
Getting Started with Directory Systems


Before you connect EmpowerID to an external directory, there are a number of prerequisite steps you need to take. You only need to perform these steps the first time you connect to an external directory. These steps are as follows:

  • Setting the server role for each of your EmpowerID servers — Server roles determine what EmpowerID jobs (back-end processes) and Web services are enabled on a particular server. EmpowerID categorizes server roles in the following way:

    • All-in-One-Server – The server role runs all front-end Web services and back-end processes. This role is designed to be used if you have a small environment with only one EmpowerID server.

    • Application Server Full – This server role runs all back-end processes, known as Jobs in EmpowerID. By default it does not run any Web services.

    • Application Server Light – This server role runs the minimum number of back-end processes. By default, it does not run any Web services.

    • Default – This server role has no Jobs or Web services associated with it. When you install EmpowerID on a server, EmpowerID assigns this role to the server. This is to ensure no Jobs or Web services run on a server not designated for those Jobs or Web services. You need to change this to the appropriate role for each EmpowerID server for that server to function as intended.

    • Web Front-End – This server role runs all Web services. By default it does not run any back-end processes.

  • Reviewing the Join and Provision Rules – When you connect EmpowerID to an external directory or other identity-aware application and turn on inventory, EmpowerID evaluates the accounts in those external systems to determine whether EmpowerID People should be provisioned from those accounts. The logic that determines this is specified by the Join and Provision Rules, as well as the filters in the Identity Warehouse. Thus, before turning on inventory, you should review these rules and filters and adjust them as needed.

Server Jobs

Attribute Flow - Directory Change Processor Job – Job hosted by the Worker Role service that takes the attribute changes from the attribute inbox that were discovered during inventory and processes them using the attribute flow rules to update the Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This job is scheduled per account store.

Account Lockout Detection Job – Job hosted by the Worker Role service that detects locked out user accounts.

Account Password Reset Inbox – Job hosted by the Worker Role service that performs the offline password resets.

Windows Service and AppPool Account Password Sync – Job hosted by the Worker Role service that synchronizes account password resets for accounts used by Windows Services and IIS App Pools.

Attestation Policy Compiler – Synchronizes account password resets for accounts used by Windows Services and IIS App Pools.

Attestation Processor – Not used - placeholder for customization.

Database Archiving Rule Processor – Job hosted by the Worker Role service that performs database archiving rules and processes.

Dynamic Hierarchy Generation Job – Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies.

Dynamic Hierarchy Membership Inbox Processor Job – Job hosted by the Worker Role service that syncs the group membership for each group in the group hierarchy membership inbox.

Dynamic Hierarchy Membership Recalculation Job – Job hosted by the Worker Role service that calculates which groups in group hierarchy policies should have their membership refreshed.

Dynamic Hierarchy Provision Inbox Processor – Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies.

Group Membership Queue Processor Job – Job hosted by the Worker Role service that batch processes changes to group memberships.

Group Membership Reconciliation Job – Job hosted by the Worker Role service that evaluates the current "as is" membership of groups versus the "should be" state of who should be a member based upon dynamic RBAC assignments of the "Member" Resource Role in EmpowerID. This job is scheduled per Resource System or Account Store.

Inventory Job – Job hosted by the Worker Role service that claims inventory jobs for Resource Systems and Account Stores on a scheduled basis and calls the inventory method for that system. For Account Stores, the inventory process is responsible for populating the attribute inbox, and it can also run the initial Person provision process using the same Join and Provision Rule logic used by the Account Inbox One by One or Account Inbox Bulk permanent workflow. The actual implementation of how to inventory each system will be specific to the type of system and the implementation in its connector. This job is scheduled per Resource System or Account Store.

Office 365 Batch Processor – Job hosted by the Worker Role service that performs the batch processing for Exchange Online Office365 actions.

Permanent Workflow Job – Job hosted by the Worker Role service that ensures permanent EmpowerID workflows are kept in a continuously running state.

Person Default Attributes Reinforcement Job – Job hosted by the Worker Role service that is responsible for making sure people have the mandatory attributes assigned by policy. It will also populate the outbox so accounts owned by the person are updated.

RBAC Maintenance Job – Job hosted by the Worker Role service to calculate RBAC assignments.

RBAC Security Compiler Job – Job hosted by the Worker Role service that is responsible for building the Location and Business Role trees. It also calculates the location of each resource and which security delegations will affect it. This job MUST run on only ONE server.

RBAC Security Person Business Role Compiler Job – Job hosted by the Worker Role service that is responsible for calculating what business roles and locations a person will have based on all possible assignments.

Resource Entitlement Inbox Processor Job – Job hosted by the Worker Role service that performs the actions specified by the Resource Entitlement Inbox entries (Provision, Deprovision, etc.).

Resource Entitlement Recalculation Job – Job hosted by the Worker Role service that evaluates the current "as is" status of Resource Entitlement policies (RETs) versus the "should be" state. This entails determining what Accounts, Home Folders, Exchange Mailboxes, etc., people currently own versus what they should own by policy. The delta to normalize what they have with what they should have is written to the Resource Entitlement Inbox as a series of actions to be performed (Provision, Disable, Move, De-provision).

Resource Role Reconciliation Job – Job hosted by the Worker Role service that manages the membership of EmpowerID Resource Role groups (RRGs). It determines who should currently be a member of those RRGs and then modifies the membership to match. This job is scheduled per Resource System or Account Store.
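The Group Membership Reconciliation, Resource Entitlement Recalculation and Resource Role Reconciliation jobs above share one pattern: compare the "as is" state with the policy-derived "should be" state and queue the delta as actions for an inbox processor to carry out. The Python below is an added example that sketches that pattern; it is not EmpowerID code. The Action and Owned types, the sample data, and the choice to Disable an entitlement on the first pass and Deprovision it only once it is already disabled are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    """One entry a recalculation job would write to an inbox for a processor job to run."""
    kind: str          # Provision, Disable, Move or Deprovision (the actions the page names)
    person: str
    resource: str      # group name or resource type
    detail: str = ""

@dataclass(frozen=True)
class Owned:
    """An entitlement a person currently holds (the "as is" side)."""
    location: str      # OU, mailbox database, file-server path (constructed values below)
    enabled: bool = True

def reconcile_membership(as_is, should_be, group):
    """Group membership: current members versus the members RBAC says there should be."""
    add = [Action("Provision", p, group) for p in sorted(should_be - as_is)]
    remove = [Action("Deprovision", p, group) for p in sorted(as_is - should_be)]
    return add + remove

def reconcile_entitlements(as_is, should_be):
    """Resource entitlements. as_is: person -> resource type -> Owned;
    should_be: person -> resource type -> location required by policy.
    Removal in two passes (Disable, then Deprovision once disabled) is an assumption."""
    actions = []
    for person in sorted(set(as_is) | set(should_be)):
        have = as_is.get(person, {})
        want = should_be.get(person, {})
        for rtype in sorted(set(have) | set(want)):
            owned, target = have.get(rtype), want.get(rtype)
            if owned is None:
                actions.append(Action("Provision", person, rtype, target))
            elif target is None:
                kind = "Disable" if owned.enabled else "Deprovision"
                actions.append(Action(kind, person, rtype, owned.location))
            elif owned.location != target:
                actions.append(Action("Move", person, rtype, f"{owned.location} -> {target}"))
            # same location and still required by policy: nothing to queue
    return actions

# Constructed sample data, not from any real system
SAMPLE_AS_IS = {
    "alice": {"Account": Owned("OU=Sales"), "Mailbox": Owned("MBXDB01")},
    "bob": {"Account": Owned("OU=Sales")},
    "carol": {"HomeFolder": Owned(r"\\fs1\home\carol", enabled=False)},
}
SAMPLE_SHOULD_BE = {
    "alice": {"Account": "OU=Engineering", "Mailbox": "MBXDB01"},  # transferred: account moves
    "bob": {},                                                     # no longer entitled
    "dave": {"Account": "OU=Sales"},                               # new starter
}
SAMPLE_GROUP_AS_IS = {"alice", "bob", "eve"}
SAMPLE_GROUP_SHOULD_BE = {"alice", "bob", "dave"}

if __name__ == "__main__":
    for action in reconcile_entitlements(SAMPLE_AS_IS, SAMPLE_SHOULD_BE):
        print(action)
    for action in reconcile_membership(SAMPLE_GROUP_AS_IS, SAMPLE_GROUP_SHOULD_BE, "Sales-Managers"):
        print(action)
```

Because the recalculation only writes actions and a separate inbox processor job executes them, the queued delta can be inspected before it is applied; a should_be map that comes back unexpectedly empty shows up as a list of Disable actions rather than as silent removals.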

Search Tag Compilation – Job hosted by the Worker Role service that evaluates and prepares the tags needed for tag searching in EmpowerID. It also calculates implicit tagging.

Rights Enforcement Job – Job hosted by the Worker Role service that adds or removes native permissions for resources in external systems based on the current state of RBAC delegations. The actual granting or revoking of rights for external systems can result in calls to other agents (e.g., the Exchange Agent) in order to complete the action. This job is scheduled per Resource System or Account Store.

Rights Inventory Job – Job hosted by the Worker Role service that inventories native permissions for external system resources. The actual inventory of rights for the external system in question can result in calls to other agents (e.g., SharePoint Agent) in order to complete the action.

Risk Factor and Stats Recalculation Job – Job hosted by the Worker Role service that is responsible for calculating the risk factor score for all EmpowerID actor types.

Role and Location Compiler – Job hosted by the Worker Role service that is responsible for determining a person's roles and locations from external data.

Role and Location Processor – Job hosted by the Worker Role service that is responsible for assigning roles and locations to a person, as determined by the compiler from external data.

Separation Of Duties Policy Compiler – Job hosted by the Worker Role service that evaluates separation of duties policies to discover violations and creates Separation of Duties (SoD) Violation tasks.

Separation Of Duties Violation Processor – Job hosted by the Worker Role service that performs default configured actions in response to SoD Violation tasks.

Set Compiler Job – Job hosted by the Worker Role service that evaluates saved searches or Sets against connected Account Stores. The results of these compiled searches can be used for query-based assignment of Person objects to Business Roles and Locations.

Web Services

Exchange Management Web Service – WCF web service hosted by Worker Role Windows Service that can execute any of the PowerShell cmdlets for managing Microsoft Exchange 2007 or greater. This service must be enabled on a machine loaded with the Exchange Management Console tools.

LDAP Management Web Service – WCF web service hosted by IIS. This service must be enabled on a machine with connectivity to the LDAP directories that it manages.

Lotus Notes Web Service – WCF web service hosted by IIS. This service must be enabled on a machine with Lotus Notes.

Password Manager Web Service – WCF web service hosted by IIS that is specific to password management, such as password validation, and that also receives password change notification messages from the EmpowerID Password Change Detection Agent Windows service.

Pipeline Service Web Service – WCF web service hosted by IIS. This service must be enabled for BRE applications to function correctly and to receive system wide alerts and notifications.

PowerShell Web Service – WCF web service hosted by IIS for executing any type of PowerShell cmdlets. This service will be used by workflows that execute PowerShell cmdlets. Applicable PowerShell snap-ins should be loaded on each server hosting this service.

Service Bus Management Web Service – WCF web service hosted by IIS that provides distributed WCF endpoint hosting facilities for integrating external resource systems and applications with the rest of the EmpowerID platform. The ESB Agent easily extends the life of existing legacy applications through the deployment of legacy application connectors developed in BPM Studio and deployed as WCF services on an ESB Agent.

SharePoint Management Web Service – WCF web service hosted by IIS that can execute any of the SharePoint object model calls required for managing Microsoft SharePoint.

Federation Server Web Service – WCF web service hosted by IIS. Provides a distributed Claim based STS for the EmpowerID platform.

Windows Server Management Web Service – WCF web service hosted by IIS that can execute any of the local Windows server OS management actions required for shared folder creation or other system management tasks. This service must be enabled on a machine that is the intended target for management.

Workflow Server Web Service – WCF web service hosted by IIS. Provides a secure service extension host to the workflow server.

Step 1 – Configure the server roles for each of your EmpowerID servers

  1. On the navbar, expand Infrastructure Admin > EmpowerID Servers and Settings and select EmpowerID Servers.

  2. On the EmpowerID Servers page, click the EmpowerID Servers tab and search for the server whose role you want to configure.

  3. Click the Edit button for that server.


  4. In the dialog that appears, select the appropriate role from the EmpowerID Server Role drop-down.

  5. Click Save to save the role and close the dialog.

Step 2 – Review the Join and Provision rules for your environment

  1. On the navbar, expand Identity Lifecycle, and click Settings.

  2. This directs you to the Account Inbox Settings page, which contains settings that determine how EmpowerID should handle Joiner and Leaver processes in your environment. A description of the settings follows the image.


    Account Inbox Settings

    Join and Provision Filter – This setting is used to set the filtering logic for joining and provisioning people from accounts inventoried in an external, connected user directory. The default shipping logic ensures that for joining or provisioning, an inventoried account must meet the following criteria:

      • The account is not currently owned by a Person (the account's PersonID field IS NULL)

      • The account is active (the account's Disabled and Deleted fields are 0)

      • The account is not an Active Directory contact account or a non-personal account (the AccountTypeID field is not equal to 2 and the AccountUsageTypeID equals 1)

      • The account has valid FirstName and LastName values (the length of each field is greater than 0)

    If the account passes the filter logic, the rules below specify the criteria for joining the account to an EmpowerID Person.

    Join by Birth Date and First Name and Last Name – Specifies that inventoried accounts be joined to an EmpowerID Person when the birth date, first name and last name of the account match those of an existing EmpowerID Person.

    Join by Email and First Name and Last Name – Specifies that inventoried accounts be joined to an EmpowerID Person when the email, first name and last name of the account match those of an existing EmpowerID Person.

    Join by EmployeeID and First Name and Last Name – Specifies that inventoried accounts be joined to an EmpowerID Person when the EmployeeID, first name and last name of the account match those of an existing EmpowerID Person.

    Join by Personal Email and First Name and Last Name – Specifies that inventoried accounts be joined to an EmpowerID Person when the personal email, first name and last name of the account match those of an existing EmpowerID Person.

    Join by Custom Match – Allows you to extend the existing join rules with custom logic.

    Join Rule – Specifies whether joining an inventoried account to an EmpowerID Person is allowed.

    Provision Rule – The default shipping logic ensures that for provisioning an EmpowerID Person from an inventoried account, the following conditions must be met:

      • Person provisioning is allowed (A.AllowProvision = 1)

      • An account store exists in EmpowerID for the external system

      • Person provisioning is allowed on the account store that holds the accounts

    If the above conditions are met, EmpowerID will provision an EmpowerID Person for each user account in a connected user directory that does not currently have a Person linked to it (based on the Join Filter and rules specified above).

    Core Identity Inbox Settings

    Join by First Name and Last Name – Specifies that Person objects be joined to the same core identity when the first name and last name attributes of the Person objects are the same.

    Join by Birth Date and First Name and Last Name – Specifies that Person objects be joined to the same core identity when the birth date, first name and last name attributes of the Person objects are the same.

    Join based on this list of comma separated attributes – In addition to the above join rules, allows you to specify one or more custom Person attributes that must be the same in order for the Person objects to be joined to the same core identity.

    Core Identity Provision Rule – Allows you to write a custom provision rule for creating core identities.

    Planned Leaver Settings

    Planned Leaver Grace Period (Days) – Specifies the number of days after a person has left the organization before the account is terminated.

    Initiator for Terminate Person Advanced Workflow (To Require or Avoid Approval) – Specifies the Person object responsible for initiating the Terminate Person Advanced workflow.

    Disable Accounts with Mailboxes – Specifies whether accounts with mailboxes should be disabled.

    Disable Accounts with Same Primary Person – Specifies whether accounts linked to the same primary person should be disabled.

    Disable Accounts with Same CoreIdentity – Specifies whether accounts of all the people linked to the same core identity should be disabled.

    Disable Primary Person Object – Specifies whether all people claimed by the termination process should have their primary person accounts disabled.

    Disable People with Same CoreIdentity – Specifies whether all people linked to the same core identity should have their person accounts disabled.

    Reset Password for Accounts with Same Primary Person – Specifies whether to reset the passwords of all accounts linked to the same primary person via the “PasswordManagerPolicyName” policy setting.

    Reset Password for Accounts with Same CoreIdentity – Specifies whether to reset the passwords of all accounts belonging to people linked to the same core identity of the primary person via the “PasswordManagerPolicyName” policy setting.

    Reset Password for Person Objects with Same CoreIdentity – Specifies whether to reset the passwords of all the people linked to the same core identity of the primary person via the “PasswordManagerPolicyName” policy setting.

    Reset Primary Person Password – Specifies whether to reset the primary person password via the “PasswordManagerPolicyName” policy setting.

    Enable Responsibility Transfer – Specifies whether responsibility transfer activities in the process should occur or be bypassed.

    Terminate Person Objects with Same Core Identity – Specifies whether all people claimed by the termination process and linked to the same core identity of the primary person should have their person accounts terminated.

    Terminate Accounts Owned By Primary Person Before RET – Specifies whether accounts linked to the primary person should be deleted. If set to true, the process uses the value of “TerminateAccountsSameCoreIdentity” to determine whether to delete the accounts of linked people.

    Terminate Accounts with Same Core Identity – Specifies whether accounts linked to the same core identity of the primary person should be terminated.

    Password Manager Policy Name – Specifies the Password Manager Policy name.

    Pre Leaver Threshold On Person – Specifies the maximum number of person accounts that can be claimed for pre-leaver processing.

    Leaver Threshold On Person – Specifies the maximum number of person accounts that can be claimed for leaver processing.

    Planned Leaver - Who to Terminate (Query-Based Collections)

    Leaver Termination Pre Termination SetGroup – Specifies the Query-Based collection used to claim people to be processed for pre-termination.

    Leaver Termination People to Terminate SetGroup – Specifies the Query-Based collection used to claim people to be processed for termination.

    Leaver Termination People to Reactivate SetGroup – Specifies the Query-Based collection used to claim people to be reactivated after termination.

    Planned Leaver - Email Notifications

    Email Template Person Pre Termination Notification – Specifies the email template used when sending notifications to people selected for pre-termination.

    Email Template Manager Pre Termination Notification – Specifies the email template used when sending notifications to the managers of people whose direct reports have been selected for pre-termination.

    Email Template Admin Pre Termination Notification – Specifies the email template used when sending notifications to administrators about all people selected for pre-termination.

    Admin Management Role GUIDs (For Notifications) – Specifies the Management Roles that need to receive planned leaver notifications. All people belonging to the roles receive the notifications.

    Email Template Person Termination Notification – Specifies the email template used when sending notifications to people who have been terminated by the Planned Leaver process.

    Email Template Manager Termination Notification – Specifies the email template used when sending notifications to the managers of people who have been terminated by the Planned Leaver process.

    Email Template Admin Termination Notification – Specifies the email template used when sending notifications to administrators whenever people have been terminated by the Planned Leaver process.

    Email Template Person Reactivated Notification – Specifies the email template used when sending notifications to previously terminated people who have been reactivated.

    Email Template Manager Reactivated Notification – Specifies the email template used when sending notifications to the managers of previously terminated people who have been reactivated.

    Email Template Admin Reactivated Notification – Specifies the email template used when sending notifications to administrators whenever previously terminated people have been reactivated.


  3. Make any changes to the default settings as needed and then click Save.

As the AccountJoinAndProvision filter is used to target which accounts are eligible for both joining and provisioning, the filter should only be customized in situations where the custom criteria apply to accounts that are both join and provision targets.
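As an added example (Python, not EmpowerID code), the following models the default Join and Provision Filter, the join rules and the Provision Rule from the table above for one inventory batch. The data classes, function names, sample people and accounts, the case-insensitive comparison, the rule that an ambiguous match is treated as no match, and the treatment of newly provisioned People as join targets for later accounts in the same batch are all assumptions; the Join by Personal Email rule has the same shape as the email rule and is omitted to keep the example short.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    account_id: int
    account_store: str
    first_name: str
    last_name: str
    person_id: Optional[int] = None   # PersonID: NULL until joined or provisioned
    disabled: int = 0
    deleted: int = 0
    account_type_id: int = 1          # 2 = Active Directory contact (from the page)
    account_usage_type_id: int = 1    # 1 = personal account (from the page)
    birth_date: str = ""
    email: str = ""
    employee_id: str = ""

@dataclass
class Person:
    person_id: int
    first_name: str
    last_name: str
    birth_date: str = ""
    email: str = ""
    employee_id: str = ""

def passes_join_and_provision_filter(a):
    """The default Join and Provision Filter criteria listed on the page."""
    return (a.person_id is None and a.disabled == 0 and a.deleted == 0      # unowned and active
            and a.account_type_id != 2 and a.account_usage_type_id == 1    # personal, not an AD contact
            and len(a.first_name) > 0 and len(a.last_name) > 0)            # both names present

# Join rules in page order; each adds one discriminating attribute to first + last name.
JOIN_RULES = [
    ("Join by Birth Date and First Name and Last Name", "birth_date"),
    ("Join by Email and First Name and Last Name", "email"),
    ("Join by EmployeeID and First Name and Last Name", "employee_id"),
]

def _norm(value):
    return value.strip().casefold()

def find_join_candidate(a, people, enabled_rules=None):
    """First enabled rule yielding exactly one Person wins. Assumptions: an empty
    discriminator never matches, and 2+ matches count as no match (never mis-join)."""
    first, last = _norm(a.first_name), _norm(a.last_name)
    for rule_name, attr in JOIN_RULES:
        key = _norm(getattr(a, attr))
        if not key or (enabled_rules is not None and rule_name not in enabled_rules):
            continue
        matches = [p for p in people if _norm(p.first_name) == first
                   and _norm(p.last_name) == last and _norm(getattr(p, attr)) == key]
        if len(matches) == 1:
            return rule_name, matches[0]
    return None

def evaluate_account_inbox(accounts, people, stores, allow_provision=True,
                           join_rule=True, enabled_rules=None):
    """Filter, then join, then provision. `stores` maps store name -> provisioning allowed.
    Returns {account_id: (decision, detail)}; a Person provisioned earlier in the batch
    can be a join target for later accounts (assumption)."""
    people = list(people)
    next_id = max((p.person_id for p in people), default=0) + 1
    decisions = {}
    for a in accounts:
        if not passes_join_and_provision_filter(a):
            decisions[a.account_id] = ("Skip", "excluded by Join and Provision Filter")
            continue
        hit = find_join_candidate(a, people, enabled_rules) if join_rule else None
        if hit is not None:
            rule_name, person = hit
            a.person_id = person.person_id
            decisions[a.account_id] = ("Join", f"Person {person.person_id} via {rule_name}")
        elif allow_provision and stores.get(a.account_store, False):   # Provision Rule conditions
            new = Person(next_id, a.first_name, a.last_name, a.birth_date, a.email, a.employee_id)
            people.append(new)
            a.person_id, next_id = new.person_id, next_id + 1
            decisions[a.account_id] = ("Provision", f"Person {new.person_id}")
        else:
            decisions[a.account_id] = ("NoAction", "no join match and provisioning not allowed")
    return decisions

SAMPLE_PEOPLE = [   # constructed sample data, not from any real directory
    Person(1, "Ada", "Lovelace", email="ada@example.com", employee_id="E100"),
    Person(2, "Ada", "Lovelace", employee_id="E200"),   # a second Person with the same name
]
SAMPLE_STORES = {"CorpAD": True, "LabLDAP": False}      # store -> provisioning allowed

def sample_accounts():
    return [
        Account(1, "CorpAD", "ada", "LOVELACE", email="Ada@Example.com"),  # only case differs
        Account(2, "CorpAD", "Ada", "Lovelace", employee_id="E200"),
        Account(3, "CorpAD", "Ada", "Lovelace"),                  # name only: no rule can match
        Account(4, "CorpAD", "Ada", "Lovelace", disabled=1),      # filtered: not active
        Account(5, "CorpAD", "Ada", "Lovelace", account_type_id=2),   # filtered: AD contact
        Account(6, "LabLDAP", "Grace", "Hopper"),                 # store forbids provisioning
        Account(7, "CorpAD", "Grace", "Hopper", person_id=7),     # filtered: already owned
    ]
```

Account 3 shows why every shipped join rule requires a discriminator beyond first and last name: with two existing People named Ada Lovelace, a name-only match would be ambiguous, so the account is provisioned as a new Person rather than attached to either of them. The filter rejects disabled, deleted, contact and already-owned accounts before any join rule runs, which is why the note above warns against customizing it with criteria that apply to only one of the two outcomes.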
