Jobs

EmpowerID's functionality is divided into numerous granular tasks, known as "jobs," hosted and executed in Windows services that communicate with the EmpowerID Identity Warehouse through REST Web services. Jobs can be either scheduled tasks (e.g., Inventory) or REST Web Services used in workflow processes. Multiple servers can run the same jobs for load balancing and failover, and each server regularly reports its status (online/offline) and hosted jobs to the Identity Warehouse. If a server goes offline, EmpowerID transfers its processes to another server hosting the same job.

As all communication occurs over REST, the EmpowerID Web server plays an important role, directing the various calls that occur in EmpowerID – whether those calls are automated processes like attribute flow or user-initiated processes like logging in to the EmpowerID Web application – to the appropriate EmpowerID Windows service responsible for carrying out the call. To ensure this process flows without interruption, the EmpowerID Web server uses the following criteria to determine which Workflow server it uses:

  • if the Web server itself is an "online" Workflow server, the Web server uses itself;
  • otherwise, it calls the EmpowerID Identity Warehouse to request an "online" Workflow server in the same Communication Zone.

A server is considered "online" if it has completed a heartbeat check-in to the Identity Warehouse within the last 3 minutes. The heartbeat is written to the EmpowerID ServerServices table. By default, the services send this notification every two minutes, which allows fail-over in case a service is down or disconnected.
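The selection criteria and the three-minute heartbeat window described above, as an added example that is not EmpowerID code; it also lists jobs left with fewer than two online hosts. The `Server` record shape, the sample servers and the freshest-heartbeat tie-break are assumptions; real heartbeat data would come from the ServerServices table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ONLINE_WINDOW = timedelta(minutes=3)  # page: heartbeat within the last 3 minutes

@dataclass(frozen=True)
class Server:  # hypothetical record shape, not the ServerServices schema
    name: str
    zone: str  # Communication Zone
    last_heartbeat: datetime
    is_workflow_server: bool = False
    jobs: frozenset = frozenset()

def is_online(server, now):
    return now - server.last_heartbeat < ONLINE_WINDOW

def pick_workflow_server(web_server, servers, now):
    """Apply the two criteria above; None means no online candidate exists."""
    if web_server.is_workflow_server and is_online(web_server, now):
        return web_server
    candidates = [s for s in servers if s.is_workflow_server
                  and s.zone == web_server.zone and is_online(s, now)]
    # Assumption: prefer the freshest heartbeat; the page does not say how one is chosen.
    return max(candidates, key=lambda s: s.last_heartbeat, default=None)

def jobs_without_failover(servers, now):
    """Return {job: online hosts} for every job with fewer than two online hosts."""
    hosts = {}
    for s in servers:
        for job in s.jobs:
            online = hosts.setdefault(job, [])
            if is_online(s, now):
                online.append(s.name)
    return {job: sorted(names) for job, names in hosts.items() if len(names) < 2}

# Constructed sample data: server names, zones and timestamps are invented.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
def ago(seconds):
    return NOW - timedelta(seconds=seconds)

WEB01 = Server("web01", "dmz", ago(30))
SERVERS = [
    WEB01,
    Server("wf01", "dmz", ago(200), True, frozenset({"Inventory", "Set Compiler Job"})),  # stale
    Server("wf02", "dmz", ago(100), True, frozenset({"Inventory"})),
    Server("wf03", "corp", ago(10), True, frozenset({"Set Compiler Job"})),  # other zone
]

if __name__ == "__main__":
    print(pick_workflow_server(WEB01, SERVERS, NOW).name)
    print(jobs_without_failover(SERVERS, NOW))
```

A single online host is expected for a job that must run on one server only, such as the RBAC Security Compiler Job listed below; for other jobs it means there is no failover target.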

Each of the various services that make up the processing operations of the system can be assigned to any number of distributed servers within the EmpowerID Web interface. A brief overview of the purpose of each of these Jobs follows below:

| Job | Purpose |
| --- | --- |
| Attribute Flow - Directory Change Processor | This is a job hosted by the EmpowerID Worker Role Windows service that processes the attribute changes from the attribute inbox that were discovered during the inventory and processes them using the attribute flow rules to update the attributes for the EmpowerID Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This job is scheduled per Account Store. |
| Account Lockout Detection Job | This is a job hosted by the EmpowerID Worker Role Windows service that actively gathers event logs from remote Windows Server systems. This is in contrast to the Windows Server Event Log Monitor that runs locally on managed Windows servers. Either can be used; however, this agent can be used instead of the Windows Server Event Log Monitor for a polling style of event log change detection versus the push method offered by the Windows Server Event Log Monitor. |
| Account Password Reset Inbox | Job hosted by the Worker Role service that performs the offline password resets. |
| API Inbox Processor Job | API Inbox Processor Job |
| Assignee Member Policy Compiler | Compiles field values based on assignee member policies |
| Assignee Member Policy Inbox Processor | Job that claims and processes PBAC policy membership inbox entries |
| Attestation Policy Compiler | Job hosted by the Worker Role service that evaluates attestation policies and creates Attestation Review tasks. |
| Attestation Processor | Not Used - placeholder for customization |
| Authorization Function Compiler | Processes Local and Global AzFunctions and creates the resultant assignees based on roles, rights and Auth Object mappings |
| Authorization Risk Compiler | Processes Local and Global AzRisks |
| Export Job for Bidirectional Connectors | Export Job For Bidirectional Connectors |
| Export Job For Outbound Connectors | Export Job For Outbound Connectors |
| Bot Password Expiry Notification | Bot Password Expiry Notification |
| Business Request Approvers Refresher | Claims and refreshes BusinessRequest and BusinessRequestItems due for approvers refresh. |
| Business Request Fulfillment Job | Fulfills claimed Business Request Item after approvals every ReprocessInterval + 120 seconds by initiating workflow to do fulfillment. If it is locked by a server without being processed, it will be claimed again based on ReclaimByDate (set to +1 hour on each claim). |
| Business Request JSON Inbox Processor | Claims open BusinessRequestJSONInbox records to create BusinessRequest - Items, Approval Steps, Approvers |
| Business Request Item Step Fulfillment Job | Fulfills claimed Business Request Item Approval step after approvals every ReprocessInterval + 120 seconds by initiating workflow to do fulfillment. If it is locked by a server without being processed, it will be claimed again based on ReclaimByDate (set to +1 hour on each claim). |
| Business Request Notification Inbox Claim Job | Job to claim entries in Business Request Notification Inbox and send notification emails |
| Business Request Notification Inbox Drop Processor | Job to process events from Business Request Notification Event Drop Inbox |
| Business Request Risk Compiler | Invokes BusinessRequest CompileAllRisks |
| Component Process Inbox Job | Component Process Inbox Job |
| Database Archiving Rule Processor | Job that performs database archiving rules and processes |
| Dynamic Hierarchy Generation Job | Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies. |
| Dynamic Hierarchy Membership Recalculation Job | Job hosted by the Worker Role service that calculates which groups in group hierarchy policies should have their membership refreshed |
| Dynamic Hierarchy Provision Inbox Processor | Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies |
| Group Membership Queue Processor Job | Group Membership Queue Processor Job |
| Group Membership Reconciliation Job | Job hosted by the Worker Role service that evaluates the current "as is" membership of groups versus the "should be" state of who should be a member based upon dynamic RBAC assignments of the "Member" Resource Role in EmpowerID. This job is scheduled per Resource System or Account Store. |
| Import Groups Job | Import groups job |
| Import Management Roles Job | Import Management Roles job |
| Inventory | This is a Job hosted by the EmpowerID Worker Role Windows service that claims inventory jobs for resource systems and account stores on a scheduled basis, calling the specific inventory method for that system. For account stores, the inventory process is responsible for populating the attribute inbox and running the initial Person provision process using the same Join and Provision Rule logic used by the Account Inbox One by One or Account Inbox Bulk permanent workflow. The actual implementation of how each system is inventoried is specific to the type of system and the implementation in its connector. This Job is scheduled per resource system or account store. |
| Inventory Get Unified Group Properties Job | Inventories the additional unified group properties to Azure EID Group |
| License Pool Approval Change Inbox Processor | Processes License Pools Inbox entries requiring approval, removes accounts from licenses groups that grant the license |
| License Pool Change Inbox Processor | Processes License Pools Inbox entries and adds or removes accounts from the licenses groups that grant the license |
| License Pool Compiler | Processes License Pools and creates inbox entries to add or remove accounts to license assigned groups |
| License Reclamation Approval Inbox Processor | Generates approval for License Reclamation Inbox entries needing approval. After the approval, the other Reclamation Inbox Processor processes the approved items. |
| License Reclamation Compiler | Processes License Reclamation and creates inbox entries for licenses that are not in use or assigned to an invalid account. |
| License Reclamation Inbox Processor | Processes License Reclamation Inbox entries and either executes the entries or generates workflows for approval. |
| Notification Report Subscription Compiler | Job to claim notification report subscriptions on a scheduled basis and calls the RunReport() method on the subscription. |
| Office 365 Batch Processor | Job hosted by the Worker Role service that performs the batch processing for Exchange Online Office365 actions. |
| PBAC Attribute Account Store Sync Policy Processor | Job that claims and syncs AzFieldTypeAccountStoreSyncPolicy into AssigneeAzFieldType |
| Permanent Workflow Job | This is a Job hosted by the EmpowerID Worker Role Windows service that ensures permanent workflows are kept in a continuously running state. The parameters for the loop are set for each workflow added to the Permanent Workflow job. |
| Person Default Attributes Reinforcement Job | Job hosted by the Worker Role service that is responsible for making sure people have the mandatory attributes assigned by policy. It also populates the outbox so accounts owned by the person are updated. |
| Ping Remote Server Job | This Job claims the remote servers and tries to ping them. If the ping fails, it logs the server details. |
| RBAC Maintenance Job | Job hosted by the Worker Role service to calculate RBAC assignments |
| RBAC Security Compiler Job | Job hosted by the Worker Role service that is responsible for building the Location and Business Role trees. It also calculates the location of resource location and which security delegations will affect them.<br />**Warning:** This job MUST run on only ONE server. |
| RBAC Security Person Business Role Compiler Job | Job hosted by the Worker Role service that is responsible for calculating what business roles and locations a person will have based on all possible assignments. |
| Resource Entitlement Inbox Processor Job | Job hosted by the Worker Role service that performs the actions specified by the Resource Entitlement Inbox entries (Provision, Deprovision, etc.). |
| Resource Entitlement Recalculation Job | Job hosted by the Worker Role service that evaluates the current "as is" status of Resource Entitlement policies (RETs) versus the "should be" state. This entails determining what Accounts, Home Folders, Exchange Mailboxes, etc. that people currently own versus what they should own by policy. The delta to normalize what they have with what they should have is written to the Resource Entitlement Inbox as a series of actions to be performed (Provision, Disable, Move, De-provision). |
| Resource Role Reconciliation Job | Job hosted by the Worker Role service that manages the membership of EmpowerID Resource Role groups (RRGs). It determines who should currently be a member of those RRGs and then modifies the membership to match. This job is scheduled per Resource System or Account Store. |
| Resource System Inbox Inventory Processor | Used when Inventory uses Inbox to bring data in |
| Rights Enforcement Job | This is a Job hosted by the EmpowerID Worker Role Windows service that adds or removes native permissions for resources in external systems based upon the current state of RBAC delegations. The actual granting or revoking of rights for external systems can result in calls to other agents in order to complete the action. This Job is scheduled per resource system or account store. |
| Rights Inventory Job | Job hosted by the Worker Role service that inventories native permissions for external system resources. The actual inventory of rights for the external system in question can result in calls to other agents (e.g., SharePoint Agent) in order to complete the action. |
| Risk Factor and Stats Recalculation Job | Job hosted by the Worker Role service that is responsible for calculating the risk factor score for all EmpowerID actor types. |
| Role and Location Compiler | This is a Job hosted by the EmpowerID Worker Role Windows service that determines the Business Roles and Locations that should be assigned to an EmpowerID Person based on information coming from an external custom system like an HR system. The Role and Location Compiler does not support using AD or LDAP for its functions. Only account stores where the Allow Role and Location Recalculation is set to Enabled will be considered. If multiple account stores are being monitored, those with a higher Role and Location Re-Eval Order value are given precedence. The following account store information is used by this job:<br />• Accounts related to an EmpowerID Person<br />• External Roles<br />• External Locations<br />• Associations between accounts, external roles, and external locations in an Account Store and whether the association is "Primary" (only one association can be designated as "Primary" for a given account per Account Store)<br />• Mappings managed in the EmpowerID Role and Location Mapper:<br />• Mappings between external roles and EmpowerID Roles (an external role can be mapped to multiple EmpowerID Roles, but only one of these mappings is considered "Primary")<br />• Mappings between external locations and EmpowerID Locations |
| Role and Location Processor | This is a Job hosted by the EmpowerID Worker Role Windows service that makes Business Role and Location changes as determined by the Role and Location Compiler. The processor performs the following actions:<br />• Changes a Person's primary Business Role and Location (only affects people whose primary role and location were not explicitly assigned)<br />• Assigns secondary roles and locations to a Person<br />• Removes secondary roles and locations from a Person<br />• Handles ambiguous assignments by reassigning people whose Business Role and Location is uncertain to the role and location specified in the EmpowerID Resource System's "Default User Creation Path." This only occurs when a Person's primary Business Role and Location was previously determined by Role and Location Compiler and set by the processor, but can no longer be ascertained due to insufficient or inconclusive information. |
| Role Model Business Role Application Role Inbox Processor | Role Model Business Role Application Role Inbox Processor |
| Role Model Identity Application Role Inbox Processor | Role Model Identity Application Role Inbox Processor |
| Role Model Identity Business Role Inbox Processor | Role Model Identity Business Role Inbox Processor |
| RoMo Application Role Inventory | RoMo ApplicationRole Inventory |
| RoMo Business Process Tree Inventory | RoMo Business Process Tree Inventory |
| RoMo Business Role Application Role Inventory | RoMo BusinessRole ApplicationRole Inventory |
| RoMo Business Role Inventory | RoMo Business Role Inventory |
| RoMo Differentiation Type Value Tree Inventory | RoMo Differentiation Type Value Tree Inventory |
| RoMo Identity ApplicationRole Inventory | RoMo Identity ApplicationRole Inventory |
| RoMo Identity Business Role Inventory | RoMo Identity Business Role Inventory |
| RoMo Template Business Role Inventory | RoMo Template Business Role Inventory |
| Search Tag Compilation | Job hosted by the Worker Role service that evaluates and prepares the tags needed for tag searching in EmpowerID; it calculates implicit tagging. |
| Separation Of Duties Violation Processor | Job hosted by the Worker Role service that performs default configured actions in response to SoD Violation tasks. |
| Set Compiler Job | Job hosted by the Worker Role service that evaluates saved searches or Sets against connected Account Stores. The results of these compiled searches can be used for query-based assignment of Person objects to Business Roles and Locations. This job can run on multiple servers at the same time (it doesn't follow the job schedule or reprocess interval). |
| SharePoint Online Topology Azure Web Job | Job hosted by the Worker Role service to inventory SharePoint Online using Azure Web Jobs |
| SharePoint Online Topology Job | Job hosted by the Worker Role service to inventory SharePoint Online |
| Workflow Task Renotification | Sends email notification and escalation based on the schedule configured on the Request Workflow schedule |
| Windows Service and AppPool Account Password Sync | This Job synchronizes account password resets for accounts used by Windows Services and IIS App Pools. |