Birthright access is a term used to define a Person’s initial access to IT systems based upon their role in the organization. It is the access they automatically receive by policy without generating any requests for access. EmpowerID divides this access into two types: Provisioning Policies which define the new objects that should be automatically created for a Person, and then access assignments which are the policies that will add the Person’s user accounts to groups, application roles, or permissions.
EmpowerID’s Provisioning Policies, also commonly known as Resource Entitlements or RETs, XXXX
•Resource Entitlements (RETs) are policies that govern how resources, such as an Active Directory account or an Exchange mailbox, are given to people and when they are revoked.
•RET policies can be assigned to any EmpowerID Actor Type (Person, Business Role and Location, etc.)
•RETs can be triggered manually in specific workflows using a workflow shape or can be automatic using the EmpowerID Jobs
EmpowerID supports automated provisioning and deprovisioning of birthright account identities in external target directories and applications through the configuration of provisioning policies. These policies can be assigned or scoped using any RBAC assignment point such as Business Role and Location, Query Based Collection, or Management Role membership.
Pre-Requisites
•Each Account Store has a setting to Allow RET Provisioning and one to Allow RET De-Provisioning
•These settings are all that is required for manual workflow-triggered RET processing
•For automated background RET processing:
•At least one server must be running the Worker Role Service
•The RET Inbox Processor Job and Recalculation Job must be enabled for at least one of these servers
RET Actions/Events
•Claim – Occurs when EmpowerID discovers a person with a resource that matches a RET to which they are assigned, but the resource is not marked as having been provisioned by an RET.
•Transform – Occurs when a person with a resource provisioned by one RET policy receives an equivalent RET from a different policy.
•Revoke – Occurs when a person who received a resource via an RET no longer receives the RET policy.
On Claim Action
The four options and outcomes are:
•Do Nothing - No changes are made.
•Move - In the case of user accounts, moves the user object to the OU specified by the RET or as determined through the mapping of OUs to Business Roles and Locations.
•Delete and Recreate - In the case of user accounts, deletes and recreates the user.
•Register Event - Raises the event specified.
On Transform Action
The four options and outcomes are:
•Do Nothing - No changes are made.
•Move - In the case of user accounts, moves the user object to the OU specified by the RET or as determined through the mapping of OUs to Business Roles and Locations.
•Delete and Recreate - In the case of user accounts, deletes and recreates the user.
•Register Event - Raises the event specified.
On Revoke Action
The four options and outcomes are:
•Do Nothing - No changes are made to the resource.
•De-provision - Deletes the resource.
•Disable - Disables the resource.
•Register Event - Raises the event specified.
Register Event Option
•This is an optional setting that allows you to enter the name of a predefined EmpowerID event registration.
•The RET action will "fire" this event which then triggers the initiation of all workflows that subscribe to the event.
•The specified event workflows must have an input property of the type Resource named "resource" (case sensitive).
•The RET process will pass in the resource of the Person's RET (Account, Home Folder, Exchange Mailbox, etc.) that triggered the event for further processing by the custom workflow(s).
•The custom workflows can be used to implement more advanced processes for deprovisioning or other events.
AD/LDAP Account Creation Location Logic
When provisioning users automatically via provisioning policies into AD or LDAP directories, EmpowerID must determine into which OU a person’s account should be provisioned. The default logic is to follow the RBAC mapping for the Location portion of a Person’s Business Role and Location to create the account in the Account Store OU mapped to that EmpowerID Location. In some cases, this default logic is not desired and a custom rule should be implemented. For these cases, EmpowerID allows the creation of a plugin in Workflow Studio to handle this unique RET AD/LDAP Account Creation Location logic.
