Common deployment scenarios
The following scenarios illustrate how organizations of different sizes and maturity levels typically deploy Bravura Privilege. Each scenario builds on the previous one.
Scenario 1: Credential vaulting and rotation
Profile: Small to mid-size organization, or an organization beginning its privileged access management (PAM) journey. May be using the limited Bravura Privilege license included with another Bravura Security Fabric product.
Goal: Eliminate static, shared administrator passwords and establish basic credential hygiene.
What to deploy:
Vault-only managed systems for credentials that cannot be managed through a connector (offline systems, physical safes, API keys).
Push-mode managed systems for servers and network devices with supported connectors.
Scheduled password randomization on all managed accounts.
Basic disclosure (display and copy) for authorized users.
Outcome: No more shared passwords. Every privileged credential is unique, rotated regularly, and stored in an encrypted, replicated vault with a full audit trail.
Scenario 2: Controlled access with workflows
Profile: Mid-size organization with compliance requirements (SOX, PCI-DSS, HIPAA) or a need to control who accesses privileged accounts and when. Requires a full Bravura Privilege license.
Goal: Add request/approval workflows, just-in-time access, and delegated team-based administration.
What to deploy (in addition to Scenario 1):
Bravura Privilege Pattern for team-based management with pre-defined requests for onboarding, updating, and offboarding systems and accounts.
Request and approval workflows with auto-approval for routine access and manual approval for high-risk requests.
Risk-based access decisions to adapt approvals based on request context (time of day, location, request history).
Auto-discovery and import rules to automate system and account onboarding at scale.
Direct-connect session brokering (browser extension, RDP, SSH) with credential injection.
Outcome: Privileged access is time-bounded, approved, and auditable. Business stakeholders manage their own teams through self-service workflows. Auto-discovery keeps the inventory current without manual effort.
Scenario 3: Enterprise PAM with session monitoring and IGA convergence
Profile: Large enterprise with thousands of systems, multiple data centers or cloud regions, regulatory audit requirements, and a need for converged identity and privileged access governance. Requires a full Bravura Privilege license.
Goal: Full-featured PAM with session recording, service account management, API credential retrieval, and integration with identity governance.
What to deploy (in addition to Scenarios 1 and 2):
Session recording and monitoring for all high-value systems, with tamper-resistant recording, live oversight, and session termination capabilities.
Service account password management with automated subscriber discovery, password propagation, and transaction management.
API credential retrieval to replace static embedded passwords in scripts, applications, and CI/CD pipelines.
Local Workstation Service for laptops and intermittently connected endpoints.
Connector proxies for firewalled network segments and DMZs.
Access certification campaigns for periodic review of privileged entitlements.
Integration with Bravura Identity for converged identity lifecycle and privileged access governance.
Outcome: Enterprise-wide privileged access governance with full audit trail, session forensics, automated credential management for both human and non-human identities, and converged IGA+PAM in a single platform.