In EmpowerID, Provisioning Policies, also known as "Resource Entitlements" or "RETs," are policies that can be created to automate the provisioning, moving, disabling, and de-provisioning of resources for users based on their meeting certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource specified by the policy.

This topic demonstrates the following:

  • How to create a provisioning policy that provisions Exchange mailboxes

  • How to assign the provisioning policy to an EmpowerID actor type


Prerequisites

  • EmpowerID must first be connected to Active Directory. For details, see Connecting to Active Directory.

  • For Exchange mailboxes, you must have an Active Directory with an Exchange Organization.

  • RET provisioning and RET deprovisioning must be enabled on the Active Directory account store.

This topic demonstrates how to create a RET policy that automates the provisioning and de-provisioning of Exchange mailboxes.
Tip

Provisioning policies can be targeted against any number or combination of Management Roles, groups, Business Roles and Locations, Query-Based collections, as well as individual people.

How to create a provisioning policy for Exchange mailboxes

  1. On the navbar, expand Identity Lifecycle and click Provisioning Policies (RETs).

  2. On the Policies page, click the Add button at the top of the grid.

  3. Under Choose Type, select Exchange User Mailbox from the Object Type To Provision drop-down.

  4. In the General section of the form, fill in the following fields:

    1. Name — Enter a name for the policy.

    2. Description — Enter a description for the policy.

    3. Mailbox Load Balancing Group — Enter the mailbox load balancing group.

    4. Exchange Organization — Enter the name of your Exchange Organization.

    5. Depends on Resource System — Select the Active Directory domain with the Exchange Organization. This specifies that the user must have an AD account in that domain before the mailbox can be provisioned.

  5. In the Throttling Settings section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:

    • All Provisions Require Approval

      • If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • All Deprovisions Require Approval

      • If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • Require Approval if Provision Batch Larger Than Threshold

      • This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the mailboxes until approval is granted.

    • Require Approval if Deprovision Batch Larger Than Threshold

      • This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the mailboxes until approval is granted.

    Info

    As a best practice, when testing provisioning policies, you should select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.

    In our example, we have selected All Provisions Require Approval and All Deprovisions Require Approval, meaning that the provisioning and deprovisioning of all mailboxes must be approved before those mailboxes will be processed by RET Inbox.
  6. In the Advanced section of the form, do the following:

    1. Select a desired option from the On Claim Action drop-down. You have the following options:

      • Do Nothing — No action occurs. This tells EmpowerID to simply mark any previous resources assigned to the user that match this policy as RET-managed resources. For example, if the user already has an Exchange mailbox and is placed in a Management Role targeted by the RET policy, EmpowerID marks that user's mailbox as RET managed.

      • Publish Workflow Event — Executes custom workflow code.

    2. Select a desired option from the On Revoke Action drop-down. You have the following options:

      • Do Nothing — No action occurs.

      • Deprovision — The mailbox is deleted if the person no longer meets the criteria to receive the resource from the RET, such as would occur if the person was terminated or removed from a qualifying Management Role, group, Business Role and Location or Query-Based Collection.

      • Disable — The mailbox is disabled if the person no longer meets the criteria to receive the resource from the RET.

      • Publish Workflow Event — Executes custom workflow code.

    3. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.

  7. Click Save to create the policy.

  8. After EmpowerID creates the policy, you should be directed to the completed Policy Details page for the policy.

Next, assign the policy you just created to one or more targets as demonstrated below.

How to assign the provisioning policy

  1. On the Policy Details page, click the Find Policies breadcrumb.

  2. Search for the policy you just created and then click the Display Name link for it.

    This directs you to the View page for the policy. This page allows you to manage the policy as needed.

  3. On the View page, click the Assignees accordion to expand it. This accordion allows you to assign the policy to any of the following EmpowerID actor types:

    • Business Roles and Locations — All people in the selected Business Role and Location combinations receive the resource granted by the policy.

    • Management Roles — All people in the selected Management Roles receive the resource granted by the policy.

    • Management Role Definitions — All Management Roles that are children of the selected Management Role Definition receive the resource granted by the policy.

    • Query-Based Collections (SetGroup) — All people in the selected collection receive the resource granted by the policy.

    • Groups — All people in the selected groups receive the resource granted by the policy.

    • People — All people selected receive the resource granted by the policy.

  4. From the Assignees accordion, click the Add button above the assignee type to which you are making the assignment.

  5. In the Add Entry pane that appears, search for and select the appropriate assignee.

    In our example, we are assigning the policy to the Contractor in All Business Locations Business Role and Location, so each Person who has the Contractor Business Role in any location will receive a mailbox. To do so, we selected Contractor as the Business Role and, because we want the policy applied to all contractors within any business location of the default organization regardless of their location, Anywhere as the Location.

  6. Enter a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET via another assignment, such as being a member of a group that has the same policy. The lower the number, the higher the priority.

  7. Click Save.

  8. Back in the main form, click Save.

If you selected Approve All Provisions, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID will provision the mailboxes. This is demonstrated in the next section.

To approve pending RETs

  1. From the Navigation Sidebar, expand System Logs and click Provisioning (RET) Inbox.

  2. Click the Pending Approval tab. You should see a list of all RETs requiring approval.

    Info

    If you do not see a list of RETs pending approval, allow several minutes for EmpowerID to process the RET policy and then press the Search button.

  3. To approve a RET, click the Approve drop-down and select Approve from the menu.

  4. Repeat for each RET you want to approve.

  5. When finished with your approvals, click the shopping cart at the top of the page, type a reason for the approval in the dialog and then click Submit.

  6. Back in the RET Inbox, click the Approved or Rejected tab. You should see the RETs you approved show in the grid with a RET Action of Grant.

To verify the RET policy provisioned mailboxes in Exchange

On your Exchange server, open the Exchange Management Shell and run the following PowerShell cmdlet (the cmdlet assumes you provisioned the mailboxes within the last day):

The mailboxes provisioned by the RET policy are returned.
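For the Exchange verification step described above, the following is an added example (not the cmdlet from the original page, and not EmpowerID's own code) that lists mailboxes created inside a look-back window and reconciles them against the aliases you approved in the RET Inbox. The function name, its parameters and the sample aliases are assumptions made for illustration; only `Get-Mailbox` and the mailbox properties it returns are Exchange names.

```powershell
# Added example: run in the Exchange Management Shell.
# Get-RecentlyProvisionedMailbox, -LookbackHours and -ExpectedAlias are
# hypothetical names chosen for this illustration.
function Get-RecentlyProvisionedMailbox {
    [CmdletBinding()]
    param(
        # Default of 24 hours matches the "within the last day" assumption.
        [ValidateRange(1, 720)]
        [int]$LookbackHours = 24,

        # Aliases of the people whose RETs were approved (optional).
        [string[]]$ExpectedAlias = @()
    )

    $cutoff = (Get-Date).AddHours(-$LookbackHours)

    # WhenCreated is set by Exchange when the mailbox object is created.
    $recent = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.WhenCreated -ge $cutoff } |
        Sort-Object WhenCreated |
        Select-Object DisplayName, Alias, PrimarySmtpAddress, Database, WhenCreated)

    $found = @($recent | ForEach-Object { $_.Alias })

    # Unexpected: mailboxes created in the window that were not on the approved list.
    # Missing:    approved entries for which no mailbox exists yet.
    $unexpected = @()
    if ($ExpectedAlias.Count -gt 0) {
        $unexpected = @($found | Where-Object { $ExpectedAlias -notcontains $_ })
    }
    $missing = @($ExpectedAlias | Where-Object { $found -notcontains $_ })

    New-Object PSObject -Property @{
        Cutoff     = $cutoff
        Mailboxes  = $recent
        Unexpected = $unexpected
        Missing    = $missing
    }
}

# Constructed sample aliases; replace with the people approved in the RET Inbox.
$report = Get-RecentlyProvisionedMailbox -LookbackHours 24 -ExpectedAlias 'jdoe', 'asmith'
$report.Mailboxes | Format-Table -AutoSize
"Unexpected: $($report.Unexpected -join ', ')"
"Missing:    $($report.Missing -join ', ')"
```

An alias under Missing may only mean the RET has not been processed yet, while an alias under Unexpected is a mailbox created outside the set you approved and is worth tracing back to its policy assignment.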
