Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The EmpowerID Identity Management Framework is built on the concept of a Services Oriented Architecture (SOA). As such, EmpowerID functionality is broken down into a large number of granular EmpowerID's functionality is divided into numerous granular tasks, known as "jobs," which are hosted and run executed in Windows services that communicate back to with the EmpowerID Identity Warehouse over through REST Web services. Jobs are can be either specific tasks that run on a scheduled basis (such as scheduled tasks (e.g., Inventory) or they are REST Web Services used in workflow processes. All Jobs can run on more than one server at a time for load-balancing and fail-over, with each server sending a periodic heartbeat to the Identity Warehouse specifying whether the server is online and which Jobs it is hosting. If a server hosting a specific service moves offline for maintenance or other reasons, EmpowerID moves those Multiple servers can run the same jobs for load balancing and failover, and each server regularly reports its status (online/offline) and hosted jobs to the Identity Warehouse. If a server goes offline, EmpowerID transfers its processes to another server hosting the same Jobjob.

As all communication occurs over REST, the EmpowerID Web server plays an important role, directing the various calls that occur in EmpowerID – whether those calls are automated processes like attribute flow or user-initiated processes like logging in to the EmpowerID Web application – to the appropriate EmpowerID Windows service responsible for carrying out the call. To ensure this process flows without interruption, the EmpowerID Web server uses the following criteria to determine which Workflow server it uses:

...

Job

Purpose

Attribute Flow - Directory Change Processor

This is a job hosted by the EmpowerID Worker Role Windows service that takes the attribute changes from the attribute inbox that were any attribute changes discovered during inventory and processes them using the attribute flow rules to update the attributes for the EmpowerID Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This job is scheduled per Account Store.

Account Lockout Detection Job

This is a job hosted by the EmpowerID Worker Role Windows service that actively gathers event logs from remote Windows Server systems. This is in contrast to the Windows Server Event Log Monitor that runs locally on managed Windows servers. Either can be used; however, this agent can be used instead of the Windows Server Event Log Monitor for a polling style of event log change detection versus the push method offered by the Windows Server Event Log Monitor.

Account Password Reset Inbox

Job hosted by the Worker Role service that performs the offline password resets.

API Inbox Processor Job

API Inbox Processor Job

Assignee Member Policy Compiler

Compiles field values based on assignee member policies

Assignee Member Policy Inbox Processor

Job that claims and processes PBAC policy membership inbox entries

Attestation Policy Compiler

Job hosted by the Worker Role service that evaluates attestation policies and creates Attestation Review tasks.

Attestation Processor

Not Used - placeholder for customization

Authorization Function Compiler

Processes Local and Global AzFunctions and create the resultant assignees based on roles, rightas and Auth Object mappings

Authorization Risk Compiler

Processes Local and Global AzRisks

Export Job for Bidirectional Connectors

Export Job For Bidirectional Connectors

Export Job For Outbound Connectors

Export Job For Outbound Connectors

Bot Password Expiry Notification

Bot Password Expiry Notification

Business Request Approvers Refresher

Claims and refreshes BusinessRequest and BusinessRequestItems due for approvers refresh.

Business Request Fulfillment Job

Fulfills claimed Business Request Item after approvals every ReprocessInterval + 120 seconds by initiating workflow to do fulfillment. If it is locked by server without getting processed it will be claimed again based on ReclaimByDate (set to +1 hour on each claim).

Business Request JSON Inbox Processor

Claims open BusinessRequestJSONInbox records to create BusinessRequest - Items, Approval Steps, Approvers

Business Request Item Step Fulfillment Job

Fulfills claimed Business Request Item Approval step after approvals every ReprocessInterval + 120 seconds by initiating workflow to do fulfillment. If it is locked by server without getting processed it will be claimed again based on ReclaimByDate (set to +1 hour on each claim).

Business Request Notification Inbox Claim Job

Job to claim entries in Business Request Notification Inbox and send notification emails

Business Request Notification Inbox Drop Processor

Job to process events from Business Request Notification Event Drop Inbox

Business Request Risk Compiler

Invokes BusinessRequest CompileAllRisks

Component Process Inbox Job

Component Process Inbox Job

Database Archiving Rule Processor

Job that performs database archiving rules and processes

Dynamic Hierarchy Generation Job

Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies.

