Versions Compared

Old Version 1

changes.mady.by.user Anonymous

Saved on

compared with

New Version Current

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In EmpowerID, you can create Provisioning policies, also known as "Resource Entitlements" or "RETS," Provisioning Policies allow you to automate the provisioning, moving, disabling, and de-provisioning of resources to for users based on whether they belong to a specific:

  • Group
  • Management Role
  • Business Role and Location
  • Query-Based Collection

Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policytheir roles, memberships and locations within your organization.

This topic demonstrates how the following:

  • How to create a

RET

  • provisioning policy that provisions ServiceNow user accounts

. Info
titlePrerequisites
Before you can create a Provisioning policy for ServiceNow accounts, the following prerequisites need to be met:

  • How to assign the provisioning policy to an EmpowerID actor type

Note

Prerequisites

  • EmpowerID must first be connected to ServiceNow. For

the

  • details,

see 

To create a policy that provisions ServiceNow accounts

From the Navigation Sidebar, expand the Admin node, then Policies, and click Provisioning Policies (RETS
Tip

Provisioning policies can be targeted against any number or combination of Management Roles, groups, Business Roles and Locations, Query-Based collections, as well as individual people.

How to create a provisioning policy for ServiceNow User Accounts

  1. n the navbar, expand Identity Lifecycle and click Provisioning Policies (RETs).

  2. On the

     Actions tab

    Policies page, click

    the Create Provisioning Policy tile.
    Image Removed
    In the Choose Type section of the Policy Details form that appears, select Default from the 

    the Add button at the top of the grid.

    Image Added

     

  3. Under Choose Type, select Default from the Object Type To Provision

     

    drop-down.

    Image Added

    4. For the Resource Type, select

  4. In the

     

    General

     

    section of the form

    , enter

    fill in the following

    settings.
  5. For the Name and Display Name fields, enter a name.

  6. fields:

    1. Name — Enter a name for the policy.

    2. Description — Enter a description for the policy.

    3. Resource Type — Select User Account.

    7. For the 

    1. Resource System

    8. , select ServiceNow

    1. — Select your inventoried DAX User resource system.

    9. For the 

    1. Object Class

    10. , enter

    1. — Enter User.

    11. For the 

    1. Creation Path

    12. , search

    1. — Click the Select an External Location link and then search for and select your ServiceNow location.

    13. Image Removed
    1. Image Added


  14. In the

     

    Throttling Settings

    , set these as required for your organization.

    section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:

    • All Provisions Require Approval

    15.  - Select to send provisioning for

    • — If this option is selected, the provisioning of each RET specified by the policy

    16. for approval

    • will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • All Deprovisions Require Approval

    17.  - Select to send deprovisioning for

    • — If this option is selected, the deprovisioning of each RET specified by the policy

    18. for approval

    • will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • Require Approval if Provision Batch Larger Than Threshold

    19.  - Set

    • — This field allows you to set a numeric value

    20. for

    • that needs to be reached by a single run of the Resource Entitlement Inbox before

    21. approval is required

    • an approver needs to approve the provisions. If the threshold is reached,

    22. no accounts are provisioned

    • EmpowerID will not provision any of the ServiceNow user accounts until approval is granted.

    • Require Approval if Deprovision Batch Larger Than Threshold

    23.  - Set

    • — This field allows you to set a numeric value

    24. for

    • that needs to be reached by a single run of the Resource Entitlement Inbox before

    25. approval is required

    • an approver needs to approve the deprovisions. If the threshold is reached,

    26. no accounts are deprovisioned

    • EmpowerID will not deprovision any of the ServiceNow user accounts until approval is granted.

    27. Tip

    As a best practice, when testing provisioning policies, select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.

  27. In the Advanced section of the form, enter the following settings.
  28. Leave On Claim Action set to Do Nothing.
  29. Set On Transform Action to Move.
    30. Set On Revoke Action to Deprovision. This tells EmpowerID to disable the ServiceNow account

  30. In the Advanced section of the form, do the following:

    1. Select a desired option from the On Claim Action drop-down. You have the following options:

      • Do Nothing — No action occurs. This tells EmpowerID to simply mark any previous resources assigned to the user that match this policy as RET-managed resources. For example, if the user already has a ServiceNow user account and is placed in a Management Role targeted by the RET policy, EmpowerID marks that user's ServiceNow account as RET managed.

      • Delete and Recreate — The user account is deleted and recreated.

      • Move — Marks any previous resources assigned to the user that match the RET as RET-managed resources and moves the user object to the OU specified by the RET policy.

      • Publish Workflow Event — Executes custom workflow code.

    2. Select a desired option from the On Transform Action drop-down. You have the following options:

      • Do Nothing — No action occurs.

      • Delete and Recreate — The user account is deleted and recreated.

      • Move — Marks this resource with the new RET policy number and moves the user object to the OU specified by the RET policy

      • Publish Workflow Event — Executes custom workflow code.

    3. Select a desired option from the On Revoke Action drop-down. You have the following options:

      • Do Nothing — No action occurs.

      • Deprovision — The user account is deleted if the person no longer meets the criteria to receive the resource from the RET, such as would occur if the person was terminated or moved to a Business Role and Location without a RET policy for the specified resource.

