Connecting to Active Directory

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system. In this article, we demonstrate how to use the EmpowerID Active Directory connector to connect to Active Directory. Doing so entails the following:

  1. Reviewing the Join and Provision rules for your environment. These rules are SQL statements that specify the conditions for creating EmpowerID Persons and joining those Persons to the user accounts in your external account store. For more information on Join and Provision rules, see Understanding the Account Inbox and Reviewing Join and Provision Rules.
  2. Creating an account store in EmpowerID for Active Directory.
  3. Configuring EmpowerID settings for the account store connection, including whether to provision EmpowerID Persons during inventory or in batches using the Account Inbox permanent workflow.
  4. Reviewing and configuring the attribute flow rules for the account store.
  5. Mapping your external roles and locations to corresponding EmpowerID Business Roles and Locations.
  6. Turning on inventory.
  7. Enabling the Account Inbox Permanent Workflow when ready—if you are using batch processing to provision Person objects from the inventoried user accounts. This is the recommended method.
  8. Monitoring Inventory.
Before connecting EmpowerID to a directory system like Active Directory, you should determine whether you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If you do, then you should be able to answer the following questions before turning on inventory.
  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
  6. If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?
If you are connecting to an Active Directory Forest with multiple domains, you must first create an account store for the forest root domain before creating account stores for other domains in the forest. The proxy account used when adding your AD account store must have read access to the AD Configuration Partition in order for topology discovery to succeed. Errors will occur if this order is not followed or the proxy account lacks that access.
You do not need to enable inventory on the account store created for the forest root domain.
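As an added pre-flight check for the two requirements above (this script is not part of EmpowerID or this article), the following PowerShell binds as the proxy account, reads the list of domain crossRef objects from the forest's Configuration partition, and tests LDAP and LDAPS reachability to the domain controller. The forest FQDN, domain controller name and default ports are assumptions to replace with your own values.

```powershell
# Added pre-flight check (not EmpowerID code): before running Discover AD Forest, confirm that
# the proxy account can read the domain list from the forest's Configuration partition and that
# the LDAP (389) and LDAPS (636) ports on the chosen domain controller are reachable.
# Assumed values: the forest FQDN and domain controller below are placeholders.
param(
    [string]$ForestFqdn = "eiddoc.com",               # assumed: your forest root FQDN
    [string]$DomainController = "dc01.eiddoc.com",    # assumed: DC named in the Discover AD Forest window
    [pscredential]$ProxyCredential = (Get-Credential -Message "EmpowerID proxy (connection) account")
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapPort {
    # TCP reachability only; a closed 636 means LDAPS ("host:636" in FQDN of Forest) cannot be used.
    param([string]$HostName, [int]$Port)
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $HostName; Port = $Port; Open = $r.TcpTestSucceeded }
}

function Get-ForestDomainsAsProxy {
    # Binds as the proxy account and reads the crossRef objects under CN=Partitions in the
    # Configuration partition: the same read that EmpowerID's topology discovery depends on.
    # AD hides objects the caller cannot read, so missing rights usually show up as an
    # empty result rather than an access-denied error.
    param([string]$Server, [pscredential]$Credential, [int]$Port = 389)

    $ldapId = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($ldapId, $Credential.GetNetworkCredential())
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Port -eq 636) {
        # For LDAPS the server name must match the DC certificate's Subject name.
        $conn.SessionOptions.SecureSocketLayer = $true
    }
    try {
        $conn.Bind()

        # RootDSE gives the Configuration naming context without hard-coding it.
        $rootReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $null, "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@("configurationNamingContext"))
        $configNc = $conn.SendRequest($rootReq).Entries[0].Attributes["configurationNamingContext"][0]

        # Only domain partitions carry a nETBIOSName; application partitions do not.
        $partReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            "CN=Partitions,$configNc", "(&(objectClass=crossRef)(nETBIOSName=*))",
            [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
            [string[]]@("nETBIOSName", "dnsRoot", "nCName"))
        foreach ($entry in $conn.SendRequest($partReq).Entries) {
            [pscustomobject]@{
                NetBIOSName = $entry.Attributes["nETBIOSName"][0]
                DnsRoot     = $entry.Attributes["dnsRoot"][0]
                DomainDN    = $entry.Attributes["nCName"][0]
            }
        }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "LDAP bind or search failed for the proxy account: $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
}

$ports = 389, 636 | ForEach-Object { Test-LdapPort -HostName $DomainController -Port $_ }
$ports | Format-Table -AutoSize

$domains = @(Get-ForestDomainsAsProxy -Server $DomainController -Credential $ProxyCredential)
if ($domains.Count -eq 0) {
    Write-Warning "No domain crossRefs were returned (see any warning above): check the proxy account's credentials and its read access to the Configuration partition before adding the account store."
}
elseif ($domains.DnsRoot -notcontains $ForestFqdn) {
    Write-Warning "Forest root '$ForestFqdn' was not found in the partition list; create the forest root account store first, then the child domains."
}
else {
    "Domains the proxy account can see (add the forest root '$ForestFqdn' first):"
    $domains | Format-Table -AutoSize
}
```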

To create an account store for Active Directory

  1. Log in to the EmpowerID Management Console as an administrator.
  2. From the EmpowerID Management Console, navigate to Configuration Manager by clicking the EmpowerID icon and selecting Configuration Manager from the menu.
  3. In Configuration Manager, expand the User Directories node in the application navigation tree to the left and click Account Stores.
  4. Click the Add New button above the grid and in the Add New Security Boundary window that opens, select Active Directory Domain Services from the Security Boundary Type drop-down and then click OK to close the window.
  5. This opens the Discover AD Forest window, which is where you enter the identifying information about your Active Directory to allow EmpowerID to discover and connect to it.

  6. In the Discover AD Forest window, do the following:
    1. Type the fully qualified domain name of the AD forest in the FQDN of Forest text field.
    2. If you are using LDAPS, you type the Subject name of the certificate for the domain controller to which you are connecting followed by port 636 in the FQDN of Forest field. Thus, if the Subject name is "dc01.eiddoc.com," you type dc01.eiddoc.com:636.
    3. Type the proxy information into the fields of the Proxy Information panel.
    4. The user account entered here is saved as the default proxy account (connection credential) used when managing the selected domains; therefore this account must have read access to the Active Directory configuration partition that holds the list of all of the domains in the forest (and to the Exchange Organization, if present). You can change this at any time.
      If you are connecting to a child domain, you type that domain in the NetBIOS Name field.
    5. Click the Choose button below the Proxy Information panel to open the Choose Servers window. This window provides the interface for selecting the server(s) with the EmpowerID Web Role service installed.
    6. In the Choose Servers window, toggle the Server button from a red sphere to a green checkbox for one or more servers running the EmpowerID Web Role service, where the LDAP Management Host WCF Service is enabled. (The LDAP Management Host WCF Service is responsible for LDAP communications and is enabled by default on each server running the EmpowerID Web Role service.)
    7. Each server selected must be in the same forest and able to communicate with the Active Directory over LDAP port TCP 389. Please note that the EmpowerID Web Role service must be started on a given server before that server will show in the Choose Servers window.

    8. Click OK to close the Choose Servers window.
    9. This returns you to the Discover AD Forest window, which should now look similar to the following image.

    10. Click OK to close the Discover AD Forest window and open the Discover Active Directory Domains window.
  7. In the Discover Active Directory Domains window, select the AD domains you want EmpowerID to manage and then click OK to close the window.
  8. After several moments to perform the requested action, EmpowerID opens the Account Store Details screen for the new account store. This screen provides access to the configuration options for the various jobs that EmpowerID performs against managed domains and is divided into three tabs, the Details tab, the Directory Servers tab, and the UPN Suffixes tab. Of these three tabs, the Details tab is where the majority of the configuration occurs. A general overview of these settings is provided in the drop-downs below. Step-by-step guidance for configuring this screen during your initial configuration follows in the next section.

    • General Pane

      This pane is used to set general configuration information for the Account Store.

      • Account Store Name - This is the name of the inventoried account store. This field is populated with the value supplied during the initial forest discovery process. To change this name, click the Edit button, enter a new name in the Account Store Friendly Name window that appears and then click OK to close the window.
      • Resource System Name - This is the name of the Account Store resource system. To change this name, click the Edit button, enter a new name in the Resource System Friendly Name window that appears and click OK.
      • LDAP Agent - This is the name of the server(s) on which the LDAP Management Web Service is running. The LDAP Management Web Service is an EmpowerID Job hosted in IIS that maintains all communication between any LDAP server (such as AD) and EmpowerID. This job must be running on a machine with connectivity to the LDAP directories that it manages. (The job is enabled by default on each server running the EmpowerID Web Role service.) You selected the server when you first connected EmpowerID to the Account Store; however, you can change the server at any time by clicking the Edit button.
      • Connection Account - This is the proxy account you entered above when you first connected EmpowerID to the Account Store. This account is used for inventorying, provisioning, making password resets, and enforcing permissions, so the information entered here must be an account with the appropriate administrative privileges. You can change the connection account at any time by clicking the Edit button and entering the appropriate information in the Proxy Connection Account window.
      • Monitored Domain Controller - This is the preferred domain controller that EmpowerID monitors for changes. This needs to be a reliable domain controller with good connectivity to the EmpowerID servers performing the Inventory job. During the initial forest scan, EmpowerID discovers each domain controller and sets them to disabled by default. EmpowerID maintains a list of the last change seen on all domain controllers in case this setting needs to be changed, but only one is monitored at any given time in order to optimize performance. You can change the domain controller that EmpowerID monitors at any time by clicking the Edit button and selecting the appropriate controller in the Change Domain Controller window.
      • Resource System Type - This is the resource system type (such as Active Directory Domain Services) for the Account Store you set when you first connected EmpowerID to it.
      • Default User Creation Path - This is the creation location of last resort for user accounts in the event that one is not selected in a workflow process.
      • Default Group Creation Path - This is the creation location of last resort for groups in the event that one is not selected in a workflow process.
      • EmpowerID Group Creation Path - This is the creation location for the Domain Local groups used by EmpowerID for granting native AD permissions assignments. For an overview of EmpowerID Groups and native permissions assignments, see Understanding Projection and Enforcement.
      • Maximum Accounts Per Person - This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
      • Role and Location Re-Eval Order - This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence. You must enable the Allow Business Role and Location Recalculation option in this pane as well.
      • Icon - This is the image icon that represents this domain in the EmpowerID user interfaces.
      • Enable Pass-Through Authentication - This allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enabled, the domain\username format needs to be used.
      • Enable Simple Username Search for Pass-Through Authentication - Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Accounts Stores where simple username search is enabled to find the correct user name and password combination. To enable this function, click the Enable Simple Username Search button to the left of the line and toggle it so that the green check is visible.
      • Simple search can cause long delays during the login process in environments with a large number of domains.
      • Allow Password Sync - Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows. To enable this function, click the Allow Password Sync button to the left of the line and toggle it so that the green check is visible.
      • Allow Person Provisioning - Allows or disallows EmpowerID Persons to be created from the user accounts discovered during inventory.
      • Allow RET Provisioning - Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
      • Allow RET De-Provisioning - Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
      • Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the account store.
    • Inventory Pane

      This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule for the EmpowerID Inventory Job.

      • Inventory Schedule - This is the time span that occurs before EmpowerID performs a complete inventory of the resource system. The default value is 10 minutes. You can change this at any time by clicking the Edit button.
      • Enable Inventory - This allows EmpowerID to inventory the Account Store. The Inventory Job must be enabled for inventory to occur. This is discussed further in the below section.
      • Inventory Provision Request Workflow - This is the request workflow that is initiated when new accounts are discovered via the inventory feature. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Join Provision flags described below are ignored. You can enable this feature by clicking the Edit button.
      • Inventory Provision Request Workflow is not enabled by default and should be used only where customization of the process is required.

      • Allow Automatic Person Provision on Inventory - This allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the provisioning criteria specified by the AccountInboxJoinAndProvisionFilter and AccountInboxProvisionFilter scalar functions. For more information on these, see Understanding the Account Inbox.
      • Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the joining criteria specified by the AccountInboxJoinAndProvisionFilter and AccountInboxJoinFilter scalar functions and the enabled Join rules discussed above. For more information on the scalar functions, see Understanding the Account Inbox.
      • RBAC-Assign Initial Group Membership On First Inventory - This converts each user account in an Active Directory group to a Resource Role Assignment for the person who owns the user account.
      • Enabling this function is not recommended in most cases as it removes the ability to manage groups in Active Directory. A consequence of this is that if a user account is removed from an Active Directory group, EmpowerID puts the account back in the group.

      • Re-Inventory - Enabling this option sets the USN (the update sequence number watermark of the last change inventoried) to 0 and re-inventories all changes.
    • Rights Enforcement for Resource Role Groups Pane

      This pane is used to enable or disable and schedule rights enforcement for Resource Role Groups for the domain. This process ensures that the domain local groups used to grant native Active Directory permissions, such as read or write access for the group member attribute, are created in EmpowerID and granted the proper native permissions. For more information on enforcement in EmpowerID, see Understanding Projection and Enforcement.

      • Resource Enforcement Type - This specifies how EmpowerID is to enforce rights in native systems. The types available include:
        • No Action - No rights enforcement action occurs.
        • Projection with No Enforcement - Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native environment.
        • Projection with Enforcement - Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native environment.
        • Projection with Strict Enforcement - EmpowerID overrides any changes made in the native environment. All changes made must occur within EmpowerID to be accepted.
        • Strict Enforcement only applies to AD Groups.

      • Enforcement Schedule - This is the time span that occurs before EmpowerID runs the Rights Enforcement Job. The default value is 10 minutes. You can change this at any time by clicking the Edit button.
      • Re-Enforcement Frequency in Minutes - This is the time span that occurs before EmpowerID runs a complete re-enforcement of all rights on all native resources. The default value is 1440 minutes. You can change this at any time by clicking the Edit button.
      • Enable this Functionality - Enables and disables rights enforcement on the Account Store.
    • Resource Role Group Membership Pane

      This pane is used to enable or disable and schedule Resource Role Group reconciliation for EmpowerID Resource Role Groups for the domain. This process is known in EmpowerID as "Projection." For an overview of this process, see Understanding Projection and Enforcement.

      • Projection Schedule - This is the time span that occurs before EmpowerID runs the Resource Role Reconciliation Job. The default value is 10 minutes. You can change this at any time by clicking the Edit button.
      • Re-Enforcement Frequency in Minutes - This is the time span that occurs before EmpowerID runs a complete re-enforcement of all rights on all native resources. The default value is 1440 minutes. You can change this at any time by clicking the Edit button.
      • Enable this Functionality - Enables and disables rights enforcement on the Account Store.
    • Group Membership Reconciliation Pane

      This pane is used to enable or disable and schedule group membership reconciliation for the domain. When this function is enabled, EmpowerID dynamically manages the membership of the Account Store's groups, adding and removing users to and from groups based upon policy-based assignment rules.

      • Membership Schedule - This is the time span that occurs before EmpowerID runs the Group Membership Reconciliation Job. The default value is 10 minutes. You can change this at any time by clicking the Edit button.
      • Enable this Functionality - Enables and disables group membership reconciliation on the Account Store.

To configure EmpowerID settings for the account store

The Account Store Details screen is divided into three tabs, the Details tab, the Directory Servers tab, and the UPN Suffixes tab. Of these three tabs, the Details tab provides the functionality for configuring how you want EmpowerID to manage the account store and the user accounts it finds therein.

Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.
  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
  6. If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?
  1. From the General pane of the Details tab, do the following:
    1. Click the Edit button to the right of Default User Creation Path and select a default location within your directory where EmpowerID is to create users in the event that one is not selected in a workflow process.
    2. Click the Edit button to the right of Default Group Creation Path and select a default location within your directory where EmpowerID is to create groups in the event that one is not selected in a workflow process.
    3. Click the Edit button to the right of EmpowerID Group Creation Path and select a default location within your directory where EmpowerID is to create the Domain Local groups it uses for granting native AD permissions assignments.
    4. Click the Edit button to the right of Maximum Accounts Per Person and specify that maximum number of accounts from the domain that a Person can have linked to them. Setting this prevents the possibility of a runaway error caused by a wrongly configured Join rule.
    5. If you are managing other account stores in addition to this one, click the Edit button to the right of Role and Location Re-Eval Order and enter a number to specify the priority of the account store for determining the Business Roles and Locations that should be assigned to a Person. Account Stores with a higher value take precedence.
    6. Toggle Enable Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Pass-through Authentication allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enabled, the domain\username format needs to be used.
    7. Toggle Enable Simple Username Search for Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all account stores where simple search is enabled to find the correct user name and password combination.
    8. Simple search can cause long delays during the login process in environments with a large number of domains.
    9. Toggle Allow Password Sync to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID synchronizes password changes to user accounts in the domain based on password changes for the joined Person or changes on another account owned by the Person.
    10. Toggle Allow RET Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto-provisions accounts for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
    11. This setting only applies if you have RET policies in place for the account store. For task-based help on setting up Resource Entitlement policies, see Configuring Provisioning Policies.
    12. Toggle Allow RET De-Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto de-provisions accounts for users who have RET policy-assigned user accounts, but no longer receive a policy that grants them those user accounts in the domain.
    13. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
    14. Toggle Enable Attribute Flow to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, changes occurring to user attributes in the account store will occur in EmpowerID and vice versa, depending on how you have set up your attribute flow rules. The default flow for most user attributes for Active Directory is bidirectional. You can change these as needed.
  2. From the Inventory pane of the Account Store Details screen, do the following:
    1. Toggle Allow Automatic Person Provision On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will provision Person objects for all new accounts discovered during inventory in real-time, if they meet the conditions of your Provision rules.
    2. When provisioning people during inventory, the following options can be set:

      • Business Role for New Inventory Provision - This allows you to select an EmpowerID Business Role for all Persons provisioned during inventory. By default, EmpowerID assigns these people to the Temporary Business Role; however, you can pick others by clicking the Edit button to the right of the line and selecting the desired Business Role from the Business Role Selector window that appears. If you pick another and wish to remove it in favor of the default, you can do so by clicking the red sphere to the right of the Edit button.

        The following image shows the Business Role Selector window with Standard Employee selected. This means that each Person provisioned will be given the Standard Employee Business Role rather than the default Temporary Role.

        EmpowerID includes the Standard Employee and Temporary Role Business Roles out of the box; however, if you wish to assign new Persons to another Business Role before inventory occurs, you can easily do so. You simply need to create them first. Once created, those additional Business Roles will appear in the Business Role Selector.

        For information on creating Business Roles see Creating Business Roles.
      • Location for New Inventory Provision - This allows you to select the location that is to be the primary location for each Person provisioned during inventory. By default, EmpowerID uses the Active Directory OU of the user object as the primary location. If you map these locations to EmpowerID locations before turning on inventory (recommended), the Person objects will be provisioned in the mapped locations. This makes it easier to manage users as the EmpowerID locations mirror your external locations. We discuss mapping locations in the next section below.

    3. Toggle Allow Automatic Person Join On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will attempt to join any new accounts discovered during inventory if it finds one that matches the conditions of the Join rules for the account store. If this setting is not enabled, EmpowerID will not join secondary accounts to an EmpowerID Person, but will instead provision new EmpowerID Persons for each of those additional accounts.

    The last action to perform on this screen is to enable inventory. However, before doing so, it is important to review the attribute flow rules for the account store and to map your directory locations to corresponding EmpowerID locations as these will be used for initial Business Role and Location placement of all provisioned Person objects. We discuss these in the next two sections.

To configure Attribute Flow rules

When configuring attribute flow rules, the following options are available:

  • No Sync - When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa.
  • Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
By default, EmpowerID retrieves attribute values for each user account in a connected account store and maps them value for value to the corresponding Person attributes stored in the EmpowerID Identity Warehouse. In this way, if the value of "State" for an AD user account is "Massachusetts" then the value of "State" for that account's Person object in EmpowerID is "Massachusetts." However, EmpowerID allows you to create your own Attribute Flow Handlers to customize these values. You do this by creating a class library in Workflow Studio that inherits from the DefaultAttributeflowHandler class and by overriding the method specific to the account store (external or EmpowerID) you wish to affect. For more information on customizing Attribute Flow, see Creating Custom Attribute Flow Handlers in the Developer's Guide.

To configure Attribute Flow rules:

  1. While leaving the Account Store Details screen open, open a new tab in the EmpowerID Management Console by clicking the New Tab (+) button located at the top left of the console.

  2. From the new tab, navigate to Configuration Manager by clicking the EmpowerID icon and selecting Configuration Manager from the context menu.
  3. In Configuration Manager, expand User Directories in the navigation tree and then click Attribute Flow Rules.

  4. Select the appropriate account store for your directory from the drop-down list at the top of the screen.
  5. The attributes from the EmpowerID Person object are displayed in the left column with the corresponding attributes from the account store displayed in the right column.
  6. Click the Attribute Flow button located between the EmpowerID Person Attribute column and the Account Store Attributes column and select the desired flow direction from the context menu.
  7. The Mail attribute should always flow from Exchange to EmpowerID.

  8. Next, click the EmpowerID Servers and Roles node in the Configuration Manager tree and turn on the Attribute Flow - Directory Change Processor Job on at least one EmpowerID server hosting the Worker Role service by ticking the check box for the job. This job is responsible for taking the attribute changes occurring to user accounts (discovered during inventory) from the attribute inbox and processing them to update the corresponding attributes on the Person object (in accordance with the attribute flow rules set for the account store).


Next, map the OUs containing user accounts and other managed objects in your account store to corresponding EmpowerID locations as described in the next section. This ensures that the location of an object in EmpowerID reflects the location of the object in Active Directory. In environments with multiple directories or domains, location mapping allows administrators and business users to see one condensed view of the organizations and have policies applied in one spot.

To map locations

EmpowerID Role and Location mappings allow multiple AD, LDAP or other external directory containers to be visually mapped to one or more logical locations in EmpowerID for unified and easy management. When a mapping occurs, all the resources or objects located in the directory container are assigned to a corresponding EmpowerID location, allowing you to use those locations for delegating user access and setting default policy settings. If you create these mappings before your first inventory, all new people discovered by EmpowerID during the inventory process will be provisioned in EmpowerID locations (instead of directory locations), and those EmpowerID locations will be assigned to them as the "Location" portion of their Business Role and Location (BRL). For example, if you have a user named "Barney Smythe" in a London > Contractors OU and a user named "Chris Emerick" in a London > Employees OU and you map both of those London OUs to a single London location in EmpowerID, when you turn on your inventory the Location portion of the BRL for both Barney Smythe and Chris Emerick would be the EmpowerID location and not the external OUs.

To map locations:

  1. From the new tab you opened above, click the EmpowerID icon and select Role and Location Mapper from the context menu.

  2. In Role and Location Mapper, press the CTRL key, and while holding the key down drag the OUs containing your users from the External Locations pane and drop them onto the All Business Locations node in the EmpowerID Locations pane. You can drag and drop locations one at a time or you can select a parent node to drag-and-drop the parent and all child nodes under the parent.

    The below image shows what the drag-and-drop operation looks like in our environment.

    Notice the blue rectangle around the All Business Locations node as well as the plus (+) symbol by the cursor icon. The blue rectangle indicates that the dragged OUs will be mapped to that node, while the plus (+) symbol indicates that EmpowerID locations will be created. If you do not see the blue rectangle or the symbol, no mapping will occur.

  3. Click Yes to indicate that you want to create mappings.
  4. EmpowerID creates the EmpowerID locations, mapping the external OUs to those locations. You can view these by expanding the nodes in each location tree and pressing F4. Doing so will paint green lines on the screen to indicate which EmpowerID locations are mapped to which external locations.

    If more than one OU or container is mapped to an EmpowerID location, setting the IsPrimary property determines which mapping should be authoritative when used for various policies, such as creating accounts by RET and assigning primary Business Roles and Locations. You can set the IsPrimary property on any mapping by right-clicking the map line and selecting IsPrimary from the context menu.
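The following Python model is an added example, not EmpowerID's code (the product's own mapping logic is not shown in this article). It makes the mapping semantics above concrete: a mapping table of external containers to EmpowerID locations, resolution of a user's BRL Location from its DN, and selection of the IsPrimary container when several OUs map to one location. The DNs, location names and the rule that a mapping on a parent OU also covers objects in its child OUs are constructed assumptions of the example; the policy of treating a location with several mappings and no IsPrimary as ambiguous is the example's own, not documented product behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LocationMapping:
    """One line in Role and Location Mapper: an external container mapped to an EmpowerID location."""
    external_dn: str          # DN of the AD OU/container (constructed sample values below)
    empowerid_location: str   # the logical EmpowerID location it is mapped to
    is_primary: bool = False  # IsPrimary: authoritative mapping for this location


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (e.g. 'CN=Smythe\\, Barney')."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def ancestor_containers(object_dn: str) -> list[str]:
    """Ancestor DNs of an object, nearest container first."""
    rdns = split_dn(object_dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def resolve_location(object_dn: str, mappings: list[LocationMapping]) -> str:
    """Location portion of the BRL for an object.

    Walks up the object's containers and returns the EmpowerID location of the
    nearest mapped container (assumption: a mapping on a parent OU covers objects
    in its child OUs). If no ancestor is mapped, the object keeps its directory
    location, i.e. the DN of its immediate container."""
    by_dn = {m.external_dn.lower(): m.empowerid_location for m in mappings}
    ancestors = ancestor_containers(object_dn)
    for container in ancestors:
        if container.lower() in by_dn:
            return by_dn[container.lower()]
    return ancestors[0]


def primary_container(location: str, mappings: list[LocationMapping]) -> Optional[LocationMapping]:
    """The authoritative external container for an EmpowerID location.

    Needed wherever a single container must be chosen, such as which OU a new
    account is created in. One mapping is implicitly authoritative; with several,
    the one flagged IsPrimary wins, and None signals an ambiguous configuration
    (this example's policy, not documented product behaviour)."""
    candidates = [m for m in mappings if m.empowerid_location == location]
    if len(candidates) == 1:
        return candidates[0]
    primaries = [m for m in candidates if m.is_primary]
    return primaries[0] if len(primaries) == 1 else None


def audit_mappings(mappings: list[LocationMapping]) -> list[str]:
    """EmpowerID locations with several mapped containers but no single IsPrimary."""
    locations = {m.empowerid_location for m in mappings}
    return sorted(loc for loc in locations if primary_container(loc, mappings) is None)


# Constructed sample mappings mirroring the article's London example.
MAPPINGS = [
    LocationMapping("OU=Contractors,OU=London,DC=corp,DC=example", "London"),
    LocationMapping("OU=Employees,OU=London,DC=corp,DC=example", "London", is_primary=True),
    LocationMapping("OU=Berlin,DC=corp,DC=example", "Berlin"),
]


if __name__ == "__main__":
    for dn in ("CN=Barney Smythe,OU=Contractors,OU=London,DC=corp,DC=example",
               "CN=Chris Emerick,OU=Employees,OU=London,DC=corp,DC=example",
               "CN=Dana Ruiz,OU=Paris,DC=corp,DC=example"):
        print(split_dn(dn)[0], "->", resolve_location(dn, MAPPINGS))
    print("ambiguous locations:", audit_mappings(MAPPINGS))
```

Running the script shows both London users resolving to the single EmpowerID location "London", while the user in the unmapped Paris OU keeps the OU DN as a directory location, which is the outcome the article warns about when mappings are created after the first inventory. The `audit_mappings` check is the kind of review worth running before inventory: any location it lists has competing containers and no IsPrimary, so policies that need one authoritative container cannot choose deterministically.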

Now that the mappings and attribute flow have been configured, you can enable inventory for the account store as demonstrated below.

To turn on inventory

  1. From Role and Location Mapper, navigate to Configuration Manager by clicking the EmpowerID icon and selecting Configuration Manager from the context menu.

  2. From the new Configuration Manager tab, click the EmpowerID Servers and Roles node.

  3. From the Jobs grid, locate the Inventory Job. It should be enabled (checked) on at least one EmpowerID Server. If the job is not enabled, tick the box so that a check mark appears.

  4. Now that the Inventory job is enabled, close the Configuration Manager tab displaying the jobs by right-clicking it and selecting Close from the context menu.

    This returns you to the Account Store Details screen.

  5. Look over your settings one last time and when satisfied, turn on inventory by toggling the Enable Inventory button from a red sphere to a green check box.


If you want EmpowerID to provision Persons from the user accounts in your Active Directory, you need to enable the Account Inbox permanent workflow. This is demonstrated below.

To enable the Account Inbox permanent workflow

  1. From the Navigation Sidebar of the Web application, navigate to the Permanent Workflows management page by expanding Admin > Miscellaneous and clicking Permanent Workflows.
  2. From the Permanent Workflows management page, click the Display Name link for Account Inbox.
  3. This opens the View One page for the workflow. This page allows you to view information about the workflow and manage it as needed.

  4. From the View One page, click the edit link for the workflow. Edit links have the Pencil icon.
  5. From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.
  6. The Max Items To Process In Loop field contains no value because this property is set in code on the AccountInbox workflow. Because of this, the Account Inbox ignores any value entered into this field. If desired, you can alter this value in the workflow itself.

To monitor inventory

  1. From the Navigation Sidebar of the Web application, navigate to the Account Inbox by expanding System Logs and clicking Account Inbox.
  2. The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.

    • Dashboard - This tab provides a quick summary of account inbox activity.
    • Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person.
    • Failed - This tab displays a grid view of any account joining or provisioning failures.
    • Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
    • Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
    • Processed - This tab displays a grid view of all accounts that have been used either to provision a new EmpowerID Person or to join to an existing EmpowerID Person.
    • Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
    • Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
    • All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.