EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.
The EmpowerID Box connector allows organizations to bring the user and group data in their Box system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:
Inventory Box user accounts
Create, Update and Delete Box user accounts
Enable and Disable Box user accounts
Inventory Box groups
Inventory Box group memberships
Create and Delete Box groups
Add and Remove members to and from Box groups
Attribute Flow
Users in Box are inventoried as accounts in EmpowerID. The table below shows the mappings of Box user attributes to EmpowerID Person attributes.
Corresponding EmpowerID Attribute
Name of the user
First name of the user
Last Name of the user
Display name of the user
Login of the user
Specifies whether the user is active
Company name of the user
Description of the user
Language of the user
Title of the user
Phone number of the user
Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Box accounts for any person within your organization based on your policy requirements.
This topic demonstrates how to connect EmpowerID to Box and is divided into the following activities:
Turning on the Account Inbox Permanent Workflow – The Account Inbox is a permanent workflow that retrieves user accounts in external systems and either joins those user accounts to existing EmpowerID Persons or provisions new EmpowerID Persons from those user accounts based on the logic of the Join and Provision Rules.
Select Enterprise Settings and then click the Apps tab.
Under Custom Applications, click Authorize New App and wait about 10 minutes before proceeding to the next step.
Copy the value for the ClientID of the application from the JSON file you downloaded above.
Paste the ClientID in the API Key field of the App Authorization dialog and then click Next.
After registering EmpowerID in Box, the next step is to create a Box account store in EmpowerID.
To create a Box account store in EmpowerID
From the navigation sidebar of the EmpowerID Web interface, expand Admin > Applications and Directories and then click Account Stores and Systems.
On the Account Stores page, click Create Account Store.
Under System Types, search for Box.
Click Box.com to select the type and then click Submit.
On the Box Settings page that appears, do the following:
Enter a Name in the Name field.
Enter a UPN Suffix in the UPN Suffix field.
Click Choose File and upload the application JSON file you downloaded from Box.
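Added example (not part of the EmpowerID documentation): a pre-flight check for the application JSON file used in the steps above. It reports the ClientID to paste into the API Key field and flags missing fields without echoing the secrets the file carries. The field names are an assumption based on the layout of Box's JWT application settings file, and the sample values are constructed.

```python
import json

# Assumed layout of Box's JWT app settings file; the page does not show it.
REQUIRED = [
    ("boxAppSettings", "clientID"),
    ("boxAppSettings", "clientSecret"),
    ("boxAppSettings", "appAuth", "publicKeyID"),
    ("boxAppSettings", "appAuth", "privateKey"),
    ("boxAppSettings", "appAuth", "passphrase"),
    ("enterpriseID",),
]
SECRET_KEYS = {"clientSecret", "privateKey", "passphrase"}

def lookup(doc, path):
    # Walk nested dicts; return None if any step is absent.
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def redact(node):
    """Copy the document with secret values masked, safe to log or paste."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in SECRET_KEYS else redact(v)
                for k, v in node.items()}
    return node

def check_box_config(text):
    """Return (client_id, problems, redacted_copy) for the JSON text."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"], None
    problems = [".".join(p) + " is missing or empty"
                for p in REQUIRED if not lookup(doc, p)]
    key = lookup(doc, ("boxAppSettings", "appAuth", "privateKey"))
    # Assumption: a Box-generated key pair is a passphrase-encrypted PEM block.
    if isinstance(key, str) and key and "ENCRYPTED PRIVATE KEY" not in key:
        problems.append("privateKey is not an encrypted PEM block")
    return lookup(doc, ("boxAppSettings", "clientID")), problems, redact(doc)

# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE = json.dumps({"enterpriseID": "000000", "boxAppSettings": {
    "clientID": "example-client-id", "clientSecret": "example-secret",
    "appAuth": {"publicKeyID": "abcd1234", "passphrase": "example-pass",
                "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n"}}})

if __name__ == "__main__":
    client_id, problems, safe = check_box_config(SAMPLE)
    print("ClientID:", client_id, "| problems:", problems or "none")
    print(json.dumps(safe, indent=2))
```

Because the file holds the client secret, the private key and its passphrase, only the redacted copy should go into tickets or logs, and the original is best deleted from the workstation once the upload succeeds.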
To configure Attribute Flow rules
From the navigation sidebar, expand Admin > Applications and Directories and click Attribute Flow Rules.
From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the Box account store and then click Search to filter the rules shown in the grid.
To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.
To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
Now that the attribute flow has been set, the next steps include turning on and monitoring inventory.
To turn on inventory
Back on the Account Stores page, search for the Box account store you just created.
From the grid, click the Account Store link for your Box account store.
On the Account Store Details page that appears, click the Edit icon.
This opens the edit page for the Box account store. This page allows you to specify the account proxy used to connect EmpowerID to your Box account as well as how you want EmpowerID to handle the user information it discovers in Box during inventory.
From the Inventory tab, check Inventory Enabled.
Click the Save button at the bottom of the page.
If you are using the Account Inbox to provision or join the user accounts in Box to EmpowerID Persons, you need to turn on the Account Inbox. This is demonstrated in the section below.
To enable the Account Inbox permanent workflow
From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.
From the Permanent Workflows page, click the Display Name link for Account Inbox.
From the View One page for the workflow that appears, click the edit link for the workflow.
From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.
To monitor inventory
From the navigation sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.
The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.
Dashboard - This tab provides a quick summary of account inbox activity.
Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
Failed - This tab displays a grid view of any account joining or provisioning failures.
Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.