The EmpowerID UltiPro connector allows organizations to bring the user data in their UltiPro system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. This topic demonstrates how to create the connector in EmpowerID.
Prerequisites: In order to connect EmpowerID to UltiPro, you must have an UltiPro account that is configured to interface with external systems. This means that you must have the following (provided by UltiPro):
User Access Key
Client Access Key
These values are used to authenticate EmpowerID to UltiPro. In addition, you must create a report as a Web service that specifies the fields you want to expose and then provide EmpowerID with the path to that service.
Additionally, you will need to create a report and expose it as a service. The report needs to have the below fields. Fields designated as required indicate that a value must be provided.
Preferred First Name
No *Required if Manager Name is provided
*Must be unique for each employee
*Yes for manager; No for non-manager
Date Of Birth
To connect EmpowerID to UltiPro
Log in to the EmpowerID Management Console as an administrator.
From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
In Configuration Manager, expand the User Directories node in the navigation tree, and then click Account Stores.
Click the Add New button above the grid.
In the Add New Security Boundary window that opens, select the UltiPro Security Boundary type from the drop-down list and then click OK.
In the Account Store Details window that appears, do the following:
Type a name for the connector in the Name field.
Type the Client Access Key in the Client Key field.
Type the User Access Key in the User Key field.
Type the path to the report in the ReportPath field.
Enter your UltiPro credentials in the UltiPro Credentials window and then click OK to close the window.
EmpowerID uses these credentials to connect to your UltiPro account. If the credentials are incorrect, the connection will fail and the account store will not be created.
EmpowerID creates the UltiPro account store and adds a record for it in the Account Stores and Resource Systems grids.
Click the Resource Systems node and locate the UltiPro resource system that EmpowerID created for the account store.
Double-click the record or right-click it and select Edit from the context menu.
This opens the Account Store Details screen for the UltiPro system. The use of this screen is discussed in the next section.
To configure EmpowerID settings for the account store
The Account Store Details screen contains two main panes—a General pane and an Inventory pane—each with settings for configuring a different aspect of the Ultipro account store you just created. To view reference information about a particular pane, expand the drop-down for that pane.
This pane is used to set general configuration information for the Account Store.
Account Store Name - This is the name you gave to the account store when you created it. To change this name, click the Edit button, enter a new name in the Account StoreFriendly Name window that appears and then click OK to close the window.
Resource System Name - This is the name of the Account Store resource system. To change this name, click the Edit button, enter a new name in the Resource System Friendly Name window and click OK.
BusinessRole Priority - This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence. To set an order, click the Edit button, enter a number in the Change Business Role Priority window and then click OK to close the window.
Icon - This is the image icon that represents this account store in the EmpowerID user interfaces.
Maximum Accounts per Person - This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
Allow Person Provisioning - Allows or disallows EmpowerID Persons to be created from the user records discovered during inventory.
Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the account store.
This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule for the EmpowerID Inventory Job.
Inventory Schedule - This is the time span that occurs before EmpowerID performs a complete inventory of the resource system. The default value is 10 minutes. You can change this at any time by clicking the Edit button.
Enable Inventory - This allows EmpowerID to inventory the Account Store. The Inventory Job must be enabled for inventory to occur. This is discussed further in the below section.
Inventory Provision Request Workflow - This is the request workflow that is initiated when new accounts are discovered via the inventory feature. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Join Provision flags described below are ignored. You can enable this feature by clicking the Edit button.
Inventory Provision Request Workflow is not enabled by default and should be used only where customization of the process is required.
Allow Automatic Person Provision on Inventory - This allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure. For more information on implementing the rule, see Reviewing Join and Provision Rules.
Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure. For more information on implementing the rule, see Reviewing Join and Provision Rules.
RBAC-Assign Initial Group Membership On First Inventory - This setting pertains to Active Directory account stores only.
Re-Inventory - Enabling this option re-inventories all changes.
Allow Business Role and Location Recalculation - Allows or disallows the Account Store to be used by the Role and Location Compiler and Role and Location Processor to determine the Business Roles and Locations that should be associated with a person. You can enable this feature by toggling the button to the left of the line from a red sphere to a green check.
To use this feature, you must also enable the Role and Location Compiler and Role and Location Processor jobs within the
EmpowerID Servers and Roles interface of Configuration Manager.
Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.
When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
How many user accounts can one Person have in the account store?
If people can have more that one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
From the General pane of the Account Store Details screen, do the following:
Optionally, click the Edit button to the right of Business Role Priority and specify the priority for the account store when determining the Business Role of the people.
Click the Edit button to the right of Maximum Accounts Per Person and specify the maximum number of accounts from the domain that a Person can have linked to them. Setting this prevents the possibility of a runaway error caused by a wrongly configured Join rule.
Toggle Allow Person Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). If enabled, EmpowerID provisions a Person object for each user discovered in the account store.
Toggle Enable Attribute Flow to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, changes occurring to user attributes in the account store will occur in EmpowerID and vice-versa depending on how you have set up your attribute flow rules. The default flow for most user attributes for active directory is bi-directional. You can change these as needed.
From the Inventory pane of the Account Store Details screen, do the following:
Toggle Allow Automatic Person Provision On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will provision Person objects for all new accounts discovered during inventory in real-time, if they meet the conditions of your Provision rules.
When provisioning people during inventory, you have the following options that can be set:
Business Role for New Inventory Provision - This allows you to select an EmpowerID Business Role for all Persons provisioned during inventory. By default, EmpowerID assigns these people to the Temporary Business Role; however, you can pick others by clicking the Edit button to the right of the line and selecting the desired Business Role from the
Business Role Selector window that appears. If you pick another and wish to remove it in favor of the default, you can do so by clicking on the red sphere to the right of the Edit button.
The following image shows the Business Role Selector window with Standard Employee selected. This means that each person provisioned will given the Standard Employee Business Role rather than the default Temporary Role.
EmpowerID includes the Standard Employee and Temporary Role Business Roles out of the box; however, if you wish to assign new Persons to another Business Role before inventory occurs, you can easily do so. You simply need to create them first. Once created, those additional Business Roles will appear in the Business Role Selector. For information on creating Business Roles see Creating Business Roles.
Location for New Inventory Provision - This allows you to select the location that is to be the primary location for the each Person provisioned during inventory.
Toggle Allow Automatic Person Join On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will attempt to join any new accounts discovered during inventory if it finds one that matches the conditions of the Join rules for the account store. If this setting is not enabled, EmpowerID will not join secondary accounts to an EmpowerID Person, but will instead provision new EmpowerID Persons for each of those additional accounts.
The last action to perform on this screen is to enable inventory. However, before doing so, it is important to review the attribute flow rules for the account store. Once you are satisfied with the rules, turn on inventory by toggling the button th the left of the line from a red sphere to a green check.