Entitlements (Provisioning)

EmpowerID supports automated provisioning and deprovisioning of birthright account identities in external target directories and applications through the configuration of provisioning policies. These policies can be assigned or scoped using any RBAC assignment point such as Business Role and Location, Query-Based Collection, or Management Role membership. 

• Also commonly known as Resource Entitlements or RETs

• Resource Entitlements (RETs) are policies that govern how resources, such as an Active Directory account or an Exchange mailbox, are given to people and when they are revoked.

• RET policies can be assigned to any EmpowerID Actor Type (Person, Business Role and Location, etc.)

• RETs can be triggered manually in specific workflows using a workflow shape or can be automatic using the EmpowerID Jobs.

  Open

  

   

Prerequisites

• Each Account Store has a setting to Allow RET Provisioning and one to Allow RET De-Provisioning

• These settings are all that is required for manual workflow-triggered RET processing

• For automated background RET processing:

  • At least one Worker role container must be running

  • The RET Inbox Processor Job and Recalculation Job must be enabled for at least one of these containers

RET Actions/Events

• Claim – Occurs when EmpowerID discovers a person with a resource that matches a RET to which they are assigned, but the resource is not marked as having been provisioned by a RET.

• Transform – Occurs when a person with a resource provisioned by one RET policy receives an equivalent RET from a different policy.

• Revoke – Occurs when a person who received a resource via a RET no longer receives the RET policy.

On Claim Action

The four options and outcomes are:

• Do Nothing – No changes are made.

• Move – In the case of user accounts, moves the user object to the OU specified by the RET or as determined through the mapping of OUs to Business Roles and Locations.

• Delete and Recreate – In the case of user accounts, deletes and recreates the user.

• Register Event – Raises the event specified.

On Transform Action

The four options and outcomes are:

• Do Nothing - No changes are made.

• Move - In the case of user accounts, moves the user object to the OU specified by the RET or as determined through the mapping of OUs to Business Roles and Locations.

• Delete and Recreate - In the case of user accounts, deletes and recreates the user.

• Register Event - Raises the event specified.

On Revoke Action

The four options and outcomes are:

• Do Nothing - No changes are made to the resource.

• De-provision - Deletes the resource.

• Disable - Disables the resource.

• Register Event - Raises the event specified.

Register Event Option

• This is an optional setting that allows you to enter the name of a predefined EmpowerID event registration.

• The RET action will "fire" this event, which then triggers all workflows that subscribe to the event.

• The specified event workflows must have an input property of the type Resource named "resource" (case sensitive).

• The RET process will pass in the resource of the Person's RET (Account, Home Folder, Exchange Mailbox, etc.) that triggered the event for further processing by the custom workflow(s).

• The custom workflows can be used to implement more advanced processes for deprovisioning or other events.

AD/LDAP Account Creation Location Logic

When provisioning users automatically via provisioning policies into AD or LDAP directories, EmpowerID must determine into which OU a person’s account should be provisioned. The default logic is to follow the RBAC mapping for the Location portion of a Person’s Business Role and Location to create the account in the Account Store OU mapped to that EmpowerID Location. In some cases, this default logic is not desired, and a custom rule should be implemented. For these cases, EmpowerID allows the creation of a plugin in Workflow Studio to handle this unique RET AD/LDAP Account Creation Location logic.

RET Throttling Settings