Understanding People in EmpowerID

A Person in EmpowerID represents the authoritative identity record for any individual who interacts with your organization's systems and resources. Understanding how Person objects work is fundamental to effective identity administration.

What is a Person Object?

The Person identity is the central managed identity within EmpowerID. Think of the Person as the "user" in EmpowerID—it represents a distinct identity for individuals within your organization.

Person objects are stored in the EmpowerID Person table and serve as the primary aggregating component for all accounts that an individual owns across different systems. All roles and access assignments (RBAC, ABAC) are derived from the Person identity, making it the foundation for access control, account aggregation, and identity management throughout the platform.

Person vs Account

While Person objects represent the individual's identity in EmpowerID, Account objects represent their identities in external systems (like Active Directory or Office 365). Accounts are linked to Persons for unified management. See Understanding Persons and Accounts for details on this relationship.

Person Attributes

Person objects store information about individuals in your organization. The specific attributes available depend on your EmpowerID configuration and organizational needs.

Required Information

When creating a Person, EmpowerID requires:

  • Primary Business Role and Location — Establishes the Person's organizational context and determines base access through role-based access control (RBAC)
  • Basic identity information — Such as name and login credentials (specific requirements vary based on your configuration)

Common Attribute Categories

Person objects typically include attributes in these categories:

Identity Information
Attributes that identify the individual, such as names, email addresses, employee identifiers, and login credentials.

Organizational Context
Attributes that define the Person's place in the organization, such as business roles, locations, manager relationships, department, division, and job title.

Contact Information
Communication channels and physical address information.

System Behavior Settings
Attributes that control how the Person interacts with EmpowerID, such as:

  • Whether the Person can authenticate to the system
  • Whether attributes should synchronize with linked accounts
  • Whether email notifications are enabled
  • Password change requirements

Attribute Customization

The specific Person attributes available in your environment depend on your EmpowerID configuration. Organizations can extend the Person object with custom attributes to meet specific business requirements.

When to Create Person Objects

Not all accounts in connected systems require a corresponding Person object. According to EmpowerID's identity model, Person objects should be created when:

  • The account will be used for login to applications or REST APIs
  • There's a need for managing access through EmpowerID (e.g., IAM Shop requests, role assignments)
  • Policies related to access roles need to be assigned to the account
  • An HR record exists for the individual, so the identity can be aligned with organizational data
  • You need to separate and manage attribute changes to prevent cross-contamination of data between distinct accounts (e.g., standard user account vs. admin account)

Service Accounts

Service accounts, application accounts, and other non-person accounts are typically managed as standard Account objects without a corresponding Person. A Person can still be designated as responsible for such an account (see Resource Responsibility below), so accountability does not depend on creating a Person for it.

Person Relationships

Persons exist within a network of organizational relationships:

Business Roles and Locations

Every Person must have a Primary Business Role and Location. This assignment:

  • Determines the Person's organizational context
  • Establishes base access and permissions through role-based access control
  • Defines the Person's position in location hierarchies

Persons can optionally have Secondary Business Roles and Locations for additional access needs.

Management Hierarchy

The Manager attribute establishes reporting relationships:

  • Enables organizational chart views
  • Supports manager-based visibility scopes (e.g., viewing direct reports)
  • Facilitates approval workflows based on management chains

Group Memberships

Persons can be assigned to groups:

  • Security Groups — Provide access to resources
  • Distribution Groups — Enable email distribution
  • Generic Groups — Serve organizational or categorization purposes

Management Role Assignments

Persons are assigned Management Roles that control:

  • UI Access — Which pages and controls they can see
  • Visibility — Which objects they can view
  • Actions — Which operations they can perform

Account Relationships

Persons can be linked to multiple Account objects from external systems. This linkage enables:

  • Unified View — See all accounts across systems from one interface
  • Centralized Provisioning — Create and manage accounts from the Person record
  • Lifecycle Automation — Automatically provision, modify, or deprovision accounts based on Person status
  • Attribute Flow — Synchronize attributes between the Person and their linked accounts

Figure 1: Person object linked to accounts in multiple external systems

Attribute Synchronization

When attribute synchronization is enabled, changes to Person attributes flow to linked accounts, keeping identity information consistent across systems. The same flow propagates a wrong value just as readily: a bad HR feed or a mistaken edit on the Person reaches every linked account. Where an individual has both a standard and a privileged Person, controlling synchronization per Person (see Core Identity below) keeps a change on one identity from touching the other's accounts.

Core Identity Grouping

When individuals require multiple Person objects (such as separate standard and privileged identities), EmpowerID uses Core Identity to link these managed identities together.

The Core Identity serves as a unique representation of an individual within the enterprise, acting as the overarching link between multiple managed identities (Person objects).

Figure 2: Core Identity linking multiple Person objects for the same individual

Benefits of Core Identity

Core Identity enables:

  • Cascading Operations — When an action needs to be performed (such as termination), it can cascade to all related managed identities, ensuring no secondary identity is missed
  • Separation of Access — Each Person maintains distinct roles, permissions, and accounts appropriate to their function (e.g., standard vs. privileged access)
  • Centralized Management — Core attributes can be managed at the Core Identity level while role-specific attributes remain separated
  • Attribute Synchronization Control — Manage synchronized attribute values for accounts associated with multiple Person identities

When to Use Core Identity

Core identities are particularly useful when:

  • An individual has privileged access that needs segregation from day-to-day access (e.g., standard "jsmith" and admin "jsmith-admin" accounts)
  • Multiple Person objects within the same or different directories need to be managed under one umbrella
  • You need to ensure that lifecycle events cascade appropriately across all of an individual's identities

Example Scenario

Joe Smith has a primary managed identity "Joe_123" connected to his standard accounts (HR system, Microsoft Active Directory, email). He also has an administrative identity "Admin_Joe" with separate elevated privileges and admin accounts. A Core Identity links both Person objects, ensuring that when Joe Smith's employment ends, both identities and all their associated accounts are deactivated together.

For detailed setup instructions, see Set Up Core Identities.
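The Attribute Synchronization section and the scenario above, as an added Python illustration that is not EmpowerID code: the class and field names (`Person.sync_attributes`, `CoreIdentity.terminate`, and so on) are assumptions, and Joe's accounts are constructed sample data. It shows what the Core Identity buys you: terminating only Joe_123 leaves `jsmith-admin` enabled, terminating through the Core Identity disables everything, and with synchronization switched off on Admin_Joe a department change on Joe_123 never reaches the admin account.

```python
"""Toy model of the identity hierarchy described on this page:
Core Identity -> Person objects -> linked Accounts.
Added illustration, not EmpowerID code; names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Account:
    """An identity in an external system (HR, AD, mail), linked to one Person."""
    system: str
    login: str
    enabled: bool = True
    attributes: dict = field(default_factory=dict)


@dataclass
class Person:
    """Managed identity. `sync_attributes` stands in for the Person setting that
    decides whether attribute changes flow to linked accounts (assumed name)."""
    person_id: str
    attributes: dict = field(default_factory=dict)
    sync_attributes: bool = True
    can_login: bool = True
    accounts: list = field(default_factory=list)

    def set_attribute(self, name: str, value) -> None:
        """Change a Person attribute; it flows to accounts only when sync is on."""
        self.attributes[name] = value
        if self.sync_attributes:
            for acct in self.accounts:
                acct.attributes[name] = value

    def disable(self) -> None:
        """Lifecycle action on one Person: block login and disable its accounts."""
        self.can_login = False
        for acct in self.accounts:
            acct.enabled = False


@dataclass
class CoreIdentity:
    """One individual: the umbrella over all of that individual's Persons."""
    core_id: str
    persons: list = field(default_factory=list)

    def terminate(self) -> None:
        """Cascade termination so no secondary identity is missed."""
        for person in self.persons:
            person.disable()


def build_joe():
    """Constructed sample mirroring the page's scenario: Joe_123 and Admin_Joe."""
    joe = Person("Joe_123", {"displayName": "Joe Smith"})
    joe.accounts += [
        Account("HR", "jsmith"),
        Account("Active Directory", "jsmith"),
        Account("Exchange", "joe.smith@example.com"),
    ]
    # Privileged identity: separate accounts, and attribute sync switched off so
    # edits on the standard identity never touch the admin account.
    admin = Person("Admin_Joe", {"displayName": "Joe Smith (admin)"},
                   sync_attributes=False)
    admin.accounts.append(Account("Active Directory", "jsmith-admin"))
    return joe, admin


def enabled_logins(*persons):
    """Logins that can still be used after a lifecycle action."""
    return sorted(a.login for p in persons for a in p.accounts if a.enabled)


def demo_without_core_identity():
    """Termination applied to the primary Person only: the admin account survives."""
    joe, admin = build_joe()
    joe.disable()
    return enabled_logins(joe, admin)


def demo_with_core_identity():
    """Termination through the Core Identity: every account is disabled."""
    joe, admin = build_joe()
    CoreIdentity("joe-smith", [joe, admin]).terminate()
    return enabled_logins(joe, admin)


def demo_attribute_sync():
    """Department change flows to Joe_123's accounts but not to Admin_Joe's."""
    joe, admin = build_joe()
    joe.set_attribute("department", "Finance")
    admin.set_attribute("department", "Finance")
    return ([a.attributes.get("department") for a in joe.accounts],
            [a.attributes.get("department") for a in admin.accounts])


if __name__ == "__main__":
    print("without core identity:", demo_without_core_identity())
    print("with core identity:   ", demo_with_core_identity())
    print("attribute sync:       ", demo_attribute_sync())
```

The first demo is the failure mode the page warns about: a leaver process that only knows about the HR-fed Person leaves the privileged account usable. The third demo is the other half of the model: the admin Person keeps its own attribute values, so a value pushed into Joe_123 (from HR, or by mistake) stays confined to Joe_123's accounts.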

Resource Responsibility

Beyond managing their own access, Persons can be designated as responsible parties for organizational resources:

  • User accounts
  • Groups
  • Computers
  • Management roles
  • Locations
  • Shared credentials

Resource responsibility establishes accountability for:

  • Managing the security of IT objects
  • Overseeing resource lifecycle
  • Ensuring compliance with organizational policies
Note: Resource responsibility is distinct from account ownership. A Person "owns" their linked accounts as part of their identity, but can be "responsible for" managing other resources on behalf of the organization.

Key Takeaways

  1. Person objects are the authoritative identity records in EmpowerID for all individuals
  2. Every Person must have a primary Business Role and Location assignment
  3. Accounts are linked to Persons for unified management across multiple systems
  4. Core Identity solves scenarios requiring multiple Person objects for one individual
  5. Resource responsibility establishes accountability beyond account ownership