Reviewing Join and Provision Rules
When you connect EmpowerID to a user directory or other identity-aware application and turn on inventory, EmpowerID evaluates the accounts in those directories to determine whether EmpowerID People should be provisioned from those accounts. The logic that determines this is specified by the Join and Provision Rules, as well as the Join and Provision Filters in the Identity Warehouse. Thus, before turning on inventory, you should review these and adjust them as needed. This article shows you how.
To review the Join and Provision rules for your environment
- From the Navigation Sidebar of the EmpowerID Web application, expand Admin, then EmpowerID Servers and Settings, and click EmpowerID System Settings.
- Search for AccountInbox.
A number of Account Inbox Join and Provision rules and filters appear, such as the AccountInboxJoinByBirthDateFirstNameLastName rule highlighted below.
These Join rules work in conjunction with the Join and Provision filters to specify the conditions that must be met for EmpowerID to join newly discovered user accounts to an EmpowerID Person. The default logic of these Join Rules is to join an inventoried user account to an EmpowerID Person if the account store allows for Person joining and the applicable attributes on the user account match the corresponding attributes on an existing EmpowerID Person. For example, the above highlighted Join rule instructs EmpowerID to attempt to join newly discovered accounts to people if the Birth Date, First Name and Last Name attributes match.
In addition to the above rule, EmpowerID includes the following Join Rules:
- AccountInboxJoinByCustomMatch - This is an empty rule that you can use to customize the attribute matches required to join an inventoried user account to an EmpowerID Person.
- AccountInboxJoinByEmailFirstNameLastName - This rule instructs EmpowerID to attempt to join newly discovered accounts to people if the Email, First Name and Last Name attributes on a given user account match those of an existing EmpowerID Person.
- AccountInboxJoinByEmployeeIDFirstNameLastName - This rule instructs EmpowerID to attempt to join newly discovered accounts to people if the EmployeeID, First Name and Last Name attributes on a given user account match those of an existing EmpowerID Person.
- AccountInboxJoinByPersonalEmailFirstNameLastName - This rule instructs EmpowerID to attempt to join newly discovered accounts to people if the PersonalEmail, First Name and Last Name attributes on a given user account match those of an existing EmpowerID Person.
By default, each of the above Join rules is enabled (except for the Custom Join rule). You can disable any of these rules from the EmpowerID System Settings page by doing the following:
- Locate the rule you want to disable and click the Edit button for that rule.
- In the Value field of the dialog that appears, replace true with false and click Save.
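An added example, not EmpowerID's own code: a Python dry run that models the default Join rules above against constructed sample records, to show before inventory is turned on which accounts would match more than one Person. The field names (Logon, PersonID), the trimmed case-insensitive comparison, and the treatment of empty attributes are assumptions, and the account store is assumed to allow Person joining; leaving a rule out of `enabled` models setting its Value to false.

```python
# Added illustration, not EmpowerID code: offline dry run of the default Join rules.
# Attribute names and matching semantics (trimmed, case-insensitive, empty never
# matches) are assumptions of this example.
JOIN_RULES = {
    "AccountInboxJoinByBirthDateFirstNameLastName": ("BirthDate", "FirstName", "LastName"),
    "AccountInboxJoinByEmailFirstNameLastName": ("Email", "FirstName", "LastName"),
    "AccountInboxJoinByEmployeeIDFirstNameLastName": ("EmployeeID", "FirstName", "LastName"),
    "AccountInboxJoinByPersonalEmailFirstNameLastName": ("PersonalEmail", "FirstName", "LastName"),
}

def _key(record, attrs):
    """Normalized match key, or None when any required attribute is empty."""
    values = tuple((record.get(a) or "").strip().casefold() for a in attrs)
    return values if all(values) else None

def dry_run(accounts, people, enabled=JOIN_RULES):
    """Return {account logon: {rule name: [matching PersonIDs]}}."""
    report = {}
    for acct in accounts:
        hits = {}
        for rule, attrs in enabled.items():
            key = _key(acct, attrs)
            if key is None:
                continue  # an account with blank attributes must not match anyone
            matched = [p["PersonID"] for p in people if _key(p, attrs) == key]
            if matched:
                hits[rule] = matched
        report[acct["Logon"]] = hits
    return report

def needs_review(hits):
    """True when the matching rules point at more than one distinct Person."""
    return len({pid for ids in hits.values() for pid in ids}) > 1

# Constructed sample data: two People who share a name, three inventoried accounts.
PEOPLE = [
    {"PersonID": 1, "FirstName": "Ana", "LastName": "Silva", "BirthDate": "1990-04-02", "Email": "ana.silva@example.com", "EmployeeID": "E100"},
    {"PersonID": 2, "FirstName": "Ana", "LastName": "Silva", "BirthDate": "1985-11-30", "Email": "asilva@example.com", "EmployeeID": "E200"},
]
ACCOUNTS = [
    {"Logon": "asilva", "FirstName": "ANA", "LastName": "Silva ", "BirthDate": "1990-04-02", "Email": "asilva@example.com"},
    {"Logon": "svc-backup", "FirstName": "", "LastName": "", "Email": ""},
    {"Logon": "ana2", "FirstName": "Ana", "LastName": "Silva", "EmployeeID": "E200"},
]

if __name__ == "__main__":
    for logon, hits in dry_run(ACCOUNTS, PEOPLE).items():
        status = "REVIEW" if needs_review(hits) else ("join" if hits else "no match")
        print(logon, status, hits)
```

In the sample, the asilva account matches one Person by birth date and a different Person by email, which is the kind of conflict to resolve by disabling a rule or tightening a filter before inventory runs.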
To review the Join and Provision filters for your environment
- From the Navigation Sidebar of the EmpowerID Web application, expand Admin, then EmpowerID Servers and Settings, and click EmpowerID System Settings.
- Search for AccountInbox.
- Select the filter you want to edit and click the Edit button for that filter.
- In the Value field of the dialog that appears, add any additional logic to the filter and then click Save.
In our example, we edited the JoinAndProvisionFilter to specify that in addition to the default conditions, user accounts must also have an Employee Type of Permanent.
As the AccountJoinAndProvision filter is used to target which accounts are eligible for both joining and provisioning, the filter should only be customized in situations where the custom criteria apply to accounts that are both join and provision targets.