Unable to render embedded object: File (Emp18Notice.png) not found.

Skip to end of banner
Go to start of banner

enablingprofilesync

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

---title: Enabling SharePoint Profile Sync---

Enabling SharePoint Profile Sync

If you have Microsoft SharePoint and are running the User Profile service, you can configure EmpowerID to synchronize the user profile properties in your SharePoint with the corresponding EmpowerID Person attributes for each SharePoint user with an EmpowerID Person identity. In this way, if a user changes a property for one of their attributes, that change can be brought into EmpowerID and pushed to any of your connected account stores, such as Active Directory. The number of SharePoint profile properties that EmpowerID can synchronize with and the naming convention used can be viewed by expanding the below drop-down.

  • View Profile Properties
    User Profile Sync Attribute Flow Name of Person attribute in EmpowerID Name of Profile property in SharePoint

    AboutMe

    AboutMe

    BirthDay

    SPS-Birthday Department Department Description Description

    Display Name

    PreferredName Email WorkEmail Fax Fax FirstName FirstName HomePhone HomePhone JobTitle Title LastName LastName Location SPS-Location MailboxAlias MailNickName MobileNumber CellPhone OfficeLocation Office OriginalHireDate SPS-HireDate SIPAddress SPS-SipAddress Telephone WorkPhone URLPersonal Url
The User Profile Service Application must be started in your SharePoint farm for EmpowerID Profile Sync to function correctly.

You determine how changes made to these properties in SharePoint affect EmpowerID by the settings you apply to the attribute flow rules for your SharePoint system. These rulesĀ are visually configured for each profile property and are always relative to the relationship between a user profile property in SharePoint and the corresponding EmpowerID Person attribute. In addition to setting attribute flow rules, you create a Resource Entitlement (RET) for a SharePoint User Profile and apply that policy to your SharePoint users in EmpowerID.

This topic explains how to enable profile sync for SharePoint and is divided into the following activities:

To create a SharePoint User Profile Resource Entitlement

In this example, we create a SharePoint User Profile Resource Entitlement and apply that entitlement to the Any Role Anywhere Business Role and Location. In this way, profile sync happens for anyone within the organization. You can be more selective in your RET application if desired, drilling down to specific Business Roles and Location, groups, Management Roles, and SetGroups.
From the EmpowerID Management Console, click the application icon and then select Role and Location Manager from the application menu. From the Business Roles tree to the left of Role and Location Manager, click Any Role and in theLocations tree to the right of Role and Location Manager, click Anywhere. In Role and Location Manager, select Resource Entitlements for Selected Business Role and Location from the Policy drop-down located above the grid. Click the Add New button. In the Select Resource Entitlement Type window that appears, select SharePoint User Profile from the drop-down list and then click OK.

This opens the Resource Entitlement Details screen, which is where you enter the information to define your SharePoint User Profile RET.

In the Resource Entitlement Details screen, do the following:
  • Type a name for the RET into the Name field.
  • Type a friendly or display name for the RET into the Friendly Name field.
  • Type a description for the RET into the Description field.
  • Select SharePoint from the Resource System drop-down.
  • Select DoNothing from the On Claim Action drop-down. This tells EmpowerID to mark any previous resources assigned to the user that match this RET as RET-managed resources and do nothing else.
  • Select DoNothing from the On Transform Action drop-down. This tells EmpowerID to mark this resource with the new RET policy number and do nothing else.
  • Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to delete the user profile if the person to whom the profile is connected is terminated.
  • Type a desired value into the Priority field. This value entered here specifies a ranking for the RET and takes effect if a duplicate resource entitlement occurs inside the inheritance tree. The lower the number, the higher the priority.
  • Ensure that Business Role and Location is selected from the Assign Policy To drop-down and that the Assignee is the appropriate Business Role and Location. If you selected the Any Role Anywhere Business Role and Location as described in step 2 above, you should see these fields populated with those values.

When you have completed entering your values, your screen should look similar to the following image:

Click Save. You should now see the RET in the Role and Location Manger grid. Next, we need to set the attribute flow rules for the SharePoint account store. We describe this below.

To set Attribute Flow Rules

From Role and Location Manager, click the EmpowerID icon and select Configuration Manager from the application menu. In Configuration Manager, expand the User Directories tree node and then click Attribute Flow Rules. Click theAccount Store drop-down located above the main panel of Configuration Manager and select your SharePoint account store. Click the Attribute Flow button located between the EmpowerID Person Attribute column and the Account Store Attributes column, and select a flow direction for each attribute from the context menu.

When setting the attribute flow rules, you can choose from one of the four options below for each attribute or property:

  • No Sync - When this option is selected, changes to profile properties made in SharePoint will not flow to EmpowerID and changes to Person attributes made in EmpowerID will not flow to SharePoint.
  • Bidirectional Flow - When this option is selected, changes made within SharePoint flow to EmpowerID and changes made in EmpowerID flow to SharePoint.
  • Account Store Changes Only - When this option is selected, changes made in SharePoint will flow to EmpowerID, but changes made in EmpowerID will not flow to SharePoint.
  • EmpowerID Changes Only - When this option is selected, changes made in EmpowerID will flow to SharePoint, but changes made in SharePoint will not flow to EmpowerID.
The attribute flow rule for the Email attribute must be set so that the flow occurs from EmpowerID to SharePoint. This means that changes to the person's Email attribute made in EmpowerID will flow to the WorkEmail attribute in SharePoint, but changes to the WorkEmail attribute in SharePoint will not flow to the Email attribute in EmpowerID.

The below image shows the attribute flow rules we have set for our environment. Notice that the attribute flow rule for Email is set to only flow from EmpowerID to SharePoint. All other attribute flow rules are set to bidirectional.


Next, we need to enable RET provisioning and de-provisioning, inventory and attribute flow for the SharePoint account store.

To enable RET provisioning and deprovisioning

From Configuration Manager, expand theUser Directories tree node and then clickAccount Stores. Double-click the SharePoint account store in the Configuration Manager grid or right-click it and selectEdit from the context menu. In theGeneral Pane of the Account Store Details screen that appears, do the following:
  • Toggle the Allow RET Provisioning button from a red sphere to a green check. This allows EmpowerID to apply the SharePoint User Profile RET to each person in the Business Role and Location you specified when you created the RET.
  • Toggle the Allow RET De-Provisioning button from a red sphere to a green check. This allows EmpowerID to remove the SharePoint User Profile RET from a person when that person no longer meets the conditions for the RET.
  • Toggle the Enable Attribute Flow button from a red sphere to a green check, if it is not already in that state. This allow attribute flow to occur according to the attribute flow rules applied to the SharePoint account store.
In the Inventory Pane of the Account Store Details screen, toggle the Enable Inventory button from a red sphere to agreen check. This allows EmpowerID to inventory the user profile properties for each of your SharePoint users.

The Account Store Details screen should look like the below image:

At your next account store inventory run, you should see the user profiles in SharePoint.

Be sure to turn on the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on one or more of your EmpowerID Web servers to ensure the SharePoint User Profile RET gets applied to your users. You turn these jobs on by checking the box beside the job on the appropriate Web servers within theEmpowerID Servers and Roles section of Configuration Manager.

  • No labels