Versions Compared

Old Version 16

changes.mady.by.user Kim Landis

Saved on

compared with

New Version 17

changes.mady.by.user Kim Landis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Div
classbreadcrumbs

/wiki/spaces/E2D/pages/29982926  /  Installation and Configuration  /  Connecting to Directory Systems  /  Current: Connecting to Amazon Web Services


Warning

Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers
  • Reviewing the Join and Provision Rules for your environment
  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip these prerequisites.


Excerpt

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

EmpowerID includes an Amazon Web Services (AWS) connector that allows organizations to bring the data (user accounts, groups, roles and computers) in their AWS domain to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. When EmpowerID inventories AWS, it creates an account in the EmpowerID Identity Warehouse for each Amazon user account, a computer for each Amazon computer, a group for each Amazon group, and a special group called an RBAC-Only group for each Amazon role.

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Amazon accounts for any person within your organization based on their role. For more information on Resource Entitlements, see Configuring Provisioning Policies.


Info

Prerequisites: In order to connect EmpowerID to AWS, you must have an AWS domain with an account that EmpowerID can use to connect to AWS. (EmpowerID recommends using a dedicated service account.) At a minimum, this account must have a policy with permission to read the user, group and computer data in AWS. If you plan to use EmpowerID to provision, deprovision and modify this data in AWS, the profile needs to have create, update and delete permissions as well. In addition, you must provide EmpowerID with the following information:

  • Access Key ID for the service account
  • Secret Access Key for the service account
  • AWS Site Name
  • AWS TenantID


After ensuring you have met the prerequisites specified in the Getting Started with Directory Systems topic, you connect EmpowerID to AWS by doing the following:

  1. Creating an account store in EmpowerID for AWS.
  2. Configuring EmpowerID settings for the account store connection, including whether to provision EmpowerID Persons during inventory or in batches using the Account Inbox permanent workflow (recommended).
  3. Reviewing and configuring the attribute flow rules for the account store.
  4. Turning on inventory.
  5. Enabling the Account Inbox Permanent Workflow when ready—if you are using batch processing to provision Person objects from the inventoried user accounts. This is the recommended method.
  6. Monitoring Inventory.


Info

Before connecting EmpowerID to a directory system, you should determine whether you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If you do, then you should be able to answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time using the Account Inbox (recommended)?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
  6. If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?


To create an account store for AWS

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.




  4. Select Amazon AWS from the Security Boundary Type drop-down and then click OK.




  5. In the Account Store Details screen that appears, do the following:
    1. Type the address to your AWS site in the Site Name field.
    2. Type the Access Key ID generated by Amazon for the service account in the Client Key field.
    3. Type the Secret Access Key generated by Amazon for the service account in the Client Secret field.
    4. Type the TenantID for your AWS site in the TenantID field.

    5. Click Save.



      Warning

      If the values entered in the Account Store Details screen are incorrect, EmpowerID will not be able to authenticate to Amazon and the connection will fail.



      EmpowerID creates the Amazon connection and opens the Account Store Details screen for the Amazon account store. This screen contains settings for configuring how EmpowerID manages the Amazon account store. Configuring this screen is discussed in the next section.





To configure EmpowerID for the account store

  1. In the General pane of the Account Store Details screen, tick the red sphere to a green check box for each of the following settings that you want to enable:
    • Allow Person Provisioning— If enabled, EmpowerID provisions a Person object for each user discovered in the account store.
    • Allow RET Provisioning —  If enabled, EmpowerID applies any Resource Entitlements policies to each person provisioned from an inventoried AWS account if those people are placed in a Business Role and Location that is targeted by a Resource Entitlement Policy.
    • Allow RET De-Provisioning —  If enabled, EmpowerID removes any Resource Entitlements received by the AWS users if those users no longer meet the criteria for those resources.
    • Allow Create Account On Membership Request — Select to allow users without accounts to request group membership and automatically have an account created.

  2. In the Inventory pane of the Account Store Details screen, do the following:
    1. If you are provisioning people during inventory, toggle the icon to the right of the Allow Automatic Person Provision On Inventory setting from a red sphere to a green check box.
    2. If you are provisioning people during inventory, click the Edit Image Modified button to the right of Business Role for New Inventory Provision and select an appropriate Business Role for each person.
    3. If you are provisioning people during inventory, click the Edit button to the right of Location For New Inventory Provision and select an appropriate Location for each person.

If you want EmpowerID to provision Persons from the user accounts using the Account Inbox (recommended), you need to enable the Account Inbox permanent workflow. This is demonstrated below.

To enable the Account Inbox permanent workflow

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.
  2. From the Permanent Workflows page, click the Display Name link for Account Inbox.



  3. From the View One page for the workflow that appears, click the edit link for the workflow.



  4. From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.

To monitor inventory

  1. From Navigation Sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.

    The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.

  • Dashboard - This tab provides a quick summary of account inbox activity.
  • Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
  • Failed - This tab displays a grid view of any account joining or provisioning failures.
  • Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
  • Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
  • Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
  • Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
  • Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
  • All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.

To confirm inventory

  1. From the Navigation Sidebar, navigate to Change Manager by expanding System Logs and clicking Audit Log.
  2. Type AWS in the Search field and press ENTER. You should records for your AWS users approved by EmpowerID System.
  3. If you have AWS groups, click the Group Membership Changes tab and search for your AWS groups. You should those groups and the group members.
  4. From the Navigation Sidebar, navigate to AWS Manager by expanding Pages and clicking AWS Manager. You should see a dashboard displaying your AWS account store information.
  5. Click through each tab of AWS Manager. You should the information relevant to that tab, as well as an Actions panel with a list of actions that you can perform against the selected resource or resource type. For example, if you select the EC2 Instances tab, you can view information about your EC2 instances, delete or disable those instances as well create new instances, among other things.