In EmpowerID, you can create Provisioning policies, also known as "Resource Entitlements" or "RETS," to automate the provisioning, moving, disabling and de-provisioning of resources to users based on whether they belong to a specific:
Business Role and Location
Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policy.
This topic demonstrates how to create a RET policy that provisions ServiceNow accounts.
Before you can create a Provisioning policy for ServiceNow accounts, the following prerequisites need to be met:
RET provisioning and RET deprovisioning must be enabled on the ServiceNow account store.
To create a policy that provisions ServiceNow accounts
From the Navigation Sidebar, expand the Admin node, then Policies, and click Provisioning Policies (RETS).
On the Actions tab, click the Create Provisioning Policy tile.
In the Choose Type section of the Policy Details form that appears, select Default from the Object Type To Provision drop-down.
In the General section of the form, enter the following settings.
For the Name and Display Name fields, enter a name.
For the Resource Type, select User Account.
For the Resource System, select ServiceNow.
For the Object Class, enter User.
For the Creation Path, search and select ServiceNow.
In the Throttling Settings, set these as required for your organization.
All Provisions Require Approval - Select to send provisioning for each RET specified by the policy for approval by a user delegated access to the Resource Entitlement Inbox.
All Deprovisions Require Approval - Select to send deprovisioning for each RET specified by the policy for approval by a user delegated access to the Resource Entitlement Inbox.
Require Approval if Provision Batch Larger Than Threshold - Set a numeric value for a single run of the Resource Entitlement Inbox before approval is required. If the threshold is reached, no accounts are provisioned until approval is granted.
Require Approval if Deprovision Batch Larger Than Threshold - Set a numeric value for a single run of the Resource Entitlement Inbox before approval is required. If the threshold is reached, no accounts are deprovisioned until approval is granted.
As a best practice, when testing provisioning policies, select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.
In the Advanced section of the form, enter the following settings.
Leave On Claim Action set to Do Nothing.
Set On Transform Action to Move.
Set On Revoke Action to Deprovision. This tells EmpowerID to disable the ServiceNow account if the person no longer meets the criteria to receive the resource from the RET.
Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where to create an account (or any RET that requires a path).
Back in the main form, click Save.
Next, add Assignees to the policy you just created. Here you specify the Business Roles and Locations, Management Roles, Management Role Definitions, Query-Based Collections, Groups, or People to assign to the policy. If Assignees are not set, EmpowerID assigns all users to the ServiceNow profile by default.
To set the Assignees
Click the Find Policies breadcrumb located at the top of the Policy Details page.
From the Policies tab, search for the policy you just created and click the Display Name link.
This opens the View page for the policy. View pages allow you to view and manage resources.
In the View page, click the Assignees accordion to expand it and then, in Business Roles and Locations, click the Add (+) button.
Select a Role and Location, for example, All Employees in ServiceNow, and click Select, then Save. EmpowerID uses this information to decide who gets provisioned an account in ServiceNow.
Next, assign the policy you just created to one or more targets as demonstrated below.
To assign the provisioning policy to users
Still in the Assignees accordion, scroll down to People, and click the Add (+) button to add a person as an assignee to the policy. In the Person box, press ENTER to search, and select a person.
If you selected All Provisions Require Approval, Resource Entitlement Inbox, and Resource Entitlement, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID can provision the ServiceNow accounts. This is demonstrated in the next section.
To approve the resource entitlements
In the Navigation Sidebar, expand System Logs, then Policy Inbox Logs and select Provisioning (RET) Inbox.
Click the Pending Batches tab to see a batch for the ServiceNow Resource Entitlement. In our case, you can see the Person you assigned to the ServiceNow location on the Pending Approval tab.
To approve the batch or the person, click the Approve drop-down and select Approve from the menu.
Click the shopping cart icon at the top of the page, then type a reason for the approval in the cart dialog and then click Submit.
After the RET Inbox has provisioned the ServiceNow accounts, you can view and manage those accounts and the groups created for those accounts from the ServiceNow Manager page. To see it, in the Navigation Sidebar, expand Pages and click ServiceNow Manager. The tabs along the top give you access to Users, Roles and Groups, and Role and Group Changes.