Creating Provisioning Policies for Salesforce Accounts

In EmpowerID, Provisioning policies, also known as "Resource Entitlements" or "RETS," are policies that can be created to automate the provisioning, moving, disabling and de-provisioning of resources to users based on their meeting certain qualifying criteria, such as belonging to a specific group, Management Role, Business Role and Location, or Query-Based Collection. Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policy.

This topic demonstrates how to create a RET policy that provisions Salesforce accounts and is divided into the following activities:

Prerequisites
Before you can create a Provisioning policy for Salesforce accounts, the following prerequisites need to be met:
  • EmpowerID must first be connected to Salesforce. For the details, see Connecting to Salesforce.
  • RET provisioning and RET deprovisioning must be enabled on the Salesforce account store.
    • To Enable RET Provisioning and Deprovisioning
      1. From the EmpowerID Management Console, navigate to Configuration Manager by clicking on the EmpowerID icon and selecting Configuration Manager from the context menu.
      2. In Configuration Manager, expand the User Directories node in the application navigation tree to the left and click Account Stores.
      3. Locate your Salesforce account store in the grid, right-click it and select Edit from the context menu. When locating the Salesforce account store, make sure the Security Boundary Type is Salesforce.com and not Tracking Only System, as it is possible to have both types. Tracking Only Systems are internal to EmpowerID.
      4. In the General pane of the Account Store Details screen that appears for your Salesforce account store, verify that Allow RET Provisioning and Allow RET De-Provisioning are enabled (green check mark beside each line). If these settings are not enabled, toggle each from a red sphere to a green check mark so that they look like the below image.
  • Optional - If your organization wants the ability to approve or deny RETs on either a case-by-case basis or in batches, then you must enable both the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on at least one EmpowerID server. If these jobs are not enabled, the default RET Provisioning and Transforming workflows will auto-provision all RETs. No approval processes will be involved.
    • To Enable RET Jobs
      1. From the Account Store Details screen, click the Configuration Manager button to return to the main screen of Configuration Manager.
      2. From the main screen of Configuration Manager, click the EmpowerID Servers and Roles node in the application navigation tree and then check the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job on at least one EmpowerID Server.

To create a provisioning policy that provisions Salesforce accounts

  1. From the Navigation Sidebar, navigate to the Resource Entitlements/Provisioning Policies Management page by expanding Admin > Policies and clicking Provisioning Policies (RETS).
  2. From the Resource Entitlements/Provisioning Policies Management page, click the Actions tab and then click the Create Provisioning Policy tile.
  3. In the Choose Type section of the Policy Details form that appears, select Salesforce Account from the Object Type To Provision drop-down.
  4. In the General section of the form, do the following:
    1. Type a name and display name in the Name and Display Name fields, respectively.
    2. Optionally, type a description in the Description field.
    3. Select the Salesforce domain in which the accounts are to be provisioned from the Directory drop-down.
    4. The Choose Type and General sections of the form should look similar to the below image.

    • All Provisions Require Approval - If this option is selected, the provisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • All Deprovisions Require Approval - If this option is selected, the deprovisioning of each RET specified by the policy will need to be approved by a user delegated access to the Resource Entitlement Inbox.
    • Require Approval if Provision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the provisions. If the threshold is reached, EmpowerID will not provision any of the accounts until approval is granted.
    • Require Approval if Deprovision Batch Larger Than Threshold - This field allows you to set a numeric value that needs to be reached by a single run of the Resource Entitlement Inbox before an approver needs to approve the deprovisions. If the threshold is reached, EmpowerID will not deprovision any of the accounts until approval is granted.
    As a best practice, when testing provisioning policies, you should select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.

    In our example, we have selected All Provisions Require Approval and All Deprovisions Require Approval, meaning that the provisioning and deprovisioning of all accounts must be approved before those accounts will be processed by the RET Inbox.

