Creating Provisioning Policies for Microsoft Dynamics Users


In EmpowerID, Provisioning policies, also known as "Resource Entitlements" or "RETs," are policies that automate the provisioning, moving, disabling and de-provisioning of resources to users based on their meeting certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policy.

Dynamics AX (DAX) has two types of users, Active Directory users and Claims users. By default, DAX provisions all users as Claims Users. Thus, to create both types of users through RET policies, EmpowerID recommends you create a RET policy for both. The difference between these two types of policies is demonstrated below.

This topic demonstrates how to create a RET policy that provisions Microsoft Dynamics AX (DAX) users and is divided into the following activities:

Prerequisites

Before you can create a Provisioning policy for DAX users, the following prerequisites need to be met:

  • EmpowerID must first be connected to DAX. For ... details, ...

To enable RET Provisioning and Deprovisioning
  1. From the Navigation Sidebar, navigate to Account Store Manager by expanding Admin > Applications and Directories and clicking Account Stores.
  2. In Account Store Manager, search for your Microsoft Dynamics User account store and click the Account Store link for the record returned.
  3. On the View page, click the Edit link. Edit links are notated with pencil icons.
  4. From the Edit page, locate the Features section and verify that the AllowProvisioning and AllowDeProvisioning features are enabled (checked). If they are not enabled, click each one so that they have a checkmark and then click Save.
To create a provisioning policy for DAX user accounts

  1. In the Navigation Sidebar of the EmpowerID Web interface, expand Admin, then Policies, and click Provisioning Policies (RETs).
  2. From the Find Resource Entitlements page, click the Actions tab and then click the Create Provisioning Policy tile.
  3. In the Choose Type section of the Policy Details form that appears, select Default from the Object Type To Provision drop-down.
  4. In the General section of the form, do the following:
    1. Type a name in the Name field.
    2. Optionally, type a description in the Description field.
    3. Select User Account from the Resource Type drop-down.
    4. Select your DAX user resource system from the Resource System drop-down.
    5. Type user in the ObjectClass drop-down.

      After completing the above, the General section of the form looks similar to the following image.


  5. In the Throttling Settings section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:
    • All Provisions Require Approval - If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • All Deprovisions Require Approval - If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • Require Approval if Provision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the accounts until approval is granted.
    • Require Approval if Deprovision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the accounts until approval is granted.

      Info

      As a best practice, when testing provisioning policies, you should select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.


      In our example, we have selected Approve All Provisions and Approve All Deprovisions, meaning that the provisioning and deprovisioning of all DAX user accounts must be approved before those accounts will be processed by RET Inbox.

  6. In the Advanced section of the form, do the following:
    1. Leave the On Claim Action set to Do Nothing.
    2. Leave the On Transform Action set to Do Nothing.
    3. Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to delete the DAX user account if the person no longer meets the criteria to receive the resource from the RET, such as would occur if the person was terminated or moved to a Business Role and Location without a RET policy for the specified resource.
    4. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.

      The Advanced and Creation Path Resolver sections of the form should look like the following image.

  7. Click Save.

The next section involves setting Configuration Parameters for the DAX User provisioning policy. This is only necessary if you are creating a provisioning policy for DAX users with an Active Directory user account type. If this provisioning policy is for DAX users with the Claims user account type, you can skip the section.

To set the Configuration Parameters for the Provisioning Policy

  1. Navigate to the Resource Entitlements Find page by clicking the Find Policies breadcrumb located at the top of the Policy Details page for the policy you just created.

  2. From the Policies tab of the Resource Entitlements Find page, search for the policy you just created and click the Display Name link.

    This opens the View page for the policy.

  3. In the View page, expand the Configuration Parameters accordion and then click the Add Parameter (+) button.

  4. In the General pane that appears, type accountType in the Name field, Active Directory User in the ConfigurationValue field and then click Save to close the pane.


Next, assign the policy you just created to one or more targets as demonstrated below.

To assign the provisioning policy to users



Info

If you did not add configuration parameters to the provisioning policy (as ... described in the above section), you can begin with step 2 below.



  1. From the View page for the DAX RET, return to the Policy Details form by clicking the Edit link for the policy located at the top of the page.

  2. From the Policy Details form, scroll to the Policy Assigned To section and click the Add (+) button underneath the specific target type to which you want to assign the RET. In our example, we are assigning the policy to the Intern in Corporate Business Role and Location so we are clicking the Add (+) button in the Business Role and Locations pane of the section.

    This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.
  3. From the Add Entry pane, click the Select a Role and Location link. In the Business Role and Location selector that appears, do the following:
    1. Search for and select the Business Role to which you want to assign the policy. In our example, we are assigning the policy to the Intern Business Role, so we have selected Intern.

    2. Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all Interns in or below the Corporate location, so we have selected Corporate.

    3. Click Select to close the Business Role and Location selector.
    4. Type a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET by virtue of another assignment, such as being a member of a group that has the same policy.
    5. Click Save.

  4. Back in the main form, click Save.

If you selected Approve All Provisions, you must manually approve each item in the Resource Entitlement Inbox before EmpowerID will provision the DAX accounts. This is demonstrated in the next section.

To approve the resource entitlements

  1. In the Navigation Sidebar, expand System Logs and click RET Inbox.
  2. Click the Pending Approval tab. You should see a record for each RET that needs to be approved.

  3. To approve the RETs, click the Approve drop-down for each RET and select Approve from the menu.

  4. Click the shopping cart icon at the top of the page, then type a reason for the approval in the cart dialog and then click Submit.


    Tip

    After the RET Inbox has provisioned the DAX user accounts, you can view and manage those accounts as you would any other user accounts.



