...

The following image shows the possible targets of a RET policy. When a policy is targeted to a collective actor, such as those depicted below, every person belonging to that actor receives the entitlements specified by the policy. Thus, in the image below, each person belonging to the Help Desk in Customer Services BRL, the Help Desk Technicians group, the Enterprise IT Help Desk Management Role, and the All Users with Help Desk Titles Query–Based Collection would receive an AD user account, an Exchange mailbox, and a home folder.

Info

The image below is only to demonstrate how RETs can be targeted to different actors in EmpowerID. However, as a best practice, a RET like the one depicted below would be assigned to only one actor type at a more global level, such as All Standard Employees in All Business Locations.

...

Depending on how a particular Resource Entitlement policy is configured, any change to a person's status, such as a change to their Business Role and Location, may trigger changes in the user accounts and resources assigned to that person. For example, if your company employs contractors along with standard employees, you could configure RET policies to automatically provision an Active Directory account, a mailbox, and a home folder each time a new employee is onboarded (rather than for each specific actor type as depicted above), but only provision an Active Directory account (within a different OU) and a mailbox for contractors. In the event a contractor becomes a standard employee, or an employee becomes a contractor, these policies could take the appropriate action and do things like move the user accounts for those people to the OU that corresponds to their role as well as provision or de-provision resources accordingly.

Info

This process is dependent on the configuration of the Allow RET Provisioning and Allow RET De–Provisioning settings for the account store containing the user accounts. Accessible from the configuration screen for the account store in Configuration Manager, these settings tell EmpowerID whether RET policies can be applied to the user accounts that have been inventoried from that account store. The function of these settings is as follows:

  • Allow RET Provisioning – This setting allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy–assigned user accounts, but have not yet had them provisioned.

  • Allow RET De–Provisioning – This setting allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy–assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De–provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De–Provision.

...

  • On Transform Action – Transforming occurs when a person with a resource provisioned by one RET policy receives an equivalent RET from a different policy. This typically happens when a person changes their Business Role or Location. The Transform Action marks this resource with the new RET policy number and triggers the Transform Action specified by the new RET policy. Not all Transform Actions are implemented for all types of RETs. The four options and outcomes are:

    • Do Nothing – No changes are made.

    • Move – In the case of user accounts, moves the user object to the OU specified by the RET or as determined through the mapping of OUs to Business Roles and Locations.

    • Delete and Recreate – In the case of user accounts, deletes and recreates the user.

    • Register Event – Raises the event specified.

  • On Revoke Action – This occurs when a person who received a resource via a RET no longer receives the RET policy, typically due to a change in Business Role or Location.

    • Do Nothing – No changes are made to the resource.

    • De-provision – Deletes the resource.

    • Disable – Disables the resource.

    • Register Event – Raises the event specified.

  • Claim Action Workflow Event – This is an optional setting that allows you to enter the name of a predefined EmpowerID event registration. The RET action will "fire" this event which then triggers the initiation of all workflows that subscribe to the event. The only requirement for these event workflows is an input property of the type Resource named "resource" (case sensitive). The RET process will pass in the resource of the Person's RET (Account, Home Folder, Exchange Mailbox, etc.) that triggered the event for further processing by the custom workflow(s). The custom workflows can be used to implement more advanced processes for deprovisioning or other events.

  • Transform Action Workflow Event – This is an optional setting that allows you to enter the name of a predefined EmpowerID event registration. The RET action will "fire" this event which then triggers the initiation of all workflows that subscribe to the event. The only requirement for these event workflows is an input property of the type Resource named "resource" (case sensitive). The RET process will pass in the resource of the Person's RET (Account, Home Folder, Exchange Mailbox, etc.) that triggered the event for further processing by the custom workflow(s). The custom workflows can be used to implement more advanced processes for deprovisioning or other events.

  • Revoke Action Workflow Event – This is an optional setting that allows you to enter the name of a predefined EmpowerID event registration. The RET action will "fire" this event which then triggers the initiation of all workflows that subscribe to the event. The only requirement for these event workflows is an input property of the type Resource named "resource" (case sensitive). The RET process will pass in the resource of the Person's RET (Account, Home Folder, Exchange Mailbox, etc.) that triggered the event for further processing by the custom workflow(s). The custom workflows can be used to implement more advanced processes for deprovisioning or other events.
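The account store settings and the Transform and Revoke actions described above combine into a small decision table. The sketch below is an added example, not EmpowerID code: it models that table so a planned role change can be reviewed for account deletions before the settings are enabled. The record types, field names, policy numbers and people are hypothetical, and it assumes the Allow RET De–Provisioning setting gates only the De-provision revoke action.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical records for a dry-run review; these are not EmpowerID types.
@dataclass(frozen=True)
class RetPolicy:
    number: int
    transform_action: str = "Do Nothing"  # Do Nothing | Move | Delete and Recreate | Register Event
    revoke_action: str = "Do Nothing"     # Do Nothing | De-provision | Disable | Register Event

@dataclass(frozen=True)
class AccountStore:
    allow_ret_provisioning: bool
    allow_ret_deprovisioning: bool

def plan(store: AccountStore, held: Optional[RetPolicy], granted: Optional[RetPolicy]) -> str:
    """held: policy stamped on the person's existing account (None if no account).
    granted: policy that currently grants the person an account (None if none)."""
    if held is None:
        if granted is None:
            return "nothing"
        return "provision" if store.allow_ret_provisioning else "blocked: provisioning disallowed"
    if granted is None:  # revoke: the person no longer receives the policy
        # Assumption: the account store flag gates only the De-provision action.
        if held.revoke_action == "De-provision" and not store.allow_ret_deprovisioning:
            return "blocked: de-provisioning disallowed"
        return f"revoke: {held.revoke_action}"
    if granted.number != held.number:  # transform: equivalent RET from another policy
        return f"transform: {granted.transform_action} (policy {held.number} -> {granted.number})"
    return "nothing"

def deletions(store: AccountStore, changes) -> list:
    """Return (person, outcome) pairs whose outcome deletes an account."""
    flagged = []
    for person, held, granted in changes:
        outcome = plan(store, held, granted)
        if outcome == "revoke: De-provision" or outcome.startswith("transform: Delete and Recreate"):
            flagged.append((person, outcome))
    return flagged

# Constructed sample: policy numbers and people are invented for illustration.
EMPLOYEE = RetPolicy(101, transform_action="Move", revoke_action="Disable")
CONTRACTOR = RetPolicy(201, transform_action="Move", revoke_action="De-provision")
CHANGES = [
    ("new.hire", None, EMPLOYEE),        # entitled, not yet provisioned
    ("jdoe", EMPLOYEE, CONTRACTOR),      # employee becomes contractor
    ("asmith", CONTRACTOR, None),        # contractor loses the policy
]
```

Calling `deletions(AccountStore(True, True), CHANGES)` lists the accounts that would be removed; with de-provisioning disallowed on the account store the same changes produce no deletions.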

...

Active Directory User Accounts

Exchange Mailboxes

Home Folders

Microsoft Dynamics

...