EmpowerID Quick Start

Welcome to EmpowerID! Your organization has implemented EmpowerID to help you keep your user information secure and manage your access to its IT resources. This topic will help become more familiar with EmpowerID so that you can quickly get about your business, accomplishing what you need to do as efficiently as possible. If you are a new user, this topic is the place to begin as it shows you the basics of using EmpowerID from your first login. Once you understand the basics, you can select any topics that are relevant to you and your organizational situation.

What is EmpowerID?

EmpowerID is an Identity and Access Management platform that makes it easy for organizations to securely manage their IT resources.

How Do I Start?

To get started with EmpowerID, you open your browser and go to the login page for your organization. The URL for this page should look something like https://eid.yourorganization.com/ui, where "eid" represents the name of your organization's EmpowerID server. The page you see should look something like the below image. In the image, there is only one login option, the default EmpowerID login. Depending on how your organization has configured the page, you may have more login options and the page may be themed differently.

Once you reach the page, do the following:

  • Enter your credentials and click Login. If you are logging in with your EmpowerID account, you do not need to include your organization's UPN suffix (i.e., @yourorganization.com)

After logging in, you may be directed to a number of different pages before gaining access to your organization's portal. These pages can included the following:

  • Multi-Factor Authentication page — This page appears if your organization has set up Multi-factor authentication (MFA). Multi-factor authentication enhances the security of your account by using a secondary method to verify your identity. Depending on how your organization has set up MFA, you may be required to pick from one or more secondary methods or have the option to select none.

    In the below image, MFA is limited to Device Registration and is optional.

For more information on MFA and EmpowerID, see Multi-Factor Authentication.

  • Edit Person Demographics page — This page gives you the opportunity to provide personal information about yourself, such as your personal email or mobile phone number.

If you are not directed to the enrollment page, this means your organization does not allow you to reset your password.
If that is the case, the first page you will see is your personal home page.

The below image shows the enrollment page with its default configuration. The page you see may be themed differently and present you with different question and answer options.

Answer the questions presented to you and then click Submit.

You provide your own question and answer for the Custom Question.

After enrolling for password self-service reset (if that is your organization's policy), EmpowerID directs you to the home page that your organization has set for you. In the below image, that page is your personal dashboard. This dashboard allows you to quickly view panes of the most pertinent information about your activity within EmpowerID. An explanation of the dashboard panes follows the image.

  • My Open Tasks — In EmpowerID, tasks represent pieces of work that can be performed by an authorized user against an IT resource, and open tasks are those pieces of work that have been initiated, but not yet completed. If you are a user authorized to complete an open task, it appears in this dashboard pane.
  • My Tasks by Status — This pane provides a pie chart view of your tasks, with those tasks showing as open, rejected and approved.
  • My Requests by Status — IIn EmpowerID, requests represent actions that you have initiated against a resources for which you do not have the necessary access to complete. When this is the case, EmpowerID sends your request to other people with the ability to approve (or reject) your request. This pane provides a pie chart view of your reuests, with those requests showing as open, rejected and approved.
  • My Last 10 Login Failures — This pane displays the last 10 attempts to login that failed. This allows you to keep track of any login failures and may help you spot attempts by another user to fraudulently use your account.
  • My Recent Activities — This pane displays a list of all tasks you have performed on the site.
  • My SSO Apps By # of Logins — In EmpowerID, SSO Apps are Web applications that require you to authenticate, but do not support federated SSO (single sign-on). In these cases, EmpowerID provides the ability for you to still SSO to those applications through its browser extension. If you have accounts that EmpowerID knows about in these types of applications, your login activity to those applications (from EmpowerID) appears in this pane.

What is the purpose of the other elements I see?

Beyond your personal dashboard, you should see a number of elements common to each page. These elements are as follows:

  • Navigation Sidebar — The Navigation Sidebar is how you move through the pages of the EmpowerID Web site and search for people and other types of resources. The amount of resources for which you can search and the number of pages available to you differ according to the amount of access your organization has given you.
  • Language and Profile Menu Items — TThese allow you to set your personal language preference, view and edit aspects of your profile, change your password and log out of EmpowerID.

After logging in, what can I do?

As a default user of EmpowerID, your organization has given you the ability to do a few certain things. These are as follows:

The below capabilities represent the default given to standard users. Depending on your role within your organization, you may be able to see and do more or less.

How do I search for other people?

On every page of the EmpowerID Web application, you will see a Global Search control. This control contains two elements, a filter and a text field. The filter allows you to limit searches to particular resource types, such as people or shared folders. The text field provides a place for you to input the specific resource for which you are looking. For example, if you want to search for a person named "Megan Allen" you select person from the filter and then type "Megan Allen" in the text field. If your organization has a person named "Megan Allen" and you have access to view her then you will see a tile for her. Clicking the tile takes you to a page where you can view information about the person.

By default, the Person search filter is selected. This filter is shown in the above image.

How do I change my password?

If at any time you wish to change your password, you can do so by clicking your display name and selecting the Change Password menu item.

Type your current password in the Change Password field, your new password in the New Password and Confirm Password fields and click Submit.

How do I view and edit my profile?

You can view your profile by clicking your display name and selecting the View Profile menu item.

This directs your browser to your View Self page. This page contains your basic profile information and a number of expandable accordions with information specific to your person.

To edit your profile information, click the Edit link directly underneath the image placeholder. Edit links have the Pencil icon.

As an alternative, you can bypass your View Self page and go directly to your Edit page for your profile from the navigation sidebar by expanding IT Shop, clicking Workflows and then clicking the Edit Your Profile Information button.

This opens the Edit One page for your person. This page contains tabs with fields of information about your person.

To make an edit, select the tab(s) that contains the field(s) you want to edit, add your changes and click Save. For example, if you want to add a photo, you select the Photos tab. The tab provides a Photo Manager that allows you to capture a webcam image or upload a photo.

To upload a photo, do the following:

  1. Click the Browse button and then search for and select an image file on your machine.
  2. Click Upload File.
  3. Click Save.

    You should see a message stating that the task was sent for approval. Once approved the photo will appear on all pages related to your person. People will be able to see your photo on those pages.

How do I check the status of my requests?

Any time you request access to a resource, make a change to your profile or perform another task for which your manager or an administrator needs to approve, that task is sent to those people. You can view the status of your request, as well as who can approve it on the Requests Pending page. To go to the page, do the following:

  1. From the navigation sidebar, expand Task and Requests > Workflow Tasks and click Requests Pending.

    You should see your requests (if any) in the grid below the Search field. The grid allows you to view the task, the workflow you initiated, the elapsed time and when you submitted the request.

  2. To view who can approve a request, click the users icon beside it.

    You should see a list of potential approvers.

    If a request is approved or rejected, you will see it on the Requests Completed page. You can view this page by expanding Tasks and Requests > Workflow Tasks and clicking Request Completed.

    You should see any completed requests in the grid below the search field. You can see the decision that was made about the request, who made it as well as the status of the workflow.

    You may need to log out and then log back in to see some approvals take effect. For example, if you uploaded a photo and it was approved, you will see it on your next login.

How do I reset a forgotten password?

If you have enrolled for password self-service reset as described above and have forgotten your password, you can reset it by clicking the Password link on the login page.

Resetting a forgotten password requires that you have either an email address or mobile phone that is registered in EmpowerID. This is necessary as EmpowerID sends you a one-time password as an intermediate step. You enter the one-time password to authenticate and then reset the password.

Doing so directs you to the Password Reset Center, where you enter your EmpowerID login or email and validate you're a human by passing the reCAPTCHA.

To reset your password do the following:

  1. Enter your EmpowerID login or email.
  2. Check I'm not a robot and then pass the reCAPTCHA challenge
  3. Click Submit.
  4. Answer the personal challenge questions you created when enrolling for password self-service reset.
  5. After answering your personal challenge questions, select Unlock and Reset Password and specify the one-time password delivery method.
  6. Click Submit.
  7. Retrieve the one-time password that EmpowerID sends to your specified delivery method.
  8. Enter the one-time password in the One-Time Password field and then click Submit.
  9. Click OK to close the Change password result message.

