Managing Partner Delegations
If your organization has partners that access your system to manage the IT resources you have allocated to them, you can quickly set up your environment to manage those partners using the built-in partner roles and locations.
This topic demonstrates how to manage partner delegations by creating a fictitious partner named "Hendriks Hardware." We then create a test partner admin and a test partner user and log in to EmpowerID as those users. The purpose of this is to test the delegations. You can follow along, creating these test partners or supplying your own.
If the environment has been correctly configured, the partner admins should only be able to see their locations; they should not be able to see your IT infrastructure or those of any other of your partners. The partner admins should also be able to manage their partner users outside of your intervention.
Step 1 – Create a partner location
On the navbar, expand Role Management and click Business Roles and Locations.
Select the Actions tab and then click Create Location.
This opens the Location Details form.Â
Do the following in the form:
Name – Name of the partner location. It is recommended the name matches the partner organization.
Display Name – Name of the partner location users to see in the EmpowerID UI.
Description – Short characterization of the location
Tick Is Assignable so that the option is enabled.
Underneath Parent ID, click the X to delete the EmpowerID System location and then click the Select a Location link to open the Location Selector.
Search for and select Partners.
Â
Select Organization - Security Container as the Location Type.
Â
Leave the other fields as is and click Save to create the Location.
Repeat the above steps to create locations for each of your remaining partners.
Step 2 – Create a test partner admin
On the navbar, expand Identity Administration and click People.
Click the Onboard Person action to initiate the Onboard Person workflow.
Select Simple Mode as the Person Creation Mode and click Next to proceed to the Person Details step fo the workflow.
Â
Enter a First Name and Last Name for the partner admin.
Enter Email and Personal Email addresses for the partner admin.
Underneath Primary Business Role and Location, click the Select a Role and Location link to open the Business Role and Location (BRL) Selector.
From the Business Role pane of the BRL Selector, search for and select Partner Admin.
Â
Click Location to show the Location pane of the BRL Selector.
From the Location pane, search for and select one of the partner locations you created above, and then click Select.
Â
Click Next to proceed to the Additional Information section of the workflow.
Review the summary information and click Submit.
Â
Repeat the above steps to create additional test partner admins as needed.
Reset the passwords for each of your test partner admins. For information on resetting passwords, see .
Step 3 – Create a test partner user
On the navbar, expand Identity Administration and click People.
Click the Create Identity action.
This opens the Create Identity form.Â
Fill in the following required fields and click Save.
Field | Description | Example |
---|---|---|
First Name | First name of the user | Frank |
Last Name | Last name of the user | Emu |
Login | EmpowerID login for the user | frank.emu |
Primary Role and Location | Business Role and Location for the user. For partners, the Business Role is Partners and the location is the location for the partner organization. | Partner in Henrik Hardware Procedure:
|
4. Repeat the above steps to create additional test partner users as needed.
5. Reset the passwords for each of your test partner users. For information on resetting passwords, see Reset Passwords.
Step 3 – Test the partner delegations
Log out of the EmpowerID Web application and log back in as a partner user.
If prompted to protect access to your identity, select None.
Â
Click the Global Search drop-down at the top of the page. You should only see search options for People.
Search for people by clicking in the Global Search field and pressing ENTER. You should only see the people in the partner organization.
View the navbar. You should see the navigation items:
Navigation Item | Purpose |
---|---|
Dashboards | View personal home dashboard |
Password Management | Access to following features:
|
My Identity | Directs the user to the My Identity app |
IAM Shop | Directs the user to the IAM Shop app |
Business Requests and Tasks | Directs the user to the My Tasks app |
Identity Administration | Directs the user to the Resource Admin app |
Â
Step 3 – Test the partner admin delegations
Log out of the EmpowerID Web application and log back in as a partner admin.
If prompted to protect access to your identity, select None.
Â
You should see the same navigation and search options as the partner user, with the exception that you can access the Find People page from the navbar.
From the navbar, expand Identity Administration and click People.
You should see that you have access to the actions shown below.Â
Optional exercises
Repeat the above steps, creating as many partner users and partner admins as desired. Your test results should be consistent across the board.
In a non-production environment, do the following to have EmpowerID automatically provision user accounts for the partners:
As an administrator, create test OUs for the partner locations you created above.
For a general example of creating OUs, see Create Organizational Units.Map those locations to the appropriate OUs.
For a general example of mapping locations to OUs, see Role and Location Mapper.Create a Provisioning Policy that provisions an Active Directory user account in the appropriate OU for each person assigned to the Partner in Partners Business Role and Location. This policy will provision an AD Account for all partner and partner admins in any location under the Partners location.
For a general example, see Active Directory User Account Provisioning Policies.Log in to the Web application as one of the partner admins and search for user accounts. You should see one user account for each partner you created.