Creating a Two-Level Attribute Nested Groups Dynamic Hierarchy Policy

EmpowerID provides the capability for you to create Dynamic Hierarchy policies that allow nested groups to be dynamically generated based on the value of any two specified Person attributes, such as the State and City attributes. When the policy runs, EmpowerID creates a top-level group for the first attribute specified and a nested group under that top-level group for the second attribute specified. EmpowerID then places any Person accounts with those matching attributes in those groups, depending on how you configure the policy. You can configure the policy to place people in both the top-level and nested group or only in the nested group. In addition, you can configure the policy to create top-level groups only if the condition for the nested group exists.

The Extension Attribute 1 and Extension Attribute 2 values for each group created by a Dynamic Hierarchy policy are internally managed by EmpowerID and should not be altered.
Before creating a Dynamic Hierarchy Policy, you need to start each Dynamic Hierarchy job on at least one EmpowerID server. To start the jobs, open the EmpowerID Management Console and navigate to Configuration Manager. From Configuration Manager, click the EmpowerID Servers and Roles node and then enable each job by checking the box beside it so that it looks like the below image.

To create a Two-Level Attribute Nested Groups Dynamic Hierarchy Policy

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Dynamic Hierarchies find page by expanding Admin > Policies and clicking Dynamic Hierarchies.
  2. From the Dynamic Hierarchies find page, click the Add (+) button.
  3. In the Choose Type section of the Policy Details form that appears, select Two level attribute nested groups from the Select a Policy Type drop-down.
  4. In the General section of the Create Dynamic Hierarchy Policy form, do the following:
    1. Type a name and description for the policy in the Name and Description fields, respectively.
    2. Select the appropriate account store where the groups are to be created from the Directory drop-down.
  5. In the Hierarchy Generation section of the Policy Details form, do the following:
    1. Tick Hierarchy Generation Enabled so that the option is enabled. Doing so allows EmpowerID to generate the dynamic group hierarchies.
    2. Click the Hierarchy Generation Next Run field and in the calendar control that appears, specify the date and time for the next run of the Hierarchy Generation job.
    3. Optionally, underneath Hierarchy Generation Schedule, click the Start and End fields and in the calendar control that appears for each field, specify the respective start and end dates for hierarchy generation to occur.
    4. The default values for these fields are a start schedule of one day before the current day and an end date of 97 years from the start date. If you change these values, the Start date should be set to one day before the date specified in the Hierarchy Generation Next Run field to ensure the generation occurs as expected.
    5. Specify the interval at which hierarchy generation should occur from the Interval pane. When doing so, you have the following options:
      • Once - Hierarchy generation occurs one time.
      • Minute Interval - Hierarchy generation occurs "X" times every "Y" minutes as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, hierarchy generation will occur twice. The first occurrence will be at the date and time specified in the Hierarchy Generation Next Run field and the second occurrence will be 24 minutes after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, hierarchy generation will occur once every 24 minutes, indefinitely.
      • Hour Interval - Hierarchy generation occurs "X" times every "Y" hours as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, hierarchy generation will occur twice. The first occurrence will be at the date and time specified in the Hierarchy Generation Next Run field and the second occurrence will be 24 hours after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, hierarchy generation will occur once every 24 hours, indefinitely.
      • Daily - Hierarchy generation occurs once every "X" days at a designated time as specified in the Run Indefinitely, Iterations and Times fields. So, for example, if you select an iteration of 2, hierarchy generation will occur twice. The first occurrence will be at the date and time specified in the Hierarchy Generation Next Run field and the second occurrence will be on the following day at the time specified in the Times field. However, if you select Run Indefinitely, hierarchy generation will occur on a daily basis at the time specified in the Times field.
  6. In the Membership Recalculation section of the Policy Details form, do the following:
    1. Tick Membership Recalculation Enabled so that the option is enabled. Doing so allows EmpowerID to update group membership as specified.
    2. Click the Membership Recalculate Next Run field and in the calendar control that appears, specify the date and time for the next run of the Dynamic Hierarchy Membership Recalculation job.
    3. Optionally, underneath Membership Recalculation Schedule, click the Start and End fields and in the calendar control that appears for each field, specify the respective start and end dates for membership recalculation to occur.
    4. The default values for these fields are a start schedule of one day before the current day and an end date of 97 years from the start date. If you change these values, the Start date should be set to one day before the date specified in the Membership Recalculate Next Run field to ensure the recalculation occurs as expected.
    5. Specify the interval at which membership recalculation should occur from the Interval pane. When doing so, you have the following options:
      • Once - Membership recalculation occurs one time.
      • Minute Interval - Membership recalculation occurs "X" times every "Y" minutes as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, membership recalculation will occur twice. The first occurrence will be at the date and time specified in the Membership Recalculate Next Run field and the second occurrence will be 24 minutes after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, membership recalculation will occur once every 24 minutes, indefinitely.
      • Hour Interval - Membership recalculation occurs "X" times every "Y" hours as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, membership recalculation will occur twice. The first occurrence will be at the date and time specified in the Membership Recalculate Next Run field and the second occurrence will be 24 hours after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, membership recalculation will occur once every 24 hours, indefinitely.
      • Daily - Membership recalculation occurs once every "X" days at a designated time as specified in the Run Indefinitely, Iterations and Times fields. So, for example, if you select an iteration of 2, membership recalculation will occur twice. The first occurrence will be at the date and time specified in the Membership Recalculation Next Run field and the second occurrence will be on the following day at the time specified in the Times field. However, if you select Run Indefinitely, membership recalculation will occur on a daily basis at the time specified in the Times field.
  7. In the Policy Settings section of the Policy Details form, do the following:
    1. Select the appropriate attribute from the First Attribute To Group By drop-down.
    2. Select the appropriate attribute from the Second Attribute To Group By drop-down.
    3. Select whether to Add Users as Members at All Levels and Do Not Nest Groups. If this option is selected and you have, for example, selected State as the first attribute to group by and City as the second attribute to group by, EmpowerID adds people with State and City attributes to both the State group created and the City group created. If this option is not selected, EmpowerID adds people to the nested group (in this case, the State-City group) only.
    4. Select whether to Create level 1 Groups Even if No Level 2. If this option is selected, EmpowerID creates the top-level group if the condition specified for it exists—regardless of whether the condition specified for the nested group exists. For example, in the case of a State City Nested Groups policy, if this option is selected, EmpowerID will create a State group if a Person has a State attribute value (such as Massachusetts), but will not create a State-City group within that State group if no one has a City attribute value for that state (such as Boston).
    5. Select whether to Claim Matching Group. If this option is selected and the group already exists in the specified OU, EmpowerID will claim that group as a Dynamic Hierarchy group instead of creating a new one. If an existing group is claimed, EmpowerID will fully manage the membership of that group, adding and removing users from that group based on the criteria set for group membership.
    6. When selecting this option, be aware that any people in the group who do not match the criteria for group membership will be removed from that group, unless those people have been added to the group as an RBAC delegation.
      You can add people using RBAC policies, but you cannot remove people from them using RBAC policies.
    7. Select whether to Create OU For Level 1. If this option is selected, EmpowerID will create an OU, such as the state of Massachusetts, if one does not already exist. If this option is not selected, EmpowerID places the level 1 and level 2 groups in the same OU.
    8. Select whether to Claim Matching OU. If this option is selected and Create OU for Level 1 is selected—and the OU already exists in the specified directory—EmpowerID will claim that OU as a Dynamic Hierarchy OU instead of creating a new one. If an existing OU is claimed, EmpowerID will fully manage the groups in that OU, adding and removing them based on the criteria set by the policy.
    9. Select whether to Mail-Enable Level 1 Groups. Please note that Exchange or Office 365 is required for this setting.
    10. Select whether to Mail-Enable Level 2 Groups. Please note that Exchange or Office 365 is required for this setting.
    11. Select the type of group you wish EmpowerID to create from the Group Type drop-down.
    12. Select the appropriate action for EmpowerID to take if a group is empty from the Empty Group Action drop-down.
    13. In the Delay Removal of Membership by X Days field, specify the number of days EmpowerID should wait before removing people who no longer meet the criteria for group membership. If the value is left blank, EmpowerID immediately removes all people no longer meeting the criteria for group membership.
    14. In the Level 1 Naming Convention - {Value1} field, at a minimum enter {Value1}. EmpowerID uses this value to dynamically create a distinct first-level group based on the value, adding to the group each person or user account meeting the criteria for the group.
    15. In the Level 2 Naming Convention - {Value1} and {Value2} field, at a minimum enter {Value1} {Value2}. EmpowerID uses these values to dynamically create a distinct second-level group based on value combination, adding to the group each person or user account meeting the criteria for the group.
    16. Click Select an OU and then select an OU where EmpowerID should provision the dynamically generated groups. If you do not pick a location, EmpowerID creates these groups in the default group creation location selected for the account store.
    17. After completing the above, the Policy Settings section of the form should look similar to the following image:

  8. In the Alerts section, select or deselect Alerts based on the action taken:
    • Create OU Alert Active: Tick this box if you wish an alert to be sent when an OU is created based on the dynamic group hierarchy policy settings.
    • Create OU Alert: Search and select the alert to be sent when an OU is created by the policy.
    • Create Group Alert Active: Tick this box if you wish an alert to be sent when a group is created based on the dynamic group hierarchy policy settings.
    • Create Group Alert: Search for and select the alert to be sent when a group is created by the policy.
    • Delete Group Alert Active: Tick this box if you wish an alert to be sent when a group is deleted based on the dynamic group hierarchy policy settings. The specific setting that governs whether or not a group is automatically deleted is the Empty Group Action setting. If that field is set to Delete, the only time a dynamic group is deleted is when there are no members in the group.
    • Delete Group Alert: Search for and select the alert to be sent when a group created by the policy is deleted by the policy.
    • Membership Change Alert Active: Tick this box if you wish an alert to be sent when the membership of the dynamic group hierarchy changes.
    • Membership Change Alert: Search for and select the alert to be sent when the membership of a group created by the policy is changed by the policy.
      EmpowerID includes default Alert email templates that are automatically selected for each type of Alert, but custom email alerts can be defined and selected as needed. To do so, click the Remove button to the right of the alert you wish to replace and then search for and select the appropriate alert. If you click the link for the alert rather than the Remove button, EmpowerID will direct your browser to the View One page for the alert.

      The following image shows what the Alerts section looks like with all Alerts selected.

  9. Click Save.
  10. After the Dynamic Hierarchy Policy runs, you will be able to see the new groups provisioned by the policy in a Group search. You can also view the Dynamic Hierarchy Membership Inbox and Dynamic Hierarchy Provision Inbox by expanding System Logs and clicking Dynamic Hierarchy Inbox on the Navigation Sidebar.

    You can view the people who have been dynamically added to the group by clicking on the Display Name link for that group and expanding the Resultant Members accordion on the View One page for the group that appears.
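
The Policy Settings in step 7 can be checked on paper before saving, especially Claim Matching Group, which removes existing members who do not match the policy. The following is an added example, not EmpowerID code: the function names and sample data are constructed, and it assumes a person with no second-attribute value is not placed in any group.

```python
def expected_groups(people, first, second, *, members_at_all_levels=False,
                    level1_even_if_no_level2=False,
                    l1_name="{Value1}", l2_name="{Value1} {Value2}"):
    """Return {group name: direct person members} implied by the step 7 settings.

    With members_at_all_levels off, the level 1 group holds only nested
    groups, so its direct person membership is empty.
    """
    groups = {}
    for pid, attrs in people.items():
        v1, v2 = attrs.get(first), attrs.get(second)
        # Level 1 is created only when a level 2 value exists, unless
        # "Create level 1 Groups Even if No Level 2" is selected.
        if not v1 or not (v2 or level1_even_if_no_level2):
            continue
        level1 = groups.setdefault(l1_name.format(Value1=v1), set())
        if v2:
            groups.setdefault(l2_name.format(Value1=v1, Value2=v2), set()).add(pid)
            if members_at_all_levels:
                level1.add(pid)
    return groups


def claim_impact(existing_members, policy_members, rbac_delegated=frozenset()):
    """Dry run of Claim Matching Group: (people removed, people added)."""
    existing, policy = set(existing_members), set(policy_members)
    removed = existing - policy - set(rbac_delegated)  # RBAC delegations are kept
    return removed, policy - existing


# Constructed sample data (hypothetical people and an existing directory group).
PEOPLE = {
    "alice": {"State": "Massachusetts", "City": "Boston"},
    "bob": {"State": "Massachusetts", "City": "Salem"},
    "carol": {"State": "Vermont"},  # no City value
    "dave": {"State": "Massachusetts", "City": "Boston"},
}
EXISTING = {"Massachusetts Boston": {"alice", "erin", "frank"}}
RBAC_DELEGATED = {"frank"}

if __name__ == "__main__":
    groups = expected_groups(PEOPLE, "State", "City")
    for name, current in EXISTING.items():
        removed, added = claim_impact(current, groups.get(name, set()), RBAC_DELEGATED)
        print(f"{name}: would remove {sorted(removed)}, would add {sorted(added)}")
```

Running the dry run against an export of the real group before enabling Claim Matching Group shows which accounts would lose membership, and with it any access granted through that group.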