Box

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

EmpowerID Box connector allows organizations to bring the user and group data in their Box system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Account Management
    • Inventory Box user accounts
    • Create, Update and Delete Box user accounts
    • Enable and Disable Box user accounts

  • Group Management
    • Inventory Box groups
    • Inventory Box group memberships
    • Create and Delete Box groups
    • Add and Remove members to and from Box groups

  • Attribute Flow
    Users in Box are inventoried as accounts in EmpowerID. The below table shows the attribute mappings of Box user attributes to EmpowerID Person attributes.

Box AttributeBox TableCorresponding EmpowerID AttributeDescription
nameUserNameName of the user
FirstNameUserFirstNameFirst name of the user
LastNameUserLastNameLast Name of the user
DisplayNameuserFriendlyNameDisplay name of the user
loginUserLoginLogin of the user
statusUserActiveSpecifies whether the user is active
CompanyNameUserCompanyCompany name of the user
DescriptionUserDescriptionDescription of the user
LanguageUserPreferredLanguageLanguage of the user
Job_titleUserTitleTitle of the user
PhoneUserTelephonePhone number of the user

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Box accounts for any person within your organization based on your policy requirements.


This topic demonstrates how to connect EmpowerID to Box and is divided into the following activities:

To register EmpowerID as an application in Box

  1. Login in https://app.box.com/developers/console.
  2. Click Dev Console and then click Create New App.



  3. Select Enterprise Integration and click Next.



  4. On the Authentication Method page, select OAuth 2.0 with JWT (Server Authentication) and then click Next.



  5. Name the app and then click Create App.



    Box creates the app and generates developer token.



  6. Click View Your App.

    This directs you to the Configuration page.



  7. Under Application Access, select Enterprise.



  8. Under Application Scopes, select the options shown below.

  9. Under Advanced Features, select Perform Action as Users and Generate User Access Tokens.
  10. Under Add and Manage Public Keys, click Generate a Public/Private Keypair





  11. Enter the code sent to your mobile number.
  12. Download the JSON file generated by “Generate a Public/Private Keypair.”

  13. Save your changes and then point your browser to https://app.box.com.
  14. Select Admin Console from sidebar.
  15. Select Enterprise Settings and then click the Apps tab.



  16. Under Custom Applications, click Authorize New App and wait about 10 minutes before proceeding to the next step.
  17. Copy the value for the ClientID of the application from the JSON file you downloaded above.
  18. Paste the ClientID in the API Key field of the App Authorization dialog and then click Next.



  19. Click Authorize.



After registering EmpowerID in Box, the next step is to create a Box account store in EmpowerID.

To create a Box account store in EmpowerID

  1. From the navigation sidebar of the EmpowerID Web interface, expand Admin > Applications and Directories and then click Account Stores and Systems.
  2. On the Account Stores page, click Create Account Store.



  3. Under System Types, search for Box.
  4. Click Box.com to select the type and then click Submit.



  5. On the Box Settings page that appears, do the following:
    1. Enter a Name in the Name field.
    2. Enter a UPN Suffix in the UPN Suffix field.
    3. Click Choose File and upload the application JSON file you downloaded from Box.
    4. Click Submit.




To configure Attribute Flow rules

  1. From the navigation sidebar, expand Admin > Applications and Directories and click Attribute Flow Rules.
  2. From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the Box account store and then click Search to filter the rules shown in the grid.




  3. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.




  4. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.

Now that the attribute flow has been set, the next steps includes turning on and monitoring inventory.

To turn on inventory

  1. Back on the Account Stores page, search for the Box account store you just created.
  2. From the grid, click the Account Store link for your Box account store.



  3. On the Account Store Details page that appears, click the Edit icon.



    This opens the edit page for the Box account store. This page allows you to specify the account proxy used to connect EmpowerID to your Box account as well as how you want EmpowerID to handle the user information it discovers in Box during inventory.




  4. From the Inventory tab, check Inventory Enabled



  5. Click the Save button at the bottom of the page.

If you are using the Account Inbox to provision or join the user accounts in Box to Empower Persons, you need to turn on the Account Inbox. This is demonstrated in the below section.

To enable the Account Inbox permanent workflow

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.
  2. From the Permanent Workflows page, click the Display Name link for Account Inbox.



  3. From the View One page for the workflow that appears, click the edit link for the workflow.



  4. From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.


To monitor inventory

  1. From Navigation Sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.

    The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.


  • Dashboard - This tab provides a quick summary of account inbox activity.
  • Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
  • Failed - This tab displays a grid view of any account joining or provisioning failures.
  • Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
  • Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
  • Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
  • Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
  • Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
  • All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.


In this article