Using Yubikey OTP

If your organization has enabled Yubikey OTP for multi-factor authentication, when logging in you will have the opportunity to authenticate using a token generated by a Yubikey device as a second factor. If multi-factor authentication is optional for your account, you do not need to use this method. However, if multi-factor authentication using Yubico OTP is required, you must have a Yubikey device issued to you and authenticate using that key before gaining access to your resources.

To use Yubikey OTP

  1. Log in to your organization's Web portal as you would normally do so.
  2. If multi-factor authentication is optional (or required and you have multiple options available to you) and you want to enable OATH Tokens as a second factor for your account, select OATH Token and click Submit.

    If Yubico is required for your account, you will not see a screen asking you to select a multi-factor option. Instead, you will see the below screen.

  3. Making sure your Yubikey is plugged into your computer, place your cursor in the Enter Verification Code field and then press the button or the gold disk on the key.

    You should see a token generated in the Enter Verification Code field.

Unless another level of multi-factor authentication is required on your account, you should now be authenticated. The next time you log in, plug your Yubikey device into the USB port on your computer and follow the instructions on the screen.

If you are asked for another factor, select the desired authentication method and follow the steps shown on the screen.

Using OATH Tokens

If your organization has enabled OATH Tokens for multi-factor authentication, when logging in you will have the opportunity to authenticate using a token generated by a client application such as Google Authenticator or Duo Security. If multi-factor authentication is optional for your account, you do not need to use this method. However, if multi-factor authentication using this method is required, you must have install Google Authenticator or Duo Security on your mobile device and authenticate using the token generated by that application.

To use OATH Tokens

  1. Log in to your organization's Web portal as you would normally do so.
  2. If multi-factor authentication is optional (or required and you have multiple options available to you) and you want to enable OATH Tokens as a second factor for your account, select OATH Token and click Submit.

    If OATH Tokens are required for your account, you will not see a screen asking you to select a multi-factor option. Instead, you will see the below screen.

    You should see a screen stating that you need to verify your identity by entering the code generated by Google Authenticator.

  3. To get your token, click Email Token and Instruction.
  4. Click Ok to close the software token was issued successfully message and then check your email for further instructions.
  5. Follow the instruction for installing Google Authenticator on your phone and then click the appropriate link to provision your token.
  6. If you read the email from the your computer, clicking the from your PC link generates QR code in the browser. Scan the code with a barcode reader from your mobile phone.
  7. Next, retrieve the token from Google Authenticator (or Duo if you are using that application), enter it in the Verification field and then click Verify.

If you entered the code correctly, and another level of multi-factor authentication is not required on your account, you should be authenticated. The next time you log in to the portal, follow the instructions on the screen.

If you enter the wrong code, you will see a message stating "The passcode entered is incorrect. Please try again." To do so, select your delivery method and request a new code. Once you correctly enter the new code, you will be authenticated. Depending on how your administrator has set things up, if you enter the wrong code repeatedly, you will see a message asking you to restart the login process. To do so, click the Back link.

Using Device Registration

If your organization has enabled device registration for multi-factor authentication, when logging in you will have the opportunity to authenticate using this method as a second factor. If multi-factor authentication is optional for your account, you do not need to use this method.

To use device registration

  1. Log in to your organization's Web portal as you would normally do so.
  2. If multi-factor authentication is optional (or required and you have multiple options available to you), and you want to enable device registration for your account, select Device Registration and click Submit.

    The MFA options available to you depends on your administrator. You may see more or less options than those shown below.

    If device registration is required for your account, you will not see a screen asking you to select a multi-factor option. Instead, you will see the below screen.

    You should see a message asking you to select a verification code delivery method.

    Depending on how your organization is implementing the authentication method, you may not see the SMS and Voice Call options.

  3. Select your delivery method, enter the information for that method and then click Send. For example, if you want to have your verification code sent by SMS enter the appropriate mobile phone number.
  4. After you receive the code, enter it in the Enter Verification Code field, type a name for your device in the Device Name field and then click Register.

If you entered the code correctly, and another level of multi-factor authentication is not required on your account, you should be authenticated. The next time you access the portal using this device and browser, you can log in simply using your credentials.

If you enter the wrong code, you will see a message stating "The passcode entered is incorrect. Please try again." To do so, select your delivery method and request a new code. Once you correctly enter the new code, you will be authenticated. Depending on how your administrator has set things up, if you enter the wrong code repeatedly, you will see a message asking you to restart the login process. To do so, click the Back link.

If you are asked for another factor, select the desired authentication method and follow the steps shown on the screen.

When using device registration, EmpowerID stores the device registration information in a cookie on the specific browser you used. This means the device registration is only good for that browser and on the specific device you used. If you try to log in using another device—or another browser on the same device—you will need to repeat the device registration process.

Using FIDO 2UF

If your organization has enabled FIDO Universal 2nd Factor for multi-factor authentication, when logging in you will have the opportunity to authenticate using a certificate that is linked to your Yubikey device as a second factor. If multi-factor authentication is optional for your account, you do not need to use this method. However, if multi-factor authentication using FIDO Universal 2nd Factor is required, you must have a Yubikey device issued to you and authenticate using that device before gaining access to your resources.

To use FIDO Universal 2nd Factor as an authentication method, you must use Google Chrome or Opera as your browser. Firefox and Internet Explorer currently do not support the U2F protocol.

To use FIDO Universal 2nd Factor

  1. Log in to your organization's Web portal as you would normally do so.
  2. If multi-factor authentication is optional (or required and you have multiple options available to you) and you want to enable FIDO Universal 2nd Factor for your account, select FIDO Universal 2nd Factor and click Submit.

    The MFA options available to you depends on your administrator. You may see more or less options than shown below.

    If FIDO Universal 2nd Factor is required for your account, you will not see a screen asking you to select a multi-factor option. Instead, you will see the below screen.

    You should see a message asking you to insert your security key.

  3. Making sure your Yubikey is plugged into your computer, press the button or the gold disk on the key.

    Unless another level of multi-factor authentication is required on your account, you should now be authenticated.

    If you are asked for another factor, simply select the desired authentication method and follow the steps for that method.

    When you use this method of authentication, EmpowerID generates a certificate for the Yubikey that is linked to your EmpowerID Person. No other user can use your Yubikey device to authenticate using FIDO Universal 2nd Factor authentication.

Using EmpowerID One-Time Passwords

If your organization has enabled EmpowerID One Time Passwords for multi-factor authentication, when logging in you will have the opportunity to authenticate using this method as a second factor. If multi-factor authentication is optional for your account, you do not need to use this method.

To use EmpowerID One Time Passwords

  1. g in to your organization's Web portal as you would normally do so.
  2. If multi-factor authentication is optional (or required and you have multiple options available to you) and you want to enable One Time Passwords for your account, select One Time Password and click Submit.

    The MFA options available to you depends on your administrator. You may see more or less options than shown below.

    If EmpowerID One Time Password authentication is required for your account, you will not see a screen asking you to select a multi-factor option. Instead, you will see the below screen. option. Instead, you will see the below screen.

    You should see a message asking you to select a verification code delivery method.

    Depending on how your organization is implementing the authentication method, you may not see the SMS and Voice Call options.

  3. Select your delivery method, enter the information for that method and then click Send. For example, if you want to have your verification code sent by SMS enter the appropriate mobile phone number.
  4. After you receive the code, enter it in the Enter Verification Code field and then click Verify.

If you entered the code correctly, and another level of multi-factor authentication is not required on your account, you should be authenticated. The next time you log in to the portal, you will be asked to verify your identity with a verification code.

To use FIDO Universal 2nd Factor as an authentication method, you must use Google Chrome or Opera as your browser. Firefox and Internet Explorer currently do not support the U2F protocol.

Using DUO Two-Factor Authentication

If your organization has enabled Duo for multi-factor authentication, when logging in you will have the opportunity to register your Duo Security account in EmpowerID. If multi-factor authentication is optional for your account, you do not need use this method or register your Duo Security account. However, if multi-factor authentication is required, you must register your Duo account before gaining access to your resources.

