Enabling SharePoint Profile Sync
If you have Microsoft SharePoint and are running the User Profile service, you can configure EmpowerID to synchronize the user profile properties in your SharePoint with the corresponding EmpowerID Person attributes for each SharePoint user with an EmpowerID Person identity. In this way, if a user changes a property for one of their attributes, that change can be brought into EmpowerID and pushed to any of your connected account stores, such as Active Directory. The SharePoint profile properties that EmpowerID can synchronize with, and the naming convention used, are listed below.
User Profile Sync Attribute Flow

| Name of Person attribute in EmpowerID | Name of Profile property in SharePoint |
| --- | --- |
| BirthDay | SPS-Birthday |
| Department | Department |
| Description | Description |
| Display Name | PreferredName |
| Email | WorkEmail |
| Fax | Fax |
| FirstName | FirstName |
| HomePhone | HomePhone |
| JobTitle | Title |
| LastName | LastName |
| Location | SPS-Location |
| MailboxAlias | MailNickName |
| MobileNumber | CellPhone |
| OfficeLocation | Office |
| OriginalHireDate | SPS-HireDate |
| SIPAddress | SPS-SipAddress |
| Telephone | WorkPhone |
| URLPersonal | Url |
You determine how changes made to these properties in SharePoint affect EmpowerID by the settings you apply to the attribute flow rules for your SharePoint system. These rules are visually configured for each profile property and are always relative to the relationship between a user profile property in SharePoint and the corresponding EmpowerID Person attribute. In addition to setting attribute flow rules, you create a Resource Entitlement (RET) for a SharePoint User Profile and apply that policy to your SharePoint users in EmpowerID.
This topic explains how to enable profile sync for SharePoint and is divided into the following activities:
- Creating a SharePoint User Profile Resource Entitlement
- Setting your Attribute Flow Rules
- Enabling RET provisioning and deprovisioning for the SharePoint farm
To create a SharePoint User Profile Resource Entitlement
This opens the Resource Entitlement Details screen, which is where you enter the information to define your SharePoint User Profile RET.
In the Resource Entitlement Details screen, do the following:
- Type a name for the RET into the Name field.
- Type a friendly or display name for the RET into the Friendly Name field.
- Type a description for the RET into the Description field.
- Select SharePoint from the Resource System drop-down.
- Select DoNothing from the On Claim Action drop-down. This tells EmpowerID to mark any previous resources assigned to the user that match this RET as RET-managed resources and do nothing else.
- Select DoNothing from the On Transform Action drop-down. This tells EmpowerID to mark this resource with the new RET policy number and do nothing else.
- Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to delete the user profile if the person to whom the profile is connected is terminated.
- Type a desired value into the Priority field. The value entered here specifies a ranking for the RET and takes effect if a duplicate resource entitlement occurs inside the inheritance tree. The lower the number, the higher the priority.
- Ensure that Business Role and Location is selected from the Assign Policy To drop-down and that the Assignee is the appropriate Business Role and Location. If you selected the Any Role Anywhere Business Role and Location as described in step 2 above, you should see these fields populated with those values.
When you have completed entering your values, your screen should look similar to the following image:
Click Save. You should now see the RET in the Role and Location Manager grid.
Next, we need to set the attribute flow rules for the SharePoint account store. We describe this below.
To set Attribute Flow Rules
From Role and Location Manager, click the EmpowerID icon and select Configuration Manager from the application menu. In Configuration Manager, expand the User Directories tree node and then click Attribute Flow Rules. Click the Account Store drop-down located above the main panel of Configuration Manager and select your SharePoint account store. Click the Attribute Flow button located between the EmpowerID Person Attribute column and the Account Store Attributes column, and select a flow direction for each attribute from the context menu.
When setting the attribute flow rules, you can choose from one of the four options below for each attribute or property:
- No Sync - When this option is selected, changes to profile properties made in SharePoint will not flow to EmpowerID and changes to Person attributes made in EmpowerID will not flow to SharePoint.
- Bidirectional Flow - When this option is selected, changes made within SharePoint flow to EmpowerID and changes made in EmpowerID flow to SharePoint.
- Account Store Changes Only - When this option is selected, changes made in SharePoint will flow to EmpowerID, but changes made in EmpowerID will not flow to SharePoint.
- EmpowerID Changes Only - When this option is selected, changes made in EmpowerID will flow to SharePoint, but changes made in SharePoint will not flow to EmpowerID.
The below image shows the attribute flow rules we have set for our environment. Notice that the attribute flow rule for Email is set to only flow from EmpowerID to SharePoint. All other attribute flow rules are set to bidirectional.
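The following sketch is an added example, not EmpowerID code or an EmpowerID API. It models the four flow directions over a few rows of the mapping table and shows why the Email rule matters: an edit made to WorkEmail in SharePoint is not brought into EmpowerID, so it cannot be pushed on to connected account stores. The function names, the sample values, and the choice to treat unmapped properties as No Sync are assumptions of this model.

```python
from enum import Enum

class Flow(Enum):
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_ONLY = "Account Store Changes Only"
    EMPOWERID_ONLY = "EmpowerID Changes Only"

# Person attribute -> SharePoint profile property (rows from the mapping table)
PROFILE_MAP = {"Email": "WorkEmail", "JobTitle": "Title", "MobileNumber": "CellPhone",
               "Department": "Department", "Telephone": "WorkPhone"}

# Rule set described above: Email is EmpowerID Changes Only, the rest bidirectional
RULES = {attr: Flow.BIDIRECTIONAL for attr in PROFILE_MAP}
RULES["Email"] = Flow.EMPOWERID_ONLY

INBOUND = {Flow.BIDIRECTIONAL, Flow.ACCOUNT_STORE_ONLY}   # SharePoint -> EmpowerID
OUTBOUND = {Flow.BIDIRECTIONAL, Flow.EMPOWERID_ONLY}      # EmpowerID -> SharePoint

def propagate(source, changes, rules):
    """Decide which edits made on `source` ('sharepoint' or 'empowerid') flow across.

    `changes` is keyed by the source side's own names. Returns (applied, blocked),
    where `applied` is keyed by the destination side's names.
    """
    from_sharepoint = source == "sharepoint"
    allowed = INBOUND if from_sharepoint else OUTBOUND
    by_property = {prop: attr for attr, prop in PROFILE_MAP.items()}
    applied, blocked = {}, []
    for name, value in changes.items():
        attr = by_property.get(name) if from_sharepoint else name
        # Assumption of this model: anything unmapped or without a rule is No Sync
        if attr not in PROFILE_MAP or rules.get(attr, Flow.NO_SYNC) not in allowed:
            blocked.append(name)
            continue
        applied[attr if from_sharepoint else PROFILE_MAP[attr]] = value
    return applied, blocked

def inbound_attributes(rules):
    """Person attributes that an edit made in SharePoint can change in EmpowerID."""
    return sorted(attr for attr, flow in rules.items() if flow in INBOUND)

if __name__ == "__main__":
    # Constructed sample edits made by a user in their SharePoint profile
    edits = {"WorkEmail": "new.address@example.com", "CellPhone": "555-0100"}
    print(propagate("sharepoint", edits, RULES))
    print(inbound_attributes(RULES))
```

The list returned by `inbound_attributes` is the set of attributes to review when deciding which properties users may change from the SharePoint side.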
Next, we need to enable RET provisioning and de-provisioning, inventory and attribute flow for the SharePoint account store.
To enable RET provisioning and deprovisioning
From Configuration Manager, expand the User Directories tree node and then click Account Stores. Double-click the SharePoint account store in the Configuration Manager grid or right-click it and select Edit from the context menu. In the General Pane of the Account Store Details screen that appears, do the following:
- Toggle the Allow RET Provisioning button from a red sphere to a green check. This allows EmpowerID to apply the SharePoint User Profile RET to each person in the Business Role and Location you specified when you created the RET.
- Toggle the Allow RET De-Provisioning button from a red sphere to a green check. This allows EmpowerID to remove the SharePoint User Profile RET from a person when that person no longer meets the conditions for the RET.
- Toggle the Enable Attribute Flow button from a red sphere to a green check, if it is not already in that state. This allows attribute flow to occur according to the attribute flow rules applied to the SharePoint account store.
The Account Store Details screen should look like the below image:
At your next account store inventory run, you should see the user profiles in SharePoint.
Be sure to turn on the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on one or more of your EmpowerID Web servers to ensure the SharePoint User Profile RET gets applied to your users. You turn these jobs on by checking the box beside the job on the appropriate Web servers within the EmpowerID Servers and Roles section of Configuration Manager.