In EmpowerID, Provisioning policies, also known as "Resource Entitlements" or "RETs," are policies that can be created to automate the provisioning, moving, disabling and de-provisioning of resources to users based on their meeting certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policy.
This topic demonstrates how to create a RET policy that provisions Salesforce accounts.
EmpowerID must first be connected to Salesforce. For details, see Connecting to Salesforce. RET provisioning and RET deprovisioning must be enabled on the Salesforce account store. |
Require Approval if Deprovision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the accounts until approval is granted.
As a best practice, when testing provisioning policies, select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment. |
In our example, we have selectedAll Provisions Require ApprovalandAll Deprovisions Require Approval, meaning that the provisioning and deprovisioning of all accounts must be approved before those accounts will be processed by RET Inbox.
Next, add Configuration Parameters to the policy you just created. These parameters allow you to specify the Salesforce profile and role each user created by the policy is to be assigned. If Configuration Parameters are not set, EmpowerID assigns all users to the Chatter Free profile by default.
Type ProfileId in the Name field and the name of the Salesforce profile in the ConfigurationValue field and then click Save. EmpowerID sends this information to Salesforce. If you do not set a ProfileId, EmpowerID passes the Chatter Free User profile to Salesforce by default.
The ConfigurationValue must match the name of the corresponding Profile in Salesforce. |
Next, assign the policy you just created to one or more targets as demonstrated below.
Scroll to the Policy Assigned To section of the policy's Edit page and click the Add (+) button below the specific target type to which you want to assign the RET. In our example, we are assigning the policy to the Intern in Corporate Business Role and Location so we are clicking the Add (+) button in the Business Role and Locations pane of the section.
This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.
Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all Interns in or below the Corporate location, so we have selected Corporate.
If you selected Approve All Provisions and the Resource Entitlement Inbox and Resource Entitlement , you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID will provision the Salesforce accounts. This is demonstrated in the next section.
Next, assign the policy you just created to one or more targets as demonstrated below.
After the RET Inbox has provisioned the Salesforce accounts, you can view and manage those accounts and the groups created for those accounts from the Salesforce Management page. Navigate to the Salesforce Management page by expanding Pages in the Navigation Sidebar and clicking Salesforce Manager. |