Box
- Phillip Hanegan
Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:
- Configuring the appropriate server roles for your EmpowerID servers
- Reviewing the Join and Provision Rules for your environment
- Reviewing the Join and Provision Filters for your environment
If you have already connected EmpowerID to another external directory, you can skip these prerequisites.
EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.
EmpowerID Box connector allows organizations to bring the user and group data in their Box system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:
- Account Management
- Inventory Box user accounts
- Create, Update and Delete Box user accounts
- Enable and Disable Box user accounts
- Group Management
- Inventory Box groups
- Inventory Box group memberships
- Create and Delete Box groups
- Add and Remove members to and from Box groups
- Attribute Flow
Users in Box are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of Box user attributes to EmpowerID Person attributes.
Box Attribute | Box Table | Corresponding EmpowerID Attribute | Description |
---|---|---|---|
name | User | Name | Name of the user |
FirstName | User | FirstName | First name of the user |
LastName | User | LastName | Last Name of the user |
DisplayName | user | FriendlyName | Display name of the user |
login | User | Login | Login of the user |
status | User | Active | Specifies whether the user is active |
CompanyName | User | Company | Company name of the user |
Description | User | Description | Description of the user |
Language | User | PreferredLanguage | Language of the user |
Job_title | User | Title | Title of the user |
Phone | User | Telephone | Phone number of the user |
Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Box accounts for any person within your organization based on your policy requirements.
Prerequisites
In order to connect EmpowerID to Box, the following prerequisites need to be met:
- Your organization must have an enterprise Box account.
- You must supply the credentials for the Box administrator account. EmpowerID uses this account as a connection proxy to manage Box on your behalf.
Before connecting EmpowerID to a directory system, you should determine whether you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If you do, then you should be able to answer the following questions before turning on inventory.
- When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time using the Account Inbox (recommended)?
- If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
- How many user accounts can one Person have in the account store?
- If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
- Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
- If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?
This topic demonstrates how to connect EmpowerID to Box and is divided into the following activities:
- Registering EmpowerID as an application in Box – This generates an API Key for managing the user and group information within Box.
- Creating a Box account store in EmpowerID – Account stores are objects in EmpowerID that you use to connect EmpowerID to external directories.
- Configuring Attribute Flow Rules for the Box Account Store – Attribute Flow Rules allow you to specify which system has greater authority for effecting changes to user attributes.
- Enabling EmpowerID to Inventory Box
- Turning on the Account Inbox Permanent Workflow – The Account Inbox is a permanent workflow that retrieves user accounts in external systems and either joins those user accounts to existing EmpowerID Persons or provisions new EmpowerID Persons from those user accounts based on the logic of the Join and Provision Rules.
- Monitoring Inventory
To register EmpowerID as an application in Box
- Login in https://app.box.com/developers/console.
- Click Dev Console and then click Create New App.
- Select Enterprise Integration and click Next.
- On the Authentication Method page, select OAuth 2.0 with JWT (Server Authentication) and then click Next.
- Name the app and then click Create App.
Box creates the app and generates developer token. Click View Your App.
This directs you to the Configuration page.- Under Application Access, select Enterprise.
- Under Application Scopes, select the options shown below.
- Under Advanced Features, select Perform Action as Users and Generate User Access Tokens.
Under Add and Manage Public Keys, click Generate a Public/Private Keypair.
When you click Generate a Public/Private Keypair, Box will send a Verification code to the mobile number linked to the account. To use this feature, Two-factor authentication must be enabled on Box.
- Enter the code sent to your mobile number.
Download the JSON file generated by “Generate a Public/Private Keypair.”
- Save your changes and then point your browser to https://app.box.com.
- Select Admin Console from sidebar.
- Select Enterprise Settings and then click the Apps tab.
- Under Custom Applications, click Authorize New App and wait about 10 minutes before proceeding to the next step.
- Copy the value for the ClientID of the application from the JSON file you downloaded above.
- Paste the ClientID in the API Key field of the App Authorization dialog and then click Next.
- Click Authorize.
After registering EmpowerID in Box, the next step is to create a Box account store in EmpowerID.
To create a Box account store in EmpowerID
- From the navigation sidebar of the EmpowerID Web interface, expand Admin > Applications and Directories and then click Account Stores and Systems.
- On the Account Stores page, click Create Account Store.
- Under System Types, search for Box.
- Click Box.com to select the type and then click Submit.
- On the Box Settings page that appears, do the following:
- Enter a Name in the Name field.
- Enter a UPN Suffix in the UPN Suffix field.
- Click Choose File and upload the application JSON file you downloaded from Box.
- Click Submit.
To configure Attribute Flow rules
EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store.
The following flow rules are available:
- No Sync - When this option is selected, no information flows between EmpowerID and the native system.
- Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting.
- Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
- EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
The following CRUD operations are available:
- Create - This operation is used to create an attribute value for an existing attribute when the value of that attribute is null.
- Update - This operation is used to update the value of an attribute.
- Delete - This operation is used to delete the value of an attribute.
- From the navigation sidebar, expand Admin > Applications and Directories and click Attribute Flow Rules.
From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the Box account store and then click Search to filter the rules shown in the grid.
The attributes from the EmpowerID Person object are displayed in the left column with the corresponding attributes from the account store displayed in the right column.
To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.
To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and Box were being inventoried by EmpowerID.
To turn on inventory
- Back on the Account Stores page, search for the Box account store you just created.
- From the grid, click the Account Store link for your Box account store.
- On the Account Store Details page that appears, click the Edit icon.
This opens the edit page for the Box account store. This page allows you to specify the account proxy used to connect EmpowerID to your Box account as well as how you want EmpowerID to handle the user information it discovers in Box during inventory. - From the Inventory tab, check Inventory Enabled.
- Click the Save button at the bottom of the page.
If you are using the Account Inbox to provision or join the user accounts in Box to Empower Persons, you need to turn on the Account Inbox. This is demonstrated in the below section.
To enable the Account Inbox permanent workflow
- From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.
- From the Permanent Workflows page, click the Display Name link for Account Inbox.
- From the View One page for the workflow that appears, click the edit link for the workflow.
- From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.
To monitor inventory
- From Navigation Sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.
The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.
- Dashboard - This tab provides a quick summary of account inbox activity.
- Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
- Failed - This tab displays a grid view of any account joining or provisioning failures.
- Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
- Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
- Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
- Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
- Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
- All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.