Account Inbox
The Account Inbox determines how discovered user accounts link to Person objects within the Identity Warehouse. When Inventory discovers accounts in connected systems, those accounts require evaluation to establish their relationship to managed identities. The Account Inbox processes this evaluation through configurable join and provision rules, producing one of three outcomes—joining accounts to existing Persons, provisioning new Persons for unmatched accounts, or leaving accounts unprocessed for administrative handling.
This automated evaluation and linkage process forms the foundation of unified identity management in EmpowerID. By intelligently matching accounts to Persons through attribute-based rules, the Account Inbox creates the associations enabling comprehensive identity governance. These associations allow role assignments, access policies, and lifecycle workflows to operate on Persons while automatically affecting all linked accounts across multiple systems.
The Account Inbox operates continuously, processing newly discovered accounts from Inventory and ensuring every user account has appropriate Person linkage. This ongoing processing maintains identity layer integrity as new users join the organization, existing users acquire additional accounts, and account attributes change over time.
Account Inbox Purpose and Function
Identity Aggregation Challenge
Organizations managing identities across multiple systems face the fundamental challenge of creating a unified view of individuals who maintain accounts in different directories and applications. A single employee might have an Active Directory account, an SAP account, a Salesforce account, and accounts in numerous other systems. Without intelligent aggregation, each account exists as an isolated identity with no connection to the others.
The Account Inbox solves this aggregation challenge by automatically linking these disparate accounts to a single Person object representing the individual. This linkage transforms disconnected accounts into a unified identity, enabling centralized management of access rights, role assignments, and lifecycle events affecting all accounts simultaneously.
Person-Centric Identity Model
EmpowerID's identity model centers on Person objects as the primary managed identity. All role assignments, policy evaluations, and lifecycle workflows operate at the Person level. Individual accounts in external systems serve as the technical implementation of identity, but the Person object provides the logical aggregation point enabling unified governance.
The Account Inbox creates and maintains this Person-centric model by continuously evaluating new accounts and determining their relationship to existing Persons. This evaluation uses configurable matching rules based on attributes such as employee ID, email address, or name combinations, ensuring accounts link to the correct Person with high accuracy.
Three Processing Outcomes
Before evaluation, accounts pass through initial filtering that excludes service accounts, system accounts, and accounts missing essential identity attributes (first name and last name). These filtered accounts are ignored and marked as already processed, preventing them from entering Account Inbox evaluation.
For accounts passing this filter, Account Inbox evaluation produces three possible outcomes:
Join to Existing Person — Accounts matching existing Persons through configured join rules are linked to those Persons, inheriting their role assignments, policy evaluations, and management contexts.
Provision New Person — Accounts without matches to existing Persons may trigger automatic Person creation when provision rules determine the account represents a new individual requiring management within EmpowerID.
Remain Unprocessed — Accounts failing both join matching and provision criteria remain in the Account table without Person linkage. Administrators can view these accounts through the Account Inbox interface and manually determine appropriate handling.
Join and Provision Rules
Account Filtering
Before join and provision evaluation begins, the Account Inbox applies filters determining which accounts qualify for processing. These filters examine account attributes to distinguish user accounts from service accounts, system accounts, and other non-human identities that don't require Person linkage.
Standard filter criteria include verification of first name and last name attributes, account status (active versus disabled or deleted), and account creation date. Accounts missing essential identity attributes or flagged as non-user accounts are excluded from processing, ensuring only legitimate user accounts proceed to join and provision evaluation.
Organizations can customize filter criteria to accommodate specific requirements, adding conditions based on organizational unit location, account naming patterns, or custom attribute values. This filtering capability ensures the Account Inbox focuses processing resources on accounts requiring Person linkage while excluding accounts that should remain as standalone directory objects.
Join Rule Logic
Join rules define the matching criteria determining whether an account should link to an existing Person. These rules specify which attribute combinations constitute a valid match, balancing accuracy against the risk of false positives or false negatives.
Default join rules require matching first name and last name attributes plus one of several additional attributes:
| Join Criteria | Description |
|---|---|
| Employee ID Match | Account employee ID matches Person employee ID |
| Email Address Match | Account email matches Person email |
| Date of Birth Match | Account birthdate matches Person birthdate |
| Personal Email Match | Account personal email matches Person personal email |
When an account matches an existing Person through any configured join rule, the Account Inbox creates the linkage by setting the account's PersonID field to match the Person's identifier. The account inherits role assignments, policy evaluations, and management context from the Person immediately, ensuring access rights reflect organizational roles and responsibilities.
Join rules can be customized to accommodate organization-specific matching requirements. Custom rules might use additional attributes such as employee number combined with hire date, national identification numbers, or custom identifier fields populated from HR systems. Organizations can also configure multiple join rules operating in precedence order, with more specific rules evaluated before broader matching criteria.
Provision Rule Logic
Provision rules determine when the Account Inbox should create new Person objects for accounts that don't match existing Persons. These rules prevent unwanted Person creation while ensuring legitimate new users receive proper identity management from the moment their accounts are discovered.
Provision rules evaluate accounts against configured criteria including:
- Account source system (only designated authoritative sources trigger provisioning)
- Account status and completeness (required attributes must be populated)
- Organizational attributes (department, location, or other contextual data)
- Custom conditions defined through SQL logic or attribute evaluation
When provision rules determine an account represents a new individual requiring management, the Account Inbox creates a new Person object and joins the account to that Person. The new Person receives initial attribute values from the joined account, establishing baseline identity data. Provisioning policies may execute immediately, granting birthright access based on the Person's attributes and calculated role assignments.
Organizations often configure different provision rules for different account stores based on their role as authoritative sources. HR system account stores typically have liberal provision rules that create Persons for any new employee account, while other systems have restrictive or disabled provision rules preventing Person creation from secondary accounts.
Processing Mechanisms
Account Inbox Permanent Workflow
The Account Inbox operates through a permanent workflow—a continuously running process that monitors the Identity Warehouse for new accounts requiring evaluation. This workflow executes at regular intervals, typically every few minutes, claiming unprocessed accounts and applying join and provision rules.
The permanent workflow architecture provides several benefits over real-time processing at inventory. Batch processing enables efficient handling of large account volumes discovered during initial system connectivity. Scheduled execution allows resource allocation optimization during off-peak hours. Workflow-based processing provides flexibility for customization and integration with approval processes when required.
Bulk Processing
When the Account Inbox claims unprocessed accounts, it processes them in batches rather than individually. Batch processing typically handles 1,000 accounts per cycle, optimizing database performance and memory utilization while ensuring timely processing of newly discovered accounts.
Bulk processing includes automatic retry logic for accounts that encounter temporary errors during evaluation. Accounts failing processing due to transient issues are automatically retried during subsequent cycles, ensuring eventual successful processing without manual intervention.
Processing Status Tracking
The Account Inbox maintains detailed status information for each account through processing. Status values indicate whether accounts are awaiting processing, currently being evaluated, successfully processed and joined, or encountered errors requiring attention.
Processing status enables monitoring and troubleshooting through the Account Inbox interface. Administrators can view accounts by status, identifying accounts awaiting processing, accounts that failed to match any join rules, or accounts that encountered errors during evaluation. This visibility supports operational monitoring and rapid resolution of processing issues.
Configuration and Control
Account Store Settings
Account stores include configuration settings controlling how the Account Inbox processes accounts discovered from that store. These settings balance automation against administrative control, allowing organizations to tailor processing behavior to each system's role in the identity landscape.
Allow Automatic Person Join on Inventory — When enabled, the Account Inbox automatically joins newly discovered accounts to existing Persons when join rules find matches. Disabling this setting prevents automatic joining, requiring manual review for all secondary accounts.
Allow Automatic Provision Person on Inventory — When enabled, the Account Inbox automatically provisions new Persons for accounts that don't match existing Persons and meet provision rule criteria. Disabling this setting prevents automatic Person creation, requiring manual provisioning decisions.
Maximum Accounts Per Person — Limits how many accounts from this account store can link to a single Person. This safeguard prevents runaway errors from misconfigured join rules that might incorrectly match hundreds of accounts to a single Person.
These settings provide granular control over Account Inbox behavior for each connected system. Authoritative sources like HR systems typically enable both automatic joining and provisioning, while secondary systems may enable joining but disable provisioning to prevent Person creation from non-authoritative sources.
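As an added example (not EmpowerID code), the following Python models the filtering, join and provision evaluation described under Join and Provision Rules together with the account store settings just listed, including the multiple-match and Maximum Accounts Per Person exception paths, which are flagged rather than auto-resolved. The STORE_SETTINGS values, the ANCHORS tuple, the flat dict data model and the sample Persons and accounts are constructed assumptions.

```python
# Added example, not EmpowerID code: a model of Account Inbox evaluation. Setting names
# mirror the page's account store settings; the data model and sample values are constructed.
STORE_SETTINGS = {  # per-store settings: HR is the authoritative source, AD is not
    "HR": {"auto_join": True, "auto_provision": True, "max_per_person": 1},
    "AD": {"auto_join": True, "auto_provision": False, "max_per_person": 1},
}
ANCHORS = ("employee_id", "email", "birthdate", "personal_email")  # default join rule anchors
def _norm(v): return (v or "").strip().lower()

def passes_filter(account):
    """Initial filtering: drop service, disabled and nameless accounts before any rule runs."""
    return bool(_norm(account.get("first")) and _norm(account.get("last")) and account.get("enabled", True) and not account.get("service", False))

def matching_persons(account, persons):
    """Every Person satisfying the default join rule: first + last name plus one anchor."""
    hits = []
    for p in persons:
        if _norm(p["first"]) != _norm(account["first"]) or _norm(p["last"]) != _norm(account["last"]):
            continue
        if any(_norm(account.get(k)) and _norm(account.get(k)) == _norm(p.get(k)) for k in ANCHORS):
            hits.append(p)
    return hits

def evaluate(account, persons, accounts):
    """Join or provision in place and return this account's outcome."""
    if not passes_filter(account):
        return "filtered"
    cfg = STORE_SETTINGS[account["store"]]
    hits = matching_persons(account, persons)
    if len(hits) > 1:                        # ambiguous: flag for an administrator, never guess
        return "exception:multiple_matches"
    if hits:
        if not cfg["auto_join"]:
            return "unprocessed"             # joining disabled for this store: manual review
        person = hits[0]
        linked = sum(a.get("person_id") == person["person_id"] and a["store"] == account["store"] for a in accounts)
        if linked >= cfg["max_per_person"]:  # Maximum Accounts Per Person safeguard
            return "exception:max_accounts_per_person"
        account["person_id"] = person["person_id"]
        return "joined"
    if cfg["auto_provision"]:                # no match and this store may create Persons
        person = {"person_id": len(persons) + 1, **{k: account.get(k) for k in ("first", "last") + ANCHORS}}
        persons.append(person)
        account["person_id"] = person["person_id"]
        return "provisioned"
    return "unprocessed"                     # stays in the Account table for manual handling
# Constructed sample: one existing Person and six discovered accounts, processed in order.
PERSONS = [{"person_id": 1, "first": "Ana", "last": "Silva", "employee_id": "E100", "email": "ana@corp.example"}]
ACCOUNTS = [
    {"id": 1, "store": "HR", "first": "Ana", "last": "Silva", "employee_id": "E100"},   # joins Person 1
    {"id": 2, "store": "AD", "first": "Ana", "last": "Silva", "email": "ANA@corp.example"},  # joins Person 1
    {"id": 3, "store": "HR", "first": "Ben", "last": "Okafor", "employee_id": "E200"},  # provisions Person 2
    {"id": 4, "store": "AD", "first": "Cy", "last": "Lee", "employee_id": "E300"},      # AD cannot provision
    {"id": 5, "store": "AD", "first": "svc-backup", "last": "", "service": True},       # filtered out
    {"id": 6, "store": "HR", "first": "Ana", "last": "Silva", "employee_id": "E100"},   # exceeds max per Person
]
def demo():
    """Run the batch on copies; returns (outcomes by account id, accounts, persons)."""
    accounts, persons = [dict(a) for a in ACCOUNTS], [dict(p) for p in PERSONS]
    return {a["id"]: evaluate(a, persons, accounts) for a in accounts}, accounts, persons
```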
Join and Provision Rule Customization
Organizations can customize join and provision rules to accommodate unique matching requirements and provisioning policies. Custom join rules might incorporate organization-specific identifiers, combine multiple attributes in complex matching logic, or use custom SQL queries for sophisticated evaluation.
Custom provision rules enable conditional Person creation based on account attributes, organizational context, or integration with external approval processes. Organizations can implement multi-stage provisioning where certain account types trigger immediate Person creation while others require approval workflows before provisioning occurs.
Core Identity Integration
When Core Identities are configured, the Account Inbox can automatically link newly provisioned Persons to existing Core Identities based on configured matching criteria. This integration ensures multiple Person identities belonging to the same individual (such as standard and privileged accounts) link through their shared Core Identity, enabling coordinated lifecycle management.
Core Identity join rules typically use matching first and last names combined with additional anchor attributes like employee ID or birthdate. The Core Identity Permanent Workflow must be active to create and maintain Core Identity relationships as new Persons are provisioned.
Integration with Identity Lifecycle
Onboarding Integration
For joiner processes, the Account Inbox provides critical linkage between discovered accounts and managed Person identities. When Inventory discovers new employee accounts in authoritative systems, the Account Inbox evaluates those accounts through join rules. Accounts without existing Person matches trigger provision rules, creating new Persons representing newly hired employees.
Newly provisioned Persons immediately enter lifecycle automation. The Business Role and Location Recompiler evaluates external role and location assignments from the source account, calculating appropriate EmpowerID Business Role and Location assignments. Provisioning policies execute automatically, granting birthright access based on calculated roles. Onboarding workflows trigger, managing additional provisioning tasks and notifications.
Mover Process Support
Throughout employment, individuals may acquire additional accounts as they access new systems or receive specialized access requirements. The Account Inbox processes these secondary accounts, joining them to existing Persons through join rules. This automatic linkage ensures new accounts inherit existing role assignments and policy evaluations, maintaining consistent access rights across all accounts belonging to an individual.
When individuals change roles within the organization, attribute changes discovered through Inventory flow to their Person objects. These attribute changes may trigger Business Role and Location recalculation, updating role assignments and initiating mover workflows that adjust access across all linked accounts.
Leaver Process Support
The Account Inbox supports leaver processes by providing the Person-to-account linkage enabling coordinated termination. When leaver workflows detect termination criteria, they operate on Person objects, triggering access removal that automatically affects all linked accounts. This unified deactivation prevents scenarios where accounts in some systems remain active after termination because they weren't individually identified for cleanup.
Data Quality and Governance
The Account Inbox maintains identity data quality by preventing duplicate Person creation and ensuring accurate account-to-Person linkage. Join rule accuracy directly impacts data quality—overly broad rules risk incorrectly joining unrelated accounts to the same Person, while overly narrow rules risk creating duplicate Persons for the same individual.
Organizations monitor Account Inbox processing to identify patterns indicating rule refinement needs. High volumes of unprocessed accounts may indicate join rules that are too restrictive. Multiple Persons sharing similar attributes may indicate join rules that are too narrow, missing legitimate matches and allowing duplicate Persons to be provisioned.
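As an added example (not EmpowerID code) of the monitoring described above, the following Python flags Persons that share a name and an anchor attribute, the symptom of a join rule that is too narrow, and computes the share of evaluated accounts left unprocessed. The Person data model, the ANCHORS tuple, the sample records and the string outcome labels are constructed assumptions.

```python
# Added example, not EmpowerID code: data-quality checks for the patterns described above.
# The Person data model, ANCHORS and the sample records are constructed assumptions.
from itertools import combinations

ANCHORS = ("employee_id", "email", "birthdate", "personal_email")  # default join rule anchors

def _norm(v): return (v or "").strip().lower()

def probable_duplicates(persons):
    """Return (person_id_a, person_id_b, anchor) for each Person pair a join rule should have merged."""
    by_name = {}
    for p in persons:  # group by normalised first + last name, the mandatory part of the join rule
        by_name.setdefault((_norm(p["first"]), _norm(p["last"])), []).append(p)
    findings = []
    for group in by_name.values():
        for a, b in combinations(group, 2):
            for k in ANCHORS:
                if _norm(a.get(k)) and _norm(a.get(k)) == _norm(b.get(k)):
                    findings.append((a["person_id"], b["person_id"], k))
                    break  # one shared anchor is enough to flag the pair
    return findings

def unprocessed_ratio(outcomes):
    """Share of evaluated (non-filtered) accounts left unprocessed; high values suggest over-restrictive rules."""
    evaluated = [o for o in outcomes.values() if o != "filtered"]
    return sum(o == "unprocessed" for o in evaluated) / len(evaluated) if evaluated else 0.0

# Constructed sample: Person 3 duplicates Person 1 (same name and employee ID, different email);
# Person 4 shares the name only and must not be flagged.
PERSONS = [
    {"person_id": 1, "first": "Ana", "last": "Silva", "employee_id": "E100", "email": "ana@corp.example"},
    {"person_id": 2, "first": "Ben", "last": "Okafor", "employee_id": "E200"},
    {"person_id": 3, "first": "ana", "last": "Silva ", "employee_id": "E100", "email": "a.silva@corp.example"},
    {"person_id": 4, "first": "Ana", "last": "Silva", "employee_id": "E400"},
]
```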
Account Inbox Monitoring
Processing Visibility
The Account Inbox interface provides administrative visibility into account processing status. Administrators can view accounts by processing outcome—successfully joined, provisioned with new Persons, or remaining unprocessed. This visibility supports operational monitoring and enables rapid identification of processing issues requiring attention.
Processing detail views show which join rules matched for successfully joined accounts, what provision rules triggered for newly created Persons, and why accounts remain unprocessed. This diagnostic information supports troubleshooting of join rule accuracy and provision rule configuration.
Administrative Handling of Unprocessed Accounts
Accounts remaining unprocessed require administrative determination of appropriate handling. Common scenarios include accounts with incomplete attributes that prevent automatic matching, accounts from non-authoritative sources where automatic provisioning is disabled, or accounts matching multiple Persons where manual selection is required.
Administrators review unprocessed accounts through the Account Inbox interface, examining account attributes and existing Person records to determine correct linkage. Manual joining creates the same account-to-Person relationship that automatic joining produces, ensuring manually processed accounts integrate fully into lifecycle management.
Exception Handling
The Account Inbox includes exception handling for edge cases such as accounts matching multiple Persons or Persons linked to more accounts than allowed by the Maximum Accounts Per Person setting. These exceptions flag potential data quality issues requiring investigation—multiple matches may indicate duplicate Person records that should be merged, while excessive accounts per Person may indicate misconfigured join rules.
Exception handling prevents automatic processing that might create incorrect linkages, flagging problematic accounts rather than making potentially incorrect automated decisions.
Performance and Scalability
Batch Processing Optimization
The Account Inbox batch processing architecture provides performance benefits for organizations with large user populations. Processing accounts in batches of 1,000 enables efficient database operations and memory management while maintaining processing throughput adequate for most organizational needs.
Processing interval configuration allows organizations to balance processing frequency against resource utilization. More frequent processing intervals (every few minutes) provide near real-time Person provisioning for newly discovered accounts. Less frequent intervals (hourly or daily) reduce resource consumption in environments where immediate processing is not required.
Inventory Integration
The Account Inbox integrates tightly with Inventory scheduling to ensure timely processing of newly discovered accounts. When Inventory executes on frequent schedules providing near real-time account discovery, the Account Inbox permanent workflow executes on similarly frequent schedules to maintain processing currency.
This coordination ensures newly hired employees receive proper Person identity and birthright access provisioning shortly after their accounts appear in connected systems, supporting day-one productivity for new hires.
Related Documentation
For additional context on components that interact with Account Inbox:
- EmpowerID Identity Warehouse - Person objects and account linkage
- Inventory - Account discovery feeding the Account Inbox
- Attribute Flow - Synchronization of attributes between linked accounts and Persons
- Business Role and Location Assignments - Role calculation for newly provisioned Persons
- Change Data Capture Engine and Kusto Query - Detection of attribute changes affecting Person linkage