Inventory

Inventory is the foundational subsystem that populates the EmpowerID Identity Warehouse with identity and resource data from connected systems. When organizations connect Active Directory domains, cloud directories, HR systems, or SaaS applications to EmpowerID, the Inventory process discovers system topology, catalogs resources, and maintains an up-to-date representation of accounts, groups, and entitlements within the centralized warehouse.

This continuous discovery and synchronization provides comprehensive visibility into the identity landscape across hybrid and multi-cloud environments. Inventory operates as a scheduled job running at configured intervals—discovering newly created accounts, detecting attribute modifications, and identifying deleted objects. Through these ongoing cycles, the Identity Warehouse remains synchronized with source systems, providing accurate, current data for access governance, lifecycle automation, and compliance reporting.

As the entry point for all identity data entering EmpowerID, the Inventory subsystem forms the foundation upon which other capabilities depend—Account Inbox processing, Attribute Flow, and lifecycle automation all build upon the data Inventory provides.

Inventory Scope and Purpose

System Topology Discovery

When EmpowerID first connects to an account store such as Active Directory, the initial inventory operation discovers and registers system topology within the Identity Warehouse. This topology mapping creates the structural foundation enabling subsequent resource discovery and management.

For Active Directory environments, topology discovery creates several foundational objects representing the discovered infrastructure. A Security Boundary object represents the forest, establishing the authentication and trust framework. An Account Store object represents the domain, defining where accounts reside and authenticate. Resource System objects represent both the account store itself and integrated services such as Microsoft Exchange. Directory Server objects represent each domain controller, enabling distributed management and redundancy.

This topology information provides EmpowerID with the structural context needed to understand resource relationships, manage delegated administration boundaries, and coordinate provisioning operations across complex enterprise environments.

Resource Object Cataloging

Beyond topology, inventory discovers and catalogs resource objects—user accounts, groups, distribution lists, mailboxes, organizational units, and other directory objects. These discovered objects populate appropriate Identity Warehouse tables where they become available for access management, reporting, and lifecycle automation.

EmpowerID manages 73 different resource types across connected systems, ranging from basic objects like accounts and groups to specialized types such as Azure application objects, SharePoint Online groups, and SAP transaction codes. Each resource type has dedicated Identity Warehouse tables that store type-specific attributes and metadata, providing the data foundation for comprehensive identity governance.

Continuous Synchronization

Inventory operates as a scheduled process running at administrator-configured intervals. After initial discovery populates the warehouse, subsequent inventory cycles detect changes in connected systems—new accounts created, attributes modified, memberships changed, or objects deleted. This continuous synchronization ensures the Identity Warehouse maintains an accurate representation of current state across all connected systems.

Inventory execution frequency balances data currency against resource consumption. Organizations typically configure inventory to run multiple times daily, with more frequent schedules for critical systems requiring near real-time synchronization and less frequent schedules for systems with infrequent changes.

Account Discovery and Processing

Discovery Mechanism

The Inventory subsystem discovers accounts through connector-specific mechanisms appropriate to each system type. LDAP-based directories such as Active Directory use directory queries retrieving account objects and their attributes. Cloud services and SaaS applications leverage REST APIs or SCIM endpoints to enumerate user accounts. Database-driven systems rely on queries against user tables.

When inventory discovers accounts, it captures a complete attribute profile—identity markers like names, employee IDs, and email addresses; organizational context such as department, manager, and location; and authentication controls including account status and password policy settings. This comprehensive attribute capture ensures the Identity Warehouse has the information required for accurate matching, attribute flow, and policy evaluation.

Account Classification

Discovered accounts require classification to determine appropriate handling within EmpowerID. Not all accounts represent human users requiring Person object linkage—service accounts, administrative accounts, system accounts, and other non-human identities often need different treatment.

Inventory applies configurable filters to classify accounts based on attributes such as object class, account naming patterns, organizational unit location, or custom attribute values. This classification determines whether accounts proceed to Account Inbox processing for Person linkage or remain as standalone records within the Identity Warehouse.

Initial vs. Incremental Inventory

The first inventory operation against a newly connected system performs full discovery, cataloging all existing accounts, groups, and resources. This initial inventory can process thousands or millions of objects, establishing the baseline representation within the Identity Warehouse.

Subsequent inventory cycles perform incremental discovery, identifying only changes since the previous run. This incremental approach improves performance and reduces resource consumption while ensuring prompt change detection. The inventory engine tracks synchronization state for each connected system, maintaining high water marks indicating what changes have been processed.

Account Processing and Person Linkage

When inventory discovers user accounts, those accounts require evaluation to determine their relationship to Person objects within the Identity Warehouse. This evaluation process—handled through the Account Inbox subsystem—produces three possible outcomes based on configured join and provision rules.

Join to Existing Person

Accounts matching existing Person objects through configured join criteria are linked to those Persons, creating the association enabling unified identity management. The join process uses matching rules based on attributes such as employee ID, email address, or name combinations to identify the correct Person for each discovered account.

When accounts join to existing Persons, they inherit role assignments, policy evaluations, and management contexts. Attribute synchronization begins immediately, ensuring data flows bidirectionally between account and Person according to configured attribute flow rules.

Provision New Person

Accounts without matches to existing Persons may trigger automatic Person creation through provision rules. When provision rules determine an account represents a new individual requiring management within EmpowerID, the system creates a new Person object in the Identity Warehouse and joins the account to that newly created Person.

Newly provisioned Persons receive initial attribute values from the joined account, establishing baseline identity data. Provisioning policies may execute immediately, granting birthright access based on the Person's attributes and role assignments calculated from source account information.

Ignore or Queue

Some discovered accounts may not qualify for automatic Person linkage. Accounts failing both join matching and provision criteria enter the Account Inbox queue for manual review, allowing administrators to examine these accounts and determine appropriate handling. System accounts, service accounts, or accounts with incomplete attribute data typically follow this path.

For detailed information on join and provision rules, see Account Inbox.
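The classification filters and the three Account Inbox outcomes described above (join, provision, queue), as an added worked example in Python. This is illustration written for this page, not EmpowerID code: the account and Person fields, the filter patterns, the order of join rules, the provision rule, and the decision to queue an ambiguous multi-Person match are all assumptions chosen to show the flow.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed data model for illustration; field and rule names are assumptions,
# not EmpowerID's own schema or Account Inbox API.

@dataclass
class Account:
    sam_account_name: str
    object_class: str
    ou: str
    employee_id: Optional[str] = None
    email: Optional[str] = None
    given_name: Optional[str] = None
    surname: Optional[str] = None

@dataclass
class Person:
    person_id: int
    employee_id: Optional[str]
    email: Optional[str]
    given_name: str
    surname: str

def sample_people() -> List[Person]:
    """Constructed Identity Warehouse contents for a fresh run."""
    return [Person(1, "E100", "alice@corp.example", "Alice", "Ng"),
            Person(2, "E200", "bob@corp.example", "Bob", "Lee")]

# Classification filters: object class, naming pattern, OU location (constructed values).
NON_HUMAN_NAME_PATTERNS = [re.compile(r"^svc[-_]", re.I), re.compile(r"\$$")]
NON_HUMAN_OUS = {"OU=Service Accounts,DC=corp,DC=example"}

def classify(acct: Account) -> str:
    """'person-candidate' goes on to join/provision evaluation; 'standalone' stays a bare record."""
    if acct.object_class != "user":
        return "standalone"
    if any(p.search(acct.sam_account_name) for p in NON_HUMAN_NAME_PATTERNS):
        return "standalone"
    if acct.ou in NON_HUMAN_OUS:
        return "standalone"
    return "person-candidate"

# Join rules, tried in order of reliability: employee ID, then e-mail, then name combination.
def match_employee_id(acct: Account, people: List[Person]) -> List[Person]:
    return [p for p in people if acct.employee_id and p.employee_id == acct.employee_id]

def match_email(acct: Account, people: List[Person]) -> List[Person]:
    return [p for p in people
            if acct.email and p.email and p.email.lower() == acct.email.lower()]

def match_name(acct: Account, people: List[Person]) -> List[Person]:
    if not (acct.given_name and acct.surname):
        return []
    key = (acct.given_name.lower(), acct.surname.lower())
    return [p for p in people if (p.given_name.lower(), p.surname.lower()) == key]

JOIN_RULES = [match_employee_id, match_email, match_name]

def provision_rule(acct: Account) -> bool:
    """Constructed provision rule: create a Person only for accounts with an employee ID
    and a full name; accounts with incomplete data fall through to the queue."""
    return bool(acct.employee_id and acct.given_name and acct.surname)

def evaluate(acct: Account, people: List[Person]) -> Tuple[str, Optional[Person]]:
    """Returns (outcome, person): 'join', 'provision', 'queue' or 'standalone'.
    Assumption: a rule that matches more than one Person is ambiguous and is queued
    for manual review rather than joined to the first hit."""
    if classify(acct) == "standalone":
        return "standalone", None
    for rule in JOIN_RULES:
        hits = rule(acct, people)
        if len(hits) == 1:
            return "join", hits[0]
        if len(hits) > 1:
            return "queue", None
    if provision_rule(acct):
        new_person = Person(max((p.person_id for p in people), default=0) + 1,
                            acct.employee_id, acct.email, acct.given_name, acct.surname)
        people.append(new_person)   # the warehouse now holds the Person for later accounts
        return "provision", new_person
    return "queue", None
```

Two points worth noticing: the join rules are ordered so that a strong identifier (employee ID) wins before weaker ones (e-mail, then name), and a second account for a freshly provisioned Person joins rather than provisioning a duplicate, because the new Person is in the warehouse list by the time it is evaluated.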

Group and Resource Inventory

Beyond user accounts, inventory discovers and manages groups, distribution lists, and their membership relationships within connected systems.

Group Discovery

Groups represent collections of accounts within directory systems. When inventory discovers groups, it creates group objects in the Identity Warehouse associated with the appropriate account store and organizational location. Group objects include attributes such as name, description, membership type (security or distribution), and scope (global, universal, or domain local for Active Directory groups).

The inventory process flags discovered groups with metadata indicating their origin through the CreatedFromAccountStore attribute. This flag distinguishes groups discovered through inventory from groups created directly within EmpowerID or provisioned through policies, enabling proper handling during subsequent synchronization cycles.

Membership Relationships

Inventory discovers and maintains membership relationships between accounts and groups. When inventory detects that an account belongs to a group within the source system, it creates or updates the corresponding membership relationship in the Identity Warehouse. These membership records enable comprehensive visibility into access granted through group memberships and support access certification processes that include group-based entitlements.

Membership changes detected during inventory—accounts added to or removed from groups in source systems—synchronize to the Identity Warehouse, keeping membership data current. This synchronization ensures access reviews and entitlement reports reflect actual group membership state across connected systems.

RBAC Integration

Groups discovered through inventory integrate with EmpowerID's RBAC system through provisioning policies. When policies grant group memberships as part of role-based access provisioning, the system sets the RBACAssigned flag on affected membership records. This flag distinguishes policy-managed memberships from memberships discovered through inventory, enabling proper lifecycle management of policy-driven access grants.

The RbacAssignmentConfirmationDate attribute provides additional control over policy-managed group memberships. For groups initially discovered through inventory that subsequently receive policy-based membership grants, this date field establishes a confirmation period. If policies are removed before the confirmation date expires, the original inventory-discovered membership persists. If policies are removed afterward, the membership is revoked along with the policy, enabling organizations to control how policy changes affect existing group memberships.
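The interplay of CreatedFromAccountStore, RBACAssigned and RbacAssignmentConfirmationDate described above, as an added Python example. It is written for this page and is not EmpowerID's own logic: the record layout, the "unchanged"/"keep"/"revoke" outcomes, treating the confirmation date itself as already expired, and keeping an inventory-discovered membership when no confirmation date is set are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class GroupMembership:
    account: str
    group: str
    created_from_account_store: bool = False  # discovered by inventory in the source system
    rbac_assigned: bool = False               # currently granted by a provisioning policy
    rbac_assignment_confirmation_date: Optional[date] = None

def decide_on_policy_removal(m: GroupMembership, today: date) -> str:
    """What happens to a membership when the policy that granted it is removed."""
    if not m.rbac_assigned:
        return "unchanged"          # not policy-managed; the policy change does not touch it
    if not m.created_from_account_store:
        return "revoke"             # purely policy-driven grant leaves with the policy
    if m.rbac_assignment_confirmation_date is None:
        # Assumption: no confirmation period configured, so the membership that
        # inventory originally discovered is kept.
        return "keep"
    if today < m.rbac_assignment_confirmation_date:
        return "keep"               # still inside the confirmation period
    return "revoke"                 # period expired (assumed inclusive of the date itself)

def apply_policy_removal(m: GroupMembership, today: date) -> Optional[GroupMembership]:
    """Apply the decision to the record; returns the surviving membership or None when revoked."""
    outcome = decide_on_policy_removal(m, today)
    if outcome == "revoke":
        return None
    if outcome == "keep":
        m.rbac_assigned = False     # back to a plain inventory-discovered membership
        m.rbac_assignment_confirmation_date = None
    return m
```

The security-relevant consequence is the "revoke" branch after the confirmation date: once the period has passed, a membership that existed in the directory before any policy touched it is removed together with the policy, so the confirmation date is effectively the point at which the organization decides the policy, not the original directory state, owns that access.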

Mailboxes and Specialized Resources

Exchange Mailbox Discovery

For Active Directory environments integrated with Microsoft Exchange, inventory discovers mailbox objects associated with user accounts. The system creates mailbox records in the ExchangeMailbox table, capturing attributes such as mailbox size limits, retention policies, and mailbox types (user mailbox, shared mailbox, resource mailbox).

Resource-Specific Objects

Beyond accounts, groups, and mailboxes, inventory discovers resource-specific objects appropriate to each connected system type. Azure AD inventory discovers application objects, service principals, and administrative units. SharePoint inventory discovers sites, libraries, and permission groups. SAP inventory discovers roles, transaction codes, and authorization objects.

Each resource type has dedicated inventory logic that understands the structure and relationships specific to that resource, ensuring comprehensive discovery of all objects requiring governance within each connected system.

Inventory Scheduling and Execution

Scheduled Operations

Inventory operates through scheduled jobs managed by the EmpowerID Worker Role service. Administrators configure inventory schedules for each connected account store, defining execution frequency, time windows, and resource allocation. These schedules balance data currency needs against system resource consumption and network bandwidth utilization.

High-priority systems requiring near real-time synchronization may have inventory schedules executing every few minutes. Standard systems typically run inventory every few hours, providing sufficient currency for most governance and lifecycle operations. Systems with infrequent changes may execute inventory daily or weekly, reducing resource consumption while maintaining adequate synchronization.

Error Handling

Inventory operations include comprehensive error handling addressing common failure scenarios. When inventory encounters authentication failures, network interruptions, or API rate limits, the system logs detailed error information and schedules retry operations. Partial failures—where some accounts or groups fail to process while others succeed—are handled gracefully, ensuring processing errors for individual objects don't prevent completion of the overall inventory operation.

Error reports provide administrators with visibility into inventory failures, including details of specific objects that failed processing and failure reasons. This diagnostic information enables rapid identification and resolution of connectivity issues, permission problems, or data quality issues in source systems.

Performance and Optimization

Change Detection

For systems supporting change detection mechanisms, inventory leverages native capabilities to identify modified objects efficiently. Active Directory change tracking uses Update Sequence Numbers (USN) to identify objects modified since the previous inventory run. Azure AD uses delta queries returning only changed objects. These change detection capabilities dramatically reduce time and resources required for incremental inventory operations.

Systems without native change detection require full object enumeration during each inventory cycle. The inventory subsystem optimizes these operations through efficient query patterns and selective attribute retrieval, minimizing data transfer and processing overhead.

Incremental Processing

The inventory engine maintains synchronization state for each connected system, tracking what changes have been processed and what remains. This state management enables incremental processing that picks up where previous operations left off, ensuring long-running inventory operations against large systems can complete successfully even when interrupted.

High water marks, sequence numbers, and modification timestamps provide the synchronization anchors enabling efficient incremental processing while ensuring no changes are missed between inventory cycles.
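The incremental model described in Change Detection and Incremental Processing, and the per-object error isolation from Error Handling, as one added Python example: a high water mark advanced page by page over a USN-like change number, failures recorded per object without stopping the run, a resumable interruption, and a retry pass driven by the error report. This is illustration written for this page, not EmpowerID's inventory engine; the in-memory source, the `Warehouse` and `SyncState` types, the page size and the "missing sAMAccountName" failure are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class SourceObject:
    dn: str
    usn: int               # monotonically increasing change number, as AD's uSNChanged
    attributes: dict
    deleted: bool = False  # a tombstone carries a new USN so deletions are seen too

@dataclass
class SyncState:
    high_water_mark: int = 0            # highest USN fully processed
    errors: List[dict] = field(default_factory=list)  # per-object error report

class Warehouse:
    """Constructed stand-in for the Identity Warehouse account table."""
    def __init__(self) -> None:
        self.objects: Dict[str, dict] = {}
        self.state = SyncState()

def sample_source() -> List[SourceObject]:
    """Constructed directory contents; CN=svc lacks a required attribute on purpose."""
    return [
        SourceObject("CN=alice,DC=corp,DC=example", 101, {"sAMAccountName": "alice"}),
        SourceObject("CN=bob,DC=corp,DC=example", 102, {"sAMAccountName": "bob"}),
        SourceObject("CN=svc,DC=corp,DC=example", 103, {}),
        SourceObject("CN=carol,DC=corp,DC=example", 104, {"sAMAccountName": "carol"}),
        SourceObject("CN=dave,DC=corp,DC=example", 105, {}, deleted=True),
    ]

def fetch_changes(source: List[SourceObject], since_usn: int, page_size: int) -> List[SourceObject]:
    """One page of objects changed strictly after the mark, in USN order, like a
    (uSNChanged>since) query with a size limit."""
    changed = sorted((o for o in source if o.usn > since_usn), key=lambda o: o.usn)
    return changed[:page_size]

def apply_object(wh: Warehouse, obj: SourceObject) -> None:
    if obj.deleted:
        wh.objects.pop(obj.dn, None)
        return
    if "sAMAccountName" not in obj.attributes:
        raise ValueError("missing required attribute sAMAccountName")
    wh.objects[obj.dn] = dict(obj.attributes)

def run_inventory(wh: Warehouse, source: List[SourceObject], page_size: int = 2,
                  stop_after_pages: Optional[int] = None) -> SyncState:
    """Incremental inventory: page through changes above the high water mark, isolate
    per-object failures in the error report, and advance the mark only after a whole
    page is processed so an interrupted run resumes where it stopped."""
    pages = 0
    while True:
        page = fetch_changes(source, wh.state.high_water_mark, page_size)
        if not page:
            break
        for obj in page:
            try:
                apply_object(wh, obj)
            except Exception as exc:  # one bad object must not abort the cycle
                wh.state.errors.append({"dn": obj.dn, "usn": obj.usn, "reason": str(exc)})
        wh.state.high_water_mark = page[-1].usn
        pages += 1
        if stop_after_pages is not None and pages >= stop_after_pages:
            break  # simulated interruption (worker restart, network drop)
    return wh.state

def retry_failed(wh: Warehouse, source: List[SourceObject]) -> SyncState:
    """Re-fetch each object from the error report individually; the mark has already moved
    past them, so the report is the only record that they still need processing."""
    by_dn = {o.dn: o for o in source}
    still_failing = []
    for err in wh.state.errors:
        obj = by_dn.get(err["dn"])
        if obj is None:
            continue  # gone from the source since the failure; nothing left to retry
        try:
            apply_object(wh, obj)
        except Exception as exc:
            still_failing.append({**err, "reason": str(exc)})
    wh.state.errors = still_failing
    return wh.state
```

The design point a practitioner should take from this: because the high water mark advances past a failed object, the error report is not just diagnostics but the retry queue; losing it means that object stays stale until the next full inventory. Advancing the mark per page rather than per object keeps the resume point consistent with what the source query will return next.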

Integration with Identity Lifecycle

Inventory provides the data foundation enabling all identity lifecycle automation within EmpowerID. The continuous flow of current account and group information from connected systems ensures lifecycle policies, provisioning rules, and access governance processes operate on accurate, timely data.

Joiner Process Support

For joiner processes, inventory discovers newly created accounts in connected systems and routes them through Account Inbox processing for Person linkage. This discovery and linkage establishes new identities within EmpowerID, triggering onboarding workflows and provisioning policies that grant birthright access.

Mover Process Support

Inventory detects attribute changes in connected systems that indicate role changes, department transfers, or other organizational movements. These detected changes flow through the Identity Warehouse, triggering Change Data Capture events that initiate mover workflows. Attribute Flow ensures changes discovered through inventory propagate across connected systems according to configured authority rules.

Leaver Process Support

Inventory discovers account status changes and termination indicators signaling departures. Disabled accounts, deleted accounts, or accounts with termination dates populate within the Identity Warehouse, triggering leaver workflows that initiate access removal and cleanup processes.

For additional context on components that depend on inventory data: