Resolving role enforcement violations
When adding or removing entitlements, you may be required to resolve role enforcement violations before continuing. Role enforcement rules are put in place to ensure users have the correct access privileges according to roles that are assigned to them.
In order for users to resolve role enforcement violations, role-based access enforcement must be enabled globally and for the entitlements involved. Users must also have the "Enforce role-based access for user" attribute set to "True".
If the recipient of your request has a surplus violation – that is, too many privileges – you can resolve it by:
Removing the resource from the profile
Requesting an exception to the rule for the resource
Requesting a role that requires the resource
If the recipient of a request has a deficit violation – that is, not enough privileges – you can resolve it by:
Adding the resource to the profile
Requesting an exception to the rule for the missing resource
Removing a role so that there are no deficits
Once your request is approved, the rule is overridden for the user.
Note
Running auto discovery will automatically resolve enforcement violations. Depending on configuration, Bravura Security Fabric will submit a request for an exception, a request to add an entitlement in deficit, or a request to remove a surplus entitlement.
Resolve enforcement violations
The following example procedure describes how to resolve enforcement violations when a requested change in group membership would put the recipient in both surplus and deficit violation.
If surplus and deficit violations are detected, Bravura Security Fabric adds a Resolve enforcement violations page to the wizard.

To resolve a surplus violation, click:
Request role to open the wizard that lists roles that require the entitlement in question, select a role, then click Accept to request the selected role.
Roles that include the entitlement as a legacy entitlement will not be listed.
Request exception to allow the user to keep the excess entitlement.
Remove to remove the excess entitlement.
Undo to bring back the three action buttons: Request exception, Remove, and Request role.
To resolve a deficit violation, click:
Request exception to allow the user to keep the role with the missing entitlement.
Add to allow the user to add the missing entitlement.
Remove role to remove the role corresponding to the missing entitlement.
Undo to bring back the three action buttons: Request exception, Add, and Remove role.
After every violation is resolved, click Submit to submit the request. Authorization may be required, depending on configuration.
If there are no deficits, and the last step in the request results in a surplus, the request is automatically submitted with the default action for a surplus. The user does not see the Resolve enforcement violations page in this case. For example, assuming:
Role1 includes group1
UserA has no deficits, does not belong to Role1, and is not a member of group1
UserA navigates to the Join or leave groups page.
The page includes a Submit button, and no Next button.
UserA selects group1.
UserA clicks Submit.
Bravura Security Fabric submits the request for group membership for group1, and an exception for a surplus violation.
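The surplus and deficit logic described above can be modelled as set arithmetic over a user's roles, entitlements and approved exceptions. The following is an added example, not Bravura Security Fabric code. The class, function names and the "exception" default surplus action are assumptions chosen to mirror the UserA scenario.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    enforce: bool = True                          # per-user enforcement attribute
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    exceptions: set = field(default_factory=set)  # approved rule exceptions

def violations(user, role_defs, enforced, global_on=True):
    """Return (surplus, deficit) for entitlements that have enforcement enabled."""
    if not (global_on and user.enforce):
        return set(), set()
    required = set().union(*(role_defs[r] for r in user.roles))
    in_scope = enforced - user.exceptions
    surplus = (user.entitlements - required) & in_scope
    return surplus, (required - user.entitlements) & in_scope

def resolve(user, kind, ent, action, role_defs, role=None):
    """Apply one of the three resolutions the page lists for a surplus or deficit."""
    if action == "exception":
        user.exceptions.add(ent)
    elif (kind, action) == ("surplus", "remove"):
        user.entitlements.discard(ent)
    elif (kind, action) == ("surplus", "request_role") and ent in role_defs.get(role, ()):
        user.roles.add(role)              # only roles that require the entitlement
    elif (kind, action) == ("deficit", "add"):
        user.entitlements.add(ent)
    elif (kind, action) == ("deficit", "remove_role"):
        user.roles.discard(role)
    else:
        raise ValueError(f"unsupported {kind} resolution: {action}")

def join_group(user, group, role_defs, enforced, default_surplus="exception"):
    """Auto-submit case: no deficits and the request ends in a surplus."""
    user.entitlements.add(group)
    surplus, deficit = violations(user, role_defs, enforced)
    submitted = [("add", group)]
    if not deficit:
        for ent in sorted(surplus):
            resolve(user, "surplus", ent, default_surplus, role_defs)
            submitted.append((default_surplus, ent))
    return submitted

# Constructed data mirroring the scenario above: Role1 includes group1.
ROLE_DEFS = {"Role1": {"group1"}}
ENFORCED = {"group1"}
user_a = User()
print(join_group(user_a, "group1", ROLE_DEFS, ENFORCED))
```

In this model an approved exception takes the entitlement out of scope for that user, so the same membership no longer registers as a violation on the next evaluation.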