EmpowerID Admin Lab 10: Create Active Directory Provisioning Policy
Purpose
This lab guides you through creating provisioning policies to generate Active Directory (AD) accounts in a connected Active Directory account store, mapping organizational units (OUs) to business locations, and managing the server jobs required to process the provisioning policies.
Prerequisites
- Access to the EmpowerID training environment.
- An Active Directory account store already connected.
Steps
1. Disable Resource Entitlement Processing
- Navigate to Infrastructure Admin > EmpowerID Servers > Server Roles.
- Locate the All-In-One Server Role.
- Search for the Resource Entitlement Inbox Processor Job and remove it from the server role.
- This ensures that when the policy is created, records are calculated but not processed immediately.
- Navigate to IM Shop > Self-Service Workflows > Recycle Service Environment and execute it to recycle the services and stop the job.
2. Create a Provisioning Policy
- Navigate to Identity Lifecycle > Provisioning Policies.
- Click the + button to create a new policy.
- Configure the policy:
  - Object Type: AD Account
  - Name: AD Domain Account
  - Directory: Select the connected AD domain directory.
  - Object Class: User
  - Leave the external location field blank so the policy uses the OU-to-location mappings.
  - Set the On Claim Action and On Transform Action to Move.
  - Set the On Revoke Action to Disable.
- Save the provisioning policy.
3. Map OUs to Business Locations
- Navigate to Role and Location Mapper.
- Select the Location Mapper tab.
- Filter the External locations on the left by selecting the AD domain directory.
- Expand the division business locations in the Business Locations tree on the right to expose the Department locations.
- Map each Division OU in the AD External Locations to the corresponding division and its departments in the Business Locations on the right.
- Example:
  - Select the checkbox for the Investment Banking AD OU on the left, select the Investment Banking division and its department checkboxes on the right, and click Save.
- Repeat for the other three divisions.
- Save each mapping.
- Verify mappings under the All Mappings section, filtered by account store.
4. Scope the Provisioning Policy
- Return to the Provisioning Policies page and open the created policy.
- In the Assignees section at the bottom of the page, assign the scope:
  - Scope Type: Business Role and Location
  - Select All Employee Roles under the HR flat file locations.
  - Select All Business Locations for locations.
- Leave the priority as 100.
- Save the scope settings.
5. Monitor Resource Entitlement Evaluation
- Navigate to Provisioning Inbox > RET Inbox.
- Wait for the resource entitlement recalculation job to populate records.
- Verify the job status in Admin > Account Stores and Systems > Job History:
  - Search for Resource Entitlement Recalculation Job.
  - Confirm it runs successfully.
- Once records appear in the inbox, verify that policies are assigned correctly.
6. Enable Resource Entitlement Processing
- Navigate back to Infrastructure Admin > EmpowerID Servers > Server Roles.
- Add the Resource Entitlement Inbox Processor Job back to the All-In-One Server Role.
- Note: No need to recycle the environment when adding jobs.
- Allow the job to process the records automatically.
7. Verify Results
- Navigate to Provisioning Inbox and confirm records are processed.
- Validate account creations:
  - Check System Logs > New Objects to confirm new AD accounts, if applicable.
  - Ensure existing records are processed correctly, with no unnecessary new accounts created.
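The two checks above can also be run directly against the domain from the AD side. The script below is an added example for this lab, not EmpowerID's own tooling or part of the original lab text; it assumes the RSAT ActiveDirectory PowerShell module is installed, that the account running it can read the domain, and that the division OUs mapped in step 3 sit directly under the domain root. Only the Investment Banking OU is named in the lab, so the other hashtable entries are placeholders to be replaced with the real division OU names.

```powershell
# Added verification script for Lab 10 (not EmpowerID code). Assumptions:
#   - RSAT ActiveDirectory module available, read access to the domain
#   - Division OUs are direct children of the domain root
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Constructed mapping of EmpowerID division -> AD OU mapped to it in step 3.
# Investment Banking comes from the lab; the other three are placeholders.
$divisionOus = @{
    'Investment Banking' = "OU=Investment Banking,$domainDn"
    'DIVISION-2-PLACEHOLDER' = "OU=DIVISION-2-PLACEHOLDER,$domainDn"
    'DIVISION-3-PLACEHOLDER' = "OU=DIVISION-3-PLACEHOLDER,$domainDn"
    'DIVISION-4-PLACEHOLDER' = "OU=DIVISION-4-PLACEHOLDER,$domainDn"
}

# Look back far enough to cover the time since the policy was scoped.
$since = (Get-Date).AddHours(-2)

# Check 1: every account created in the window should live under a mapped OU.
# Anything outside indicates an OU-to-location mapping that is missing or wrong.
$newAccounts = Get-ADUser -Filter { whenCreated -ge $since } `
    -Properties whenCreated, DistinguishedName

$misplaced = foreach ($acct in $newAccounts) {
    $inMappedOu = $false
    foreach ($ou in $divisionOus.Values) {
        if ($acct.DistinguishedName -like "*,$ou") { $inMappedOu = $true; break }
    }
    if (-not $inMappedOu) { $acct }
}

# Check 2: the policy should claim existing accounts rather than create a
# second one for the same person, so flag given name + surname pairs that
# now resolve to more than one user object.
$duplicates = Get-ADUser -Filter * -Properties GivenName, Surname |
    Where-Object { $_.GivenName -and $_.Surname } |
    Group-Object { "$($_.GivenName) $($_.Surname)" } |
    Where-Object { $_.Count -gt 1 }

Write-Host "Accounts created since $since : $(@($newAccounts).Count)"
Write-Host "Created outside mapped division OUs: $(@($misplaced).Count)"
$misplaced | Select-Object SamAccountName, DistinguishedName, whenCreated | Format-Table -AutoSize

Write-Host "Name pairs with more than one account: $(@($duplicates).Count)"
foreach ($group in $duplicates) {
    Write-Host "  $($group.Name):"
    $group.Group | ForEach-Object { Write-Host "    $($_.DistinguishedName)" }
}
```

A non-empty misplaced list points back to step 3 (a division OU not mapped, or mapped to the wrong business location); a non-empty duplicate list means the policy created accounts for people who already had one, which is exactly the "unnecessary new accounts" condition the lab asks you to rule out. Widen or narrow `$since` to match when the Resource Entitlement Inbox Processor Job was re-enabled.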
Notes
- Disabling the Resource Entitlement Inbox Processor Job before creating the policy ensures calculations occur without immediate processing.
- Map OUs to business locations accurately to avoid misplacements.
- Monitor job statuses and logs to ensure smooth processing.
Completion
Once all provisioning records are processed and accounts are created or updated correctly, this lab is complete. Proceed to the next lab for additional EmpowerID configurations and features.