Creating Provisioning Policies for Microsoft Dynamics Users

In EmpowerID, Provisioning policies, also known as "Resource Entitlements" or "RETS," are policies that can be created to automate the provisioning, moving, disabling and de-provisioning of resources to users based on their meeting certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policy.

Dynamics AX (DAX) has two types of users, Active Directory users and Claims users. By default, DAX provisions all users as Claims Users. Thus, to create both types of users through RET policies, EmpowerID recommends you create a RET policy for both. The difference between these two types of policies is demonstrated below.

This topic demonstrates how to create a RET policy that provisions Microsoft Dynamics AX (DAX) users and is divided into the following activities:

Prerequisites

Before you can create a Provisioning policy for DAX users, the following prerequisites need to be met:

  • EmpowerID must first be connected to DAX. For the details, see Connecting to Microsoft Dynamics AX.
  • RET provisioning and RET deprovisioning must be enabled on the DAX account store.
    • To Enable RET Provisioning and Deprovisioning
      1. From the Navigation Sidebar, navigate to Account Store Manager by expanding Admin > Applications and Directories and clicking Account Stores.
      2. In Account Store Manager, search for your Microsoft Dynamics User account store and click the Account Store link for the record returned.
      3. This directs you to the View page for the account store. View pages allow you to view information about the account store and also provide an Edit link for editing the settings.

      4. On the View page, click the Edit link. Edit links are notated with pencil icons.
      5. From the Edit page, locate the Features section and verify that the AllowProvisioning and AllowDeProvisioning features are enabled (checked). If they are not enabled, click each one so that they have a checkmark and then click Save.
  • Optional - If your organization wants the ability to approve or deny DAX user RETs on either a case-by-case basis or in batches, then you must enable both the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on at least one EmpowerID server. If these jobs are not enabled, the default RET Provisioning and Transforming workflows will auto-provision all RETs. No approval processes will be involved.
    • To Enable RET Jobs
      1. From the Account Store Details screen, click the Configuration Manager button to return to the main screen of Configuration Manager.
      2. From the main screen of Configuration Manager, click EmpowerID Servers and Roles node in the application navigation tree and then check the Resource Entitlement Recalculation Job and Resource Entitlement Recalculation Job on at least one EmpowerID Server.

To create a provisioning policy for DAX user accounts

  1. From the Navigation Sidebar, navigate to the Resource Entitlements/Provisioning Policies Management page by expanding Admin > Policies and clicking Provisioning Policies (RETS).
  2. From the Resource Entitlements/Provisioning Policies Management page, click the Actions tab and then click the Create Provisioning Policy tile.
  3. In the Choose Type section of the Policy Details form that appears, select Default from the Object Type To Provision drop-down.
  4. In the General section of the form, do the following:

    1. Type a name in the Name field.
    2. Optionally, type a description in the Description field.
    3. Select User Acount from the Resource Type drop-down.
    4. Select your DAX user resource system from the Resource System drop-down.
    5. Type user in the ObjectClass drop-down.
    6. After completing the above, the General section of the form should look similar to the following image.

  5. In the Throttling Settings section of the form, specify the provisioning and deprovisioning thresholds for the policy. These settings are as follows:
    • All Provisions Require Approval - If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • All Deprovisions Require Approval - If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • Require Approval if Provision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the accounts until approval is granted.
    • Require Approval if Deprovision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the accounts until approval is granted.
    As a best practice, when testing provisioning policies, you should select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.

    In our example, we have selected Approve All Provisions and Approve All Deprovisions, meaning that the provisioning and deprovisioning of all DAX user accounts must be approved before those accounts will be processed by RET Inbox.

  6. In the Advanced section of the form, do the following:
    1. Leave the On Claim Action set to Do Nothing.
    2. Leave the On Transform Action set to Do Nothing.
    3. Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to delete the DAX user account if the person no longer meets the criteria to receive the resource from the RET, such as would occur if the person was terminated or moved to a Business Role and Location without a RET policy for the specified resource.
    4. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.

    The Advanced and Creation Path Resolver sections of the form should look like the following image.

  7. Click Save.
  8. The next section involves setting Configuration Parameters for the DAX User provisioning policy. This is only necessary if you are creating a provisioning policy for DAX users with an Active Directory user account type. If this provisioning policy is for DAX users with the Claims user account type, you can skip the section.

To set the Configuration Parameters for the Provisioning Policy

  1. Navigate to the Resource Entitlements Find page by clicking the Find Policies breadcrumb located at the top of the Policy Details page for the policy you just created.
  2. From the Policies tab of the Resource Entitlements Find page, search for the policy you just created and click the Display Name link.

    This opens the View page for the policy.

  3. In the View page, expand the Configuration Parameters accordion and then click the Add Parameter (+) button.
  4. In the General pane that appears, type accountType in the Name field, Active Directory User in the ConfigurationValue field and then click Save to close the pane.

Next, assign the policy you just created to one or more targets as demonstrated below.

To assign the provisioning policy to users

If you did not add configuration parameters to the provisioning policy (as desribed in the above section, you can begin with step 2 below.
  1. From the View page for the DAX RET, return to the Policy Details form by clicking the Edit link for the policy located at the top of the page.
  2. From the Policy Details form, scroll to the Policy Assigned To section and click the Add (+) button underneath the specific target type to which you want to assign the RET. In our example, we are assigning the policy to the Intern in Corporate Business Role and Location so we are clicking the Add (+) button in the Business Role and Locations pane of the section.
  3. This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.

  4. From the Add Entry pane, click the Select a Role and Location link.
  5. In the Business Role and Location selector that appears, do the following:
    1. Search for and select the Business Role to which you want to assign the policy. In our example, we are assigning the policy to the Intern Business Role, so we have selected Intern.
    2. Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all Interns in or below the Corporate location, so we have selected Corporate.
    3. Click Select to close the Business Role and Location selector.
    4. Type a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET by virtue of another assignment, such as being a member of a group that has the same policy.
    5. Click Save.
  6. Back in the main form, click Save.
  7. If you selected Approve All Provisions, you must manually approve each item in the Resource Entitlement Inbox before EmpowerID will provision the DAX accounts. This is demonstrated in the next section.

To approve the resource entitlements

  1. From the Navigation Sidebar, navigate to the RET Inbox by expanding System Logs and clicking RET Inbox.
  2. Click the Pending Approval tab. You should see a record for each RET that needs to be approved.
  3. To approve the RETs, click the Approve drop-down for each RET and select Approve from the menu.
  4. Click the shopping cart icon at the top of the page, then type a reason for the approval in the cart dialog and then click Submit.
  5. After the RET Inbox has provisioned the DAX user accounts, you can view and manage those accounts as you would any other user accounts.