Versions Compared


If your organization has partners that access your system to manage the IT resources you have allocated to them, you can quickly set up your environment to manage those partners using the built-in partner roles and locations.

This topic demonstrates how to manage partner delegations by creating

two

a fictitious

partners

partner named "Hendriks Hardware

" and "Acme Anvils

." We then create

two

a test partner admin and a test partner

admins

user and log in to EmpowerID as those

partner admins

users. The purpose of this is to test the delegations. You can follow along, creating these test partners or

supply

supplying your own.

To follow along, replace these two organizations with your actual partners.

If the environment has been correctly configured, the partner admins should only be able to see their own locations; they should not be able to see your IT infrastructure or that of any of your other partners. The partner admins should also be able to manage their partner users without your intervention.

To create partner locations

In the Navigation Sidebar

Step 1 – Create a partner location

  1. On the navbar, expand Role Management and click Business Roles and Locations.

From the Business Role and Location management page, select the
  1. Select the Actions tab and then click Create Location.


In

  1. This opens the Location Details form

that appears, do
  1. .


  2. Do the following in the form:

Type a name, display name and description for the Location in the Name, Display Name and Description fields, respectively.
    1. Name – Name of the partner location. It is recommended that the name match the partner organization.

    2. Display Name – Name of the partner location that users see in the EmpowerID UI.

    3. Description – Short characterization of the location.

    4. Tick Is Assignable so that the option is enabled.

    5. Underneath Parent

Location
    1. ID, click the X to delete the EmpowerID System location and then click the Select a Location link to open the Location Selector.

From the Location Selector, search
    2. Search for and select

Partner and then click Save to close the Location Selector.
    1. Partners.


    2. Select Organization

from
    1. - Security Container as the Location Type

drop-down
    1. .


Back in the main form,
    1. Leave the other fields as is and click Save to create the Location.

  1. Repeat the above steps

3 and 4 above
  1. to create locations for each of your remaining partners.

To create

Step 2 – Create a test partner

admins

admin

  • Log in to the EmpowerID Web application as an administrator.
  • From the Navigation SidebarType a first name and last name for the person in the Last Name and Last Name fields, respectively
    1. On the navbar, expand Identity Administration and click People.

  • In Person Manager, click Create Person Simple Mode underneath the Actions pane.
  • In the Create Person Request form that appears, do the following:
    1. Click the Onboard Person action to initiate the Onboard Person workflow.

    2. Select Simple Mode as the Person Creation Mode and click Next to proceed to the Person Details step of the workflow.


    3. Enter a First Name and Last Name for the partner admin.

    4. Enter Email and Personal Email addresses for the partner admin.

    5. Underneath Primary Business Role and Location, click the Select a Role and Location link to open the Business Role and Location (BRL) Selector.

      1. From the Business Role pane of the BRL Selector, search for and select Partner Admin.


      2. Click Location to show the Location pane of the BRL Selector.

      3. From the Location pane, search for and select one of the

    appropriate
      1. partner

    location Repeat steps 3 and 4 above to create test partner admins for each of your remaining partner locations
      1. locations you created above, and then click Select.

  • Back in the main form, click Save.

    1. Click Next to proceed to the Additional Information section of the workflow.

    2. Review the summary information and click Submit.


    3. Repeat the above steps to create additional test partner admins as needed.

    4. Reset the passwords for each of your test

    users
    1. partner admins. For information on resetting passwords, see Reset Passwords.

    To

    Step 3 – Create a test

    the

    partner

    delegations

    user

  • Log out of the EmpowerID Web application and log back in as one of the partner admins.
  • Enroll for password self-service reset. This occurs the first time you log in as a new person. 
  • Click the Global Search drop-down at the top of the page. You should only see search options for People, Groups and User Accounts.
  • Search for people by clicking in the Global Search field and pressing ENTER. Since your organization does not yet have any partners, you should see no results.
  • Repeat by searching for groups and user accounts. Again, you should see no results.
  • Expand Identity Administration. You should only see menu items for People (Person Manager), Groups (Group Manager) and User Accounts (Account Manager).
  • Click People to navigate to the Find Person page, and click the Create Person Advanced action. This action allows partner admins to create a new partner user, and an Active Directory account for that person, in their partner location.
  • From the General tab of the Create Person form that appears do the following:
  • Type a first name, last name and display name for the person in the First Name, Last Name and Display Name fields, respectively.
  • Type a login in the Login field or click the Login Suggestion button, shown below, to have EmpowerID fill the field with a suggested login.
    1. On the navbar, expand Identity Administration and click People.