In order to use Duo, you must have a Duo Security account and have the Duo Mobile app installed on your mobile device. If you do not have a Duo account, you can sign up for one by visiting https://signup.duo.com/. Once signed up, install the Duo Mobile app on your mobile device from the App Store that is applicable to your device.

To use DUO Two-Factor Authentication

  1. Log in to your organization's Web portal as you would normally do so.
  2. If multi-factor authentication is optional and you want to enable Duo for your account, select Duo Two-Factor Authentication and click Submit.

    The MFA options available to you depends on your administrator. You may see more or less options than shown below.

    If DUO two-factor authentication is required for your account, you will not see a screen asking you to select a multi-factor option. Instead, you will see the below screen.

    You should a message stating that your account requires DUO two-factor authentication.

  3. Click Start setup.
  4. Select the type of device you want to add and then click Continue. In this example, we are selecting Mobile phone as that is the recommended device.
  5. Enter and verify your phone number and then click Continue.
  6. Select the type of phone and then click Continue.
  7. Install Duo Mobile for your phone type and then click I have Duo Mobile installed. .
  8. Activate your Duo Mobile account for your organization by opening the opening the app on your phone, tapping the + button and scanning the barcode displayed on the page.
  9. Once you see the green check over the barcode, click Continue.
  10. Select your preferred authentication method from the When I log in drop-down and then click Continue to Login . You can choose to have Duo automatically send a Duo Push to your device, automatically call you or opt to make your choice on a case-by case basis.
  11. Proceed to log in and then choose your authentication method. In this example we are selecting Send Me a Push, which is the recommended method.
  12. If you selected Send Me a Push, Duo sends a notification to your mobile device. To continue to log in, click Approve and then Confirm.

Editing Your Multi-Factor Communication Options

When you enroll for multi-factor authentication (MFA), depending on the MFA method selected, you may need to provide EmpowerID with a preferred delivery method for receiving verification codes. Depending on how your administrator has configured your environment, delivery methods (also known as MFA communication options) could include email, SMS or voice call. When you select a delivery method, EmpowerID prompts you to enter the details for that method (such as your email address or phone number). You then verify your ownership of the email address or phone number by entering the code EmpowerID sends to it. Once verified, EmpowerID adds that communication option to your person as a trusted phone number or email address. The next time you perform an MFA method that requires a verification code, EmpowerID delivers it using this delivery method. If your phone number or email address changes, or you want to add additional phone numbers, email addresses and delivery methods (such as a voice call) you can do so from your person profile page. This article shows you how.

To edit your multi-factor communication options

  1. From any page of the EmpowerID Web interface, click your name and then select View Profile.

    This directs you to your personal profile page.

  2. From your profile page, click your display name link to go to your profile edit page.OATH Token and click Submit.
  3. From your profile edit page, click the Contact Information tab.

    If you enrolled for multi-factor authentication and selected a preferred delivery method, you will see it in the Trusted Phone Numbers and Email Addresses pane of the Phone Numbers section. In the below image, the user selected SMS as their preferred delivery method.

  4. To add a new trusted phone number or email address do the following:
    1. a. From the Trusted Phone Numbers and Email Addresses pane, click the Add button.

      This opens the Add Multi-Factor Communication Option modal.

    2. b. Click the Type drop-down and select the communication type you want to add.
    3. c. Click Next
    4. d. Depending on the communication type you selected, enter the appropriate phone number or email address and click Send Code
    5. e. Enter the code you received and then click Validate Code .

      If you entered the code correctly, you should see a Code Is Valid message

    6. f. Click Finish

      You should see the new communication type added to your trusted phone numbers and email addresses.

      The next time you do a MFA method that requires a verification code be sent to your phone or email address, you can select any of your trusted phone numbers and email addresses as the delivery method.

      You can delete a trusted phone number or email address by clicking the "X" beside the one you want to delete.

Using Passwordless Login

If your organization has enabled Passwordless login, you can login to your organization's site without needing to use your password. You authenticate using your EmpowerID user name or email address and one or more of the MFA types—such Device Registration and EmpowerID One-Time passwords —associated with your Password Manager policy.

To login using Passwordless login

  1. Point your browser to your organization's Web portal and then click the Passwordless Login link.
  2. Enter your EmpowerID login or email address and then click Submit.
  3. If you have not yet chosen an authentication method, you will be prompted to select one as shown below.

    If you have already authenticated with an authentication method, you can simply authenticate using that method.

  4. Follow the prompts to finish the selected authentication method.

    Unless another level of multi-factor authentication is required on your account, you should now be logged in. The next time you choose Passwordless login, simply authenticate using your selected authentication method(S).

    If you are asked for another factor, select the desired authentication method and follow the steps shown on the screen.

Installing the EmpowerID Mobile App

The EmpowerID Mobile App can be installed from the App Store for iOS and the Google Play Store for Android. Follow the instructions below for your device's operating system.

iOS

  1. Open the App Store on your iOS device.
  2. Search for EmpowerID.
  3. Locate the EmpowerID app and touch Get.

Android

  1. Open the Play Store on your Android device.
  2. Search for EmpowerID.
  3. Locate the EmpowerID app and select Install.

Registering a Mobile Device

Registering a Mobile Device to an account allows users to use Push and Passcode Multi-factor Authentication for logging into their EmpowerID account. If your administrator has made Mobile App Push an available MFA option in your Password Manager policy and MFA is required for your login, you will see an option to select Mobile App Push along with your other MFA options during login. The first time you select Mobile App Push, EmpowerID knows that you have not yet registered a mobile device and will show a QR code on the screen to allow registration of your phone. When the QR code is showing on the screen perform the following steps.

  1. Open the EmpowerID App.
  2. In the Authenticator View, touch the + icon to open the QR Code Reader.
  3. Scan the QR Code on your computer screen.
  4. You will see the new account in your account list.

An EmpowerID account may not be registered more than once on a single device. Multiple devices may be registered to EmpowerID account and multiple accounts can be registered to the same device.

If your EmpowerID person already has registered a mobile phone, you will not see the QR code during login to add another. You may return to this initial state by having an admin delete your Mobile Phone MFA Asset.

Note: Passwordless login does not allow registration of a Mobile Phone for security purposes.

Sending a Push

Using the EmpowerID Mobile App, use Push Authentication to login to EmpowerID.

NOTE: If you see a QR code when logging in, you need to register at least one device for your account. Refer to Register a Mobile Device.

  1. Open the EmpowerID App.
  2. Click Send Push
  3. In your mobile device, open the EmpowerID mobile app and touch Approve. The authentication process is completed and you are logged into EmpowerID.

Submitting an Authentication Code

Using the EmpowerID Mobile App, use Passcode Authentication to login to EmpowerID.

NOTE: If you see a QR code when logging in, you need to register at least one device for your account. Refer to Register a Mobile Device.

  1. Login to EmpowerID.
  2. Click the Enter Authentication Code link.
  3. On your mobile device, open the EmpowerID mobile app and touch Allow when prompted with the push notification. The authentication process is completed and you are logged into EmpowerID.

Editing the Name of an Account

To edit the name of an account in the EmpowerID Mobile App.

  1. Open the edit name dialog.
    • iOS -- Swipe left on the account list item and touch the Rename action.
    • Android -- Long press the account list item and touch the Rename action.
  2. Enter a new account name.

    Names are restricted to letters and numbers.

  3. Touch Save to save the new account name. You should see the app update to show the new name.

Deleting a Registered Mobile Device

To delete a registered mobile device in the EmpowerID Mobile App

  1. Touch the delete action.
    • iOS -- Swipe left on the account list item and touch the Delete action.
    • Android -- Long press the account list item and touch the Delete action.
  2. Touch Okay to confirm account deletion.

IT Shop Overview

The IT Shop makes requesting access to resources easy. Instead of navigating throughout the Web site looking for a specific resource—like an application, a role or a group, or a hard asset like a laptop—you can go to the IT Shop.

