Access Manager: Configure Account Provisioning

system
This article is marked as obsolete.

Nervepoint Access Manager provides a Provisioning feature, which covers creating a user within a primary directory. This is achieved and managed through the concept of Departments.

A department is a logical division that groups users together and is managed by a manager user. If required, multiple managers can be set for each department.

 

In Access Manager, users can belong to a department: a newly defined department, the department that was used to create the user, or the default department associated with the connector. Users that were imported at directory creation are not automatically assigned to a department.

The basic steps to provision a user are as follows:

1. Create a department

2. Define the connector's attribute visibility

 

Creating a Department

The Provisioning page has two tabs. The first tab, Departments, is where you create new departments and manage existing ones. The page consists of two sections. The first section shows all of the currently active departments; by default, each primary connector automatically has a 'Default' department associated with it.

 

Below the Department list is the Edit section for the currently selected Department. From here you can change any setting for the Department that is currently selected in the list.

To create a new department, select the New Department button. The Edit section will update and become a new department editor.

 

The following information is required:

• Directory: The primary connector the department is attached to. When the department is used for Account Creation, accounts will be created in this directory.

• Name: The identifying name of the department. This will be visible when a user goes through the account creation request wizard.

• Notifications: The method used to send notifications to end users creating their accounts, covering the creation request and any status updates.

• Manager: The user, or users, responsible for approving or rejecting account creation requests. If omitted, this will be the admin and Administrator directory users only. Adding a user will open an Approval tab in the end user's My Account page.

Once the details have been set, select Save to create the department.

 

Configuring Attributes

Depending on which type of directory connector the department is associated with, a set of attributes will be listed down the left of the Edit/Create section of the page.

 

With the new department selected you can now begin configuring the attributes for the department:

1. Expand the attribute groups and select an attribute from the attribute list.

2. The properties of the selected attribute will be shown in the main body of the attribute editor.

3. Configure the attribute settings to suit your business requirements. Attribute settings are explained in detail further below.

 

Attribute Types

There are two types of attributes used in Access Manager:

1. Global Attributes: These are attributes defined under the category Global Attributes and are required by Access Manager to administer a user. Apart from their labels and tooltips, these cannot be altered.

2. Connector specific attributes: These are attributes that can be edited and are saved directly to the actual directory when creating the user account or when edited by the user.

 

Visibility

As can be seen below, each configurable attribute has a number of visibility settings. These affect how the attribute is seen by different classes of users and at different stages.

 

1. Provision Visibility: This controls how the attribute is presented during the user account creation process.

2. Approve Visibility: This controls how the attribute is presented to the admin users and department managers during the account approval process, after the account request has been submitted.

3. Self service editing: This controls how the attribute is presented in the User Account for existing users and after new users have been approved.

 

Each Visibility setting can be set to one of four options:

1. Hidden: The attribute will not be displayed during this section.

2. Read-Only: The attribute will be displayed and show the current value but cannot be set or changed.

3. Optional: The attribute is available for configuration and can be set or changed.

4. Required: The attribute requires a value to be set in order for the user to continue.

 

 

Default Values

Some attributes allow you to set a default or source value regardless of the visibility settings of the attribute. There are two options for providing a source value: Expression and Alternative Value.

 

1. Expression Source: Expressions use JavaScript to let you set up a script that returns the value the attribute will use. The script can make use of other attribute variables, allowing you to clone a value provided elsewhere. The default script for a username, for example, uses the values of the first and last names in the global attributes.

2. Alternative Value: These are used to set a default entry that does not use expressions. Whatever is entered in the field is set for the attribute.

The availability of Source options varies from attribute to attribute. Some allow you to choose which is used, some are limited to one of the options, and other attributes do not allow you to provide a source value at all.

 

The best way to understand attribute settings is by example:


Read-only by Approving Manager

 

In the above image, the General > First Name attribute will be hidden during account creation, read-only to the approving manager, and hidden from the end user's My Account page. Its value is set automatically by a default value: an expression that refers to the attributeId of 'First Name', located under the Global Attribute category. So whatever is set on the global attribute 'First Name' will be copied into this field and eventually into AD as the givenName attribute.


Read-only Expression

 

The user logon name that will be set within the directory is made up of several attributes: the attributes with the IDs givenName and sn. These happen to be the Account 'firstname' and 'surname' attributes. This attribute will not be visible during creation or to the approving manager, nor will it be editable by the end user later from their My Account page.


End User Editing

Below are a couple of General attributes that have been set to optional for end user editing.

You can see on the My Account page that these properties are available for editing by any user in that department.
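
The three example configurations above can be modelled in a few lines of JavaScript to show how the visibility settings and source expressions interact, including how a submitted value for a Hidden or Read-Only attribute is rejected and the expression value is used instead. This is an added example, not Access Manager code: the attribute ids firstName, lastName, logonName and telephone, the stage keys, the dotted logon-name format and the applyStage and visibleAt helpers are all assumptions made for illustration.

```javascript
// Added illustration: attribute ids, stage keys and the expr() signature are
// assumptions, not Access Manager's configuration format or scripting API.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const ATTRIBUTES = {
  // Global attributes collected from the requester (constructed settings).
  firstName: { provision: 'required', approve: 'read-only', selfService: 'read-only' },
  lastName:  { provision: 'required', approve: 'read-only', selfService: 'read-only' },
  // "Read-only by Approving Manager": copied from the global First Name.
  givenName: { provision: 'hidden', approve: 'read-only', selfService: 'hidden',
               expr: (v) => v.firstName },
  sn:        { provision: 'hidden', approve: 'read-only', selfService: 'hidden',
               expr: (v) => v.lastName },
  // "Read-only Expression": built from givenName and sn, hidden everywhere.
  logonName: { provision: 'hidden', approve: 'hidden', selfService: 'hidden',
               expr: (v) => `${v.givenName}.${v.sn}`.toLowerCase() },
  // "End User Editing": optional on the My Account page only.
  telephone: { provision: 'hidden', approve: 'hidden', selfService: 'optional' },
};

// Apply a submitted form for one stage on top of the stored values.
function applyStage(stage, current, submitted) {
  const values = { ...current };
  const errors = [];
  for (const id of Object.keys(submitted)) {
    if (!has(ATTRIBUTES, id)) errors.push(`${id}: unknown attribute`);
  }
  for (const [id, def] of Object.entries(ATTRIBUTES)) {
    const mode = def[stage];
    const writable = mode === 'optional' || mode === 'required';
    if (has(submitted, id)) {
      if (writable) values[id] = String(submitted[id]).trim();
      else errors.push(`${id}: not editable at ${stage} (${mode})`);
    }
    // A source expression supplies the value whenever the stage cannot set it.
    if (def.expr && (!writable || !values[id])) values[id] = def.expr(values);
    if (mode === 'required' && !values[id]) errors.push(`${id}: value required`);
  }
  return { values, errors };
}

// Attributes a given stage may display (everything except Hidden).
function visibleAt(stage) {
  return Object.keys(ATTRIBUTES).filter((id) => ATTRIBUTES[id][stage] !== 'hidden');
}
```

Pass the values returned by one stage as the current values of the next, for example the result of the provision stage into a later selfService call.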