Managing Britive Profiles

Application administrators can configure a Britive profile to associate the permissions of an onboarded application, and setup policies so that certain members can have access to the profile with or without approval. 

Application administrators can create and manage Britive profiles using the following steps.

Creating a Britive Profile

1. Login to Britive with administrator privileges.
2. Click on Admin -> Application and Access Profile Management.
3. Click on the application and select Profiles from the navigation menu.
4. Click on CREATE PROFILE.
5. Enter the following on Create Profile page:
   1. Enter the following in the General section of the page:
      1. Enter Name.
      2. Enter Description (Optional).
      3. Check Use Default App Console URL to use the default application console URL or enter the Console URL. The user is directed to a specified console URL instead of default landing page of an onboarded application.
   2. Enter the following in the Expiration section of the page:
      1. Enter the Expiration Timeout in minutes. 
   3. Click Done.
6.  After the profile is created, enter the details in the following tabs to complete a profile:
   • Associations
   • Permissions
   • Policies
   • Identities
   • Tags
   • Session Attributes (For AWS and AWS-standalone applications only)

Associations

The Associations tab displays the scope of the permissions applied in a particular application. An administrator can select the environment(s)/resource(s) to be associated with this profile. This tab varies as per the application. 

Permissions

The Permissions tab displays the list of permissions granted for the profile. The applicable permissions are displayed for selection and are specific to each application. 

To add permissions:

1. Click on ADD PERMISSIONS button.
2. In the Add Permissions page, select the required permission, click + icon to add this permission.
3. The list of permissions depend on the onboarded application. For example: For AWS, user can add only one role per profile or for OCI, user can add only groups.

Policies

The Policies tab displays the list of policies created for a profile. An application administrator can create a policy to select which users can use the profile and whether the profile needs an approval or not before checking out a profile.

1. Click on the ADD POLICY button.
2. Enter the following on the Add Policy page:
   • General:
     • Policy Name
     • Description (Optional)
   • Members:
     • Users: Select None or add a list of selected users for this policy.
     • Tags: Select None or add a list of selected tags for this policy.
     • Service identities: Select None or add a list of selected service identities for this policy.
   • Generic Conditions:
     • IP based: Select if you want access based on the IP addresses. Enter an IP address or a list of comma-separated IP addresses or IP address range in the text box.
     • Time-based: Select the Date-time range or Schedule Daily for applying the policy.
   • Approvals: Select whether the user needs an approval for accessing a profile. Enter the following details if you select Approval Required as Yes:
     • Notification Medium: A notification medium is created in the Admin->Global Settings section. For more details, see Creating and Managing Notification Mediums.
     • User list: Select the users from the user list. A notification is sent to these users for approval.
     • Tag list: Select the tags from the list.
     • Maximum time to Approve: Enter the time in Hours:Minutes format. The approval request expires if it is not approved in this specified time.
3. Click Save and Enable.

User can Edit/Clone/Enable/Disable/Delete a policy by clicking Manage for a particular policy.

Identities

The Identities tab displays the identities assigned to a profile. The identities are specific to application. For example: 

• It is mandatory to have a mapped account for the user for the following applications: Azure, GCP, Salesforce, Okta, Snowflake, and ServiceNow. 
• User can add users and service identities for AWS application but user can add service identities only if the programmatic access is enabled while creating an Azure application.

To add identities:

1. Click on ADD IDENTITIES button.
2. Add a tag by clicking Add icon. Users can choose to add a tag for a specified time slot only by clicking Add for specified time icon.
3. Click Done.

Tags

The Tags tab displays the tags assigned to a profile. It is mandatory to have mapped account for all users that are part of tag for the following applications: Azure, GCP, Salesforce, Okta, Snowflake and ServiceNow.

To assign tags to a profile:

1. Click on ADD TAGS button.
2. Add an identity by clicking Add. Users can choose to add an identity for a specified time slot only by clicking Add for specified time icon.
3. Click Done.

Session Attributes

The Session Attributes tab displays the session attributes added to the profile.

There are two types of attributes:

• Identity: The selected value for the attribute is collected from the user's profile when they checkout AWS profile from My Access tab.
• Static: User has to specify a value that remains the same for all users in the Attribute Value field.

To add a session attribute:

1. Click on ADD SESSION ATTRIBUTE button.
2. Enter the following on the Session Attribute page:
   1. Select the Attribute Type, either Identity or Static.
   2. Select the Attribute.
   3. Enter the name of the attribute as defined in role configured in AWS in Mapping Name field.
   4. Select Transitive to pass the session attributes when assuming other roles and those roles have the same attributes defined.
   5. Click ADD SESSION ATTRIBUTE.