The IT Shop allows you to quickly see what resources you currently have access to and shop for more—both for yourself and for others. You simply search for what you want and put it in your cart. Once an item is placed in the cart, it stays in the cart until you check out or remove it. In this way, you can go about your business, navigating away from the IT Shop and even logging out of the EmpowerID Web application without losing the contents of your cart. When you are ready to checkout, that is, submit your access request(s), you review the items in your cart, add a reason for requesting those items and click Submit. Your requests then route for approval—first to managers and then to those with the RBAC delegations needed to make the final decision.

IT Shop Pages

The IT Shop contains the following four pages.

Find Resources

The Find Resources page (shown in the image above) contains all resources that have been published to the IT Shop. This page is the page you see when shopping for resources. From this page, you can search for and request access to any resources in the shop. Once your requests are in your cart, you simply submit them and wait for a response. If you have been given the delegations needed to access the resources without needing approval, the EmpowerID system grants you immediate access.

Resources in the IT Shop are divided by resource type (mailboxes, groups, shared folders, etc.) to allow you to filter the items for which you are shopping. You can tell which filter is being applied to the IT Shop by the image associated with the Search field. To change the filter, you select the image that represents the resource type. These filters are as follows:

Filters
Filter Image
Filter

This is the unfiltered or default view of the IT Shop. When you see this filter in the IT Shop Search field, your search returns all published resources having the searched for parameter. Thus, if you pass in "Bike Team" as your search parameter and there is a shared folder named "Bike Team," a mailbox named "Bike Team," and a group named "Bike Team," all three resource items are returned.

Filter Image
Filter

This is the application filter. When you see or apply this filter to the IT Shop Search field, your search returns published applications only.

Filter Image
Filter

This is the asset filter. When you see or apply this filter to the IT Shop Search field, your search returns published assets only.

Filter Image
Filter

This is the mailbox filter. When you see or apply this filter to the IT Shop Search field, your search returns published mailboxes only.

Filter Image
Filter

This is the group filter. When you see or apply this filter to the IT Shop Search field, your search returns published groups only.

Filter Image
Filter

This is the Management Role filter. When you see or apply this filter to the IT Shop Search field, your search returns published Management Roles only.

Filter Image
Filter

This is the Shared Folder filter. When you see or apply this filter to the IT Shop Search field, your search returns published shared folders only.

My Resources

The My Resources page provides a central location for you to see all the resources to which you currently have access, as well as the type of access to those resources you have. Similar to the Find Resources page, the My Resources page can be filtered to show resources by resource type.

The image below shows the My Resources page with the application filter applied.

Resources I Manage

The Resources I Manage page provides a central location for you to see and manage all the resources for which you are a resource owner. In EmpowerID, resource owners are delegated with the ability to grant other users access to those resources. As with the Find Resources and My Resources pages, the Resources I Manage page can be filtered by resource type.

The below image shows the Resources I Manage page with the shared folder filter applied.

As shown in the image above, each resource item record contains an Who Has Access link. When clicked, this link opens an Assignee pane, which allows the resource owner to see who currently has access to the resource and the type of access they have, as well as provides them with the ability to grant new access assignments against the resource.

Workflows

The Workflows page provides a central location for you to access any self-service workflow to which you are entitled, such as the Change Your Password and Edit Your Profile Information workflows.

Requesting Access to Resources

If you need access to resources you currently do not have, you can submit an access request for those resources from the IT Shop. As long as you have the ability to shop in the IT Shop and your organization has made the resource requestable. If you have the ability to shop in the IT Shop, but do not see the specific resource you want, most likely your organization has not made that resource requestable.

Once you find the resource for which you are looking and submit your request, EmpowerID sends the request to the Tasks and Requests Center for the appropriate people to either approve or reject. As the requesting person, EmpowerID places the request in your personal Request Center, where you can view the status of the request and see who has the ability to approve it.

To request access to resources

  1. From the Navigation Sidebar, expand t IT Shop and click Find Resources.

    If you do not see a node for the IT Shop in the Navigation Sidebar, this means you have not been given access to the IT Shop and cannot request access to new resources.

  2. In the IT Shop, search for the resource you are requesting and then click the Request Access link for that resource.
  3. Click the link beside the type of access you are requesting.
  4. Click Save.

    The Temporary Access option allows you to put date and time constraints on the access request. In this way, if you are a manager who is shopping for others, you can choose to limit the access assignment for that person when permanent access is not necessary.

    When this option is selected, you set the date and time ranges by clicking in the Access Begins and Access Ends fields and picking the appropriate values from the Calendar.

    Additionally, you can restrict the access to certain days and hours of the week by clicking Enable Day of Week Restrictions > Hours of the Day Allowed and setting the restrictions in the from and to fields for each day.

    This adds the request to the shopping cart.

  5. Click the shopping cart, type a reason for the request in the cart dialog and then click Submit.

    EmpowerID sends the request for approval. You can view the status of your request in the Request Center. For more information, see Viewing the Status of Your Access Requests.

Viewing Your Request Status

When you submit requests for resources and those requests go for approval, you can view the status of those requests in the Request Center, and interact with them further if needed.

To view the status of your access requests

  1. From the Navigation Sidebar, expand Tasks and Requests Workflow Tasks and click Requests Pending.

    This opens your personal view of the Request Center, which display all requests you have submitted that have yet to be acted on.

  2. Select an open request and click the drop-down arrow beside the request. This allows you to view more detailed information about the request as well as provides a link to the Task Details page for the request.

    Clicking the balloon icon to the right of the drop-down arrow opens the Comments pane for your request. This pane allows you to view any comments made by you, as well as any made by potential approvers.

    You can add new comments to the request by clicking the Add a comment link and typing your comments in the text field that appears.

    Clicking the person icon to the right of the balloon icon opens the Approvers pane for your request. This pane allows you to view all potential approvers of your request.

  3. If you wish to go to the Task Details page for the request, click the link for the access request.

    The Task Details page allows you to quickly see the status of the task as well as provides several accordions that when expanded allow you to view specific information about the task. These accordions are as follows:

    • Approvers Accordion — This accordion displays all possible approvers of the request.
    • Comments Accordion — This accordion displays the comments you made initially when justifying your request as well as any comments made by a potential approver. You can also add new comments to the request from the accordion. To do so, you type the new comment in the Add Comment field and press ENTER.
    • Decisions Accordion -- This accordion allows you to view any decision made concerning the request.
    • Affected Resources Accordion -- This accordion allows you to view the resources involved with your request. The affected resources will always include your person (which is a resource in EmpowerID) and the resource you want to access.
    • Process Flow Accordion -- This accordion allows you to see where your request is within the processes (workflow) involved with approving or rejecting it. Completed processes are notated with green lines while incomplete are notated with black lines.

Granting Access to Resources

If you are a resource owner (known as an "Access Manager" in EmpowerID) or another user delegated the ability to manage resources, you can view and manage the access assignments to those resources from the Resources I Manage page of the IT Shop. For example, if you are a group owner, you can add and remove people to and from the group as needed, as well as grant them additional levels of access.

Prerequisites

In order to manage access to the resources you manage from the IT Shop, you need to have access to the following EmpowerID resources:

  • IT Shop I Manage page - This page allows you to view any resources for which you are either an owner or a delegated manager.
  • UpdateAssignments workflow - This workflow allows you to initiate updating the access assignments of another person.

If you do not have access to these resources, you can request them from the IT Shop if your organization has made them requestable. If they are not in the IT Shop, you will need to speak with your manager.

To grant access to the resources you manage

  1. From the Navigation Sidebar, expand IT Shop and click Resources I Manage.
  2. From the Resources I Manage page, search for the resource that you want to give another user access to and then click the Who Has Access link for that resource

    This opens the Access pane. This pane shows you who currently has access to the resource and the type of access they have. At a minimum, you can see your access.

