EmpowerID Identity Lifecycle Concepts

The following articles introduce key lifecycle features in EmpowerID, aiming to equip administrators with the foundational knowledge required for effective system management. You will find conceptual overviews covering critical components such as the Identity Warehouse, EmpowerID Jobs, Inventory, Account Inbox, Attribute Flow, and Business Role and Location Assignments. Understanding these features is crucial for orchestrating the fluid movement and control of identity data within your organization.

📄️ EmpowerID Identity Warehouse

EmpowerID inventories, manages, and protects resources in "resource systems," which are simply systems that contain IT resources. Resource systems can include Active Directory domains, LDAP directories, HR systems, Microsoft Exchange Organizations, SharePoint Farms, custom applications, and the EmpowerID system itself. It is not uncommon for organizations to have more than one of these systems, and as organizations grow and/or merge with other entities, creating an effective strategy to manage the identities and resources in each system accurately can be challenging and time-consuming. With multiple repositories of user data to maintain, data will likely be overlooked somewhere, resulting in loss of informational integrity and potentially costly security breaches. If left unchecked, these types of errors could threaten the health of an organization's IT infrastructure. In situations like these, what is needed is an easy, reliable way to bring those resource systems under the authority of one central repository that can capture the information in each of those systems, unify it into a cohesive whole, and maintain its integrity in real time across all systems, so that if changes occur to a user named "Bob" in one system, those changes automatically occur to the same "Bob" in all systems. As a powerful SQL-based relational Identity Warehouse with an extensive connector framework, EmpowerID is ideal for this: it can connect to a wide variety of resource systems in real time and gather the user information in each to create a comprehensive "identity layer" that can be used to manage users and all of their associated accounts, roles, and entitlements in whatever resource systems those objects may reside. And because EmpowerID is an RBAC platform, access to this data is always secured and cannot be viewed or edited by any user unless that user has the specific right to do so.

📄️ Jobs

EmpowerID's functionality is divided into numerous granular tasks, known as "jobs," hosted and executed in Windows services that communicate with the EmpowerID Identity Warehouse through REST Web services. Jobs can be either scheduled tasks (e.g., Inventory) or REST Web Services used in workflow processes. Multiple servers can run the same jobs for load balancing and failover, and each server regularly reports its status (online/offline) and hosted jobs to the Identity Warehouse. If a server goes offline, EmpowerID transfers its processes to another server hosting the same job.

📄️ Account Inbox

Because of the key role of Person objects in EmpowerID, the process by which EmpowerID joins inventoried accounts to these objects is foundational to how EmpowerID manages your user identities. As was mentioned in the Understanding Inventory topic, when EmpowerID inventories a resource system with user accounts, it does more than just write a copy of those user accounts to a table in the EmpowerID Identity Warehouse. It evaluates those accounts to determine whether or not they are owned by users, and based on that evaluation, it does one of the following three things:

📄️ Attribute Flow

One of the biggest challenges associated with securing IT resources in large environments is creating a comprehensive "identity layer" that can be used as a singular reference point for managing users and all of their associated accounts, roles, and entitlements. As a directory and Identity Warehouse, EmpowerID is capable of creating this comprehensive identity layer via the inventory process that joins each user account in a managed account store to a corresponding EmpowerID Person. But this is only half the solution. Beyond creating and depositing a comprehensive identity layer into a central repository, what is needed is an authoritative system with the power and reach to control not only what can happen to those identities within its own repository, but also what can happen to those identities within each connected resource system as well. If changes happen to "Bob" in directory "A," those changes should also happen to "Bob" in directory "B" and "C" if those changes are authoritative—or discarded if they are not. Additionally, this should happen without requiring continual vigilance on the part of administrators and other power users. The EmpowerID synchronization engine joins the EmpowerID inventory process to provide just this solution. Whereas the inventory process creates the identity layer, the synchronization engine maintains it via a process known as "Attribute Flow."