The EmpowerID Box connector allows organizations to bring the user and group data in their Box system into EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Account Management
    • Inventory Box user accounts
    • Create, Update and Delete Box user accounts
    • Enable and Disable Box user accounts

  • Group Management
    • Inventory Box groups
    • Inventory Box group memberships
    • Create and Delete Box groups
    • Add and Remove members to and from Box groups

  • Attribute Flow
    Users in Box are inventoried as accounts in EmpowerID. The table below shows how Box user attributes map to EmpowerID Person attributes.

| Box Attribute | Box Table | Corresponding EmpowerID Attribute | Description |
|---|---|---|---|
| name | User | Name | Name of the user |
| FirstName | User | FirstName | First name of the user |
| LastName | User | LastName | Last Name of the user |
| DisplayName | user | FriendlyName | Display name of the user |
| login | User | Login | Login of the user |
| status | User | Active | Specifies whether the user is active |
| CompanyName | User | Company | Company name of the user |
| Description | User | Description | Description of the user |
| Language | User | PreferredLanguage | Language of the user |
| Job_title | User | Title | Title of the user |
| Phone | User | Telephone | Phone number of the user |



Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Box accounts for any person within your organization based on your policy requirements.


Prerequisites

In order to connect EmpowerID to Box, the following prerequisites need to be met:

  1. Your organization must have an enterprise Box account.
  2. You must supply the credentials for the Box administrator account. EmpowerID uses this account as a connection proxy to manage Box on your behalf.



This topic demonstrates how to connect EmpowerID to Box and is divided into the following activities:

To register EmpowerID as an application in Box

  1. Log in to https://app.box.com/developers/console.
  2. Click Dev Console and then click Create New App.

  3. Select Enterprise Integration and click Next.

  4. On the Authentication Method page, select OAuth 2.0 with JWT (Server Authentication) and then click Next.

  5. Name the app and then click Create App.

    Box creates the app and generates a developer token.

  6. Click View Your App.

    This directs you to the Configuration page.

  7. Under Application Access, select Enterprise.

  8. Under Application Scopes, select the options shown below.
  9. Under Advanced Features, select Perform Action as Users and Generate User Access Tokens.
  10. Under Add and Manage Public Keys, click Generate a Public/Private Keypair.

    Note: When you click Generate a Public/Private Keypair, Box sends a verification code to the mobile number linked to the account. To use this feature, two-factor authentication must be enabled on Box.

  11. Enter the code sent to your mobile number.
  12. Back on the Configuration page, under App Settings, click Download as JSON.
    Under Add and Manage Public Keys, download the JSON file generated by Generate a Public/Private Keypair.
  13. Save your changes and then point your browser to https://app.box.com.
  14. Select Admin Console from the sidebar.
  15. Select Enterprise Settings and then click the Apps tab.

  16. Under Custom Applications, click Authorize New App and wait about 10 minutes before proceeding to the next step.
  17. Copy the value for the ClientID of the application from the JSON file you downloaded above.
  18. Paste the ClientID in the API Key field of the App Authorization dialog and then click Next.

  19. Click Authorize.

After registering EmpowerID in Box, the next step is to create a Box account store in EmpowerID.
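
A pre-upload check for the JSON file downloaded in step 12 and read in step 17, added here as an example (it is not EmpowerID or Box code). The key names follow the layout of Box's JWT app settings file, which this page does not show; the function names and every sample value are constructed for illustration.

```python
import json
import os
import tempfile

# Key paths in the JSON file Box generates with the keypair. Assumed from the
# layout of Box's JWT app settings file; the page itself only names ClientID.
APP, AUTH = "boxAppSettings", "appAuth"
REQUIRED_PATHS = [
    (APP, "clientID"), (APP, "clientSecret"), ("enterpriseID",),
    (APP, AUTH, "publicKeyID"), (APP, AUTH, "privateKey"), (APP, AUTH, "passphrase"),
]

def lookup(doc, path):
    """Walk nested dicts; None if any key on the path is absent."""
    for key in path:
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def check_box_config(path):
    """Return (client_id, problems); secret values are never echoed."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if os.name == "posix" and mode & 0o077:  # any group/other permission bit
        problems.append(f"mode {mode:03o}: private key accessible to other accounts")
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    for p in REQUIRED_PATHS:
        value = lookup(doc, p)
        if value is None or not str(value).strip():
            problems.append("missing or empty: " + ".".join(p))
    key = lookup(doc, (APP, AUTH, "privateKey"))
    if isinstance(key, str) and key.strip() and "PRIVATE KEY-----" not in key:
        problems.append("privateKey is not PEM text")
    return lookup(doc, (APP, "clientID")), problems

def demo():
    """Constructed sample with placeholder values, checked at mode 644 then 600."""
    pem = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n-----END ENCRYPTED PRIVATE KEY-----\n"
    auth = {"publicKeyID": "CONSTRUCTED", "privateKey": pem, "passphrase": "CONSTRUCTED"}
    sample = {APP: {"clientID": "CONSTRUCTED-CLIENT-ID", "clientSecret": "CONSTRUCTED",
                    AUTH: auth}, "enterpriseID": "0000000"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "box_config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        loose = check_box_config(path)
        os.chmod(path, 0o600)
        tight = check_box_config(path)
    return loose, tight
```

Because the file carries the app's private key and passphrase, the check reports only field names and the client ID, so its output can be pasted into a ticket without exposing the credentials.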


To create a Box account store in EmpowerID

  1. From the navigation sidebar of the EmpowerID Web interface, expand Admin > Applications and Directories and then click Account Stores and Systems.
  2. On the Account Stores page, click Create Account Store.

  3. Under System Types, search for Box.
  4. Click Box.com to select the type and then click Submit.

  5. On the Box Settings page that appears, do the following:
    1. Enter a Name in the Name field.
    2. Enter a UPN Suffix in the UPN Suffix field.
    3. Click Choose File and upload the application JSON file you downloaded from Box.
    4. Click Submit.


To configure Attribute Flow rules

About Attribute Flow Rules

EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store.


The following flow rules are available:

  • No Sync - When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting.
  • Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.

The following CRUD operations are available:

  • Create - This operation is used to create an attribute value for an existing attribute when the value of that attribute is null.
  • Update - This operation is used to update the value of an attribute.
  • Delete - This operation is used to delete the value of an attribute.




  1. From the navigation sidebar, expand Admin > Applications and Directories and click Attribute Flow Rules.
  2. From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the Box account store and then click Search to filter the rules shown in the grid.


    Note: The attributes from the EmpowerID Person object are displayed in the left column with the corresponding attributes from the account store displayed in the right column.


  3. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.


  4. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.

    Note: EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and Box were being inventoried by EmpowerID.


Now that the attribute flow has been set, the next steps include turning on and monitoring inventory.

To turn on inventory

  1. Back on the Account Stores page, search for the Box account store you just created.
  2. From the grid, click the Account Store link for your Box account store.

  3. On the Account Store Details page that appears, click the Edit icon.

    This opens the edit page for the Box account store. This page allows you to specify the account proxy used to connect EmpowerID to your Box account as well as how you want EmpowerID to handle the user information it discovers in Box during inventory.


  4. From the Inventory tab, check Inventory Enabled.

  5. Click the Save button at the bottom of the page.

If you are using the Account Inbox to provision or join the user accounts in Box to EmpowerID Persons, you need to turn on the Account Inbox. This is demonstrated in the section below.

To enable the Account Inbox permanent workflow

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.
  2. From the Permanent Workflows page, click the Display Name link for Account Inbox.

  3. From the View One page for the workflow that appears, click the edit link for the workflow.

  4. From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.


To monitor inventory

  1. From the navigation sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.

    The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.


  • Dashboard - This tab provides a quick summary of account inbox activity.
  • Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
  • Failed - This tab displays a grid view of any account joining or provisioning failures.
  • Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
  • Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
  • Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
  • Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
  • Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
  • All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.