    The Access pane is comprised of the following components:

    1. Assignee Type Drop-down - This allows you to filter the results returned to the pane by EmpowerID actor type. Search Field - Allows you to search for a specific assignee with current access. Assignee Grid - Displays the assignees who currently have access to the resources and provides the functionality for adding and removing assignees.
  3. Select the appropriate actor type for the access assignment from the Assignee Type drop-down. In this example, we are granting access to another person, so we are selecting Person .
  4. From the Assignee Grid, click the Add (+) button.
  5. In the Grant Access pane that appears, type the name of the person to whom you want to grant access and then click the tile for that person.
  6. In the Grant Access pane, type the Access Level you want to grant the person and then click the tile for that Access Level.
  7. If the access is to be temporary, select Temporary Access . When this option is selected, you set the date and time ranges by clicking the Valid From and Valid To fields and picking the appropriate values from the Calendar.
  8. Additionally, you can restrict the access to certain days and hours of the week by clicking the Hours of the Day Allowed drop-down button and setting the restrictions in the from and to fields for each day.
  9. Click Save.
  10. Repeat for each additional access assignment you want to make.
  11. When you have finished adding access assignments for the resource, click the Shopping Cart located at the top of the page, type a reason for the request in the cart dialog and then click Submit.

    The new access assignment appears in the Assignee Grid.

Responding to Access Requests

If you are a manager, resource owner or other user delegated the ability to respond to access requests submitted by people within your organization, EmpowerID routes the access request to you, creating a task for you to complete. This topic demonstrates how to interact with those tasks from your Tasks To Do view, approving or rejecting the access requests associated with them.

If your organization has configured EmpowerID for email approvals, you can approve access requests directly from your email client. This is advantageous in situations where you are not logged in to EmpowerID. For more information, see Responding to Email Requests.

To respond to access requests from your Tasks To Do view

  1. From the Navigation Sidebar, expand Tasks and Requests, then Workflow Tasks, and click Tasks To Do.
  2. If there is an Access Request awaiting your action, it appears in the grid.
  3. Click the drop-down arrow beside the request. This allows you to view more detailed information about the request as well as make a decision to approve or reject the request.
  4. Click the drop-down arrow beside the request. This allows you to view more detailed information about the request as well as make a decision to approve or reject the request.
  5. To approve or reject the request, click the Decision Selection drop-down and then click the appropriate response. In our example, we are approving the request.
  6. After EmpowerID processes the operation, click the Tasks Completed node in the Navigation Sidebar.

    The request you just approved appears.

  7. Click the drop-down button for the request and then click the task link.

    This directs you to the View page for the task. This page allows you to view the details of the task, including who initiated the request, who approved and what resources were affected.

Responding to Email Requests

If you are a manager, resource owner or other user delegated the ability to respond to access requests submitted by people within your organizations—and EmpowerID is configured for email approvals—you can respond to those access requests from your email client, apart from interacting directly with the request in your To Do Tasks or being in an active authenticated state. To do so, you simply reply to the email EmpowerID sends you with "Approved" or "Rejected". EmpowerID reads the response and submits your decision.

To respond to the Access Request from Email

  1. From your email client, locate and open any email containing an access request. The subject for the email looks something like "RequestID:X Pending Approval-..."
  2. Reply to the email with "Approved " or "Rejected"
  3. EmpowerID submits your decision.

Removing Access to Resources You Manage

If you are a resource owner (known as an "Access Manager" in EmpowerID) or another user delegated the ability to manage resources, you can view and manage the access assignments to those resources from the Resources I Manage page of the IT Shop. For example, if you are a group owner, you can add and remove people to and from the group as needed, as well as grant them additional levels of access. This topic demonstrates how to remove access to resources you own.

Prerequisites

In order to manage access to the resources you manage from the IT Shop, you need to have access to the following EmpowerID resources:

  • IT Shop I Manage page — This page allows you to view any resources for which you are either an owner or a delegated manager.
  • UpdateAssignments workflow — This workflow allows you to initiate updating the access assignments of another person.

If you do not have access to these resources, you can request them from the IT Shop if your organization has made them requestable. If they are not in the IT Shop, you will need to speak with your manager.

To remove access to the resources you manage

  1. From the Navigation Sidebar, expand IT Shop and click Resources I Manage.
  2. From the Resources I Manage page, search for the resource for which you want to remove access from another user and then click the Who Has Access link for that resource.

    This opens the Access pane. This pane shows you who currently has access to the resource and the type of access they have.

    The Access pane is comprised of the following components:

    • Assignee Type Drop-down- This allows you to filter the results returned to the pane by EmpowerID actor type.
    • Search Field - Allows you to search for a specific assignee with current access.
    • Assignee Grid - Displays the assignees who currently have access to the resources and provides the functionality for adding and removing assignees.
  3. Select the appropriate actor type for the access assignment from the Assignee Type drop-down. In this example, we are removing access from another person, so we are selecting Person.
  4. Search for the actor from whom you want to remove access.
  5. From the Assignee Grid, click the Remove Access button for the actor.
  6. Select the appropriate actor type for the access assignment from the Assignee Type drop-down. In this example, we are removing access from another person, so we are selecting Person.
  7. Repeat for each access assignment you want to remove and when ready click the Shopping Cart located at the top of the page.
  8. Type a reason for the removal in the cart dialog and then click Submit.

Creating Audit Recertification Policies

Recertification policies are policies that you add to audits to generate recertification review tasks for the access assignments given to people, roles, groups and Query-Based collections. Once you create an Recertification policy, you then scope the policy by adding targets, such as a specific Business Role and Location or group, to it.

Policy Usage
Access for Active People (Logged in Last 90 Days) For certifying the EmpowerID access assignments for all people who logged in during the last 90 days.
All Access Assignments for Shared Folders flagged as Audit For certifying shared folder access.
Certify Access Assignments for Resource Mailboxes For certifying access to resource mailboxes.
Direct Reports Recertification - All People Logged in Last 90 Days For managers to recertify any direct reports who have logged in within the last 90 days.
Mailbox Permissions For certifying mailbox permissions.
Management Role Access For certifying the access granted to Management Roles.
Person Access Summary for People Logged in Last 90 Days For certifying the access of all people who have logged in within the last 90 days.
Person Direct Entitlements For managers to certify or revoke the access of their direct reports.
SharePoint Group Access Assignments All EmpowerID access assignments for SharePoint groups.

To create a Recertification Policy

  1. Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.
  2. From the navigation sidebar, expand For Auditors and click Audit Configuration.
  3. From the Audit Configuration page, click the Actions tab and then click Create Recertification Policy.
  4. In the Policy Details form that appears, select the appropriate policy type from the Policy Type drop-down. When selecting policy types, you have the following options:
    • Assignee Granted Security — This Recertification policy type creates a snapshot of the Access Level Assignments and Management Role assignments granted to an assignee as an actor.
    • Direct Reports — This Recertification policy type creates a snapshot of who reports to whom.
    • Exchange Mailbox Permissions — This Recertification policy type creates a snapshot of who currently has what type of access to a given Exchange mailbox.
    • Folder Permissions — This Recertification policy type creates a snapshot of who currently has what type of access to a given Windows folder.
    • Group Membership — This Recertification policy type creates a snapshot of who currently has membership in a given group.
    • Person Access Summary — This Recertification policy type creates a snapshot of all of the access assignments currently granted to a Person, and includes the following:
      • All RBAC assignments, including direct, relative, and by location assignments
      • Business Role and Location assignments
      • Any group memberships, including those on their accounts and those granted through RBAC
      • Any Management Role memberships
      • Account and group ownership
      • Any native permissions, such as NTFS permissions for shared folders and Exchange mailbox permissions/acls
    • Person Direct Entitlements — This Recertification policy type snapshots the current access granted to people and creates recertification tasks for the managers of each person targeted by the policy.
    • Management Role Membership — This Recertification policy type creates a snapshot of current assignees of a Management Role.
    • Resource Granted Security — This Recertification policy type creates a snapshot of who currently has access to any given resource object for which the policy is created.
  5. In our example, we are selecting Person Direct Entitlements.
  6. Type the appropriate information for the Recertification policy in the Name, Display Name and Description fields.
  7. Select Enabled to enable the policy.
  8. Click Save.
After EmpowerID creates the policy, a Target grid appears on the Policy Details page. This grid allows you to add and remove Recertification targets to and from the policy. Recertification targets allow you to scope the Recertification policy to the specific IT objects you want to audit and can include multiple EmpowerID Actor types, including individual resources, people, roles, locations, groups and Query-based Collections (SetGroups). This is demonstrated in the Adding Targets to Policies topic.

