
Access Builder


Users can request access to an existing profile and its associated policy, or create their own profiles and then request access. Approvers get a notification after a profile is submitted for approval. A profile is ready for checkout after the request is approved.

Access Builder now supports tag-based access requests, so users no longer have to request access to each profile individually. A user can request access to a tag, which grants access to all profiles associated with that tag.

  1. Log in to Britive.

  2. Click on Access builder from the navigation menu.

  3. Applications:

    1. Select an application from the list of applications.

    2. Select an existing profile, clone an existing profile using the Clone profile icon in front of it, or create a profile as described in Creating a Profile.

    3. Click Request to request access to a profile of your choice, or click on the View profile icon against any profile and select Request.

    4. Profile, Permissions, and Associations tabs display read-only profile information.

    5. Select the Policies tab, and from the list of policies, click Select for the required policy. Only one policy can be selected for requesting access.

    6. Click Next.

    7. Enter Justification to be sent with the approval request. 

    8. Click Submit. All approver(s) get a notification on the Britive UI as well as on the configured notification medium.

  4. Tags:

    1. Select a tag from the list of tags. The list displays all the tags for which the Is Requestable? field was enabled while configuring tags. The list also displays the associated application profiles, resources, and secrets.

    2. Click Request to request access.

    3. Enter Justification to be sent with the approval request.

    4. All approver(s) get a notification on the Britive UI as well as on the configured notification medium.

    5. Click View details to see more details about the associated application profiles, resources, and secrets.

  5. Users can check the request status using the My requests menu option from the navigation menu.

Creating a Profile

  1. Log in to Britive.

  2. Click on Access builder from the navigation menu.

  3. Select an application from the list of applications. 

  4. Click on Create Profile to create a new profile or click the Clone profile icon in front of a profile to clone an existing profile. 

    1. Enter the following in the General section of the page:

      1. Enter Name.

      2. Enter Description (Optional).

      3. Check Use Default App Console URL to use the default application console URL, or enter a Console URL as needed. When a Console URL is entered, the user is directed to that URL instead of the default landing page of the onboarded application.

    2. Enter the following in the Expiration section of the page:

      1. Enter the Expiration Timeout value in minutes. Users can select a profile expiration timeout that does not exceed the maximum set in Access Builder Settings.

    3. Enable Allow Impersonate under Impersonation Settings to grant service/AI identities permission to act on behalf of users or tags.

    4. Click Done.

  5. At this point, you can continue the profile creation or save it as a draft to work on it later. Draft profiles without any updates are deleted after 30 days.

  6. Edit the association selection in the Associations tab. Users can select only associations configured in Access Builder Settings by an administrator. This tab varies as per the application.

  7. Add permissions using the Select Permission button. On the Select Permissions page, the applicable permissions are displayed for selection and are specific to each onboarded application. For example, for AWS, the user can add only one role per profile, or for OCI, the user can add only groups. Also, the permission is displayed for selection only if it is available in all the selected associations.  

    1. On the Select Permissions page, select the required permission, and click the + icon to add this permission.

      Note:

      Any change made to profile associations after permissions have been added clears those permissions, which must then be configured again.

  8. [For AWS applications only] Britive-managed roles:

    Administrators or users can create their own roles with the required AWS-managed policies or inline policies so that Britive profiles can be built using those permissions. These roles get provisioned in AWS after they are checked out from Britive.

    1. Click Create Permission.

    2. Enter the following in the Create Role page:

      1. Name

      2. Description

      3. Permissions:

        1. Select Existing Policy: Select from the listed policies. Click on the information icon to view the policy details.

        2. Create Inline Policy: Enter the Name and the Policy code in JSON format in the Create Policy page. Click Validate to validate the policy details.

      4. Add New Tag (Optional): Enter the Key and Value pair and click Add.

      5. Click Save.

    3. Britive-managed permissions are displayed with icon b, indicating that a role is Britive-managed.

  9. Add policies using the Add Policy button. A policy defines which users can use the profile and whether approval is required before the profile can be checked out.

    1. Enter the following in the Add Policy pages:

      • General

        • Enter the Policy Name.

        • Enter the Description (Optional).

      • Members:  

        • Users: Click Select Users and add one or more members for this policy.

        • Tags: Click Select Tags and add one or more tags for this policy.

        • Service identities: Click Select Service Identities and add one or more service identities for this policy. 

        • AI identities: Click Select AI Identities and add one or more AI identities for this policy.

          Notes:

          • If a requester does not add any members to the policy (policy saved as a draft), the requester is added to the policy and the policy is enabled upon approval.

          • If a requester adds the member(s) to the policy while creating a policy, the policy is enabled only for those members. In this case, the requester is not added to the policy automatically.

      • Generic Conditions

        • IP based: Select if you want access based on IP addresses. Enter an IP address or a list of comma-separated IP addresses in the text box.
        • Time based: Select the Start and End Date/Time range or Set Time Schedule for applying the policy.
      • Step-up Verification: Select Yes if step-up verification is required for this profile. Once selected, you can choose whether a previous successful verification can be used for subsequent profile checkouts. The step-up verification validity is configured in the step-up verification validity settings in the Security tab. For more information, see Configuring Step-up Verification Validity.

      • Approvals: Select whether the user needs approval to access a profile. Enter the following details if you select Approval Required as Yes:

      • Notifications: Select notification medium(s) using the Add Notification button. Notification mediums can be created in the Admin->Global Settings section before use. For more details, see Creating and Managing Notification Mediums.

        • Slack or Slack Application
          • (Optional) Specify the Slack Channel ID:
            1. To find the Slack Channel ID:
              1. Right-click on the Slack channel you want to use.
              2. Select View Channel Details.
              3. Scroll to the bottom to find the Channel ID.
            2. Click Validate Channels to validate the listed channels. Ensure you have integrated the Britive app with channels (private/public) before validating them. For more information about integrating the app, see Configuring Slack App.
              Note:
              You can add only one Slack notification medium per policy.
    2. Click Save and Enable after the configuration is done.

  10. Click Next to continue creating a profile or Save as Draft to save the profile workflow and work on it later.

  11. Enter the Justification to be sent with the approval request. 

  12. Click Submit.

  13. Users can check the request status using the My Requests menu option from the navigation.
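
An added example (not Britive's code, and not the check that the Validate button performs): a local least-privilege lint for the JSON you intend to paste into Create Inline Policy in step 8, so that an over-broad role is caught before it is submitted for approval. The two policy documents, the bucket name, and the function names are constructed for illustration.

```python
import json

# Constructed sample documents (not from the Britive docs); bucket name is a placeholder.
NARROW = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/reports/*"}]}"""
BROAD = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "s3:*", "Resource": "*"}]}"""

def _as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_inline_policy(policy_json):
    """Return least-privilege findings for a role permissions policy document."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["policy document must be a JSON object"]
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append('Version should be "2012-10-17"')
    statements = doc.get("Statement")
    if isinstance(statements, dict):  # a single statement object is legal
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement is missing or empty"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(st, dict) or st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: needs Effect of Allow or Deny")
            continue
        if "Principal" in st or "NotPrincipal" in st:
            findings.append(f"{where}: Principal is not valid in a permissions policy")
        if st["Effect"] == "Deny":
            continue  # wildcards in a Deny statement narrow access
        for key in ("NotAction", "NotResource"):
            if key in st:
                findings.append(f"{where}: Allow with {key} grants everything not listed")
        for action in _as_list(st.get("Action")):
            if isinstance(action, str) and (action == "*" or action.endswith(":*")):
                findings.append(f"{where}: Action {action!r} allows every operation")
        if "*" in _as_list(st.get("Resource")) and "Condition" not in st:
            findings.append(f"{where}: Resource '*' with no Condition")
    return findings
```

An empty list means no finding from these particular checks; approvers can run the same function on the policy attached to a request before approving it.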