XSUAA Account Provisioning Policies

Owned by Phillip Hanegan
Aug 15, 2024
6 min read

Provisioning Policies allow you to automate the provisioning, moving, disabling, and de-provisioning of resources for users based on their roles, memberships, and locations within your organization.

When using Provisioning policies with XSUAA, “origin” must be added to the policy as a configuration parameter. If you need to provision users for multiple origins, you need to create multiple policies with the origin parameter set to the appropriate value.

This topic demonstrates the following:

  • How to create a provisioning policy that provisions XSUAA user accounts

  • How to assign the provisioning policy to an EmpowerID actor type

Prerequisites

  • EmpowerID must first be connected to XSUAA. For details, see Connect to SAP BTP XSUAA.

  • RET provisioning and RET deprovisioning must be enabled on the XSUAA account store.

Provisioning policies can be targeted against any number or combination of Management Roles, groups, Business Roles and Locations, Query-Based collections, as well as individual people.

Procedure

Step 1 - Create the provisioning policy

  1. On the navbar, expand Identity Lifecycle and select Provisioning Policies (RETs).

  2. On the Policies page, click the Add button at the top of the grid.

    image-20240815-181705.png

     

  3. Under Choose Type, select Default from the Object Type To Provision drop-down.

    image-20240815-183023.png

  4. In the General section of the form, fill in the following fields:

    1. Name – Enter a name for the policy.

    2. Description – Enter a description for the policy.

    3. Resource Type – Select User Account.

    4. Resource System – Select your inventoried XSUAA resource system.

    5. Object Class – Enter User.

  5. In the Throttling Settings section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:

    • All Provisions Require Approval – If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • All Deprovisions Require Approval – If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.

    • Require Approval if Provision Batch Larger Than Threshold – This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver is required to approve the provisions. If the threshold is reached, EmpowerID will not provision any user accounts until approval is granted.

    • Require Approval if Deprovision Batch Larger Than Threshold – This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver is required to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any user accounts until approval is granted.

  6. In the Advanced section of the form, do the following:

    1. Select a desired option from the On Claim Action drop-down. You have the following options:

      • Do Nothing – No action occurs. This tells EmpowerID to simply mark any previous resources assigned to the user that match this policy as RET-managed resources. For example, if the user already has an XSUAA user account and is placed in a Management Role targeted by the RET policy, EmpowerID marks that user's XSUAA account as RET managed.

      • Delete and Recreate – The user account is deleted and recreated.

      • Move – Marks any previous resources assigned to the user that match the RET as RET-managed resources and moves the user object to the location specified by the RET policy.

      • Publish Workflow Event – Executes custom workflow code.

    2. Select a desired option from the On Transform Action drop-down. You have the following options:

      • Do Nothing – No action occurs.

      • Delete and Recreate – The user account is deleted and recreated.

      • Move – Marks this resource with the new RET policy number and moves the user object to the location specified by the RET policy

      • Publish Workflow Event – Executes custom workflow code.

    3. Select a desired option from the On Revoke Action drop-down. You have the following options:

      • Do Nothing – No action occurs.

      • Deprovision—The user account is deleted if the person no longer meets the criteria to receive the resource from the RET, such as if the person was terminated or moved to a Business Role and Location without a RET policy for the specified resource.

      • Disable – The user account is disabled if the person no longer meets the RET's criteria for receiving the resource.

      • Disable and Move—If the person no longer meets the criteria to receive the resource from the RET, the user account is disabled and moved to the location specified in the OU to Move Disabled Users field.

      • Publish Workflow Event – Executes custom workflow code.

    4. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.

  7. Click Save to create the policy.

Now that the policy has been created, the next step is to add "origin" as a configuration parameter.

Step 2 - Add ‘origin’ as a configuration parameter

  1. Return to the Find page for resource entitlements and search for the policy you created.

  2. Click the Display Name link for the policy.


    This directs you to the View page for the policy.

     

  3. Expand the Configuration Parameters accordion and click the Add New button.

  4. Enter origin in the Name field and the appropriate origin value in the Configuration Value field.

     

  5. Click Save.

Next, assign the policy you created to one or more targets, as demonstrated below.

Step 3 – Assign the policy

  1. Click the Assignees accordion on the policy's View page to expand it. This accordion allows you to assign the policy to any or the following EmpowerID actor types:

    • Business Roles and Locations – The policy grants the resource to everyone in the selected Business Role and Location combinations.

    • Management Roles – All people in the selected Management Roles receive the resources the policy grants.

    • Management Role Definitions – The policy grants the resource to All Management Roles that are children of the selected Management Role Definition.

    • Query-Based Collections (SetGroup) – All people in the selected collection receive the resource the policy grants.

    • Groups – All people in the selected groups receive the resources the policy grants.

    • People – All people selected receive the resources granted by the policy.

  2. From the Assignees accordion, click the Add button above the assignee type to which you are making the assignment.

  3. In the Add Entry pane that appears, search for and select the appropriate assignee.

  4. In the Priority field, enter a number to specify the priority for the RET policy. This value is used to determine the priority of the RET if the user qualifies for the same RET via another assignment, such as being a group member with the same policy. The lower the number, the higher the priority. 

     

  5. Click Save.

  6. Repeat as needed.