EmpowerID Admin Lab 12: Tracking Only Provisioning Policy

Purpose

This lab guides you through creating a provisioning policy for a Tracking Only account store, specifically for the Sales Management System. Tracking Only account stores are used to represent external systems where no direct connection exists.


Prerequisites

  1. Access to the EmpowerID training environment.
  2. A Tracking Only account store (e.g., Sales Management System) already created.

Steps

1. Disable Resource Entitlement Processing

  1. Navigate to Infrastructure Admin > EmpowerID Servers > Server Roles.
  2. Locate the All-In-One Server Role.
  3. Search for the Resource Entitlement Inbox Processor Job and remove it from the server role.
    • This ensures that when the policy is created, records are calculated but not processed immediately.
  4. Navigate to IM Shop > Self-Service Workflows > Recycle Service Environment and execute it to recycle the services and stop the job.

2. Create a Provisioning Policy

  1. Navigate to Identity Lifecycle > Provisioning Policies.
  2. Click the + button to create a new policy.
  3. Configure the policy:
    • Object Type: Tracking Only Account
    • Name: Sales Management System Account
    • Description: Sales Management System Account
    • Directory: Select the Sales Management System account store.
    • Leave throttling settings as default.
    • On Claim Action: Do Nothing.
    • On Revoke Action: Deprovision (delete accounts when no longer needed).
  4. Save the provisioning policy.

3. Scope the Provisioning Policy

  1. Open the newly created policy.
  2. Configure the assignees:
    • Scope Type: Business Role and Location
    • Business Roles: Select All Employee Roles.
    • Locations: Select Sales and Trading Department under Investment Banking.
    • This ensures only employees in Sales and Trading receive access.
  3. Save the scope settings.

4. Monitor Resource Entitlement Evaluation

  1. Navigate to Provisioning Inbox > RET Inbox.
  2. Wait for the resource entitlement recalculation job to populate records.
  3. Verify the job status in Admin > Account Stores and Systems > Job History:
    • Search for Resource Entitlement Recalculation Job.
    • Confirm it runs successfully.
  4. Once records appear in the inbox, verify that policies are assigned correctly.
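One way to make the review in step 4 repeatable before processing is re-enabled in step 5: the sketch below is an added example, not EmpowerID code or an EmpowerID API. It compares the people the step 3 scope should cover with the pending inbox records. The record layouts, role names, location tree, people and the "Provision" action label are all constructed, and the assumption that child locations inherit the scope should be confirmed in your environment.

```python
# Added example: dry-run review of pending RET inbox records (not EmpowerID code).
# Every record layout, name and value below is constructed for illustration.

# Constructed location tree (child -> parent); the scope values mirror step 3.
PARENT = {
    "Investment Banking": None,
    "Sales and Trading Department": "Investment Banking",
    "Equity Sales Desk": "Sales and Trading Department",
    "Retail Banking": None,
}
SCOPE_LOCATION = "Sales and Trading Department"
EMPLOYEE_ROLES = {"Standard Employee", "Manager"}  # stand-in for "All Employee Roles"

def in_scope_location(location, root=SCOPE_LOCATION):
    """True if location is root or below it (child inheritance is an assumption)."""
    while location is not None:
        if location == root:
            return True
        location = PARENT.get(location)
    return False

def review_inbox(people, existing_accounts, inbox):
    """Sort pending records into findings to resolve before step 5."""
    expected = {p["id"] for p in people
                if p["role"] in EMPLOYEE_ROLES and in_scope_location(p["location"])}
    pending = {r["person"] for r in inbox if r["action"] == "Provision"}
    return {
        # In scope and without an account, but no record was calculated.
        "missing": sorted(expected - existing_accounts - pending),
        # Record targets someone outside the role and location scope.
        "out_of_scope": sorted(pending - expected),
        # Person already holds an account; step 6 expects no unnecessary new one.
        "duplicate": sorted(pending & expected & existing_accounts),
    }

PEOPLE = [  # constructed sample export
    {"id": "alice", "role": "Manager", "location": "Sales and Trading Department"},
    {"id": "bob", "role": "Standard Employee", "location": "Equity Sales Desk"},
    {"id": "carol", "role": "Standard Employee", "location": "Retail Banking"},
    {"id": "dave", "role": "Contractor", "location": "Sales and Trading Department"},
    {"id": "erin", "role": "Standard Employee", "location": "Sales and Trading Department"},
]
EXISTING = {"erin"}  # constructed: people who already have an account in the store
INBOX = [  # constructed pending records
    {"person": "alice", "action": "Provision"},
    {"person": "carol", "action": "Provision"},
    {"person": "erin", "action": "Provision"},
]

if __name__ == "__main__":
    print(review_inbox(PEOPLE, EXISTING, INBOX))
```

Any non-empty list in the result is a reason to revisit the scope in step 3 before adding the Resource Entitlement Inbox Processor Job back.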

5. Enable Resource Entitlement Processing

  1. Navigate back to Infrastructure Admin > EmpowerID Servers > Server Roles.
  2. Add the Resource Entitlement Inbox Processor Job back to the All-In-One Server Role.
    • Note: No need to recycle the environment when adding jobs.
  3. Allow the job to process the records automatically.

6. Verify Results

  1. Navigate to Provisioning Inbox and confirm records are processed.
  2. Validate account creations:
    • Check System Logs > New Objects to confirm new EntraID accounts, if applicable.
  3. Ensure existing records are processed correctly, with no unnecessary new accounts created.

Notes

  • Removing the Resource Entitlement Inbox Processor Job from the server role (step 1) ensures calculations occur without immediate processing.
  • Scope the policy accurately to avoid assigning accounts to unintended users.
  • Monitor job statuses and logs to ensure smooth processing.

Completion

Once all provisioning records are processed and accounts are created or updated correctly, this lab is complete. Proceed to the next lab for additional EmpowerID configurations and features.


Video Walk-thru

View a video walk-thru of this lab exercise.