  5. In the Advanced section of the form, do the following:
    1. Leave On Claim Action set to Do Nothing.
    2. Leave On Transform Action set to Do Nothing.
    3. Select Deprovision from the On Revoke Action drop-down. This tells EmpowerID to disable the Salesforce account if the person no longer meets the criteria to receive the resource from the RET, such as would occur if the person was terminated or moved to a Business Role and Location without a RET policy for the specified resource.
    4. Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where an account (or any RET that requires a path) should be created.

    The Advanced section of the form should now look like the following image:

  6. Back in the main form, click Save.
  7. Next, add Configuration Parameters to the policy you just created. These parameters allow you to specify the Salesforce profile and role each user created by the policy is to be assigned. If Configuration Parameters are not set, EmpowerID assigns all users to the Chatter Free profile by default.

To set the Configuration Parameters

  1. Navigate to the Resource Entitlements Find page by clicking the Find Policies breadcrumb located at the top of the Policy Details page for the policy you just created.
  2. From the Policies tab of the Resource Entitlements Find page, search for the policy you just created and click the Display Name link.
  3. This opens the View page for the policy. View pages allow you to view and manage resources.

  4. In the View page, click the Configuration Parameters accordion to expand it and then click the Add Parameter (+) button.
  5. Type ProfileId in the Name field and the name of the Salesforce profile in the ConfigurationValue field and then click Save. EmpowerID sends this information to Salesforce. If you do not set a ProfileId, EmpowerID passes the Chatter Free User profile to Salesforce by default.
  6. The ConfigurationValue must match the name of the corresponding Profile in Salesforce.

  7. If the Profile you are setting can have a role in Salesforce, click the Add Parameter (+) button again, type UserRoleId in the Name field and the name of the Salesforce role in the ConfigurationValue field, and then click Save.

Next, assign the policy you just created to one or more targets as demonstrated below.

To assign the provisioning policy to users

  1. From the View page for the Salesforce RET, click the Edit link for the policy located at the top of the page.
  2. Scroll to the Policy Assigned To section of the policy's Edit page and click the Add (+) button underneath the specific target type to which you want to assign the RET. In our example, we are assigning the policy to the Intern in Corporate Business Role and Location so we are clicking the Add (+) button in the Business Role and Locations pane of the section.

    This opens the Add Entry pane, which is where you select the specific actor you want to assign the policy to. Because we are assigning the policy to a Business Role and Location, the Add Entry pane is contextualized for that actor type.

  3. From the Add Entry pane, click the Select a Role and Location link.
  4. In the Business Role and Location selector that appears, do the following:
    1. Search for and select the Business Role to which you want to assign the policy. In our example, we are assigning the policy to the Intern Business Role, so we have selected Intern.
    2. Click the Location tab and then search for and select the Location. In our example, we want the policy to be applied to all Interns in or below the Corporate location, so we have selected Corporate.
  5. Click Select to close the Business Role and Location selector.
  6. Type a number to specify the priority for the RET policy in the Priority field. This value is used to determine the priority of the RET if the user qualifies for the same RET by virtue of another assignment, such as being a member of a group that has the same policy.
  7. Click Save.
  8. Back in the main form, click Save.
  9. If you selected All Provisions Require Approval and have enabled the Resource Entitlement Inbox Processor Job and the Resource Entitlement Recalculation Job, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID will provision the Salesforce accounts. This is demonstrated in the next section.

Next, approve the resource entitlements generated by the policy as demonstrated below.

To approve the resource entitlements

  1. From the Navigation Sidebar, navigate to the RET Inbox by expanding System Logs and clicking RET Inbox.
  2. Click the Pending Batches tab. You should see a batch for the Salesforce Resource Entitlement. In our case, the Resource Entitlement batch is the Chatter Free User batch.
  3. To approve the batch, click the Approval drop-down and select Approve from the menu.
  4. Click the shopping cart icon at the top of the page, then type a reason for the approval in the cart dialog and then click Submit.
  5. After the RET Inbox has provisioned the Salesforce accounts, you can view and manage those accounts and the groups created for those accounts from the Salesforce Management page. You navigate to the Salesforce Management page by expanding Pages in the Navigation Sidebar and clicking Salesforce Manager.