Creating Provisioning Policies for ServiceNow Accounts

In EmpowerID, you can create Provisioning policies, also known as "Resource Entitlements" or "RETS," to automate the provisioning, moving, disabling and de-provisioning of resources to users based on whether they belong to a specific:

  • Group
  • Management Role
  • Business Role and Location
  • Query-Based Collection

Once a policy is created and enabled, EmpowerID continuously evaluates the policy to determine who should and should not have the resource as specified by the conditions of the policy.

This topic demonstrates how to create a RET policy that provisions ServiceNow accounts and is divided into the following activities:

Prerequisites
Before you can create a Provisioning policy for ServiceNow accounts, the following prerequisites need to be met:
  • EmpowerID must first be connected to ServiceNow. For the details, see Connecting to ServiceNow.
  • RET provisioning and RET deprovisioning must be enabled on the ServiceNow account store.
    • To Enable RET Provisioning and Deprovisioning
      1. From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager.
      2. In the application navigation tree to the left, click Account Stores.
      3. Double-click your ServiceNow account store in the grid. Be sure the Security Boundary Type is ServiceNow and not Tracking Only System, as it is possible to have both types. Tracking Only Systems are internal to EmpowerID.
      4. In the General pane of the Account Store Details screen, enable Allow RET Provisioning and Allow RET De-Provisioning so that there is a green check mark beside each line.

To create a policy that provisions ServiceNow accounts

  1. From the Navigation Sidebar, expand the Admin node, then Policies, and click Provisioning Policies (RETS).
  2. On the Actions tab, click the Create Provisioning Policy tile.
  3. In the Choose Type section of the Policy Details form that appears, select Default from the Object Type To Provision drop-down.
  4. In the General section of the form, enter the following settings.
    • For the Name and Display Name fields, enter a name.
    • For the Resource Type, select User Account.
    • For the Resource System, select ServiceNow.
    • For the Object Class, enter User.
    • For the Creation Path, search and select ServiceNow.
  5. In the Throttling Settings, set these as required for your organization.
    • All Provisions Require Approval - Select to send provisioning for each RET specified by the policy for approval by a user delegated access to the Resource Entitlement Inbox.
    • All Deprovisions Require Approval - Select to send deprovisioning for each RET specified by the policy for approval by a user delegated access to the Resource Entitlement Inbox.
    • Require Approval if Provision Batch Larger Than Threshold - Set the number of provisions that a single run of the Resource Entitlement Inbox can process before approval is required. If the threshold is reached, no accounts are provisioned until approval is granted.
    • Require Approval if Deprovision Batch Larger Than Threshold - Set the number of deprovisions that a single run of the Resource Entitlement Inbox can process before approval is required. If the threshold is reached, no accounts are deprovisioned until approval is granted.
    As a best practice, when testing provisioning policies, select All Provisions Require Approval and All Deprovisions Require Approval to become familiar with how EmpowerID processes RETs. Then, when moving to production, you can set the approval thresholds to a number that makes sense for your environment.
  6. In the Advanced section of the form, enter the following settings.
    • Leave On Claim Action set to Do Nothing.
    • Set On Transform Action to Move.
    • Set On Revoke Action to Deprovision. This tells EmpowerID to disable the ServiceNow account if the person no longer meets the criteria to receive the resource from the RET.
    • Leave the Creation Location Path Resolver Assembly and Creation Location Path Resolver Type fields empty. These fields allow you to use a custom assembly to set where to create an account (or any RET that requires a path).

  7. Back in the main form, click Save.
  8. Next, add Assignees to the policy you just created. Here you specify the Business Roles and Locations, Management Roles, Management Role Definitions, Query-Based Collections, Groups, or People to assign to the policy. If Assignees are not set, EmpowerID assigns all users to the ServiceNow profile by default.
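
The following is an added illustration, not EmpowerID code: a small Python model of how the settings above interact when the policy is evaluated, showing why a deprovision threshold limits the damage when an assignee role is emptied by mistake. The class, function and sample names are hypothetical, and reading "Larger Than Threshold" as strictly greater is an assumption.

```python
# Illustrative model only; not EmpowerID code. All names here are hypothetical.
from dataclasses import dataclass, field

@dataclass
class RetPolicy:
    assignees: set = field(default_factory=set)  # empty: everyone is in scope (step 8)
    all_provisions_require_approval: bool = False
    all_deprovisions_require_approval: bool = False
    provision_threshold: int = 0      # 0 means "no threshold" in this model (assumption)
    deprovision_threshold: int = 0

def evaluate(policy, people, accounts):
    """people maps person -> set of role/group names; accounts is who has an account now."""
    if policy.assignees:
        entitled = {p for p, roles in people.items() if roles & policy.assignees}
    else:
        entitled = set(people)
    return sorted(entitled - accounts), sorted(accounts - entitled)

def gate(batch, require_all, threshold):
    """Decide whether a batch runs or waits in the inbox for approval."""
    if not batch:
        return "nothing_to_do"
    # "Larger Than Threshold" is read as strictly greater (assumption from the setting name).
    if require_all or (threshold and len(batch) > threshold):
        return "pending_approval"
    return "auto"

def inbox_run(policy, people, accounts):
    grant, revoke = evaluate(policy, people, accounts)
    return {
        "provision": (grant, gate(grant, policy.all_provisions_require_approval,
                                  policy.provision_threshold)),
        "deprovision": (revoke, gate(revoke, policy.all_deprovisions_require_approval,
                                     policy.deprovision_threshold)),
    }

# Constructed sample data: four people, three of whom already have accounts.
ROLE = "All Employees in ServiceNow"
PEOPLE = {"ana": {ROLE}, "ben": {ROLE}, "cy": {ROLE}, "dee": {ROLE}}
ACCOUNTS = {"ana", "ben", "cy"}
POLICY = RetPolicy(assignees={ROLE}, deprovision_threshold=2)

if __name__ == "__main__":
    print(inbox_run(POLICY, PEOPLE, ACCOUNTS))   # one new account, created automatically
    # A bad upstream sync empties the role: every account now fails the policy.
    emptied = {p: set() for p in PEOPLE}
    print(inbox_run(POLICY, emptied, ACCOUNTS))  # three revokes held for approval
```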

To set the Assignees

  1. Click the Find Policies breadcrumb located at the top of the Policy Details page.
  2. From the Policies tab, search for the policy you just created and click the Display Name link.
  3. This opens the View page for the policy. View pages allow you to view and manage resources.

  4. In the View page, click the Assignees accordion to expand it and then, in Business Roles and Locations, click the Add (+) button.
  5. Select a Role and Location, for example, All Employees in ServiceNow, and click Select, then Save. EmpowerID uses this information to decide who gets provisioned an account in ServiceNow.

Next, assign the policy you just created to one or more targets as demonstrated below.

To assign the provisioning policy to users

  1. Still in the Assignees accordion, scroll down to People, and click the Add (+) button to add a person as an assignee to the policy. In the Person box, press ENTER to search, and select a person.
  2. Click Save.

If you selected All Provisions Require Approval, you must manually approve each item in the Resource Entitlement Inbox for this policy before EmpowerID can provision the ServiceNow accounts. This is demonstrated in the next section.

To approve the resource entitlements

  1. In the Navigation Sidebar, expand System Logs, then Policy Inbox Logs and select Provisioning (RET) Inbox.
  2. Click the Pending Batches tab to see a batch for the ServiceNow Resource Entitlement. In our case, you can see the Person you assigned to the ServiceNow location on the Pending Approval tab.
  3. To approve the batch or the person, click the Approve drop-down and select Approve from the menu.
  4. Click the shopping cart icon at the top of the page, then type a reason for the approval in the cart dialog and then click Submit.
  5. After the RET Inbox has provisioned the ServiceNow accounts, you can view and manage those accounts and the groups created for those accounts from the ServiceNow Manager page. To see it, in the Navigation Sidebar, expand Pages and click ServiceNow Manager. The tabs along the top give you access to Users, Roles and Groups, and Role and Group Changes.