Enabling SharePoint Profile Sync
If you have Microsoft SharePoint and are running the User Profile service, you can configure EmpowerID to synchronize the user profile properties in your SharePoint with the corresponding EmpowerID Person attributes for each SharePoint user with an EmpowerID Person identity. In this way, if a user changes a property for one of their attributes, that change can be brought into EmpowerID and pushed to any of your connected account stores, such as Active Directory. The number of SharePoint profile properties that EmpowerID can synchronize with and the naming convention used can be viewed by expanding the below drop-down.
- View Profile Properties
User Profile Sync Attribute Flow
Name of Person attribute in EmpowerID
Name of Profile property in SharePoint
AboutMe
AboutMe
BirthDay
SPS-Birthday
Department
Department
Description
Description
Display Name
PreferredName
Email
WorkEmail
Fax
Fax
FirstName
FirstName
HomePhone
HomePhone
JobTitle
Title
LastName
LastName
Location
SPS-Location
MailboxAlias
MailNickName
MobileNumber
CellPhone
OfficeLocation
Office
OriginalHireDate
SPS-HireDate
SIPAddress
SPS-SipAddress
Telephone
WorkPhone
URLPersonal
Url
The User Profile Service Application must be started in your SharePoint farm for EmpowerID Profile Sync to function correctly.
You determine how changes made to these properties in SharePoint affect EmpowerID by the settings you apply to the attribute flow rules for your SharePoint system. These rulesĀ are visually configured for each profile property and are always relative to the relationship between a user profile property in SharePoint and the corresponding EmpowerID Person attribute. In addition to setting attribute flow rules, you create a Resource Entitlement (RET) for a SharePoint User Profile and apply that policy to your SharePoint users in EmpowerID.
This topic explains how to enable profile sync for SharePoint and is divided into the following activities:
To create a SharePoint User Profile Resource Entitlement
In this example, we create a SharePoint User Profile Resource Entitlement and apply that entitlement to the Any Role Anywhere Business Role and Location. In this way, profile sync happens for anyone within the organization. You can be more selective in your RET application if desired, drilling down to specific Business Roles and Location, groups, Management Roles, and SetGroups.
From the EmpowerID Management Console, click the
application icon and then select
Role and Location Manager from the application menu.
From the
Business Roles tree to the left of Role and Location Manager, click
Any Role and in the
Locations tree to the right of Role and Location Manager, click
Anywhere.
In Role and Location Manager, select
Resource Entitlements for Selected Business Role and Location from the Policy drop-down located above the grid.
Click the
Add New button.
In the
Select Resource Entitlement Type window that appears, select
SharePoint User Profile from the drop-down list and then click
OK.
This opens the Resource Entitlement Details screen, which is where you enter the information to define your SharePoint User Profile RET.
In the Resource Entitlement Details screen, do the following:
- Type a name for the RET into the Name field.
- Type a friendly or display name for the RET into the Friendly Name field.
- Type a description for the RET into the Description field.
- Select SharePoint from the Resource System drop-down.
- Select DoNothing from the On Claim Action drop-down. This tells EmpowerID to mark any previous resources assigned to the user that match this RET as RET-managed resources and do nothing else.
- Select DoNothing from the On Transform Action drop-down. This tells EmpowerID to mark this resource with the new RET policy number and do nothing else.
- Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to delete the user profile if the person to whom the profile is connected is terminated.
- Type a desired value into the Priority field. This value entered here specifies a ranking for the RET and takes effect if a duplicate resource entitlement occurs inside the inheritance tree. The lower the number, the higher the priority.
- Ensure that Business Role and Location is selected from the Assign Policy To drop-down and that the Assignee is the appropriate Business Role and Location. If you selected the Any Role Anywhere Business Role and Location as described in step 2 above, you should see these fields populated with those values.
When you have completed entering your values, your screen should look similar to the following image:
Click
Save. You should now see the RET in the Role and Location Manger grid.
Next, we need to set the attribute flow rules for the SharePoint account store. We describe this below.
To set Attribute Flow Rules
From Role and Location Manager, click the EmpowerID icon and select Configuration Manager from the application menu.
In Configuration Manager, expand the
User Directories tree node and then click
Attribute Flow Rules.
Click the
Account Store drop-down located above the main panel of Configuration Manager and select your SharePoint account store.
Click the
Attribute Flow button located between the EmpowerID Person Attribute column and the Account Store Attributes column, and select a flow direction for each attribute from the context menu.
When setting the attribute flow rules, you can choose from one of the four options below for each attribute or property:
- No Sync - When this option is selected, changes to profile properties made in SharePoint will not flow to EmpowerID and changes to Person attributes made in EmpowerID will not flow to SharePoint.
- Bidirectional Flow - When this option is selected, changes made within SharePoint flow to EmpowerID and changes made in EmpowerID flow to SharePoint.
- Account Store Changes Only - When this option is selected, changes made in SharePoint will flow to EmpowerID, but changes made in EmpowerID will not flow to SharePoint.
- EmpowerID Changes Only - When this option is selected, changes made in EmpowerID will flow to SharePoint, but changes made in SharePoint will not flow to EmpowerID.
The attribute flow rule for the Email attribute must be set so that the flow occurs from EmpowerID to SharePoint. This means that changes to the person's Email attribute made in EmpowerID will flow to the WorkEmail attribute in SharePoint, but changes to the WorkEmail attribute in SharePoint will not flow to the Email attribute in EmpowerID.
The below image shows the attribute flow rules we have set for our environment. Notice that the attribute flow rule for Email is set to only flow from EmpowerID to SharePoint. All other attribute flow rules are set to bidirectional.
Next, we need to enable RET provisioning and de-provisioning, inventory and attribute flow for the SharePoint account store.
To enable RET provisioning and deprovisioning
From Configuration Manager, expand the
User Directories tree node and then click
Account Stores.
Double-click the SharePoint account store in the Configuration Manager grid or right-click it and select
Edit from the context menu.
In the
General Pane of the Account Store Details screen that appears, do the following:
- Toggle the Allow RET Provisioning button from a red sphere to a green check. This allows EmpowerID to apply the SharePoint User Profile RET to each person in the Business Role and Location you specified when you created the RET.
- Toggle the Allow RET De-Provisioning button from a red sphere to a green check. This allows EmpowerID to remove the SharePoint User Profile RET from a person when that person no longer meets the conditions for the RET.
- Toggle the Enable Attribute Flow button from a red sphere to a green check, if it is not already in that state. This allow attribute flow to occur according to the attribute flow rules applied to the SharePoint account store.
In the
Inventory Pane of the Account Store Details screen, toggle the
Enable Inventory button from a
red sphere to a
green check. This allows EmpowerID to inventory the user profile properties for each of your SharePoint users.
The Account Store Details screen should look like the below image:
At your next account store inventory run, you should see the user profiles in SharePoint.
Be sure to turn on the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on one or more of your EmpowerID Web servers to ensure the SharePoint User Profile RET gets applied to your users. You turn these jobs on by checking the box beside the job on the appropriate Web servers within theEmpowerID Servers and Roles section of Configuration Manager.