Dynamic Hierarchy Membership Recalculation Job

Job hosted by the Worker Role service that calculates which groups in group hierarchy policies should have their membership refreshed

Dynamic Hierarchy Provision Inbox Processor

Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies

Group Membership Queue Processor Job

Group Membership Queue Processor Job

Group Membership Reconciliation Job

Job hosted by the Worker Role service that evaluates the current "as is" membership of groups versus the "should be" state of who should be a member based upon dynamic RBAC assignments of the "Member" Resource Role in EmpowerID. This job is scheduled per Resource System or Account Store.

Import Groups Job

Import groups job

Import Management Roles Job

Import Management Roles job

Inventory

This is a Job hosted by the EmpowerID Worker Role Windows service that claims inventory jobs for resource systems and account stores on a scheduled basis, calling the specific inventory method for that system. For account stores, the inventory process is responsible for populating the attribute inbox and running the initial Person provision process using the same Join and Provision Rule logic used by the Account Inbox One by One or Account Inbox Bulk permanent workflow. The actual implementation of how each system is inventoried is specific to the type of system and the implementation in its connector. This Job is scheduled per resource system or account store.

Inventory Get Unified Group Properties Job

Inventories the additional unified group properties to azure EID Group

License Pool Approval Change Inbox Processor

Processes License Pools Inbox entries requiring approval, removes accounts from licenses groups that grant the license

License Pool Change Inbox Processor

Processes License Pools Inbox entries and adds or removes accounts from the licenses groups that grant the license

License Pool Compiler

Processes License Pools and creates inbox entries to add or remove accounts to license assigned groups

License Reclamation Approval Inbox Processor

Generates approval for License Reclamation Inbox entries needing approval. After the approval, the other Reclamation Inbox Processor processes the approved items.

License Reclamation Compiler

Processes License Reclamation and creates inbox entries for licenses that are not in use or assigned to an invalid account.

License Reclamation Inbox Processor

Processes License Reclamation Inbox entries and either executes the entries or generates workflows for approval.

Notification Report Subscription Compiler

Job to claim notification report subscriptions on a scheduled basis and calls the RunReport() method on the subscription.

Office 365 Batch Processor

Job hosted by the Worker Role service that performs the batch processing for Exchange Online Office365 actions.

PBAC Attribute Account Store Sync Policy Processor

Job that claims and syncs AzFieldTypeAccountStoreSyncPolicy into AssigneeAzFieldType

Permanent Workflow Job

This is a Job hosted by the EmpowerID Worker Role Windows service that ensures permanent workflows are kept in a continuously running state. The parameters for the loop are set for each workflow added to the Permanent Workflow job.

Person Default Attributes Reinforcement Job

Job hosted by the Worker Role service that is responsible for making sure people have the mandatory attributes assigned by policy. It also populates the outbox so accounts owned by the person are updated.

Ping Remote Server Job

This Job claims the remote servers and tries to ping them. If failed, it logs the server details.

RBAC Maintenance Job

Job hosted by the Worker Role service to calculate RBAC assignments

RBAC Security Compiler Job

Job hosted by the Worker Role service that is responsible for building the Location and Business Role trees. It also calculates the location of resource location and which security delegations will affect them.

Note

This job MUST run in only ONE server.

RBAC Security Person Business Role Compiler Job

Job hosted by the Worker Role service that is responsible for calculating what business roles and locations a person will have based on all possible assignments.

Resource Entitlement Inbox Processor Job

Job hosted by the Worker Role service that performs the actions specified by the Resource Entitlement Inbox entries (Provision, Deprovision, etc.).

Resource Entitlement Recalculation Job

Job hosted by the Worker Role service that evaluates the current "as is" status of Resource Entitlement policies (RETs) versus the "should be" state. This entails determining what Accounts, Home Folders, Exchange Mailboxes, etc. that people currently own versus what they should own by policy. The delta to normalize what they have with what they should have is written to the Resource Entitlement Inbox as a series of actions to be performed (Provision, Disable, Move, De-provision).

Resource Role Reconciliation Job

Job hosted by the Worker Role service that manages the membership of EmpowerID Resource Role groups (RRGs). It determines who should currently be a member of those RRGs and then modifies the membership to match. This job is scheduled per Resource System or Account Store.

