Provisioning Policies allow you to automate the provisioning, moving, disabling, and de-provisioning of resources for users based on their roles, memberships and locations within your organization.

This topic demonstrates how to create a Provisioning policy that provisions AD user accounts.

Prerequisites

EmpowerID must first be connected to Active Directory. For details, see Connecting to Active Directory.
RET provisioning and RET deprovisioning must be enabled on the Active Directory account store.

To create a provisioning policy that provisions AD user accounts

In the Navigation Sidebar of the EmpowerID Web interface, expand Admin, then Policies, and click Provisioning Policies (RETs).
From the Provisioning Policies management page, click the Actions tab and then click the Create Provisioning Policy tile.
In the Choose Type section of the Policy Details form that appears, select AD Account from the Object Type To Provision drop-down.
In the General section of the form, do the following:
1. Type a name and display name in the Name and Display Name fields, respectively. These fields are required.
2. Optionally, type a description in the Description field.
3. Select User from the Object Class drop-down.
4. Select your Active Directory domain in which the accounts are to be provisioned from the Directory drop-down.
  
  The General section of the form looks similar to the image below.
In the Throttling Settings section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:
- All Provisions Require Approval - If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
- All Deprovisions Require Approval - If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
- Require Approval if Provision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the accounts until approval is granted.
- Require Approval if Deprovision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the accounts until approval is granted.
  
  As a best practice, when testing provisioning policies, you should select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.
  
  In our example, we have selected All Provisions Require Approval and All Deprovisions Require Approval, meaning that the provisioning and deprovisioning of all accounts must be approved before those accounts will be processed by RET Inbox.
In the Advanced section of the form, do the following:
1. Select a desired option from the On Claim Action drop-down. You have the following options:
  - Do Nothing - No action occurs.
  - Delete and Recreate - The user account is deleted and recreated.
  - Move - Marks any previous resources assigned to the user that match the RET as RET-managed resources and moves the user object to the OU specified by the RET policy.
  - Publish Workflow Event - Executes custom workflow code.
2. Select a desired option from the On Transform Action drop-down. You have the following options:
  - Do Nothing - No action occurs.
  - Delete and Recreate - The user account is deleted and recreated.
  - Move - Marks this resource with the new RET policy number and moves the user object to the OU specified by the RET policy
  - Publish Workflow Event - Executes custom workflow code.
3. Select a desired option from the On Revoke Action drop-down. You have the following options:
  - Do Nothing - No action occurs.
  - Deprovision - The user account is deleted if the person no longer meets the criteria to receive the resource from the RET.
  - Disable - The user account is disabled if the person no longer meets the criteria to receive the resource from the RET.
  - Disable and Move - The user account is disabled and moved to the OU specified in the OU to Move Disabled Users field if the person no longer meets the criteria to receive the resource from the RET.
  - Publish Workflow Event - Executes custom workflow code.
4. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.
Back in the main form, click Save.

Next, assign the policy you just created to one or more targets as demonstrated below.

To assign the provisioning policy to users

Scroll to the Policy Assigned To section of the Policy Details form and click the Add (+) button underneath the specific target type to which you want to assign the RET. In our example, we are assigning the policy to the Contractor in All Business Locations Business Role and Location so we are clicking the Add (+) button in the Business Role and Locations pane of the section. In this way, each Person who has the Contractor Business Role in any location will receive an AD user account.

This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.
From the Add Entry pane, click the Select a Role and Location link.
In the Business Role and Location selector that appears, do the following:
1. Search for and select the Business Role to which you want to assign the policy. In our example, we are assigning the policy to the Contractor Business Role, so we have selected Contractor.
2. Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all contractors within any business location of the default organization regardless of their location, so we have selected Anywhere.
Click Select to close the Business Role and Location selector.
Type a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET by virtue of another assignment, such as being a member of a group that has the same policy.
Click Save.
Back in the main form, click Save.

To approve the resource entitlements

In the Navigation Sidebar, expand System Logs and click Provisioning (RET) Inbox.
Click the Pending Approval tab. You should see a list of all RETs requiring approval.

If you do not see a list of RETS pending approval, allow several minutes for EmpowerID to process the RET policy and then press the Search button.
To approve a RET, click the Approval drop-down and select Approve from the menu.
Repeat for each RET you want to approve.
When finished with approvals, click the shopping cart at the top of the page, type a reason for the approval in the cart dialog and then click Submit.
Back in the RET Inbox, click the Approved or Rejected tab and press ENTER. You should see the RETs you approved in the grid.

Active Directory User Accounts