      • Disable — The user account is disabled if the person no longer meets the criteria to receive the resource from the RET.

      • Disable and Move — The user account is disabled and moved to the OU specified in the OU to Move Disabled Users field if the person no longer meets the criteria to receive the resource from the RET.

      • Publish Workflow Event — Executes custom workflow code.

    4. Leave the

    31.  

    1. Creation Location Path Resolver Assembly

    32.  

    1. and

    33.  

    1. Creation Location Path Resolver Type

    34.  

    1. fields empty. These fields allow you to use a custom assembly to set where

    35. to create

    1. an account (or any RET that requires a path) should be created.

    36. Image Removed
  36. Back in the main form, click Save.
Next, add Assignees to

  1. Click Save to create the policy.

  2. After EmpowerID creates the policy, you should be directed to the completed Policy Details page for the policy.

    Image Added

Next, assign the policy you just created . Here you specify the Business Roles and Locations, Management Roles, Management Role Definitions, Query-Based Collections, Groups, or People to assign to the policy. If Assignees are not set, EmpowerID assigns all users to the ServiceNow profile by default.

To set the Assignees

  • Click the Find Policies breadcrumb located at the top of the Policy Details page.
    • From the Policies tab, search

    to one or more targets as demonstrated below.

    How to assign the provisioning policy

    1. On the Policy Details page, click the Find Policies breadcrumb. 

      Image Added


    2. Search for the policy you just created and then click the

       

      Display Name

       

      link for it.

      Image RemovedImage Added

      This

      opens

      directs you to the

       

      View

       

      page for the policy.

      View pages allow

      This page allows you to

      view and manage resources.
      Image Removed
      In

      manage the policy as needed. 

      Image Added


    3. On the View page, click the

       

      Assignees

       

      accordion to expand it

      and then, in Business Roles and Locations, click the Add (+) button.
      Image Removed
      Select a Role and Location, for example, All Employees in ServiceNow, and click Select, then Save. EmpowerID uses this information to decide who gets provisioned an account in ServiceNow.
      Image Removed

    Next, assign the policy you just created to one or more targets as demonstrated below.

    To assign the provisioning policy to users

    Still in the Assignees accordion, scroll down to People, and click the Add (+) button to add a person as an assignee to the policy. In the Person box, press ENTER to search, and select a person.
    Image Removed
  • Click Save.

    • If you selected All Provisions Require Approval, Resource Entitlement Inbox, and Resource Entitlement, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID can provision the ServiceNow accounts. This is demonstrated in the next section.

    To approve the resource entitlements

  • In the Navigation Sidebar, expand System Logs, then Policy Inbox Logs and select Provisioning (RET) Inbox.
    • Click the Pending Batches tab to see a batch for the ServiceNow Resource Entitlement. In our case, you can see the Person you assigned to the ServiceNow location on the Pending Approval tab.
    Image Removed
  • To approve the batch or the person, click the Approve drop-down and select Approve from the menu.
    • Click the shopping cart icon at the top of the page, then type a reason for the approval in the cart dialog and then click Submit.
    Image Removed
    Tip

    After the RET Inbox has provisioned the ServiceNow accounts, you can view and manage those accounts and the groups created for those accounts from the ServiceNow Manager page. To see it, in the Navigation Sidebar, expand Pages and click ServiceNow Manager. The tabs along the top give you access to Users, Roles and Groups, and Role and Group Changes.

    InfoiconfalsetitleRelated Content

    1. . This accordion allows you to assign the policy to any or the following EmpowerID actor types:

      • Business Roles and Locations — All people in the selected Business Role and Location combinations receive the resource granted by the policy.

      • Management Roles — All people in the selected Management Roles receive the resource granted by the policy.

      • Management Role Definitions — All Management Roles that are children of the selected Management Role Definition receive the resource granted by the policy.

      • Query-Based Collections (SetGroup) — All people in the selected collection receive the resource granted by the policy.

      • Groups — All people in the selected groups receive the resource granted by the policy.

      • People — All people selected receive the resource granted by the policy.

    2. From the Assignees accordion, click the Add button above the assignee type to which you are making the assignment.

    3. In the Add Entry pane that appears, search for and select the appropriate assignee.

    4. Enter a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET via another assignment, such as being a member of a group that has the same policy. The lower the number, the higher the priority. 

      Image Added

    5. Click Save.

    6. Click Save on the main page.

    Insert excerpt
    IL:External Stylesheet - Test
    IL:External Stylesheet - Test
    nopaneltrue

    Div
    stylefloat: left; position: fixed; top: 105px; padding: 5px; idtoc
    classtopicTOC
    Div
    stylemargin-left: 40px; margin-bottom: 40px;
    Live Search

    spaceKey

    size

    E2D
    Div
    stylefont-size: 1rem; margin-bottom: -45px; margin-left: 40px;text-transform: uppercase;

    On this page

    Table of Contents
    large

    placeholderSearch the documentationtypepage

    2
    maxLevellabels2020,admin

    IN THIS ARTICLE

    Table of Contents
    minLevel2
    maxLevel4
    stylenone