Adding Targets to Policies

Once you have created a Recertification policy you can scope the policy by adding targets to it. Recertification policy targets are the specific IT objects you wish to audit and can include multiple EmpowerID Actor types, including individual resources, people, roles, locations, groups and Query-based Collections (SetGroups).

To add targets to Recertification Policies

  1. Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.
  2. From the Navigation Sidebar, expand For Auditors and click Audit Configuration.
  3. From the Audit Configuration page, click the Recertification Policies tab, search for the Recertification Policy to which you want to add a target, and click the Display Name link for that policy.
  4. From the Policy Details page that appears, click the Add button in the Target grid. This opens the Policy Target dialog, which provides fields for selecting the type of resource—such as Business Role and Location—as well as the specific object from that type, such as Sales Rep in Boston. By default, the Policy Target dialog opens with Business Role and Location selected as the type. To select another type, like Group, select it from the Type drop-down.
  5. Select the appropriate target type from the Type drop-down. In our example, we are targeting a Business Role and Location, therefore the following steps demonstrate the procedure for picking the target Business Role and Location.
  6. In the Business Role pane, search for and select the Business Role you want to target.
  7. In the Location pane, search for and select the location.
  8. Click Save.
  9. Repeat the above steps as needed to add other targets (of any type, such as a group, etc.) to the policy.
Once you have added targets to the Recertification policy, the policy needs to be attached to an audit in order to create recertification tasks. However, before you can attach the policy to an audit, you must first create the audit. This is demonstrated in the Creating and Configuring Audits topic.

Creating and Configuring Audits

In EmpowerID, an audit is a user-defined, logically named object for identifying or grouping recertification tasks and running the Recertification policies that generate those tasks. When you create an audit, you add Recertification policies to it to define what you want to audit. Then when the audit runs, it compiles those Recertification policies, creating the appropriate recertification tasks.

To create and configure an audit

  1. Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.
  2. From the Navigation Sidebar, navigate to the Audit Configuration page by expanding For Auditors and clicking Audit Configuration.
  3. From the Audit Configuration page, click the Actions tab and then click Create Audit.
  4. In the Audit Details form that appears, type an appropriate name, display name and description for the audit in the Name, Display Name and Description fields, respectively.
  5. Select the date you want the audit to start from the Started field. The start date must either be the present date or a future date. If you select a past date, the audit will not compile.
  6. Select the date you want the audit to end from the Due Date field. The due date must either be the present date or a future date. If you select a past date, the audit will not compile.
  7. In the Audit Owner field, type the name of the person who is to be the audit owner and then click the tile for that person. When creating audits, it is important to assign an owner to those audits. In EmpowerID, the audit owner is the auditor. Auditors are the only people who can compile their audits.
  8. Select Enabled. This allows the audit to compile any Recertification polices belonging to it.
  9. Click Save.

After EmpowerID creates the audit, you will see a Recertification Policy grid appear on the Audit Details page. This grid allows you to add and remove Recertification Policies to and from the audit. In order for the audit to create recertification tasks, it needs to have at least on Recertification policy. This is demonstrated in the below section, as well as treated separately in the Adding Recertification Policies to Audits topic.

Adding Recertification Policies to Audits

In EmpowerID, an audit is a user-defined, logically named object for identifying or grouping recertification tasks and running the Recertification policies that generate those tasks. After creating an audit, you add Recertification policies to it to define what you want to audit. Then when the audit runs, it compiles those Recertification policies, creating the appropriate recertification tasks.

To add recertification policies to audits

  1. Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.
  2. In the Navigation Sidebar, expand Compliance Management and click Audit Configuration.
  3. Click the Audits tab and search for the audit to which you want to add a Recertification policy.
  4. Click the Audit link. This opens the View One page for the Audit. View One pages allow you to view information about an object in EmpowerID and manage it as needed.
  5. From the audit's View One page, expand the Recertification Policies accordion and click the Add New Recertification Policy (+) button in the Policy grid.
  6. In the Recertification Policy dialog that appears, type the name of the policy you want to add to the audit, and then click the tile for that policy.
  7. Optionally, type a number in the Ignore Any Certified Within Last X Days field.
  8. Click Save to add the Recertification policy to the audit. The policy is added to the Recertification Policies grid.

To add exclusions to the Policy

Optionally, you can keep the audit from creating recertification tasks for certain access assignments that would normally be generated by the recertification policy.

  1. On the Recertification Policy grid, click the Exclusions button for the policy. This opens a view with two grids: Exclude These Entitlements and Exclude These Entitlement Types. These grids allow you to exclude entitlements granted to specific actors, such as individual people or groups, as well as entitlement types, such as roles or groups that have no bearing for the audit.
  2. To exclude a specific entitlement, in the Exclude These Entitlements grid, click the Add button. This opens the Attestation Policy Target dialog, where you can select the type of resource, such as Business Role and Location, and a specific object of that type, such as Sales Rep in Boston.
  3. Select a target type from the Type drop-down, for example, Management Role. A box (or if you choose Business Role and Location, a pair of tree selectors) appears to the right.
  4. Click in the box and press Enter for a list of available options, or type the name of the specific actor to exclude, in this case "customer," select the tile for the actor, and click Save. The Customer actor type is added to the grid of entitlements to exclude from this audit.
  5. To exclude a type of entitlement, in the Exclude These Entitlement Types grid, click the Add button.
  6. Select a Type from the drop-down list. The following types are available:
    • Business Role excludes business roles from the type of entitlements audited.
    • Group Membership excludes group membership from the type of entitlements audited.
    • Inherited Direct by Business Role excludes any access inherited directly from the person's business role from the type of entitlements audited.
    • Inherited Direct by Management Role excludes any access inherited directly from the person's management role from the type of entitlements audited.
    • Inherited Direct by Primary Business Role excludes any access inherited directly from the person's primary business role from the type of entitlements audited.
    • Inherited Location based by Business Role excludes any location inherited from the person's business role from the type of entitlements audited.
    • Inherited Location by Primary Business Role excludes any location inherited from the person's primary business role from the type of entitlements audited.
    • Inherited Management Role by Primary Business Role excludes any management role inherited directly from the person's primary business role from the type of entitlements audited.
    • Inherited Role Group Membership excludes any group membership inherited from the person's role from the type of entitlements audited.
    • Management Role excludes management roles from the type of entitlements audited.
    • Primary Business Role excludes primary business roles from the type of entitlements audited.
    • Resource Role excludes resource roles from the type of entitlements audited.
    • Role Group Membership excludes role group membership from the type of entitlements audited.
  7. Click Save. The type is added to the grid of excluded entitlement types. Once you have finished adding your Recertification policies to the audit, the next step is to generate the recertification tasks associated with the policies. You do this by compiling the audit. This is demonstrated in the Compiling Audits topic.

Compiling an Audit

In order to create recertification tasks for audit participants to review and certify to, the audit needs to be compiled. When an audit is compiled, EmpowerID creates a certification task for each of the resources included in the Recertification policies associated with the audit. For example, if you an audit with a Recertification policy that targets the access assignments of each manager's direct reports, compiling the audit will generate recertification tasks for those managers.

To compile audits

  1. Log in to the EmpowerID Web application as an audit owner.
  2. From the Navigation Sidebar, expand For Auditors and click Audit Configuration.
  3. From the Audit Configuration page, click the Audits tab and search for the audit you want to compile.
  4. From the Audit grid, click the View Dashboard link for the audit. This takes you to the Audit Compliance Audit Details page for the audit. This page provides you with a dashboard for quick analysis of the audit's status as well as a Policies tab for viewing the Recertification policies belonging to the audit and a Communication tab that can be used to send email messages to audit participants.
  5. From the Dashboard tab, click the Compile button to start generating Recertification tasks.
  6. While the audit is compiling, you can click the Policies tab to see how many tasks and review items are being generated. With the audit compiling, each audit participant receives a Recertification task. We discuss how to respond to those tasks in the Responding to Recertification Tasks topic.

