a custom account attribute on the Bravura Security Fabric instance:
Navigate to Manage the system > Resources > Account attributes.
Select one of the following:
Target system type, then select the Bravura Safe (2025+) target system type from the drop-down list, then click Select.
Target system, then select the Bravura Safe (2025+) target system. Use the search function if necessary.
From the Target system level overrides tab, click Add new... , then:
Set ID to the custom attribute name, for example
safe-collection.Set Action when creating account to
Set to specified value.Set Action when updating account to
None.Check the checkbox for Load attribute values from target system.
Click Add to save the changes.
Set Value type to
PSLang expression.Set Attribute value to the same value as IDSYNCH ID PLUGIN MASK then click Add to save the changes
When users are created using the Bravura Safe (2025+) connector, the new user must first be added to a Bravura Safe collection. This is accomplished by the new using being added to the template user's collection. The custom account attribute will also be updated to be the value for the user's Bravura Safe collection name and Bravura Security Fabric profile ID.
Ensure that the template user that is assigned for the Bravura Safe (2025+) target has the permissions locked down both on the Bravura Safe server for the collection for the access permissions as well as on the Bravura Security Fabric instance so that no one else has access.
To clean up the Bravura Safe collection assignment from the template user:
If the template collection is a managed group, the group (Bravura Safe collection) may be unassigned from the template user through a workflow request from the Bravura Security Fabric instance.
If the template collection is not a managed group, then the Bravura Safe collection for the template will need to be unassigned directly from the Bravura Safe server.
Also ensure that for a user's collection within Bravura Safe, that the access permissions for the Bravura Safe user are set to Can view. This will ensure that the users are able to see the Safe item in the collection and copy out the secret value, but they are unable to change any of the settings directly in Bravura Safe. This also ensure that the value for the custom attribute within their Safe item may also not be able to be modified.