
One of the biggest challenges in securing IT resources in large environments is creating a comprehensive, unified "identity layer" that can serve as a single reference point for managing users and all of their associated accounts. This identity layer acts as a centralized hub for managing user accounts, roles, and entitlements. EmpowerID excels at this by functioning as both a directory and an Identity Warehouse. It establishes the identity layer through a specialized inventory process that links each user account in a managed account store to a corresponding EmpowerID Person.

But this is only half the solution. Beyond creating a comprehensive identity layer and depositing it in a central repository, an organization needs an authoritative system with the power and reach to control not only what can happen to those identities within its own repository, but also what can happen to them within each connected resource system. If changes happen to "Bob" in directory "A," those changes should also happen to "Bob" in directories "B" and "C" if they are authoritative, or be discarded if they are not. This should happen without requiring continual vigilance on the part of administrators and other power users. The EmpowerID synchronization engine works alongside the EmpowerID inventory process to provide exactly this: whereas the inventory process creates the identity layer, the synchronization engine maintains it. This article explains how the synchronization engine, in conjunction with the inventory process, achieves this through a mechanism known as "Attribute Flow."

Attribute Flow Mechanism

Attribute Flow is a dynamic process within EmpowerID designed to detect and synchronize changes to managed identities. It continuously compares the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to that Person. When a discrepancy is detected, EmpowerID flags the account and processes the change according to the predefined Attribute Flow rules, issuing commands to update any affected accounts linked to the Person.

Configurable Attribute Flow Rules

EmpowerID's Attribute Flow behavior is governed by rules that can be customized for each connected account store. The available configurations are:

  1. No Sync: Disables any synchronization between EmpowerID and the connected account store.

  2. Bidirectional Flow: This enables a two-way attribute sync, allowing changes to propagate freely between EmpowerID and connected systems.

  3. Account Store Changes Only: Only accepts changes that originate from a connected account store, excluding changes made within EmpowerID.

  4. EmpowerID Changes Only: Only accepts changes initiated within EmpowerID, ignoring those that come from connected account stores.

Attribute Change Processing

When an attribute change is detected, commands are issued to update the relevant attributes in either the EmpowerID Identity Warehouse or the connected account store. The target of these commands depends on the origin of the change and the configured Attribute Flow rules:

  1. EmpowerID-Originated Changes: If changes are initiated within EmpowerID, commands update the user objects in all connected resource systems via their specific connectors.

  2. Resource System-Originated Changes: If changes originate from an external resource system, they are pulled into EmpowerID's Identity Warehouse, where they are either incorporated into existing records or discarded based on set criteria.

Image 2: Workflow of Attribute Change Processing

Synchronization Steps

To provide more detailed insight, below is a step-by-step explanation of the attribute synchronization process, illustrated by the image below. The image shows how synchronization occurs for a user with three identities: one in an HR System, one in Active Directory, and one in the EmpowerID Identity Warehouse. The process is as follows:

  1. Initiation: The EmpowerID Worker Role service kicks off the Inventory Job for a specific account store, such as the HR System.

  2. Evaluation: This service reviews the accounts, identifying changes by cross-referencing current attributes with those stored in the EmpowerID Identity Warehouse.

  3. Change Detection: Identified changes, such as a modified Job Title attribute, are forwarded to the Attribute Inbox. Depending on the Attribute Flow rules, the change either updates the corresponding EmpowerID Person or is ignored.

  4. Change Propagation: The change is then relayed to the Attribute Outbox, making it accessible to the EmpowerID Worker Role service.

  5. Change Processing: The service triggers the Attribute Flow: Directory Change Processor Job, passing the changes to the EmpowerID Agent's LDAP Management Host.

  6. Final Update (step B2 in the image): The LDAP Management Host pushes the Job Title attribute change to the user account in Active Directory that is joined to the EmpowerID Person.

In this way, the change to the Job Title attribute that occurred to the user account in the HR System is applied to that user's accounts in all managed systems. EmpowerID ensures these changes occur regardless of the direction from which they originate, as demonstrated by the "C" loop. In that loop, the logic and process are identical; the only difference is that the attribute change is discovered during the inventory of Active Directory. In that case, the changes flow from Active Directory to EmpowerID to the HR System.

Although the process appears intensive, the mechanism by which it occurs is silent and invisible to your users when EmpowerID is appropriately configured. What EmpowerID does with the attribute changes it discovers is up to you. For EmpowerID to follow the process outlined above, you only need to make a few configuration selections for each of your connected account stores: enabling attribute flow and setting the Attribute Flow Rules. Attribute Flow Rules determine what EmpowerID should do when it discovers attribute changes. These rules can be configured for each account store in one of the following ways:

No Sync - When this option is selected, information between EmpowerID and a managed account store is not synchronized and no attribute flow occurs. Using the image above as an example, this means that if someone changes the Job Title attribute for an account in the HR System, that change will not update the EmpowerID Person object or the Active Directory account. The changed value, however, will still be stored in the account table.

Bidirectional Flow - When this option is selected, changes made to an account within a managed account store are applied to that account in EmpowerID and vice versa. Depending on the Attribute Flow Rules set for any other managed account stores, those changes may or may not be pushed into other directories. In the example above, Attribute Flow is set to Bidirectional for both the HR System and Active Directory. In this way, changes originating in either the HR System or Active Directory can be passed from one to the other, because EmpowerID accepts those changes as authoritative.

Account Store Changes Only - When this option is selected, only changes to attributes that originate in a connected account store are accepted as authoritative by EmpowerID. Changes originating in the account store flow to the EmpowerID Identity Warehouse, but changes originating in EmpowerID do not update the account store.
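To make the rule logic of the "Attribute Change Processing" section and the rule descriptions above concrete (which inventoried changes the Attribute Inbox accepts as authoritative, and which stores the Attribute Outbox then pushes to), here is an added Python model; it is not EmpowerID code, the FlowRule enum, attribute_flow function and store names are constructed, and it assumes that the push from the Identity Warehouse to any other store is treated as an EmpowerID-originated change for that store.

```python
from dataclasses import dataclass, field
from enum import Enum


class FlowRule(Enum):
    """The four per-account-store Attribute Flow Rules described on this page."""
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_ONLY = "Account Store Changes Only"
    EMPOWERID_ONLY = "EmpowerID Changes Only"


# Origin label for a change initiated in EmpowerID itself rather than a store.
EMPOWERID = "EmpowerID"


@dataclass
class FlowResult:
    accepted: bool                               # did the Person get updated?
    targets: list = field(default_factory=list)  # stores that receive the push


def accepts_inbound(rule: FlowRule) -> bool:
    """Is a change discovered during inventory of this store authoritative?"""
    return rule in (FlowRule.BIDIRECTIONAL, FlowRule.ACCOUNT_STORE_ONLY)


def accepts_outbound(rule: FlowRule) -> bool:
    """Will this store accept a change pushed out of the Identity Warehouse?"""
    return rule in (FlowRule.BIDIRECTIONAL, FlowRule.EMPOWERID_ONLY)


def attribute_flow(origin: str, rules: dict) -> FlowResult:
    """Decide where one attribute change (e.g. Job Title) flows.

    origin is EMPOWERID or the name of a managed account store; rules maps
    each store name to its FlowRule. Assumption (not stated on the page):
    the push from the Warehouse to every other store counts as an
    EmpowerID-originated change for that store.
    """
    if origin != EMPOWERID and not accepts_inbound(rules[origin]):
        # No Sync / EmpowerID Changes Only: the value stays in the account
        # table only; the Person and the other stores are untouched.
        return FlowResult(accepted=False)
    targets = [store for store, rule in rules.items()
               if store != origin and accepts_outbound(rule)]
    return FlowResult(accepted=True, targets=targets)
```

With both stores set to FlowRule.BIDIRECTIONAL, attribute_flow("HR System", rules) reproduces the "B" path (Person updated, push to Active Directory) and attribute_flow("Active Directory", rules) the "C" loop.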
