Because of the key role of Person objects in EmpowerID, the process by which EmpowerID joins inventoried accounts to these objects is foundational to how EmpowerID manages your user identities. As was mentioned in the Understanding Inventory topic, when EmpowerID inventories a resource system with user accounts, it does more than just write a copy of those user accounts to a table in the EmpowerID Identity Warehouse. It evaluates those accounts to determine whether or not they are owned by users, and based on that evaluation it does one of the following three things:

  • It ignores them;

  • It joins them to existing EmpowerID Persons;

  • It provisions new EmpowerID Persons, joining those new Persons to the accounts.

...

The criterion for this evaluation is whether or not those inventoried accounts have valid FirstName and LastName properties (the properties are not null). If an account does not meet this criterion, EmpowerID simply ignores it and moves on to evaluate the next account. If an account does meet the criterion, EmpowerID marks the account as belonging to a user, captures all the unique identifier information for that account (SID, GUID, DN, UID, etc.), maps the account to the account store for attribute flow, and then executes a set of stored procedures, known as the "Join" and "Provision" rules. These rules, in conjunction with certain user-defined settings, tell EmpowerID what relationship, if any, it should create between inventoried user accounts and EmpowerID Persons. As a whole, this process of evaluating, joining and provisioning is handled by what is known in EmpowerID as the "Account Inbox."
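The decision flow described above can be modelled in a few lines. This is an added illustration, not EmpowerID's stored procedures: the e-mail based `join_rule`, the `allow_join` / `allow_provision` flags standing in for the user-defined settings, and the `unresolved` outcome are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    logon: str
    first_name: Optional[str]
    last_name: Optional[str]
    email: Optional[str] = None  # assumed join attribute, not from the page

@dataclass
class Person:
    first_name: str
    last_name: str
    email: Optional[str]
    accounts: list = field(default_factory=list)

def is_user_account(acct):  # the page's criterion: both names are non-null
    return acct.first_name is not None and acct.last_name is not None

def join_rule(acct, persons):
    # Hypothetical join rule: case-insensitive e-mail match.
    if acct.email:
        for p in persons:
            if p.email and p.email.lower() == acct.email.lower():
                return p
    return None

def process_inbox(accounts, persons, allow_join=True, allow_provision=True):
    outcomes = {}
    for acct in accounts:
        if not is_user_account(acct):
            outcomes[acct.logon] = "ignored"
            continue
        match = join_rule(acct, persons) if allow_join else None
        if match is not None:
            match.accounts.append(acct)
            outcomes[acct.logon] = "joined"
        elif allow_provision:
            persons.append(Person(acct.first_name, acct.last_name, acct.email, [acct]))
            outcomes[acct.logon] = "provisioned"
        else:
            outcomes[acct.logon] = "unresolved"  # no relationship created
    return outcomes

def sample_accounts():  # constructed sample data
    return [Account("svc_backup", None, None),
            Account("jdoe", "John", "Doe", "jdoe@example.com"),
            Account("john.doe", "John", "Doe", "JDoe@example.com")]
```

In this model the second John Doe account joins the Person that the first one provisioned, and the nameless service account is never linked to any Person, so it is worth reviewing ignored accounts separately for ownership.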

...