Box

EmpowerID Box connector allows organizations to bring the user and group data in their Box system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

• Account Management

  • Inventory Box user accounts

  • Create, Update and Delete Box user accounts

  • Enable and Disable Box user accounts
    
    
    

• Group Management

  • Inventory Box groups

  • Inventory Box group memberships

  • Create and Delete Box groups

  • Add and Remove members to and from Box groups
    
    
    

• Attribute Flow
  Users in Box are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of Box user attributes to EmpowerID Person attributes.
  
  
  

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Box accounts for any person within your organization based on your policy requirements.

This topic demonstrates how to connect EmpowerID to Box and is divided into the following activities:

• Registering EmpowerID as an application in Box – This generates an API Key for managing the user and group information within Box. 

• Creating a Box account store in EmpowerID – Account stores are objects in EmpowerID that you use to connect EmpowerID to external directories.

• Configuring Attribute Flow Rules for the Box Account Store – Attribute Flow Rules allow you to specify which system has greater authority for effecting changes to user attributes.

• Enabling EmpowerID to Inventory Box

• Turning on the Account Inbox Permanent Workflow – The Account Inbox is a permanent workflow that retrieves user accounts in external systems and either joins those user accounts to existing EmpowerID Persons or provisions new EmpowerID Persons from those user accounts based on the logic of the Join and Provision Rules.

• Monitoring Inventory

To register EmpowerID as an application in Box

1. Login in https://app.box.com/developers/console.

2. Click Dev Console and then click Create New App.
   
   
   

   Open

   

   
   
   
   

3. Select Enterprise Integration and click Next.
   
   
   

   Open

   

   
   
   
   

4. On the Authentication Method page, select OAuth 2.0 with JWT (Server Authentication) and then click Next.
   
   
   

   Open

   

   
   
   
   

5. Name the app and then click Create App.
   
   
   

   Open

   

   
   
   Box creates the app and generates developer token.
   
   
   

   Open

   

   
   
   
   

6. Click View Your App.
   
   This directs you to the Configuration page.
   
   

   
   
   
   

7. Under Application Access, select Enterprise.
   
   
   

   Open

   

   
   
   
   

8. Under Application Scopes, select the options shown below.
   
   
   

   Open

   

9. Under Advanced Features, select Perform Action as Users and Generate User Access Tokens.

10. Under Add and Manage Public Keys, click Generate a Public/Private Keypair. 
    
    
    

    Open

    

11. Enter the code sent to your mobile number.

12. Download the JSON file generated by “Generate a Public/Private Keypair.”

13. Save your changes and then point your browser to https://app.box.com.

14. Select Admin Console from sidebar.

15. Select Enterprise Settings and then click the Apps tab.
    
    
    

    Open

    

    
    
    
    

16. Under Custom Applications, click Authorize New App and wait about 10 minutes before proceeding to the next step.

17. Copy the value for the ClientID of the application from the JSON file you downloaded above.

18. Paste the ClientID in the API Key field of the App Authorization dialog and then click Next.
    
    
    

    Open

    

    
    
    
    

19. Click Authorize.
    
    
    

    Open

    

    
    
    
    

After registering EmpowerID in Box, the next step is to create a Box account store in EmpowerID.

To create a Box account store in EmpowerID

1. From the navigation sidebar of the EmpowerID Web interface, expand Admin > Applications and Directories and then click Account Stores and Systems.

2. On the Account Stores page, click Create Account Store.
   
   
   

   Open

   

   
   
   
   

3. Under System Types, search for Box.

4. Click Box.com to select the type and then click Submit.
   
   
   

   Open

   

   
   
   
   

5. On the Box Settings page that appears, do the following:

   1. Enter a Name in the Name field.

   2. Enter a UPN Suffix in the UPN Suffix field.

   3. Click Choose File and upload the application JSON file you downloaded from Box.

   4. Click Submit.
      
      
      

      Open

      

      
      
      
      

To configure Attribute Flow rules

1. From the navigation sidebar, expand Admin > Applications and Directories and click Attribute Flow Rules.

2. From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the Box account store and then click Search to filter the rules shown in the grid.
   
   

   
   
   
   
   

3. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.
   
   

   
   
   
   
   

4. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
   
   
   

Now that the attribute flow has been set, the next steps includes turning on and monitoring inventory.

To turn on inventory

1. Back on the Account Stores page, search for the Box account store you just created.

2. From the grid, click the Account Store link for your Box account store.
   
   
   

   Open

   

   
   
   
   

3. On the Account Store Details page that appears, click the Edit icon.
   
   
   

   Open

   

   
   
   This opens the edit page for the Box account store. This page allows you to specify the account proxy used to connect EmpowerID to your Box account as well as how you want EmpowerID to handle the user information it discovers in Box during inventory.
   
   
   

   Open

   

   
   
   
   
   

4. From the Inventory tab, check Inventory Enabled. 
   
   
   

   Open

   

   
   
   
   

5. Click the Save button at the bottom of the page.

If you are using the Account Inbox to provision or join the user accounts in Box to Empower Persons, you need to turn on the Account Inbox. This is demonstrated in the below section.

To enable the Account Inbox permanent workflow

1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.

2. From the Permanent Workflows page, click the Display Name link for Account Inbox.
   
   
   

   Open

   

   
   
   
   

3. From the View One page for the workflow that appears, click the edit link for the workflow.
   
   
   

   Open

   

   
   
   
   

4. From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.
   
   
   

   Open

   

To monitor inventory

1. From Navigation Sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.
   
   The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.
   
   
   

   Open

   

• Dashboard - This tab provides a quick summary of account inbox activity.

• Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.

• Failed - This tab displays a grid view of any account joining or provisioning failures.

• Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.

• Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.

• Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.

• Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.

• Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.

• All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.