Fulfilling Revokes

Once recertification tasks have been completed by line managers and approved by auditors performing revoke quality checks, EmpowerID creates Fulfillment tasks for each team responsible for removing user access to each revoked resource within any external application for which their team is an owner. Any member of the team can fulfill the revoke. As a Fulfillment team member, once you revoke access in the application, you certify in EmpowerID that you have done so. Your certification completes your task.

To fulfill revokes

  1. Log in to the EmpowerID Web application as a Fulfillment team member.
  2. From the Navigation Sidebar, expand Tasks and Requests and click Tasks To Do.
    Any Fulfillment tasks you have are listed.
  3. Click the drop-down arrow beside the Fulfillment task and click View Approval Form. This directs you to the Process Entitlement Fulfillment page. This page allows you to view information about the task and includes a grid of each user removal that you must execute in the external application for which you are an owner.
  4. After you have finished processing the revokes in the application, click Submit.
    EmpowerID processes your submission and marks the task as completed. You can view this from your Tasks Completed view.
  5. To view more details about the Fulfillment, click the drop-down arrow beside the task and then click task link. This directs you to the View One page for the task. This page allows you to view information about the task, including other Fulfillment tasks related to it.
  6. As you can see from the above image, there are still two Fulfillments that need to be performed. After the appropriate teams complete their Fulfillment tasks, EmpowerID processes the removals and marks the Fulfillments completed.

Performing Revokes Quality Checks

Once recertification tasks have been completed by line managers, as the auditor you need to review and approve or reject any revokes executed by those line managers. In EmpowerID, this action is known as Revokes Quality Checks. Once you approve the revokes, if the resources represented by those revokes live in a system to which EmpowerID is connected, EmpowerID completes the revocation by removing those resources. If the resources live in a system to which EmpowerID is not connected, EmpowerID routes the revokes to the Fulfillment teams responsible for maintaining access to the resources in those disconnected systems.

To perform a Revokes Quality Check

  1. Log in to the EmpowerID Web application as the auditor responsible for performing Revoke Quality Checks.
  2. From the Navigation Sidebar, expand For Auditors and click Revokes Quality Check.
    All revokes executed by each line manager involved with the recertification are listed.
  3. Optionally, if you want to view more information about a revoke, click the Task ID link for for it. This directs you to the Recertification Details page, where you can view all the recertification decisions made by the line manager for the person. When you have finished viewing the details, click the back button on your browser to return to the Revokes Quality Checks page
  4. From the Revokes Quality Check page, choose whether to process the revokes or ignore them. When doing so, you have two options:
    • You can select all revokes on the current page by checking the box in the grid header. EmpowerID adds each revoke to the Selected basket.
    • You can select individual revokes by checking the box beside the revoke. This is most useful in scenarios where you either want to further review the revokes before processing them or ignore them altogether.
  5. Once you have finished your selections, either click Process Selected to send the revokes to your Fulfillment teams or click Ignore Selected to close the revokes.
EmpowerID creates Fulfillment tasks for each Fulfillment team responsible for removing the access assignments in the external applications they own. The Fulfillment process is discussed further in the Fulfilling Revokes topic.

Getting an API Key

EmpowerID is an extendable Identity and Access Management (IAM), Single Sign-On and workflow development platform that uses thousands of workflow operations with real-time access checks to give organizations the security tools needed to control who can do what, where and when with their resources. Through its Web API, you the developer, can access and extend these features in your own applications. The API is built on the principles of REST and is organized around the components (resource objects, like user accounts, EmpowerID people, Exchange mailboxes, workflows, etc.,) of the EmpowerID platform. This topic is an introductory topic to using the EmpowerID API, showing the basic steps needed to successfully call it. To get started, have your organization assign you the SSO Application Developer Management Role. Among other things, this role gives you the ability to create OAuth applications in EmpowerID. Once you have the role, follow the rest of the topic to begin working with the EmpowerID API.

Getting an API Key

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > SSO Connections and click OAuth.
  2. From the EmpowerID OAuth Client Apps tab of the OAuth page, click the Add button.
  3. In the OAuth Provider Application Details page that appears, type a name, display name and description for the application in the Name, Display Name and Description fields, respectively.
  4. Select Active from Application Status.
  5. Scroll to the Callback URLs section of the form and click the Add New button.
  6. In the Redirect URI field, enter https://yourserver/webidpforms/oauth/v2, replacing "yourserver" with the FQDN of your EmpowerID Web server.
  7. Click Save to close the Callback URLs dialog.
  8. Back on the main page, click Save.
  9. Once the application is created, return to the EmpowerID OAuth Client Apps page and click the link for the application you just created.
  10. Copy the API Key, the Client ID and the Client Secret. You will need these to get an access token.

Getting an Access Token

After registering an application in EmpowerID, the next step for working with the API is to use the credentials generated for that application—which consists of the API Key, the Client ID and the Client Secret—to get an access token. The access token is what authorizes resource API calls. The resources that can be manipulated vary, depending on the Access Levels associated with the application user. Access tokens can be issued as OAuth 2.0 tokens or JWT tokens. In this topic, we demonstrate getting an OAuth 2.0 token.

To get an access token

To get an access token, you need to make a POST request to https://{FQDN_Of_Your_EmpowerID_Web_Server}/oauth/v2/token with the following header and data value pairs:

Headers

Key Value
Authorization This is the Basic authentication scheme for the EmpowerID Person requesting the access token. To use this scheme, you set the value to the base-64 encoded value of the person's username and password. To get this value, you can visit one of many websites that provide this service, write your own code, or use a REST client like Postman.
Content-Type application/json
X-EmpowerID-API-Key The API key for the OAuth application you created.

Request Data
Request data is sent to the API in JSON format.

            >
                {
                    "client_id": "{The Client ID of the OAuth app you created above}",
                    "client_secret": "{The Client Secret of the OAuth app you created above}",
                    "redirect_uri": "{The Redirect URI of the OAuth app you created above}",
                    "grant_type": "password"
                }
            
        

Response
If the request is successful, you should receive a JSON response that looks similar to the following:

            >
                {
                    "access_token": "WER1RFdjUVF1OE52ekdWZjJIQjMzSHVqcERQT0p5c...aZW",
                    "token_type": "Bearer",
                    "expires_in": 3600,
                    "refresh_token": "YnQrRHhuyYmNidzY3MTFSVnE1Q1BLN1RuZ1liOH...WQ==",
                    "id_token": "null",
                    "error": "",
                    "error_description": "null"
                    }
            
        

Code Examples
cURL

            >
                curl "https://{FQDN_Of_Your_EmpowerID_Web_Server}/oauth/v2/token" \
                -H "X-EmpowerID-API-Key: {Your_API_Key} \
                -H "Authorization: Basic {base64_encoded_value_of_the_EmpowerID_Person_username_and_password}" \
                -H "Content-Type: application/x-www-form-urlencoded" \
                -d "grant_type=password&client_id={Your_Client_ID}&client_secret={Your_Client_Secret}&redirect_uri=
                https://{FQDN_Of_Your_EmpowerID_Web_Server}/webidpforms/oauth/v2"
            
        

Ajax

            >
                var auth = btoa("EmpowerID_Person_Username:EmpowerID_Person_Password")
                $.ajax({
                    url: "https://{FQDN_Of_Your_EmpowerID_Web_Server}/oauth/v2/token",
                    type: "POST",
                    
                    headers: {
                    "X-EmpowerID-API-Key": "1a9e18d5-7ec8-4214-b4e7-23b550c9c6ba",
                    "Content-Type": "application/json",
                    "Authorization": "Basic " + auth   
                    },
                    
                    data: JSON.stringify({
                    "client_id": "Your_Client_ID",
                    "client_secret": "Your_Client_Secret",
                    "redirect_uri": "https://{FQDN_Of_Your_EmpowerID_Web_Server}/webidpforms/oauth/v2", 
                    "grant_type": "password"
                    })
                });
            
        

Postman Example
If you'd rather manage your API calls with a more graphically oriented tool, there are a number of browser extension applications that you can use, such as Postman for Chrome and RESTClient for Firefox. In this topic, we use Postman.

