Use Dynamic Hierarchy Policies to Create External Roles and Locations
You can use a Dynamic Hierarchy policy to automatically generate external Business Roles and Locations based on the value of a specified person attribute, such as the name of their department. After the policy is created, the Dynamic Hierarchy engine will add any person with the matching attribute values to the Role and Location.
Create the policy
- On the navbar, expand Dynamic Hierarchies and select Policies.
- Click the Add (+) button.
This opens the Policy Details form.
3. Fill out each section of the form according to your policy needs.
General
- Select a Policy Type – Select Account Attribute External Roles and Locations
- Name – Name of the policy
- Description – Description of the policy
- Directory – Select the account store where the groups are to be created
Hierarchy Generation
-
Hierarchy Generation Enabled – Select this option to enable EmpowerID to generate hierarchies from the policy
-
Hierarchy Generation Next Run – Click the field and select the date and time for the next run of the Hierarchy Generation job
-
Hierarchy Generation Schedule – Set the start and end dates for hierarchy generation to occur
-
Hierarchy Generation Interval – Set the interval for the Hierarchy Generation job to process the policy. Options include:
-
Once – Hierarchy generation occurs one time
-
Minute Interval - Hierarchy generation occurs "X" times every "Y" minutes as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, hierarchy generation occurs twice. The first occurrence is at the date and time specified in the Hierarchy Generation Next Run field and the second occurrence is 24 minutes after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, hierarchy generation occurs once every 24 minutes, indefinitely.
-
Hour Interval - Hierarchy generation occurs "X" times every "Y" hours as specified in the Run, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, hierarchy generation occurs twice. The first occurrence is at the date and time specified in the Hierarchy Generation Next Run field and the second occurrence is 24 hours after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, hierarchy generation occurs once every 24 hours, indefinitely.
-
Daily - Hierarchy generation occurs once every "X" days at a designated time as specified in the Run Indefinitely, Iterations and Times fields. So, for example, if you select an iteration of 2, hierarchy generation occurs twice. The first occurrence is at the date and time specified in the Hierarchy Generation Next Run field and the second occurrence is on the following day at the time specified in the Times field. However, if you select Run Indefinitely, hierarchy generation occurs on a daily basis at the time specified in the Times field.
Membership Recalculation
-
Membership Recalculation Enabled – Select this option to enable the system to update role membership as specified by the schedule and interval
-
Membership Recalculate Next Run – Set the date and time for the next run of the Dynamic Hierarchy Membership Recalculation job
-
Membership Recalculation Schedule – Set the start and end dates for hierarchy generation to occur
-
Membership Recalculation Interval – Set the interval for membership recalculation to run. Options include:
-
Once – Membership recalculation occurs one time.
-
Minute Interval – Membership recalculation occurs "X" times every "Y" minutes as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, membership recalculation occurs twice. The first occurrence is at the date and time specified in the Membership Recalculate Next Run field and the second occurrence is 24 minutes after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, membership recalculation occurs once every 24 minutes, indefinitely.
-
Hour Interval – Membership recalculation occurs "X" times every "Y" hours as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, membership recalculation occurs twice. The first occurrence is at the date and time specified in the Membership Recalculate Next Run field and the second occurrence is 24 hours after the first run completes. However, if you select Run Indefinitely, and then select an Interval of 24, membership recalculation occurs once every 24 hours, indefinitely.
-
Daily – Membership recalculation occurs once every "X" days at a designated time as specified in the Run Indefinitely, Iterations and Times fields. So, for example, if you select an iteration of 2, membership recalculation occurs twice. The first occurrence is at the date and time specified in the Membership Recalculate Next Run field and the second occurrence is on the following day at the time specified in the Times field. However, if you select Run Indefinitely, membership recalculation occurs on a daily basis at the time specified in the Times field.
Policy Settings
-
External Role Level 1 – Specify the attribute that is to be used to generate the parent external role.
-
External Location Level 1 – Specify the attribute that is to be used to generate the parent external location.
-
External Role Level 2 – If nesting roles, specify the attribute that is to be used to generate the first child external role.
-
External Location Level 2 – If nesting locations, specify the attribute that is to be used to generate the first location external role.
-
External Role Level 3 – If nesting roles, specify the attribute that is to be used to generate the second child external role.
-
External Location Level 3 – If nesting locations, specify the attribute that is to be used to generate the second location external role.
-
Claim Matching Roles – Select this option to allow the Dynamic Hierarchy engine to claim any matching roles in the system as Dynamic Hierarchy generated roles.
-
Claim Matching Locations – Select this option to allow the Dynamic Hierarchy engine to claim any matching locations in the system as Dynamic Hierarchy generated locations.
-
Role Assignment Removal Delay (Minutes) – Specify the time in minutes that the engine should wait to remove users who no longer meet the criteria for Role and Location assignments from those Roles and Locations.
-
Empty Role Action – Specify the action EmpowerID should take if a generated role no longer contains any users. When doing so, you have the following options:
-
No Action
-
Delete – Deletes the role.
-
Empty Location Action – Specify the action EmpowerID should take if a generated location no longer contains any users. When doing so, you have the following options:
-
No Action
-
Delete – Deletes the location.
-
Level 1 Naming Convention
{Value1}– At a minimum enter{Value1}. EmpowerID creates a dynamic Role and Location for each attribute matching the value selected from the External Role Level 1 and External Location Level 1 fields. For example, if you selected the JobTitle attribute for the external role and the Department for the external location, an external role is created for each unique job title and an external location is created for each department. -
Level 2 Naming Convention
{Value1}{Value2}– If you are nesting roles and locations, for the first child enter{Value1}{Value2}. EmpowerID creates a dynamic Role and Location under the parent Role and Location for each attribute matching the values selected from the External Role Level 2 and External Location Level 2 fields. -
Level 3 Naming Convention
{Value1}{Value2}{Value3}– If you are nesting roles and locations, for the child of the first child enter{Value1}{Value2}{Value3}. EmpowerID creates a dynamic Role and Location under the first child Role and Location for each attribute matching the values selected from the External Role Level 3 and External Location Level 3 fields.
- Click Save.