...

In EmpowerID, account stores and any resource systems associated with those account stores belong to a "Security Boundary," which is the EmpowerID equivalent to an Active Directory forest. Security Boundaries provide the specific identity and authentication framework for account stores and resource systems and allow users with accounts in one account store to be granted access to resources in another account store, as long as those account stores belong to the same Security Boundary or have a trust relationship with account stores in another Security Boundary. The below image shows this relationship. In the image, EmpowerID provides umbrella protection for four different security boundaries. Two are AD forests, one is an HR System, and the other is the EmpowerID system itself. Based on the configuration of trust relationships, communication can flow from one Security Boundary to another via the EmpowerID Security Boundary, which has an implicit trust relationship with all other Security Boundaries.

...

The Structure of the EmpowerID Identity Warehouse

The EmpowerID Identity Warehouse comprises a large number of tables for storing and maintaining information about each connected resource system and the objects in those systems, including those within the EmpowerID system itself. These tables are differentiated by resource type and hold records for both inventoried and non-inventoried objects. Examples of the former include the Account, AccountStore, and ExchangeMailbox tables, while examples of the latter include the AttestationPolicy, OrgRole, and Person tables (these tables correspond to unique objects created in EmpowerID). When EmpowerID inventories an account store or other type of resource system, such as Exchange, it copies all resource objects in those systems—and the important attributes of those objects—to the appropriate table in the Identity Warehouse, adding the attributes of those objects as column values. In this way, user accounts are added to the Account table, account stores are added to the AccountStore table, and mailboxes are added to the ExchangeMailbox table. So, for example, if you have an Active Directory account store and an account within that account store for a user named "Vince Vincent," EmpowerID will add that account as an individual record to the Account table of the Identity Warehouse, binding "Vince" to the FirstName column and "Vincent" to the last name column. EmpowerID will also bind any other attributes it finds for that user to the corresponding column of the account record. The Account table has 176 columns used for binding user attributes and other account information internal to EmpowerID. Once a record has been added to the Identity Warehouse, and EmpowerID has been configured to manage connected systems fully, the EmpowerID synchronization engine uses this table data to keep the attributes of the object in the Identity Warehouse in sync with the properties of that object across any connected resource systems in which the object lives.
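To make the inventory-then-sync model concrete, the following added example (not EmpowerID's own code or schema) models a miniature warehouse in SQLite: an inventory pass copies directory objects into an Account table, binding each attribute to a column, and a drift check compares the stored rows with the connected system the way a sync pass must before deciding which side to update. All table and column names other than Account, AccountStore and FirstName, and the directory export itself, are constructed for the example.

```python
import sqlite3

# Constructed, heavily simplified stand-in for the Identity Warehouse schema.
# The real Account table has 176 columns; every column here except FirstName
# is an assumed name chosen for the example.
SCHEMA = """
CREATE TABLE AccountStore (AccountStoreID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE Account (
    AccountStoreID INTEGER REFERENCES AccountStore(AccountStoreID),
    Logon TEXT, FirstName TEXT, LastName TEXT, Mail TEXT,
    PRIMARY KEY (AccountStoreID, Logon));
"""
ATTRS = ("FirstName", "LastName", "Mail")

# Constructed export of user objects from one connected directory account store.
DIRECTORY_EXPORT = [
    {"Logon": "vvincent", "FirstName": "Vince", "LastName": "Vincent",
     "Mail": "vince.vincent@example.test"},
    {"Logon": "asmith", "FirstName": "Ann", "LastName": "Smith", "Mail": None},
]

def open_warehouse():
    """Create an in-memory warehouse with one registered account store."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO AccountStore VALUES (1, 'corp.example AD')")
    return db

def inventory(db, store_id, objects):
    """Copy each directory object into Account, one row per object, binding
    its attributes to the matching columns; re-running replaces stale rows."""
    rows = [(store_id, o["Logon"]) + tuple(o.get(a) for a in ATTRS) for o in objects]
    db.executemany("INSERT OR REPLACE INTO Account VALUES (?, ?, ?, ?, ?)", rows)
    db.commit()
    return len(rows)

def drift(db, store_id, objects):
    """Return {Logon: {attr: (warehouse_value, live_value)}} for every attribute
    that differs between the warehouse row and the live object. An object with
    no warehouse row at all shows every non-empty live attribute as drift."""
    out = {}
    for o in objects:
        row = db.execute(
            f"SELECT {', '.join(ATTRS)} FROM Account WHERE AccountStoreID=? AND Logon=?",
            (store_id, o["Logon"])).fetchone()
        stored = dict(zip(ATTRS, row)) if row else {a: None for a in ATTRS}
        changed = {a: (stored[a], o.get(a)) for a in ATTRS if stored[a] != o.get(a)}
        if changed:
            out[o["Logon"]] = changed
    return out

def demo():
    """Inventory the export, then change one mail attribute in the live system."""
    db = open_warehouse()
    inventory(db, 1, DIRECTORY_EXPORT)
    live = [dict(o) for o in DIRECTORY_EXPORT]
    live[1]["Mail"] = "ann.smith@example.test"  # attribute changed in the directory
    return drift(db, 1, live)
```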

...