General Pane

This pane is used to set general configuration information for the Account Store and includes the following:

Account Store Name — This is the name of the inventoried account store. This field is populated with the value supplied during the initial forest discovery process. To change this name, click the Edit
button, enter a new name in the Account StoreFriendly Name window that appears and then click OK to close the window.
Resource System Name — This is the name of the Account Store resource system. To change this name, click the Edit
button, enter a new name in the Resource System Friendly Name window that appears and click OK.
Password Manager Policy — This allows you to specify a Password Manager policy for all people provisioned from the account store. To specify a Password Manager policy, click the Edit
button and choose the applicable policy. If you do not select a policy, EmpowerID applies the Default Password Manager policy to the account store. Please note that in order to select another Password Manager policy other than the Default policy, you must first create one or more new policies. For more information, see Setting up Password Manager Polices.
LDAP Agent — This is the name of the server(s) on which the LDAP Management Web Service is running. The LDAP Management Web Service is an EmpowerID Job hosted in IIS that maintains all communication between any LDAP server (such as AD) and EmpowerID. You selected the server when you first connected EmpowerID to the Account Store; however, you can change the server at any time by clicking the Edit
button.
Connection Account — This is the proxy account you entered above when you first connected EmpowerID to the Account Store. This account is used for inventorying, provisioning, making password resets, and enforcing permissions, so the information entered here must be an account with the appropriate privileges. You can change the connection account at any time by clicking the Edit
button and entering the appropriate information in the Proxy Connection Account window.
Credential Proxy — This allows you to specify a credential with a password that has been vaulted in EmpowerID. The credential must belong to an account that has the necessary privileges. If you select a Credential Proxy, EmpowerID uses that account and not the Connection Account. You can select a Credential Proxy at any time by clicking the Edit button and selecting the appropriate controller in the Change Domain Controller window.
Monitored Domain Controller — This is the preferred domain controller that EmpowerID monitors for changes. This needs to be a reliable domain controller with good connectivity to the EmpowerID servers performing the Inventory job. During the initial forest scan, EmpowerID discovers each domain controller and sets them to disabled by default. EmpowerID maintains a list of the last change seen on all domain controllers in case this setting needs to be changed, but only one is monitored at any given time in order to optimize performance. You can change the domain controller that EmpowerID monitors at any time by clicking the Edit
button and selecting the appropriate controller in the Change Domain Controller window.
Resource System Type — This is the resource system type (such as Active Directory Domain Services) for the Account Store you set when you first connected EmpowerID to it.
Default User Creation Path — This is the creation location of last resort for user accounts in the event that one is not selected in a workflow process.
Default Group Creation Path — This is the creation location of last resort for groups in the event that one is not selected in a workflow process.
EmpowerID Group Creation Path — This is the creation location for the Domain Local groups used by EmpowerID for granting native AD permissions assignments. For an overview of EmpowerID Groups and native permissions assignments, see Understanding Projection and Enforcement.
Maximum Accounts Per Person — This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
Business Role Priority — This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence.
Icon - This is the image icon that represents this domain in the EmpowerID user interfaces.
Enable Pass-Through Authentication — This allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enabled, the domain\username format needs to be used.
Enable Simple Username Search for Pass-Through Authentication — Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Accounts Stores where simple username search is enabled to find the correct user name and password combination. To enable this function, click the Enable Simple Username Search button to the left of the line and toggle it so that the green check is visible.
Allow Password Sync — Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows. To enable this function, click the Allow Password Sync button to the left of the line and toggle it so that the green check is visible.
Allow Person Provisioning — Allows or disallows EmpowerID Persons to be created from the user accounts discovered during inventory.
Allow Create Account On Membership Request — Select to allow users without accounts to request group membership and automatically have an account created.
Allow RET Provisioning — Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
Allow RET De-Provisioning — Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
Enable Attribute Flow — Allows or disallows attribute changes to flow between EmpowerID and the account store.
Recertify All Group Changes

Inventory Pane

This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule for the EmpowerID Inventory Job.

Inventory Schedule — This is the time span that occurs before EmpowerID performs a complete inventory of the resource system. The default value is 10 minutes. You can change this at any time by clicking the Edit
button.
Enable Inventory — This allows EmpowerID to inventory the Account Store. The Inventory Job must be enabled for inventory to occur. This is discussed further in the below section.
Inventory Provision Request Workflow — This is the request workflow that is initiated when new accounts are discovered via the inventory feature. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Join Provision flags described below are ignored. You can enable this feature by clicking the Edit
button.
Allow Automatic Person Provision on Inventory — This allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the provisioning criteria specified by the AccountInboxJoinAndProvisionFilter and AccountInboxProvisionFilter scalar functions. For more information on these, see Understanding the Account Inbox.
Allow Automatic Person Join on Inventory — This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the joining criteria specified by the AccountInboxJoinAndProvisionFilter and AccountInboxJoinFilter scalar functions and the enabled Join rules discussed above. For more information on the scalar functions, see Understanding the Account Inbox.
RBAC-Assign Initial Group Membership On First Inventory — This converts each user account in an Active Directory group to a Resource Role Assignment for the person who owns the user account.
Re-Inventory — Enabling this option sets the usn to 0 and re-inventories all changes.

Rights Enforcement for Resource Role Groups Pane

This pane is used to enable or disable and schedule rights enforcement for Resource Role Groups for the domain. This process ensures that the domain local groups used to grant native Active Directory permissions, such as read or write access for the group member attribute, are created in EmpowerID and granted the proper native permissions. For more information on enforcement in EmpowerID, see Understanding Projection and Enforcement.

Resource Enforcement Type — This specifies how EmpowerID is to enforce rights in native systems. The types available include:
- No Action — No rights enforcement action occurs.
- Projection with No Enforcement — Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native environment.
- Projection with Enforcement — Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native environment.
- Projection with Strict Enforcement — EmpowerID overrides any changes made in the native environment. All changes made must occur within EmpowerID to be accepted.
Enforcement Schedule — This is the time span that occurs before EmpowerID runs the Rights Enforcement Job. The default value is 10 minutes. You can change this at any time by clicking the Edit
button.
Re-Enforcement Frequency in Minutes — This is the time span that occurs before EmpowerID runs the a complete re-enforcement of all rights on all native resources. The default value is 1440 minutes. You can change this at any time by clicking the Edit
button.
Enable this Functionality — Enables and disables rights enforcement on the Account Store.

Resource Role Group Membership Pane

This pane is used to enable or disable and schedule Resource Role Group reconciliation for EmpowerID Resource Role Groups for the domain. This process is known in EmpowerID as "Projection." For an overview of this process, see Understanding Projection and Enforcement.

Projection Schedule — This is the time span that occurs before EmpowerID runs the Resource Role Reconciliation Job. The default value is 10 minutes. You can change this at any time by clicking the Edit
button.
Re-Enforcement Frequency in Minutes — This is the time span that occurs before EmpowerID runs the a complete re-enforcement of all rights on all native resources. The default value is 1440 minutes. You can change this at any time by clicking the Edit
button.
Enable this Functionality — Enables and disables rights enforcement on the Account Store.

Group Membership Reconciliation Pane

This pane is used to enable or disable and schedule group membership reconciliation for the domain. When this function is enabled, EmpowerID dynamically manages the membership of the Account Store's groups, adding and removing users to and from groups based upon policy-based assignment rules.

Membership Schedule — This is the time span that occurs before EmpowerID runs the Group Membership Reconciliation Job. The default value is 10 minutes. You can change this at any time by clicking the Edit
button.
Enable this Functionality — Enables and disables group membership reconciliation on the Account Store.

Browser not supported