EmpowerID Identity Warehouse
The EmpowerID Identity Warehouse serves as the central repository for identity and entitlement data across all connected systems within an organization. Unlike traditional directory services such as Active Directory or LDAP that maintain a single identity store for a specific system, the Identity Warehouse aggregates identity and entitlement information from multiple sources into a unified data model.
This architecture provides comprehensive visibility into user identities, their accounts across various systems, role assignments, resource entitlements, and audit history—all accessible from a single authoritative repository.
Organizations managing identities across hybrid cloud and on-premises environments face the challenge of maintaining data consistency when user information resides in multiple disconnected systems. The Identity Warehouse addresses this challenge by creating a comprehensive identity layer unifying data from HR systems, Active Directory domains, cloud directories, SaaS applications, and other resource systems.
This centralized approach eliminates information silos, maintains data integrity, and provides the foundation for automated lifecycle management, access governance, and compliance reporting.
Identity and Entitlement Warehouse Architecture
Distinction from Traditional Directory Services
Traditional directory services like Azure Active Directory, LDAP, or other enterprise directories function as single-purpose identity stores specific to particular systems. Each maintains its own set of user accounts with limited visibility into identities managed by other directories.
The EmpowerID Identity Warehouse operates as a meta-directory that aggregates information from diverse systems. It connects to multiple directory services and external systems including SAP, Azure Active Directory, ServiceNow, Workday, Salesforce, and others, inventorying and ingesting their identity data into a unified repository.
This aggregation provides comprehensive visibility into all identities within the organization and enables centralized management of users maintaining accounts across multiple systems.
Database Architecture
The Identity Warehouse is built on Microsoft SQL Server and comprises an extensive data model designed to represent the full complexity of enterprise identity management:
- Over 1,200 tables storing identity, resource, and entitlement data
- Approximately 700 views providing queryable representations of complex relationships
- More than 20,000 stored procedures implementing identity management logic and workflows
Each object type managed by EmpowerID has corresponding tables storing type-specific attributes and metadata. For example, user accounts are stored in the Account table, Person objects in the Person table, groups in the Group table, and mailboxes in the ExchangeMailbox table. These tables are exposed programmatically through the EmpowerID Web Services API, enabling automated identity management operations and integration with external systems.
Identity Model
Understanding the EmpowerID identity model is essential for effective identity lifecycle management. The model defines three primary identity types working together to represent individuals and their access across the enterprise.
Person Identity
The Person object represents the central managed identity within EmpowerID. Think of the Person as the "user" in EmpowerID—it serves as the primary aggregating component for all accounts an individual owns across different systems.
Person objects are the foundation for identity management in EmpowerID:
- All role and access assignments (RBAC, ABAC, PBAC) are associated with Persons
- Attribute synchronization flows through Persons to connected accounts
- Audit trails and compliance reporting track activities at the Person level
- Provisioning policies and lifecycle workflows operate on Persons
When EmpowerID inventories user accounts from connected systems, it joins those accounts to Person objects through intelligent matching rules based on attributes such as employee ID, email address, or name combinations. This joining process creates the unified identity view enabling comprehensive identity management.
Account Objects
Account objects represent technology-based identities in external systems. Each Person can have multiple accounts corresponding to different systems—Active Directory accounts, SAP accounts, LDAP accounts, Azure AD accounts, and others.
Accounts are linked to Persons to establish ownership and relationships. This linkage enables:
- Comprehensive visibility into all accounts owned by an individual
- Synchronized attribute updates across multiple systems
- Centralized password management and reset capabilities
- Unified access reviews covering all accounts
Not all accounts require a dedicated Person object. Service accounts, system accounts, and other non-human identities may be managed as standalone accounts without Person linkage when they don't require identity lifecycle management or access governance.
Core Identity
The Core Identity provides an optional layer for managing multiple Person identities belonging to the same individual. This concept becomes important when organizations need to maintain separate managed identities for different purposes—for example, a standard operational identity and a privileged administrative identity—while recognizing they belong to the same person.
Core Identity enables:
- Tracking multiple managed identities belonging to one individual
- Cascading operations such as terminations that must affect all related identities
- Segregation of duties enforcement across multiple Person identities
- Attribute synchronization between related Persons
For example, an employee named "Joe Smith" might have a primary Person identity for day-to-day operations and a separate Person identity for administrative tasks requiring elevated privileges. Both Persons would be linked through a Core Identity, ensuring lifecycle events affecting Joe Smith—such as termination—cascade appropriately to all associated identities.
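The cascade described above, as an added example in Python that is not EmpowerID's own code: a minimal Core Identity to Person to Account model in which a termination disables every account of every linked Person. The class names, identifiers and account stores are constructed for this illustration and do not reflect EmpowerID's actual tables or API.

```python
# Added example (not EmpowerID code): a minimal Core Identity -> Person -> Account model
# that cascades a termination event to every linked identity. All names are illustrative.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_store: str        # constructed sample, e.g. "corp.example AD"
    sam: str                  # login name inside that account store
    enabled: bool = True


@dataclass
class Person:
    person_id: str
    display_name: str
    privileged: bool = False  # True for a separate administrative identity
    status: str = "Active"
    accounts: list = field(default_factory=list)


@dataclass
class CoreIdentity:
    core_id: str
    persons: list = field(default_factory=list)


def terminate_core_identity(core: CoreIdentity) -> dict:
    """Terminate every Person under the Core Identity and disable all of their accounts.

    Returns {person_id: [accounts disabled by this call]} so the cascade can be audited.
    Accounts that were already disabled are not reported again, which keeps the
    operation idempotent if the termination event is delivered twice.
    """
    summary = {}
    for person in core.persons:
        person.status = "Terminated"
        disabled = []
        for acct in person.accounts:
            if acct.enabled:
                acct.enabled = False
                disabled.append(f"{acct.account_store}\\{acct.sam}")
        summary[person.person_id] = disabled
    return summary


def build_sample() -> CoreIdentity:
    """Constructed sample: Joe Smith with a day-to-day Person and a privileged admin Person."""
    joe = Person("P-1001", "Joe Smith", accounts=[
        Account("corp.example AD", "jsmith"),
        Account("Azure AD tenant", "jsmith@corp.example"),
    ])
    joe_admin = Person("P-1002", "Joe Smith (Admin)", privileged=True, accounts=[
        Account("corp.example AD", "adm-jsmith"),
    ])
    return CoreIdentity("CI-42", persons=[joe, joe_admin])


if __name__ == "__main__":
    core = build_sample()
    print(terminate_core_identity(core))
```

The point of routing the event through the Core Identity rather than the Person is visible in the summary: the privileged `adm-jsmith` account is disabled even though it belongs to a different Person than the one HR would normally report as terminated.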
Resource Systems and Security Boundaries
Resource Systems
Resource Systems in EmpowerID represent the external IT systems EmpowerID connects to and manages. Each resource system has its own record in the Identity Warehouse with a unique identifier and associated connector definition. Resource systems include:
- Active Directory domains
- LDAP directories
- HR systems (Workday, SAP SuccessFactors, etc.)
- Cloud directories (Azure AD, Google Workspace)
- SaaS applications (Salesforce, ServiceNow, etc.)
- Collaboration platforms (Microsoft 365, SharePoint)
- The EmpowerID system itself
EmpowerID manages 73 different resource types across these systems, ranging from basic objects like Person and Account to specialized types such as Azure Application objects, SharePoint Online groups, and SAP transaction codes.
Account Stores
Account Stores are a specialized category of resource systems containing identities capable of authentication. Account stores function as user directories with authentication capabilities, such as Active Directory domains or Azure AD tenants. They extend the basic resource system definition to include detailed information about contained identities, authentication mechanisms, and behavior configuration.
Not all resource systems function as account stores. For example, Microsoft Exchange is a resource system that depends on Active Directory or Azure AD for authentication rather than maintaining its own account store.
Security Boundaries
Security Boundaries in EmpowerID are analogous to Active Directory forests—they define authentication and trust relationships between account stores. Security boundaries provide the identity and authentication framework for account stores and resource systems, allowing users with accounts in one account store to access resources in another account store when those stores belong to the same security boundary or have established trust relationships.
The security boundary concept enables:
- Cross-domain access within federated environments
- Trust relationship management between different identity systems
- Consistent security policy enforcement across related systems
- Coordinated authentication and authorization flows
EmpowerID itself operates as both a resource system and a security boundary, with implicit trust relationships to all other security boundaries it manages.
Identity Warehouse Capabilities
Unified Identity Management
The Identity Warehouse provides comprehensive identity management capabilities across all connected systems:
Master Identity Management — Account objects from different systems (SAP accounts, Azure AD accounts, ServiceNow accounts) are joined to a single Person identity, creating a unified view of all identities associated with an individual. This enables streamlined identity management and attribute synchronization across disparate systems.
Delegated Administration — Centralized management of identity administration processes across multiple platforms follows a least-privilege approach. Administrators receive delegated authority for specific organizational units, locations, or business roles without requiring direct access to underlying systems.
Password Synchronization — Password changes propagate automatically across managed systems. When a user resets their password, the change flows to all connected systems (IBM, SAP, Microsoft, Salesforce) maintaining consistency and enhancing security.
Access Governance and Compliance
Risk Management and Segregation of Duties — The unified data model enables policy definition and evaluation across multiple directories. Organizations can prevent access conflicts—ensuring a user's role in an SAP system doesn't grant conflicting privileges in Active Directory—and enforce segregation of duties policies across the enterprise.
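An added example, written in Python and not taken from EmpowerID, of the cross-system evaluation this paragraph describes: segregation-of-duties rules whose two sides may live in different resource systems (an SAP role on one side, an AD group on the other) are checked against the union of entitlements a Person holds across all joined accounts. It also unions the entitlements of several Persons, which is how a check across the Persons under one Core Identity (see Core Identity above) would look. Rule ids, role names and group names are constructed.

```python
# Added example (not EmpowerID code): evaluate segregation-of-duties rules over the
# entitlements a Person holds across several connected systems. Names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    system: str   # resource system the entitlement lives in, e.g. "SAP" or "AD"
    name: str     # role, group or transaction code within that system


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    left: Entitlement
    right: Entitlement
    description: str


def aggregate_entitlements(accounts_by_system: dict) -> set:
    """Flatten one Person's {system: [entitlement names]} into a set of Entitlement objects."""
    return {Entitlement(system, name)
            for system, names in accounts_by_system.items() for name in names}


def held_by_persons(persons: list) -> set:
    """Union the entitlements of several Persons, e.g. all Persons under one Core Identity."""
    return set().union(*(aggregate_entitlements(p) for p in persons))


def evaluate_sod(held: set, rules: list) -> list:
    """Return the ids of rules violated by the given entitlement set.

    A rule is violated when both sides are held, regardless of which system each
    side comes from; that is what makes the check cross-directory."""
    return sorted(r.rule_id for r in rules if r.left in held and r.right in held)


# Constructed policy: creating vendors must not be combined with approving payments,
# whether the approval right is an SAP role or an AD group that gates the payments app.
SAMPLE_RULES = [
    SodRule("SOD-001", Entitlement("SAP", "ZVENDOR_CREATE"),
            Entitlement("SAP", "ZPAYMENT_APPROVE"),
            "Vendor creation vs payment approval (both in SAP)"),
    SodRule("SOD-002", Entitlement("SAP", "ZVENDOR_CREATE"),
            Entitlement("AD", "FIN-Payment-Approvers"),
            "Vendor creation in SAP vs payment approvers group in AD"),
]

# Constructed sample: one individual with a day-to-day Person and an admin Person.
PERSON_DAY_TO_DAY = {"SAP": ["ZVENDOR_CREATE", "ZREPORT_VIEW"], "AD": ["All-Employees"]}
PERSON_ADMIN = {"AD": ["FIN-Payment-Approvers", "FIN-App-Admins"]}

if __name__ == "__main__":
    print(evaluate_sod(aggregate_entitlements(PERSON_DAY_TO_DAY), SAMPLE_RULES))  # []
    print(evaluate_sod(aggregate_entitlements(PERSON_ADMIN), SAMPLE_RULES))       # []
    print(evaluate_sod(held_by_persons([PERSON_DAY_TO_DAY, PERSON_ADMIN]), SAMPLE_RULES))
```

Each Person passes on its own; only the union over both Persons surfaces `SOD-002`, which is the case a per-directory check, or a per-Person check without Core Identity linkage, would miss.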
Access Recertification — Administrators perform access certification procedures across all managed systems simultaneously. Reviewers see complete access profiles including accounts, group memberships, and role assignments from all connected systems, enabling comprehensive periodic access reviews.
Audit Trail Management — The Identity Warehouse maintains complete historical records of identity changes, access modifications, and administrative actions. These audit trails support regulatory compliance requirements (SOX, HIPAA, GDPR) and provide evidence for security investigations.
Attribute Flow and Synchronization
Identity data remains consistent across multiple systems through the Attribute Flow engine, which synchronizes attributes between the Identity Warehouse and connected systems based on configured authority rules. When an employee's department changes in the HR system, that change propagates to their Person object in the Identity Warehouse and flows to all connected accounts according to configured synchronization rules.
For detailed information on attribute synchronization, see Attribute Flow.
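An added example, in Python and not EmpowerID's Attribute Flow engine, of the authority-rule behaviour just described: each Person attribute names the system that is authoritative for it, an inbound change is accepted only from that system, and an accepted value is written to the Person and then flowed outward to connected accounts through per-system attribute mappings. The system names (Workday, AD, AzureAD, SAP), attribute names and mappings are constructed for this illustration.

```python
# Added example (not EmpowerID code): a small authority-rule evaluator for attribute flow.
# Systems, attribute names, mappings and values are all constructed.

# Authority rules: which system may write each Person attribute.
AUTHORITY = {
    "department": "Workday",
    "title": "Workday",
    "mobilePhone": "Person",   # maintained on the Person itself; no connected system is authoritative
}

# Outbound mappings: Person attribute -> attribute name in each target account store.
OUTBOUND = {
    "AD":      {"department": "department", "title": "title", "mobilePhone": "mobile"},
    "AzureAD": {"department": "department", "title": "jobTitle"},
    "SAP":     {"department": "ORGEH"},
}


def apply_inbound_change(person: dict, accounts: dict, source: str, attr: str, value: str) -> dict:
    """Apply a change observed in `source`.

    Returns {"accepted": bool, "flowed": {system: {target_attr: value}}}. A change from a
    non-authoritative source is rejected, so a direct edit in a target system cannot
    overwrite the HR-authoritative value; the next flow from the authority re-asserts it.
    """
    if AUTHORITY.get(attr) != source:
        return {"accepted": False, "flowed": {}}
    person[attr] = value
    flowed = {}
    for system, mapping in OUTBOUND.items():
        if system in accounts and attr in mapping:
            target_attr = mapping[attr]
            accounts[system][target_attr] = value
            flowed[system] = {target_attr: value}
    return {"accepted": True, "flowed": flowed}


def build_sample():
    """Constructed sample: one Person joined to AD, Azure AD and SAP accounts."""
    person = {"personId": "P-1001", "department": "Finance", "title": "Analyst"}
    accounts = {
        "AD": {"department": "Finance", "title": "Analyst", "mobile": ""},
        "AzureAD": {"department": "Finance", "jobTitle": "Analyst"},
        "SAP": {"ORGEH": "Finance"},
    }
    return person, accounts


if __name__ == "__main__":
    person, accounts = build_sample()
    # HR moves the employee: accepted and flowed to all three accounts.
    print(apply_inbound_change(person, accounts, "Workday", "department", "Treasury"))
    # Someone edits the title directly in AD: rejected, Person and accounts unchanged.
    print(apply_inbound_change(person, accounts, "AD", "title", "Director"))
```

The rejected AD edit is the security-relevant case: without the authority check, a write in any one connected system would become the enterprise-wide value for that attribute.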
Inventory and Population
When EmpowerID connects to a resource system, the inventory process discovers system topology and populates the Identity Warehouse with resource objects. For account stores like Active Directory, inventory creates Security Boundary objects, Account Store objects, Resource System objects, and Directory Server objects representing the discovered infrastructure.
The inventory process then discovers resource objects—accounts, groups, mailboxes, roles—and adds them as records to the appropriate Identity Warehouse tables. User accounts discovered during inventory are evaluated through Join and Provision rules to determine their relationship to Person objects. Accounts matching existing Persons through configured criteria (employee ID, email address, name attributes) are joined to those Persons. Accounts without matches result in new Person object creation based on configured provisioning rules.
This continuous inventory process keeps the Identity Warehouse synchronized with connected systems, discovering new accounts, detecting attribute changes, and identifying deleted objects for lifecycle management.
For detailed information on the inventory process, see Inventory.
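The Join and Provision evaluation described in the inventory paragraphs above, and the matching rules mentioned under Person Identity, as an added Python example that is not EmpowerID's own Account Inbox logic: ordered join rules (employee ID, then email, then name) are tried against inventoried accounts; exactly one match joins, several matches on a weak attribute are parked for review rather than auto-joined, and no match falls through to a provision rule that creates a new Person. Sample Persons, the AD-style attribute names and all values are constructed.

```python
# Added example (not EmpowerID code): ordered join rules with ambiguity handling, plus a
# provision rule for unmatched accounts. Persons, accounts and attribute names are constructed.

PERSONS = [
    {"personId": "P-1001", "employeeId": "E100", "email": "jsmith@corp.example",
     "firstName": "Joe", "lastName": "Smith"},
    {"personId": "P-1002", "employeeId": "E200", "email": "asmith@corp.example",
     "firstName": "Anna", "lastName": "Smith"},
    {"personId": "P-1003", "employeeId": None, "email": "j.smith@corp.example",
     "firstName": "Joe", "lastName": "Smith"},
]

# Rules are tried in this order; each maps Person attributes to account attributes.
JOIN_RULES = [
    ("employeeId", {"employeeId": "employeeNumber"}),
    ("email", {"email": "mail"}),
    ("name", {"firstName": "givenName", "lastName": "sn"}),
]


def _norm(value):
    """Case-fold and trim; empty strings and None never match anything."""
    return value.strip().lower() if isinstance(value, str) and value.strip() else None


def match_rule(person: dict, account: dict, mapping: dict) -> bool:
    """All mapped attributes must be present on both sides and equal."""
    for person_attr, account_attr in mapping.items():
        p, a = _norm(person.get(person_attr)), _norm(account.get(account_attr))
        if p is None or a is None or p != a:
            return False
    return True


def evaluate_account(account: dict, persons: list, rules: list) -> dict:
    """Decide what to do with one inventoried account.

    Returns {"action": "join" | "review" | "provision", "rule": name, "personIds": [...]}.
    """
    for rule_name, mapping in rules:
        hits = [p["personId"] for p in persons if match_rule(p, account, mapping)]
        if len(hits) == 1:
            return {"action": "join", "rule": rule_name, "personIds": hits}
        if len(hits) > 1:
            # Several Persons match: leave it in the inbox for a human decision.
            return {"action": "review", "rule": rule_name, "personIds": hits}
    return {"action": "provision", "rule": None, "personIds": []}


def provision_person(account: dict, persons: list) -> dict:
    """Provision rule: create a Person from the account's attributes and add it to the store."""
    person = {"personId": f"P-{1000 + len(persons) + 1}",
              "employeeId": account.get("employeeNumber"), "email": account.get("mail"),
              "firstName": account.get("givenName"), "lastName": account.get("sn")}
    persons.append(person)
    return person


# Constructed inventory records, shaped like AD attributes.
SAMPLE_ACCOUNTS = {
    "by_employee_id": {"sAMAccountName": "jsmith", "employeeNumber": "E100", "mail": "",
                       "givenName": "Joseph", "sn": "Smith"},
    "ambiguous_name": {"sAMAccountName": "jsmith2", "employeeNumber": "", "mail": "",
                       "givenName": "Joe", "sn": "Smith"},
    "no_match": {"sAMAccountName": "bchen", "employeeNumber": "E300",
                 "mail": "bchen@corp.example", "givenName": "Bo", "sn": "Chen"},
}

if __name__ == "__main__":
    for label, account in SAMPLE_ACCOUNTS.items():
        print(label, evaluate_account(account, PERSONS, JOIN_RULES))
```

The `review` outcome is deliberate: joining on a name alone would attach `jsmith2` to whichever of the two Joe Smiths happened to sort first, silently granting that Person's entitlements to an account it may not own.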
Security and Access Control
The Identity Warehouse implements comprehensive security controls to protect sensitive identity data. As an RBAC platform, EmpowerID ensures data within the Identity Warehouse cannot be viewed or modified by any user unless that user has specific rights granted through role assignments.
Access to Identity Warehouse data occurs through:
- The EmpowerID Web Application with role-based access controls
- The EmpowerID Web Services API with authentication and authorization
- Reports and analytics with data filtering based on user permissions
- Automated workflows operating under a service account context
All operations against Identity Warehouse data are logged with details of the user, action, timestamp, and affected objects, creating comprehensive audit trails for compliance and security investigations.
Integration and Extensibility
The Identity Warehouse integrates with identity management processes through multiple mechanisms:
Stored Procedures — Complex identity management logic is implemented through stored procedures encapsulating business rules, join logic, attribute transformation, and workflow triggers. These procedures are invoked by EmpowerID services and workflows to maintain data consistency and enforce policy.
Web Services API — Tables and stored procedures are exposed through the EmpowerID Web Services API, enabling programmatic access for integration with external systems, custom applications, and automation scripts.
Change Data Capture — SQL Server Change Data Capture monitors Identity Warehouse tables for modifications, enabling near real-time detection of identity changes that trigger lifecycle workflows.
For detailed information on change detection, see Change Data Capture Engine and Kusto Query.
Related Documentation
For additional context on Identity Warehouse usage and related concepts:
- Inventory - Account discovery and Identity Warehouse population
- Account Inbox - Join and Provision rules for person linkage
- Attribute Flow - Bidirectional synchronization with connected systems
- Business Role and Location Assignments - Role management using Identity Warehouse data
- Change Data Capture Engine and Kusto Query - Event detection based on Identity Warehouse changes