
Understanding the Relationship Between Persons and Accounts

EmpowerID distinguishes between Person objects and Account objects to enable comprehensive identity management across multiple systems. Understanding this relationship is fundamental to working with identities in EmpowerID.

Person Objects

A Person represents an individual in the organization and serves as the authoritative identity record in EmpowerID. Each person has a single Person object containing:

  • Core identity information – Name, email address, employee ID, and other attributes that define the individual
  • Organizational relationships – Department, manager, location, business unit, and other organizational attributes
  • Lifecycle data – Hire date, termination date, employment status, and other lifecycle attributes

Person objects exist independently of any specific system or directory. When you update a person's department or manager in EmpowerID, you are updating the authoritative record. These changes can then flow to connected systems through provisioning workflows.

Why Person Objects Matter

Person objects provide a single source of truth for individual identities. Without this separation, organizations must maintain identity information separately in each system, leading to:

  • Inconsistent data – The same person has different attributes in different systems
  • Manual synchronization – IT must update multiple systems individually when changes occur
  • Difficult reporting – No unified view of an individual's access across systems
  • Incomplete lifecycle management – Offboarding requires coordinating changes across multiple systems

With Person objects as the authoritative source, changes made once in EmpowerID propagate to connected systems automatically, ensuring consistency and reducing administrative effort.

Account Objects

An Account is a system-specific identity linked to a Person object. Accounts represent the individual's presence in specific systems such as:

  • Active Directory accounts – Domain user accounts (e.g., jsmith@corp.local)
  • Microsoft Entra ID accounts – Cloud identities for Microsoft 365 and Azure (e.g., jsmith@company.com)
  • SAP accounts – User accounts in SAP systems (e.g., JSMITH001)
  • Application accounts – Identities in line-of-business applications, SaaS platforms, and custom systems

Each account is linked to a Person object through an AccountToPerson relationship. This creates a clear connection between the organizational identity (Person) and system-specific identities (Accounts).

Multiple Accounts per Person

A single person can have multiple accounts across different systems. This is common in modern environments where users access:

  • On-premises Active Directory for legacy applications
  • Microsoft Entra ID for Microsoft 365 and cloud services
  • SAP for enterprise resource planning
  • Various SaaS applications requiring separate identities

A single person object links to multiple system-specific accounts across the environment

How Person and Account Objects Work Together

The relationship between Person and Account objects enables several key capabilities:

Centralized Attribute Management

When a person's attributes change—such as department, manager, or job title—EmpowerID updates the Person object. Provisioning workflows can then update the corresponding attributes on all linked accounts according to attribute flow rules configured for each connected system.

For example, when John Smith transfers from the IT department to Finance:

  1. An administrator updates John's department in EmpowerID (on the Person object)
  2. A provisioning workflow detects the change
  3. The Department attribute is updated automatically on John's Active Directory account, Entra ID account, and SAP account
  4. Each system receives the update according to its own attribute mapping rules

This eliminates the need to update each system individually and ensures consistency across the environment.

Unified Access Visibility

Because all accounts link to Person objects, administrators can view all of an individual's access from a single interface. When reviewing John Smith's access, administrators see:

  • All accounts associated with John (AD, Entra ID, SAP, applications)
  • All groups each account belongs to
  • All direct permissions assigned to each account
  • All resource access granted through any account

This unified view simplifies access reviews, compliance audits, and security investigations.

Coordinated Lifecycle Management

During lifecycle events, EmpowerID can process all of a person's accounts through a single workflow:

Onboarding – Create the Person object and provision all required accounts (AD account, Entra ID account, SAP account) through one onboarding workflow. Each account is automatically linked to the Person object.

Organizational Changes – When a person transfers departments or changes managers, update the Person object once. Provisioning workflows handle updating attributes and access across all connected systems.

Offboarding – Disable or delete the Person object. Workflows automatically process all linked accounts (disable accounts, remove group memberships, revoke access), ensuring complete access revocation without leaving orphaned accounts behind.
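The following model is an added illustration of the Person-to-Account relationship described in the Centralized Attribute Management and Coordinated Lifecycle Management sections above. It is not EmpowerID code and uses none of EmpowerID's APIs; the class names, the FLOW_RULES table, the sample persons and accounts, and the orphaned-account check are all constructed for this example. It shows one attribute change on the authoritative Person record flowing to every linked account under per-system mapping rules, an offboarding pass that disables every linked account and clears its group memberships, and a check for discovered accounts that carry no AccountToPerson link.

```python
from dataclasses import dataclass, field


@dataclass
class Person:
    """Authoritative identity record (the page's Person object)."""
    person_id: str
    attributes: dict
    status: str = "Active"


@dataclass
class Account:
    """System-specific identity (the page's Account object)."""
    system: str                      # "AD", "EntraID", "SAP", ...
    login: str
    attributes: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)
    enabled: bool = True


# Hypothetical attribute flow rules, one table per connected system:
# Person attribute -> (target attribute name, transform applied on the way out).
FLOW_RULES = {
    "AD": {"Department": ("department", lambda v: v),
           "Manager": ("manager", lambda v: f"CN={v},OU=Users,DC=corp,DC=local")},
    "EntraID": {"Department": ("department", lambda v: v),
                "JobTitle": ("jobTitle", lambda v: v)},
    "SAP": {"Department": ("COST_CENTER", lambda v: v.upper())},  # SAP only keeps a code
}


class IdentityStore:
    def __init__(self):
        self.persons = {}             # person_id -> Person
        self.accounts = {}            # (system, login) -> Account
        self.account_to_person = {}   # (system, login) -> person_id  (the AccountToPerson link)

    def add_person(self, person):
        self.persons[person.person_id] = person

    def add_account(self, account, person_id=None):
        key = (account.system, account.login)
        self.accounts[key] = account
        if person_id is not None:
            self.link_account(person_id, key)

    def link_account(self, person_id, key):
        if person_id not in self.persons:
            raise KeyError(f"unknown person {person_id}")
        self.account_to_person[key] = person_id

    def accounts_of(self, person_id):
        return [self.accounts[k] for k, p in self.account_to_person.items() if p == person_id]

    def update_person_attribute(self, person_id, name, value):
        """Update the authoritative record, then flow the change to each linked
        account that has a rule for this attribute. Returns {system: target attr}."""
        self.persons[person_id].attributes[name] = value
        applied = {}
        for acct in self.accounts_of(person_id):
            rule = FLOW_RULES.get(acct.system, {}).get(name)
            if rule is None:
                continue                      # this system does not carry the attribute
            target, transform = rule
            acct.attributes[target] = transform(value)
            applied[acct.system] = target
        return applied

    def offboard(self, person_id):
        """Terminate the person and process every linked account in one pass."""
        self.persons[person_id].status = "Terminated"
        processed = []
        for acct in self.accounts_of(person_id):
            acct.enabled = False
            acct.groups.clear()               # remove group memberships
            processed.append((acct.system, acct.login))
        return sorted(processed)

    def orphaned_accounts(self):
        """Accounts discovered in an account store that no Person owns."""
        return sorted(k for k in self.accounts if k not in self.account_to_person)


def build_sample_store():
    """Constructed sample data: one person with three linked accounts plus one unlinked account."""
    store = IdentityStore()
    store.add_person(Person("john.smith", {"Department": "IT", "Manager": "Jane Doe"}))
    store.add_account(Account("AD", "jsmith@corp.local", groups={"IT-Staff"}), "john.smith")
    store.add_account(Account("EntraID", "jsmith@company.com", groups={"M365-Users"}), "john.smith")
    store.add_account(Account("SAP", "JSMITH001"), "john.smith")
    store.add_account(Account("AD", "svc-legacy@corp.local"))   # discovered, not yet correlated
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.update_person_attribute("john.smith", "Department", "Finance"))
    print(s.offboard("john.smith"))
    print(s.orphaned_accounts())
```

The transfer from IT to Finance touches the Person record once and lands on all three accounts in each system's own attribute name and format; the offboarding pass returns exactly the set of accounts it disabled, which an operator can compare against the expected account list, and `orphaned_accounts` surfaces the unlinked service account that a lifecycle workflow would otherwise never reach.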

Account Creation and Linking

Accounts can be created and linked to Person objects through multiple methods:

Provisioning workflows – When onboarding a new employee, workflows create accounts in connected systems and automatically link them to the Person object.

Account store synchronization – When EmpowerID synchronizes with account stores like Active Directory, it creates Account objects for discovered accounts and links them to matching Person objects based on configured correlation rules.

Manual provisioning – Administrators can manually create accounts for existing persons and establish the AccountToPerson link.

Core Identity and Multiple Personas

When individuals require multiple distinct personas—such as separate standard and privileged accounts—EmpowerID uses Core Identity to link related Person objects while maintaining separation between the personas.

Understanding Multiple Personas

Privileged access management strategies commonly require users to have separate accounts for standard daily work and for elevated administrative tasks. This separation provides:

Security boundaries – Administrative activities use different credentials than standard activities, reducing the risk of credential theft affecting privileged access.

Audit clarity – Administrative actions are logged separately from standard user activities, simplifying compliance reporting and security investigations.

Access control – Privileged accounts can be subject to different policies, stronger authentication requirements, and stricter monitoring than standard accounts.

A typical scenario includes:

Standard persona:

  • Person object: john.smith
  • AD account: jsmith@corp.local
  • Usage: Email, document editing, routine business applications
  • Access: Standard user permissions appropriate for daily work

Privileged persona:

  • Person object: john.smith-admin
  • AD account: jsmith-admin@corp.local
  • Usage: Server administration, Active Directory management, elevated tasks
  • Access: Administrative permissions required for IT duties

Both Person objects represent the same individual but serve different purposes and carry different access rights.

How Core Identity Works

Core Identity automatically links Person objects representing the same individual based on matching attributes configured by administrators. The linking process works as follows:

Configuration – Administrators configure matching rules that define which attributes EmpowerID should use to identify Person objects representing the same individual. Common matching strategies include:

  • FirstName + LastName + BirthDate – High-confidence matching when birth dates are reliably available
  • FirstName + LastName – Simpler matching suitable for controlled environments with unique names
  • Email + EmployeeID – Custom matching based on organizational identifiers that remain consistent across personas

Automatic Linking – During identity synchronization, EmpowerID evaluates Person objects against configured matching rules. When Person objects match the criteria, EmpowerID:

  1. Creates a Core Identity record (if one doesn't exist for this individual)
  2. Links both Person objects to the Core Identity record
  3. Maintains the linkage across future synchronizations

Persona Switching – Users can authenticate with credentials from any linked persona. After authentication, users can:

  • Select which persona to use at login if multiple options exist
  • Switch between linked personas during their session without logging out
  • Perform activities appropriate for the selected persona
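As an added example of the Configuration and Automatic Linking steps above (not EmpowerID code; the rule names, the `CoreIdentityLinker` class, the normalization helper and the sample Person records are all constructed here), the block below evaluates Person records against one of the three matching strategies listed under Configuration, creates a Core Identity record for a matched set if none exists, links every matching persona to it, and leaves the linkage unchanged on later synchronization runs. It also shows the two failure modes a practitioner should check for: the name-only rule linking two different people who share a name, and the Email + EmployeeID rule silently skipping an admin persona that has no mailbox.

```python
from dataclasses import dataclass, field
from typing import Optional
import unicodedata


@dataclass
class PersonRecord:
    """Constructed Person attributes used as matching inputs."""
    person_id: str
    first_name: str
    last_name: str
    birth_date: Optional[str] = None     # ISO date; may be absent for some personas
    email: Optional[str] = None
    employee_id: Optional[str] = None


@dataclass
class CoreIdentity:
    core_id: str
    person_ids: set = field(default_factory=set)


# Hypothetical rule table mirroring the three strategies named on the page.
MATCHING_RULES = {
    "name+birthdate": ("first_name", "last_name", "birth_date"),
    "name": ("first_name", "last_name"),
    "email+employeeid": ("email", "employee_id"),
}


def _norm(value):
    """Case-fold and strip accents so 'Müller' and 'MULLER' compare equal."""
    if value is None:
        return None
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return " ".join(folded.casefold().split())


def match_key(person, rule):
    """Tuple of normalized attributes under `rule`, or None if any is missing:
    two records with an empty attribute must never match each other on it."""
    parts = []
    for attr in MATCHING_RULES[rule]:
        v = _norm(getattr(person, attr))
        if not v:
            return None
        parts.append(v)
    return tuple(parts)


class CoreIdentityLinker:
    def __init__(self, rule):
        self.rule = rule
        self.core_identities = {}   # core_id -> CoreIdentity
        self.person_to_core = {}    # person_id -> core_id
        self._key_to_core = {}      # match key -> core_id
        self._counter = 0

    def synchronize(self, persons):
        """One synchronization pass. Returns (core records created, personas linked);
        a second pass over the same data returns (0, 0)."""
        created = linked = 0
        groups = {}
        for p in persons:
            key = match_key(p, self.rule)
            if key is not None:
                groups.setdefault(key, []).append(p.person_id)
        for key, ids in groups.items():
            if len(ids) < 2 and key not in self._key_to_core:
                continue                       # a lone persona needs no Core Identity
            core_id = self._key_to_core.get(key)
            if core_id is None:                # step 1: create the record if missing
                self._counter += 1
                core_id = f"core-{self._counter}"
                self.core_identities[core_id] = CoreIdentity(core_id)
                self._key_to_core[key] = core_id
                created += 1
            ci = self.core_identities[core_id]
            for pid in ids:                    # step 2: link each matching Person
                if pid not in ci.person_ids:
                    ci.person_ids.add(pid)
                    self.person_to_core[pid] = core_id
                    linked += 1
        return created, linked                 # step 3: existing links survive re-runs

    def personas_of(self, person_id):
        core_id = self.person_to_core.get(person_id)
        if core_id is None:
            return {person_id}
        return set(self.core_identities[core_id].person_ids)


# Constructed sample: a standard/admin pair, an unrelated namesake, and an accented name pair.
SAMPLE_PERSONS = [
    PersonRecord("john.smith", "John", "Smith", "1985-04-12", "john.smith@company.com", "E1001"),
    PersonRecord("john.smith-admin", "John", "Smith", "1985-04-12", None, "E1001"),
    PersonRecord("john.smith2", "John", "Smith", "1990-09-30", "john.smith2@company.com", "E2042"),
    PersonRecord("maria.mueller", "María", "Müller", "1979-01-05", "maria.mueller@company.com", "E3100"),
    PersonRecord("m.mueller-ext", "MARIA", "MULLER", "1979-01-05", None, None),
]

if __name__ == "__main__":
    for rule in MATCHING_RULES:
        linker = CoreIdentityLinker(rule)
        print(rule, linker.synchronize(SAMPLE_PERSONS), linker.personas_of("john.smith"))
```

Run with the high-confidence rule, the two John Smith personas and the two Müller records are linked while the second, unrelated John Smith stays separate; the name-only rule folds all three Johns into one Core Identity, which is the over-linking risk the page's "controlled environments with unique names" caveat points at; and the Email + EmployeeID rule links nothing here because the admin persona carries no email address, so a missing attribute in one persona quietly defeats the rule rather than producing a wrong link.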

Core Identity links multiple Person objects (personas) representing the same individual while maintaining separate accounts and access for each persona

Benefits of Core Identity

Governance and Compliance – Core Identity provides consolidated governance across all personas. Security teams and auditors can:

  • View all personas associated with an individual
  • Track when users switch between personas
  • Correlate activities across personas for security investigations
  • Ensure privileged access policies apply to all appropriate personas

User Experience – Users with multiple personas benefit from:

  • Seamless switching between standard and privileged accounts without repeated logins
  • Consistent user experience across personas
  • Clear context about which persona they're currently using

Access Separation – Despite linking personas, Core Identity maintains critical separations:

  • Each Person object retains its own accounts and permissions
  • Audit logs distinguish which persona performed specific actions
  • Access policies apply independently to each persona
  • Group memberships and resource assignments remain separate

When to Use Core Identity

Core Identity is appropriate when:

Privileged access management – IT administrators, database administrators, and other privileged users require separate accounts for standard and administrative activities.

Multi-domain environments – Users have accounts in different Active Directory domains or forests representing the same individual (e.g., acquisition scenarios, federated environments).

Role-based separation – Individuals perform distinct roles requiring separate identities with different access patterns (e.g., employee who is also a contractor, individuals with both vendor and employee relationships).

Core Identity is not necessary when users simply have multiple accounts in different systems (AD + Entra ID + SAP) without needing distinct personas. In those cases, the standard Person-to-Account relationship provides sufficient identity management.

Configuring Core Identity

To configure Core Identity linking rules in EmpowerID, see Configuring Core Identity. This guide provides procedures for:

  • Enabling Core Identity matching rules
  • Configuring attribute-based matching criteria
  • Verifying that Core Identity linking is working correctly

Next Steps

Learn more about managing identities in EmpowerID: