Connecting to Custom Directories

The EmpowerID Universal Connector lets organizations use their own internal database resources to create both simple and advanced connectors for their directories and applications. This topic demonstrates the administrative tasks needed to connect to an external system with the Universal Connector. These tasks include the following:

To create the Universal Connector database, you will need the following SQL scripts:
  • SchemaGeneration.sql - This script generates the tables, stored procedures and other database objects that EmpowerID uses to store and maintain the identity information imported into the intermediary database from an external data store. You can download the script here.
    If you are using an older version of the Universal Connector, do not run SchemaGeneration.sql; instead, upgrade the schema of the existing Universal Connector database by downloading the upgrade script here and executing it against that database.
  • DataGeneration.sql - This script generates the data EmpowerID uses to describe the types of changes that EmpowerID workflows have made to business objects in the Universal Connector database. You can download this script here.
    The DataGeneration script is only needed if you use the ChangeLog to batch-process changes. When possible, EmpowerID recommends real-time processing over batch processing.

To create the Universal Connector database

  1. From any EmpowerID server with SQL Management tools installed, open Microsoft SQL Server Management Studio (SSMS).
  2. From SSMS, right-click Databases and select New Database... from the context menu.
  3. In the New Database window that opens, type a name for the database in the Database name field, set the Initial Size to 100 MB and then click OK.
  4. From the new Universal Connector database, open the SchemaGeneration.sql file you received from EmpowerID and execute the script. This generates the tables EmpowerID uses to maintain the identity information you import into EmpowerID, as well as a number of stored procedures for querying and manipulating the data in those tables.
  5. Next, if you plan to use the ChangeLog for batch processing instead of real-time processing of changes to your data, open the DataGeneration.sql script you received from EmpowerID and execute it to populate the ChangeLog lookup tables (including ChangeLogObjectType) of the Universal Connector database. These tables work in conjunction with the ChangeLog table to describe the types of changes that have occurred to objects in EmpowerID when the Universal Connector is operating in batch mode.
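The SSMS steps above (new database, 100 MB initial size, then SchemaGeneration.sql) expressed as T-SQL, together with a dedicated low-privilege principal for the account store to connect as when you fill in the Data Link Properties later. This is an added example, not EmpowerID's own script or documentation: the database name UniversalConnector, the login name EmpowerID_UC and the permission set (read/write on the generated tables plus EXECUTE on the generated stored procedures) are assumptions, and the password is a placeholder to replace.

```sql
-- Added example (not EmpowerID's own script). Names are assumptions:
-- database UniversalConnector, login/user EmpowerID_UC.
USE master;
GO

-- Steps 2-3: create the database and set the data file's initial size to 100 MB.
-- The default logical data file name equals the database name.
CREATE DATABASE UniversalConnector;
GO
ALTER DATABASE UniversalConnector
    MODIFY FILE (NAME = N'UniversalConnector', SIZE = 100MB);
GO

-- Step 4: at this point open SchemaGeneration.sql (from EmpowerID) against the
-- new database and execute it; it creates the tables and stored procedures.
-- Run DataGeneration.sql here as well, but only if ChangeLog batch mode is used.

-- A dedicated principal for the account store connection, so the connector does
-- not connect as sa or as a sysadmin. Option A: a SQL login. Replace the
-- placeholder password; CHECK_POLICY enforces the host's password policy.
CREATE LOGIN EmpowerID_UC
    WITH PASSWORD = N'<replace-with-a-strong-password>', CHECK_POLICY = ON;
GO
-- Option B (preferred where available): a domain service account, used with
-- integrated (Windows) authentication on the Data Link Properties Connection tab.
-- CREATE LOGIN [DOMAIN\svc_empowerid_uc] FROM WINDOWS;

USE UniversalConnector;
GO
CREATE USER EmpowerID_UC FOR LOGIN EmpowerID_UC;
GO
-- Read/write on the generated tables and EXECUTE on the generated stored
-- procedures (assumed to be all the connector needs); no db_owner membership.
ALTER ROLE db_datareader ADD MEMBER EmpowerID_UC;
ALTER ROLE db_datawriter ADD MEMBER EmpowerID_UC;
GRANT EXECUTE ON SCHEMA::dbo TO EmpowerID_UC;
GO
```

Run it in SSMS as a user who can create databases and logins. Whichever principal you create here is the one you enter on the Connection tab of the Data Link Properties dialog when setting up the account store, so that the connection string stored by EmpowerID never carries sysadmin rights.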

To set up the Universal Connector account store

  1. Log in to the EmpowerID Management Console as an administrative user.
  2. From the EmpowerID Management Console, click the EmpowerID application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, expand the User Directories node in the navigation tree and then click Account Stores.
  4. Click the Add New button above the Account Stores grid.
  5. In the Add New Security Boundary window that opens, select Universal Connector from the Security Boundary Type drop-down and then click OK.
  6. In the Security Boundary Details screen that appears, type an appropriate Name and Display Name for the Universal Connector account store and then click Save.
  7. Back in the Account Stores grid, right-click the Universal Connector account store you just created and select Edit from the context menu.
  8. In the General panel of the Universal Connector Details screen that appears, click the Edit button beside SQL Database.
  9. In the Data Link Properties dialog that appears, do the following:
    1. On the Provider tab, select Microsoft OLE DB Provider for SQL Server.
    2. On the Connection tab, select your server, enter the information to log on to the server, and then select the Universal Connector database you created earlier.
    3. Click OK to close the Data Link Properties dialog.
  10. Back in the General pane of the Universal Connector Details screen, enable the following options as needed:
    • Use ChangeLog to batch calls - Enable this option if you want EmpowerID to batch send (as opposed to real-time sending) changes that have occurred to your inventoried objects as the result of workflows or provisioning policies being executed against them in EmpowerID. When this option is enabled, EmpowerID writes these changes to the ChangeLog table of the Universal Connector database.
    • Use Location Parent Name - Enable this option when using the name of a Location's parent to identify that parent. If disabled, the ID of the parent location is used.
    • Use BusinessRole Parent Name - Enable this option when using the name of a Business Role's parent to identify that parent. If disabled, the ID of the parent Business Role is used.
    • Use Manager Parent Name - Enable this option when using the name of a user's manager to identify that manager. If disabled, the ID of the user's manager is used.
    • Allow Password Sync - Enables or disables the synchronization of password changes to user accounts in the account store based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.
    • Allow Person Provisioning - If enabled, EmpowerID provisions a Person object for each user discovered in the account store.
    • Allow RET Provisioning - If enabled, EmpowerID applies any Resource Entitlement policies to each Person provisioned from the inventoried account store if those people are placed in a Business Role and Location that is targeted by a Resource Entitlement policy.
    • Allow RET De-Provisioning - Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
    • Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the Universal Connector account store.
  11. From the Inventory pane of the Universal Connector Details screen, do the following:
    1. Select whether you want EmpowerID to automatically provision Person objects on inventory by toggling the button to the left of the field to a green check (enable) or a red sphere (disable).
    2. If you have opted to have EmpowerID provision Person objects on inventory, then click the Edit button to the right of the Business Role for New Inventory Provision field and select the Business Role that EmpowerID should assign to each new Person from the Business Role Selector that appears. If you leave this field empty, then EmpowerID will place each Person in the "Any Role" Business Role by default.
    3. If you have opted to have EmpowerID provision Person objects on inventory, then click the Edit button to the right of the Location for New Inventory Provision field and select the Location that EmpowerID should assign to each new Person from the Location Selector that appears. If you leave this field empty, then EmpowerID will place each Person in the location of the account container in the external system.
    4. Enable inventory by toggling the Enable Inventory button from a red sphere to a green check. Note that the Universal Connector database must be populated with the business objects from your application before inventory. In addition, if you want to map the locations in your external system to EmpowerID logical locations to aid in delegations, you should map the locations before you inventory the external system. For general information on location mapping, see Mapping Locations.
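A pre-inventory check for the last step above, run in SSMS against the Universal Connector database before switching Enable Inventory to a green check. It uses only the SQL Server catalog views, so it does not depend on the columns that SchemaGeneration.sql creates. This is an added example, not part of the EmpowerID documentation; the database name UniversalConnector and the connecting user EmpowerID_UC are assumptions (substitute the names you actually used).

```sql
-- Added example (not EmpowerID's own). Assumes database UniversalConnector
-- and that the account store connects as database user EmpowerID_UC.
USE UniversalConnector;
GO

-- 1. Did SchemaGeneration.sql run? List the generated tables and procedures.
SELECT 'table' AS object_type, SCHEMA_NAME(schema_id) AS schema_name, name
FROM sys.tables
UNION ALL
SELECT 'procedure', SCHEMA_NAME(schema_id), name
FROM sys.procedures
ORDER BY object_type, schema_name, name;
GO

-- 2. Is the database populated with your business objects? Row counts per
--    table from partition metadata (no table scans). Tables that inventory
--    reads should show a non-zero count before Enable Inventory is turned on.
SELECT s.name AS schema_name, t.name AS table_name, SUM(p.rows) AS row_count
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN sys.partitions AS p
    ON p.object_id = t.object_id AND p.index_id IN (0, 1)
GROUP BY s.name, t.name
ORDER BY row_count, t.name;
GO

-- 3. If "Use ChangeLog to batch calls" is enabled, confirm DataGeneration.sql
--    populated the ChangeLog lookup tables (ChangeLogObjectType is the one the
--    setup procedure names); the ChangeLog table itself fills as workflows run.
SELECT t.name AS table_name, SUM(p.rows) AS row_count
FROM sys.tables AS t
JOIN sys.partitions AS p
    ON p.object_id = t.object_id AND p.index_id IN (0, 1)
WHERE t.name LIKE 'ChangeLog%'
GROUP BY t.name;
GO

-- 4. What can the connector's principal actually do? Impersonate it and list
--    its effective database-level permissions. Expect SELECT/INSERT/UPDATE/
--    DELETE and EXECUTE; CONTROL or ALTER means the account is over-privileged.
EXECUTE AS USER = 'EmpowerID_UC';
SELECT entity_name, permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;
GO
```

Queries 1 to 3 answer "is the database ready for inventory"; query 4 is the check to repeat after any later change to the account store's connection credentials, since EXECUTE AS shows what the stored connection can do regardless of what the Data Link Properties dialog was told.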