Resource System Inbox Inventory Processor

Used when Inventory uses Inbox to bring data in

Rights Enforcement Job

This is a Job hosted by the EmpowerID Worker Role Windows service that adds or removes native permissions for resources in external systems based upon the current state of RBAC delegations. The actual granting or revoking of rights for external systems can result in calls to other agents in order to complete the action. This Job is scheduled per resource system or account store.

Rights Inventory Job

Job hosted by the Worker Role service that inventories native permissions for external system resources. The actual inventory of rights for the external system in question can result in calls to other agents (e.g., SharePoint Agent) in order to complete the action.

Risk Factor and Stats Recalculation Job

Job hosted by the Worker Role service that is responsible for calculating the risk factor score for all EmpowerID actor types.

Role and Location Compiler

This is a Job hosted by the EmpowerID Worker Role Windows service that determines the Business Roles and Locations that should be assigned to an EmpowerID Person based on information coming from an external custom system like an HR system. The Role and Location Compiler does not support using AD or LDAP for its functions. Only account stores where the Allow Role and Location Recalculation is set to Enabled will be considered. If multiple account stores are being monitored, those with a higher Role and Location Re-Eval Order value are given precedence. The following account store information is used by this job:

  • Accounts related to an EmpowerID Person

  • External Roles

  • External Locations

  • Associations between accounts, external roles, and external locations in an Account Store and whether the association is "Primary" (only one association can be designated as "Primary" for a given account per Account Store)

  • Mappings managed in the EmpowerID Role and Location Mapper:

    • Mappings between external roles and EmpowerID Roles (an external role can be mapped to multiple EmpowerID Roles, but only one of these mappings is considered "Primary")

    • Mappings between external locations and EmpowerID Locations

Role and Location Processor

This is a Job hosted by the EmpowerID Worker Role Windows service that makes Business Role and Location changes as determined by the Role and Location Compiler. The processor performs the following actions:

  • Changes a Person's primary Business Role and Location (only affects people whose primary role and location were not explicitly assigned)

  • Assigns secondary roles and locations to a Person

  • Removes secondary roles and locations from a Person

  • Handles ambiguous assignments by reassigning people whose Business Role and Location is uncertain to the role and location specified in the EmpowerID Resource System's "Default User Creation Path. This only occurs when a Person's primary Business Role and Location was previously determined by Role and Location Compiler and set by the processor, but can no longer be ascertained due to insufficient or inconclusive information.

Role Model Business Role Application Role Inbox Processor

Role Model Business Role Application Role Inbox Processor

Role Model Identity Application Role Inbox Processor

Role Model Identity Application Role Inbox Processor

Role Model Identity Business Role Inbox Processor

Role Model Identity Business Role Inbox Processor

RoMo Application Role Inventory

RoMo ApplicationRole Inventory

RoMo Business Process Tree Inventory

RoMo Business Process Tree Inventory

RoMo Business Role Application Role Inventory

RoMo BusinessRole ApplicationRole Inventory

RoMo Business Role Inventory

RoMo Business Role Inventory

RoMo Differentiation Type Value Tree Inventory

RoMo Differentiation Type Value Tree Inventory

RoMo Identity ApplicationRole Inventory

RoMo Identity ApplicationRole Inventory

RoMo Identity Business Role Inventory

RoMo Identity Business Role Inventory

RoMo Template Business Role Inventory

RoMo Template Business Role Inventory

Search Tag Compilation

Job hosted by the Worker Role service that evaluates and prepares the tags needed for tag searching in EmpowerID, it calculates implicit tagging.

Separation Of Duties Violation Processor

Job hosted by the Worker Role service that performs default configured actions in response to SoD Violation tasks.

Set Compiler Job

Job hosted by the Worker Role service that evaluates saved searches or Sets against connected Account Stores. The results of these compiled search can be used for query-based assignment of Person objects to Business Roles and Locations. This job can run on multiple servers at same time (It doesn't follow job schedule or reprocess interval).

SharePoint Online Topology Azure Web Job

Job hosted by the Worker Role service to inventory SharePoint Online using Azure Web Jobs

SharePoint Online Topology Job

Job hosted by the Worker Role service to inventory SharePoint Online

Workflow Task Renotification

Sends email notification and escalation based on the schedule configured on the Request Workflow schedule

Windows Service and AppPool Account Password Sync

This Job synchronizes account password resets for accounts used by Windows Services and IIS App Pools.

...