Creating Default Attribute Values Policies

Default Attribute Values policies are policies that allow you to automate the attribute values of any Person and flow those attributes to that Person's linked accounts in external account stores belonging to a target of the policy. (Policy targets can include any Management Roles, groups, Query Based Collections or Set Groups, individual people and Business Role and Location combinations.) For example, if you create Default Attributes Values policy that specifies that the Title attribute be set to "Contractor" for anyone assigned to the policy and then you assign the policy to a "Contractors" group, EmpowerID will set the Title attribute to Contractor for each Person in that group and then flow those changes to the corresponding attribute on each Person's user account.

This topic demonstrates how to create and assign a Default Attribute Values policy in EmpowerID and is divided into the following activities:

Prerequisites: In order to create a Default Attribute Values policy, the following prerequisites must be met:
  • EmpowerID must be connected to Active Directory. For more details, see Connecting to Active Directory.
  • The Person Default Attributes Reinforcement Job must be enabled on at least one EmpowerID Server
    • To enable the Person Default Attributes Job
      1. Log in to the EmpowerID Management Console as an administrator.
      2. From the EmpowerID Management Console, navigate to Configuration Manager by clicking the EmpowerID icon and selecting Configuration Manager from the drop-down menu.
      3. In Configuration Manager, click the EmpowerID Server and Roles node and locate the Person Default Attributes Reinforcement Job.
      4. Enable the job on at least one EmpowerID Server by checking the box underneath the desired server(s).
  • To allow any attribute changes occurring in EmpowerID via the policy to flow to the external account store, the Attribute Flow Rules configured for the account store must be set accordingly. For more information, see Configuring Attribute Flow Rules.

To create the Default Attribute Values Policy

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Default Attribute Values management page by expanding Admin > Policies and clicking Default Attribute Values.
  2. From the Default Attribute Values management page, click the Create Default Attribute Value button.
  3. In the Policy Details form that appears, do the following:
    1. Type a name and display name for the policy in the Name and Display Name fields, respectively.
    2. From the Person Attribute drop-down, select the attribute for the Person that you want to be set by the policy.
    3. In the Default Value field, type the default value for the selected attribute.
    4. Select or deselect Always Reapply Policy as appropriate for the policy. If selected (the default), EmpowerID will revert any changes made to the attribute value on an affected person back to the value specified by the policy.
    5. Click Save.
    6. EmpowerID creates the policy and opens the Edit page for it. From this page, you can assign the policy to any EmpowerID Actor, such as a Group or Business Role and Location.

To assign the Default Attribute Policy

  1. From the Policy Assigned To section of the Policy Details form for the policy you just created, do the following:
    1. Click the Add (+) button on the grid that represents the Actor type to whom you are assigning the policy. In our example, we are assigning the policy to a group so we clicked the Add (+) button on the Groups grid.
    2. Type the name of the specific actor to whom you are assigning the policy in the <Actor Type> field and then click the tile for that actor. In our example, we are assigning the policy to the Contractors group.
    3. Type a numeric value from 1 to 100 for the policy in the Priority field. The priority value determines how EmpowerID should treat the users affected by the policy if those users have other Default Attribute Values policies. The lower the number, the higher the priority.
    4. Click Save.
    5. If desired, repeat steps 1b through 1d for any other specific actors of the selected Actor type.
  2. Repeat step 1 above for each additional Actor type you want to add to the policy. For example, if you wanted to add a Business Role and Location to the policy, you click the Add (+) button on the Business Role and Location grid, select the specific Business Role and Location and assign a priority for the policy.
  3. Default Attribute Values policies only apply to Primary Business Roles and Location. For example, if you assign a policy to a Business Role and Location and a Person has that Business Role and Location as a secondary Business Role and Location, the policy will have no effect on that Person's attributes.

To verify the attribute value in Active Directory

  1. On an server with the Active Directory module for PowerShell installed, run the following PowerShell cmdlet, substituting the attribute with that specified by your policy.
  2. Get-ADUser -Filter {Title -eq "Contractor"}

    You should see a record returned for each user account affected by the policy.