Overview of the EmpowerID Identity Warehouse

Owned by Phillip Hanegan
May 23, 2018
5 min read

EmpowerID inventories, manages, and protects resources in what are called "resource systems," which are simply systems that contain IT resources. Resource systems can include Active Directory domains, LDAP directories, HR systems, Microsoft Exchange Organizations, SharePoint Farms, as well as custom applications and the EmpowerID system itself. It is not uncommon for many organizations to have more than one of these types of systems, and as organizations grow and/or merge with other entities, creating an effective strategy to accurately manage the identities and resources in each system can prove to be challenging and time-consuming. With multiple repositories of user data to maintain, it is likely that data will be overlooked somewhere, resulting in loss of informational integrity and potentially costly security breaches. If left unchecked, these types of errors could possibly threaten the health of an organization's IT infrastructure. In situations like these, what is needed is an easy, reliable way to bring those resource systems under the authority of one central repository that has the ability to capture the information in each of those systems, unify it into a cohesive whole, and maintain the integrity of it in real-time across all systems so that if changes occur to a user named "Bob" in one system, those changes automatically occur to the same "Bob" in all systems. As a powerful SQL-based relational Identity Warehouse with an extensive connector framework, EmpowerID is ideal for this as it is able to connect to a wide variety of resource systems in real-time and gather the user information in each to create a comprehensive "identity layer" that can be used to manage users and all of their associated accounts, roles, and entitlements in whatever resource systems those objects may reside. And because EmpowerID is an RBAC platform, access to this data is always secure and cannot be viewed or edited by any user unless that user has the specific right to do so.

Each system to which EmpowerID is capable of connecting falls into one of two categories: account stores or resource systems. Account stores are special resource systems that function as user directories capable of performing authentication, such as Active Directory domains, whereas resource systems are simple repositories of resources that must be associated with an account store to provide an authentication context, such as Exchange. EmpowerID supports live connectivity to account stores through the use of saved proxy accounts or by remote distributed agents acting under a Windows Service identity. These proxy accounts are highly privileged accounts that EmpowerID encrypts and stores in its Identity Warehouse for use with all actions and communication that occurs between itself and a connected directory. As an RBAC platform, EmpowerID allows users to access the resources in an account store without requiring those users be granted direct access to the account store. The Proxy account performs all of the directory work, but the EmpowerID reporting infrastructure logs all changes as being performed by the specific end-user accessing the resources in that directory.

In EmpowerID, account stores and any resource systems associated with those account stores belong to a "Security Boundary," which is the EmpowerID equivalent to an Active Directory forest. Security Boundaries provide the specific identity and authentication framework for account stores and resource systems, and allow users with accounts in one account store to be granted access to resources in another account store, as long as those account stores belong to the same Security Boundary or have a trust relationship with account stores in another Security Boundary. The below image shows this relationship. In the image, EmpowerID provides umbrella protection for four different Security Boundaries, of which two are AD forests, one is an HR System, and the other is the EmpowerID system itself. Based on the configuration of trust relationships, communication can flow from one Security Boundary to another via the EmpowerID Security Boundary, which has an implicit trust relationship with all other Security Boundaries.


 

The Structure of the EmpowerID Identity Warehouse

The EmpowerID Identity Warehouse is comprised of a large number of tables for storing and maintaining information about each connected resource system and the objects in those systems, including those within the EmpowerID system itself. These tables are differentiated by resource type and have records corresponding to both inventoried and non-inventoried objects alike. Some examples of the former include the Account, AccountStore, and ExchangeMailbox tables, while examples of the latter include the AtttestationPolicy, OrgRole, and Person tables (these tables correspond to unique objects created in EmpowerID). When EmpowerID inventories an account store or other type of resource system, such as Exchange, it copies all resource objects in those systems—and the important attributes of those objects—to the appropriate table in the Identity Warehouse, adding the attributes of those objects as column values. In this way, user accounts are added to the Account table, account stores are added to the AccountStore table, and mailboxes are added to the ExchangeMailbox table. So, for example if you have an Active Directory account store and an account within that account store for a user named "Vince Vincent," EmpowerID will add that account as an individual record to the Account table of the Identity Warehouse, binding "Vince" to the FirstName column and "Vincent" to the last name column. EmpowerID will also bind any other attributes it finds for that user to the corresponding column of the account record. The Account table has 176 columns used for binding user attributes as well as other account information internal to EmpowerID. Once a record has been added to the Identity Warehouse, and EmpowerID has been configured to fully manage connected systems, the EmpowerID synchronization engine uses this table data to keep the attributes of the object in the Identity Warehouse in sync with the properties of that object across any connected resource systems in which the object lives.

In addition to tables of information, the Identity Warehouse contains many stored procedures. All of the tables and their stored procedures are exposed programmatically through the EmpowerID web services API as secure objects and methods.

The image below shows the relationship between the EmpowerID Identity Warehouse and the resource systems to which EmpowerID is connected. Each inventoried object in a connected resource system is added to an Identity Warehouse table that corresponds to the object's resource type. In this way, inventoried user accounts are always added as records to the Account table, inventoried Account Store (Domain) objects are always added as records to the AccountStore table, and inventoried mailboxes are always added as records to the ExchangeMailbox table, and so on.




For more details on the inventory process, see Inventory Overview.


Related Content