You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Managing Partner Delegations
- Phillip Hanegan
If your organization has partners that access your system to manage the IT resources you have allocated to them, you can quickly set up your environment to manage those partners using the built-in partner roles and locations.
This topic demonstrates how to manage partner delegations by creating two fictitious partners named "Hendriks Hardware" and "Acme Anvils." We then create two test partner admins and log in to EmpowerID as those partner admins. The purpose of this is to test the delegations. You can follow along, creating these test partners or supply your own. To follow along, replace these two organizations with your actual partners.
If the environment has been correctly configured, the partner admins should only be able to see their locations; they should not be able to see your IT infrastructure or those of any other of your partners. The partner admins should also be able to manage their partner users outside of your intervention.
To create partner locations
- In the Navigation Sidebar, expand Role Management and click Business Roles.
- From the Business Role and Location management page, select the Actions tab and then click Create Location.
- In the Location Details form that appears, do the following:
- Type a name, display name and description for the Location in the Name, Display Name and Description fields, respectively.
- Tick Is Assignable so that the option is enabled.
- Underneath Parent Location, click the EmpowerID System link to open the Location Selector.
- From the Location Selector, search for and select Partner and then click Save to close the Location Selector.
- Select Organization from the Location Type drop-down.
- Back in the main form, click Save to create the Location.
- Repeat steps 3 and 4 above to create locations for each of your remaining partners.
To create test partner admins
- Log in to the EmpowerID Web application as an administrator.
- From the Navigation Sidebar, expand Identity Administration and click People.
- In Person Manager, click Create Person Simple Mode underneath the Actions pane.
- In the Create Person Request form that appears, do the following:
- Type a first name and last name for the person in the Last Name and Last Name fields, respectively.
- Underneath Primary Business Role and Location, click the Select a Role and Location link to open the Business Role and Location (BRL) Selector.
- From the Business Role pane of the BRL Selector, search for and select Partner Admin.
- Click Location to show the Location pane of the BRL Selector.
- From the Location pane, search for and select the appropriate partner location and then click Select.
- Back in the main form, click Save.
- Repeat steps 3 and 4 above to create test partner admins for each of your remaining partner locations.
- Reset the passwords for each of your test users. For information on resetting passwords, see Reset Passwords.
To test the partner delegations
- Log out of the EmpowerID Web application and log back in as one of the partner admins.
- Enroll for password self-service reset. This occurs the first time you log in as a new person.
- Click the Global Search drop-down at the top of the page. You should only see search options for People, Groups and User Accounts.
- Search for people by clicking in the Global Search field and pressing ENTER. Since your organization does not yet have any partners, you should see no results.
- Repeat by searching for groups and user accounts. Again, you should see no results.
- Expand Identity Administration. You should only see menu items for People (Person Manager), Groups (Group Manager) and User Accounts (Account Manager).
- Click People to navigate to the Find Person Page page, and click the Create Person Advanced action. This action allows partner admins to create a new partner user, and an Active Directory account for that person, in their partner location.
- From the General tab of the Create Person form that appears do the following:
- Type a first name, last name and display name for the person in the First Name, Last Name and Display Name fields, respectively.
- Type a login in the Login field or click the Login Suggestion button, shown below, to have EmpowerID fill the field with a suggested login.
- Underneath Primary Business Role and Location, click the Select a Role and Location link to open the Business Role and Location (BRL) Selector.
- From the Business Role pane of the BRL Selector, press ENTER to have EmpowerID return all Business Roles the partner admin can select. You should only see Partner and Partner Admin.
- Click Partner to select the role and then click Location to expand the Location pane.
- From the Location pane of the BRL Selector, press ENTER to have EmpowerID return all locations the partner admin can see. You should only see the partner location in which the person is the partner admin. You should see no other partner locations or your internal IT structure.
- Click the partner location to select it and then click Select to close the BRL Selector.
- Click Save to create the new partner. Because partner admins have the delegations to create people in their respective locations, you should see a message stating that the person was successfully created.
- Repeat as desired, creating as many test partners as you want.
- Reset the password for each of the test partners you created. For information on resetting passwords, see Reset Passwords.
- Log out of the Web application as the partner admin.
- Log back in to the Web application as one of the test partners and enroll for password self-service reset.
Expand the nodes in the Navigation Sidebar. You should see that you have few options and cannot even view other people in your organization.
Optional exercises
Repeat the above steps, creating as many partner users and partner admins as desired. Your test results should be consistent across the board.
In a non-production environment, do the following to have EmpowerID automatically provision user accounts for the partners:
- As an administrator, create test OUs for the partner locations you created above.
For a general example on creating OUs, see Create Organizational Units - Map those locations to the appropriate OUs.
For a general example on mapping locations to OUs, see Role and Location Mapper - Create a Provisioning Policy that provisions an Active Directory user account in the appropriate OU for each person assigned to the Partner in Partners Business Role and Location. This policy will provision an AD Account for all partner and partner admins in any location under the Partners location.
For a general example, see Active Directory User Account Provisioning Policies. - Log in to the Web application as one of the partner admins and search for user accounts. You should see one user account for each partner you created.