    2. Click the Create Identity action.
      This opens the Create Identity form.


    3. Fill in the following required fields and click Save.

    | Field | Description | Example |
    |---|---|---|
    | First Name | First name of the user | Frank |
    | Last Name | Last name of the user | Emu |
    | Login | EmpowerID login for the user | frank.emu |
    | Primary Role and Location | Business Role and Location for the user. For partners, the Business Role is Partners and the location is the location for the partner organization. | Partner in Henrik Hardware |

    Procedure:

    1. Underneath Primary Business Role and Location, click the Select a Role and Location link to open the Business Role and Location (BRL) Selector.

      1. From the Business Role pane of the BRL Selector,

    press ENTER to have EmpowerID return all Business Roles the partner admin can select. You should only see Partner and Partner Admin.Click Partner to select the role and then click Location to expand the Location pane
      1. search for and select Partner.

      2. Click Location to show the Location pane of the BRL Selector.

      3. From the Location pane

    of the BRL Selector, press ENTER to have EmpowerID return all locations the partner admin can see. You should only see the partner location in which the person is the partner admin. You should see no other partner locations or your internal IT structure.Click the partner location to select it
      1. , search for and select one of the partner locations you created above, and then click Select

    to close the BRL Selector
      1. .

  • Click Save to create the new partner. Because partner admins have the delegations to create people in their respective locations, you should see a message stating that the person was successfully created.
  • Repeat as desired, creating as many test partners as you want.
  • Reset the password for each of the test partners you created


    4. Repeat the above steps to create additional test partner users as needed.

    5. Reset the passwords for each of your test partner users. For information on resetting passwords, see Reset Passwords.

    Step 3 – Test the partner delegations

    1. Log out of the EmpowerID Web application and log back in as

    the
    1. a partner

    admin
    1. user.

    Log back in to the Web application as one of the test partners and enroll for password self-service reset.
    Expand the nodes in the Navigation Sidebar. You should see that you have few options and cannot even view other people in your organization.
    1. If prompted to protect access to your identity, select None.


    2. Click the Global Search drop-down at the top of the page. You should only see search options for People.

    3. Search for people by clicking in the Global Search field and pressing ENTER. You should only see the people in the partner organization.

    4. View the navbar. You should see the navigation items:

    | Navigation Item | Purpose |
    |---|---|
    | Dashboards | View personal home dashboard |
    | Password Management | Access to the following features: Personal Profile page (view and edit personal profile); Manage Your Identity Workflow, which provides access to the following self-service actions: Delete an MFA authenticator, Enroll for Q&A password reset, Manage Account Recovery Contacts, Change my password, Edit my profile, Register an MFA authenticator |
    | My Identity | Directs the user to the My Identity app |
    | IAM Shop | Directs the user to the IAM Shop app |
    | Business Requests and Tasks | Directs the user to the My Tasks app |
    | Identity Administration | Directs the user to the Resource Admin app |

    Step 3 – Test the partner admin delegations

    1. Log out of the EmpowerID Web application and log back in as a partner admin.

    2. If prompted to protect access to your identity, select None.


    3. You should see the same navigation and search options as the partner user, with the exception that you can access the Find People page from the navbar.

    4. From the navbar, expand Identity Administration and click People.
      You should see that you have access to the actions shown below.

      Image Added

    Optional exercises

    Repeat the above steps, creating as many partner users and partner admins as desired. Your test results should be consistent across the board.

    In a non-production environment, do the following to have EmpowerID automatically provision user accounts for the partners:

    1. As an administrator, create test OUs for the partner locations you created above.
      For a general example on creating OUs, see Create Organizational Units.

    2. Map those locations to the appropriate OUs.
      For a general example on mapping locations to OUs, see Role and Location Mapper.

    3. Create a Provisioning Policy that provisions an Active Directory user account in the appropriate OU for each person assigned to the Partner in Partners Business Role and Location. This policy will provision an AD account for all partners and partner admins in any location under the Partners location.
      For a general example, see Active Directory User Account Provisioning Policies.

    4. Log in to the Web application as one of the partner admins and search for user accounts. You should see one user account for each partner you created.
