Enabling SharePoint Profile Sync

If you have Microsoft SharePoint and are running the User Profile service, you can configure EmpowerID to synchronize the user profile properties in your SharePoint with the corresponding EmpowerID Person attributes for each SharePoint user with an EmpowerID Person identity. In this way, if a user changes the value of one of their profile properties, that change can be brought into EmpowerID and pushed to any of your connected account stores, such as Active Directory. The number of SharePoint profile properties that EmpowerID can synchronize with and the naming convention used are shown in the table below.

User Profile Sync Attribute Flow

  EmpowerID Person attribute    Name of Profile property in SharePoint
  --------------------------    --------------------------------------
  AboutMe                       AboutMe
  BirthDay                      SPS-Birthday
  Department                    Department
  Description                   Description
  DisplayName                   PreferredName
  Email                         WorkEmail
  Fax                           Fax
  FirstName                     FirstName
  HomePhone                     HomePhone
  JobTitle                      Title
  LastName                      LastName
  Location                      SPS-Location
  MailboxAlias                  MailNickName
  MobileNumber                  CellPhone
  OfficeLocation                Office
  OriginalHireDate              SPS-HireDate
  SIPAddress                    SPS-SipAddress
  Telephone                     WorkPhone
  URLPersonal                   Url

The User Profile Service Application must be started in your SharePoint farm for EmpowerID Profile Sync to function correctly.
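
The following pre-flight check is an added example, not EmpowerID's own tooling: it confirms the User Profile Service Application is online and reports which of the SharePoint properties listed above exist and are user-editable, since user-editable values are the ones that can flow into EmpowerID and on to account stores such as Active Directory. It assumes the SharePoint Management Shell on a farm server, an account with rights on the User Profile Service Application, and a placeholder site URL.

```powershell
# Added example: pre-flight check before enabling profile sync.
# Run on a SharePoint server in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'https://sharepoint.example.com'   # placeholder: any site in the farm

# SharePoint property names taken from the attribute flow table on this page
$mapped = 'AboutMe','SPS-Birthday','Department','Description','PreferredName',
          'WorkEmail','Fax','FirstName','HomePhone','Title','LastName',
          'SPS-Location','MailNickName','CellPhone','Office','SPS-HireDate',
          'SPS-SipAddress','WorkPhone','Url'

# 1. The User Profile Service Application must be started (Status = Online)
$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like 'User Profile Service Application*' }
if (-not $upa) { throw 'No User Profile Service Application found in this farm.' }
if ($upa | Where-Object { $_.Status -ne 'Online' }) {
    throw 'A User Profile Service Application exists but is not Online.'
}

# 2. Resolve the default user profile subtype for the site's service context
$upNs    = 'Microsoft.Office.Server.UserProfiles'
$context = Get-SPServiceContext -Site $siteUrl
$ptype   = ("$upNs.ProfileType" -as [type])::User
$psmType = "$upNs.ProfileSubtypeManager" -as [type]
$subtype = $psmType::Get($context).GetProfileSubtype(
               $psmType::GetDefaultProfileName($ptype))

# 3. Report each mapped property: does it exist, and can users edit it?
$report = foreach ($name in $mapped) {
    $prop = $subtype.Properties.GetPropertyByName($name)
    [pscustomobject]@{
        Property     = $name
        Exists       = [bool]$prop
        UserEditable = if ($prop) { $prop.IsUserEditable } else { $null }
    }
}

# Missing properties first, then user-editable ones for review
$report | Sort-Object Exists, @{ Expression = 'UserEditable'; Descending = $true } |
    Format-Table -AutoSize
```

Review the rows marked UserEditable against your attribute flow rules before applying the policy broadly.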

You determine how changes made to these properties in SharePoint affect EmpowerID by the settings you apply to the attribute flow rules for your SharePoint system. These rules are visually configured for each profile property and are always relative to the relationship between a user profile property in SharePoint and the corresponding EmpowerID Person attribute. In addition to setting attribute flow rules, you create a Resource Entitlement (RET) for a SharePoint User Profile and apply that policy to your SharePoint users in EmpowerID.

In this example, we create a SharePoint User Profile Resource Entitlement and apply that entitlement to the Any Role Anywhere Business Role and Location. In this way, profile sync happens for anyone within the organization. You can be more selective in your RET application if desired, drilling down to specific Business Roles and Locations, groups, Management Roles, and SetGroups.

Step 1 – Create a SharePoint User Profile Resource Entitlement

  1. On the navbar, expand Identity Lifecycle and click Provisioning Policies (RETs).

  2. On the Policies page, click the Add button at the top of the grid.


    This opens the Policy Details form, which is where you enter settings for the Resource Entitlement policy.

  3. Enter the following information in the Policy Details form:

    • Object Type To Provision — Select SharePoint User Profile.

    • Name — Enter a name for the policy.

    • Description — Enter a description for the policy.

    • SharePoint System — Select your SharePoint.

    • All Provisions Require Approval — If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • All Deprovisions Require Approval — If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • Require Approval if Provision Batch Larger Than Threshold — This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the SharePoint User Profiles until approval is granted.

    • Require Approval if Deprovision Batch Larger Than Threshold — This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the SharePoint User Profiles until approval is granted.

    • On Revoke Action — Select one of the below options:

      • Do Nothing — No action occurs.

      • Publish Workflow Event — Executes custom workflow code.

  4. Click Save to create the policy.

  5. After EmpowerID creates the policy, you should be directed to the completed Policy Details page for the policy.

Next, assign the policy you just created to one or more targets as demonstrated below.

Step 2 – Assign the policy

  1. On the Policy Details page, click the Find Policies breadcrumb. 

  2. Search for the policy you just created and then click the Display Name link for it.


    This directs you to the View page for the policy. This page allows you to manage the policy as needed. 

     

  3. On the View page, click the Assignees accordion to expand it. This accordion allows you to assign the policy to any of the following EmpowerID actor types:

    • Business Roles and Locations – All people in the selected Business Role and Location combinations receive the resource granted by the policy.

    • Management Roles – All people in the selected Management Roles receive the resource granted by the policy.

    • Management Role Definitions – All Management Roles that are children of the selected Management Role Definition receive the resource granted by the policy.

    • Query-Based Collections (SetGroup) – All people in the selected collection receive the resource granted by the policy.

    • Groups – All people in the selected groups receive the resource granted by the policy.

    • People – All people selected receive the resource granted by the policy.

  4. From the Assignees accordion, click the Add button for the assignee type to which you are making the assignment. In this example, the assignee is a Business Role and Location.

  1. Click the Add button in the Business Roles and Locations grid.

     

  2. In the Add Entry pane that appears, click Select a Role and Location to open the Business Role and Location selector.

     

  3. Search for the appropriate Business Role and then click the node for that role to select it.

     

  4. Click Location.

  5. Search for the appropriate Location and then click the node for that location to select it.

     

  6. Click Select to select the Business Role and Location combination.

     

  7. Enter a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET via another assignment, such as being a member of a group that has the same policy. The lower the number, the higher the priority. 

     

  8. Click Save.

  9. Repeat for as many Business Role and Location combinations as needed.

  10. When done assigning the policy, click Save in the main form.