  1. Open the Postman app on your machine.
  2. In Postman, open a new tab, select POST as the HTTP method and enter https://{FQDN_Of_Your_EmpowerID_Web_Server}/oauth/v2/token.
  3. Click the Headers tab add the above mentioned key/value pairs.
  4. Click the Body tab, select raw and then add the below JSON:
                        >
                            {
                                "client_id": "{Your_Client_ID}",
                                "client_secret": "{Your_Client_Secret}",
                                "redirect_uri": "https://{FQDN_Of_Your_EmpowerID_Web_Server}/webidpforms/oauth/v2", 
                                "grant_type": "password"
                            }
                        
                    
  5. Click Send.
    If the request is successful, you should receive a JSON response that looks similar to the following:

Now that you have the access token for your application, you can start working with the API as demonstrated in the Creating a Person topic.

Creating a Person

To call the API so that it performs the operations or returns the data requested by your application, you need to make a POST request to the appropriate endpoint. When creating new resources like an EmpowerID Person, you need to POST a request to the endpoint that starts the EmpowerID Workflow service, passing to the API the necessary header and request data. For creating an EmpowerID Person, this data is as follows.

Endpoint

Headers

Key Value
X-EmpowerID-API-Key The API key for the OAuth application you created above.
Authorization The OAuth token you received from EmpowerID.
Content-Type application/json

Request Data

Request data is sent to the API in JSON format. The data in the below request represents the minimum key/value pairs required for creating an EmpowerID Person. The API Reference includes all possible key/value pairs that can be submitted when creating people.

OutputParameters are optional, but are useful for viewing the results of the operation.

Element Description Type Required
Name Name of the workflow String Required
InputParameters Workflow input Data Object Required
TargetPerson Attributes of the person Data Object Required
FirstName First name of the person String Required
LastName Last name of the person String Required
PrimaryOrgRoleOrgZoneID Primary Business and Location of the person Integer Required
OutputParameters Workflow output Data Object Optional

Code Examples

In the examples, we are passing in the minimum number of parameters and requesting an output showing the PersonID, LastName and FirstName attributes of the person that is created by the operation.

cURL

Be sure to use double quotes unless you are making the request from a non-Windows OS.

Request

Ajax

Response

If the request is successful, you should receive a JSON response that looks similar to the following:

Postman Example

  1. Open the Postman app on your machine.
  2. In Postman, open a new tab, select POST as the HTTP method and enter https://{FQDN_Of_Your_EmpowerID_Web_Server}/api/services/workflow/start.
  3. Click the Headers tab and add the above mentioned key/value pairs.
  4. Click the Body tab, select raw and then add the below JSON:
  5. Click Send.

    If the request is successful, you should receive a JSON response that looks similar to that shown below.

Editing People

To call the API so that it performs the operations or returns the data requested by your application, you need to make a POST request to the appropriate endpoint. When creating new resources like an EmpowerID Person, you need to POST a request to the endpoint that starts the EmpowerID Workflow service, passing to the API the necessary header and request data. For creating an EmpowerID Person, this data is as follows.

The below example demonstrates editing an EmpowerID Person by editing the Title attribute of the person created in the above example.

Endpoint

Headers

Key Value
X-EmpowerID-API-Key The API key for the OAuth application you created above.
Authorization The OAuth token you received from EmpowerID.
Content-Type application/json

Request Data

Request data is sent to the API in JSON format. The data in the below request represents the minimum key/value pairs required for editing an EmpowerID Person.

OutputParameters are optional, but are useful for viewing the results of the operation.

Element Description Type Required Note
Name Name of the workflow String Required
InputParameters Workflow input Data Object Required
TargetPerson Specifies the object of the operation Data Object Required
PersonID ID of the person Integer Required
Title Attribute being edited String Required At least one attribute needs to be edited. In this example, Title is the attribute. You add each attribute being edited to the request.

Code Examples

cURL

The following shows an example of editing a Person using cURL.

Be sure to use double quotes unless you are making the request from a non-Windows OS.

Request

Response

If the request is successful, you should receive a JSON response that looks similar to the following:

Postman Example

  1. Open the Postman app on your machine.
  2. In Postman, open a new tab, select POST as the HTTP method and enter https://{FQDN_Of_Your_EmpowerID_Web_Server}/api/services/workflow/start.
  3. Click the Headers tab and add the above mentioned key/value pairs.
  4. Click the Body tab, select raw and then add the below JSON:
  5. Click Send.

    If the request is successful, you should receive a JSON response that looks similar to that shown below.

Authorization API

The Authorization API provides endpoints that allow you to call specific HasAccess() checks against a selected resource. This allows you to view what the people in your environment can do with specific resources, as well as view their current roles and other assignments.

In the examples, be sure to replace {Your_Access_Token} with your token and {Your_API_Key} with the API key for your application.

HasAccessToResource

This endpoint allows you to check whether a person can perform operations against two resources, such as approving a request to add a person to a group.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key X-EmpowerID-API-Key
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
resource1 GUID of the resource targeted by the operation
operation Display Name of the operation
Code Examples

Ajax

HasAccessToDualResource

This endpoint allows you to check whether a person can perform operations against two resources, such as approving a request to add a person to a group.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
resource1 GUID of the first resource targeted by the operation
operation Display Name of the operation
resource2 GUID of the second resource targeted by the operation
Code Examples

Ajax

HasRoleForResource

This endpoint allows you to check whether a person has a specific Access Level for a set of given resources.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
resource1 GUID of the first resource targeted by the operation
operation Display Name of the operation
resource2 GUID of the second resource targeted by the operation
Code Examples

Ajax

HasAccessToWorkflow

This endpoint allows you to check whether a person can initiate a specific workflow.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EEmpowerID login of the person you are checking
resource Display Name of the workflow
Code Examples

Ajax

HasAccessToWorkflows

This endpoint allows you to check whether a person can initiate both of the specified workflows.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
workflows Comma separated Display Name of each workflow
Code Examples

Ajax

HasAccessToPage

This endpoint allows you to check whether a person can view the specified page in the EmpowerID Web interface.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
page GUID of the page
Code Examples

Ajax

HasAccessToPages

This endpoint allows you to check whether a person can view the specified pages in the EmpowerID Web interface.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
pages Protected Application Resource GUID of the pages; Comma separated
Code Examples

Ajax

GetAllowedResources

This endpoint returns a list of resources the specified user can see.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
pages GUID of the parent application
Code Examples

Ajax

Results

Returns a JSON object containing the GUID of all controls for a specified parent application that the person can see.

HasManagementRoles

This endpoint allows you to check whether a person has all of the specified Management Roles.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
managementRoles GUID of each Management Role; Comma separated
Code Examples

Ajax

Results

Returns a Boolean. If true, the person has the specified Management Roles; if false, the person does not have one or more of the roles.

IsInManagementRole

This endpoint allows you to check whether a person has the specified Management Role.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person EmpowerID login of the person you are checking
managementRole GUID of the Management Role
Code Examples

Ajax

Results

Returns a Boolean. If true, the person has the specified Management Roles; if false, the person does not have one or more of the roles.

IsInGroup

This endpoint allows you to check whether a person belongs to a specific group.

HTTP Request
Header Key/Value Pairs
Key Value
X-EmpowerID-API-Key The API key for your OAuth application
Authorization Bearer {Your_Access_Token}
Content-Type application/json
Payload Name/Value Pairs
Name Value
person PersonID of the person you are checking
group GUID of the Group
Code Examples

Ajax

Results

Returns a Boolean. If true, the person is in the group; if false, the person is not.

HasGroups

This endpoint allows you to check whether a person belongs to a specific group.

HTTP Request