As we discussed previously, one of EmpowerID's primary functions is to present an accurate picture of the security within each IT system across an organization's on-premises and cloud landscape. In addition to viewing and auditing this information, EmpowerID is used for Entitlement Management, which is defined as "cataloging and managing all the accesses an account may have. This is part of the business process used to provision access."1
To provide these capabilities, EmpowerID periodically inventories "Protected Resources"1 from the systems a customer wants to manage. The process of synchronizing accounts and supporting data into the Identity Warehouse of an IAM system is often called "reconciliation"; in EmpowerID terminology it is called "inventory".
Protected Resources are defined as "A system, a process, a service, an information object, or even a physical location that is subject to access control as defined by the owner of the resource and by other stakeholders, such as a business process owner or Risk manager." EmpowerID can inventory and manage a wide variety of protected resource types. To record which systems you wish to inventory and manage, on what schedule, and in which system each protected resource exists, EmpowerID maintains a table named "ResourceSystems". The Resource System Type is the definition of the connector used to inventory data from an external system. This differs from Security Boundary Types, which contain the connector definition for Create, Update and Delete operations and the attribute schema of the native objects directly managed in an external system.
EmpowerID itself contains protected resources for its pages, roles, APIs, etc., which are assigned to the EmpowerID Resource System. Each system that contains protected resources you wish to manage must be registered as a Resource System in the EmpowerID Identity Warehouse, where it is assigned a unique ResourceSystemID and ResourceSystemGUID.
The protected resources themselves can be many different types of objects, ranging from accounts, groups, and computers to Azure subscriptions, SharePoint Online Site Collections, and many other types. Each protected resource is inserted as a record into the Resource table in the Identity Warehouse and assigned a unique ResourceID and ResourceGUID. The ResourceGUID is most often the actual unique identifier of the object in its external system, when that identifier is available in GUID format. From now on, we'll refer to protected resources simply as resources to align with EmpowerID component terminology. Also important to note is that each resource record is assigned a ResourceTypeID, which defines the type of resource or object. EmpowerID maintains a ResourceType record for each type of protected resource it can manage and secure. The Resource Type of a resource becomes important later when discussing the inventory of permissions for resources and managing who has what level of access to view and manage these resources using EmpowerID.
One question some of you might be asking yourselves is, "how does EmpowerID store any useful data about such a wide variety of resource types in a single Resource table?" The answer is that it doesn't. As we mentioned in a previous module, the Identity Warehouse contains over 1,200 tables. A table exists for each resource type to hold the detailed information about that type of resource. Entries in these tables always carry a pointer back to the ResourceID and ResourceGUID of their resource record. Having a dedicated table per resource type allows a richer user experience when viewing information about these resources and managing them.
EmpowerID accomplishes this through periodic inventory of "protected resources" from systems you want to manage. While other IAM systems might call this process "reconciliation," EmpowerID refers to it as "inventory."
Protected Resources
Protected resources encompass any system, process, service, information object, or physical location subject to access control, as defined by resource owners and stakeholders like business process owners or risk managers. EmpowerID can inventory and manage diverse resources, including:
User accounts and groups
Computer systems
Azure subscriptions
SharePoint Online site collections
Many other resource types
Resource Systems
EmpowerID maintains a ResourceSystems table to track which systems to inventory, their schedules, and resource locations. Each system containing protected resources—including EmpowerID itself with its pages, roles, and APIs—must be registered with unique ResourceSystemID and ResourceSystemGUID identifiers.
System Types
EmpowerID uses two distinct connector types when interfacing with external systems:
Resource System Type defines the connector used specifically for inventorying data from external systems. This connector type focuses on reading and synchronizing resource information into EmpowerID's Identity Warehouse.
Security Boundary Type serves a different purpose, defining the connector used to directly manage resources in the external system. This includes:
Create, Update, and Delete operations
Attribute schema definitions for native objects
Direct manipulation of resources in their source systems
These two connector types work together to provide both comprehensive resource tracking and active management capabilities across your IT environment. While Resource System Types handle the discovery and monitoring of resources, Security Boundary Types enable EmpowerID to make controlled changes to those resources in their native systems.
Resource Management
Resource Records
When EmpowerID inventories resources, each one is assigned a unique ResourceID and ResourceGUID in the Resource table. The ResourceGUID typically matches the external system's unique identifier (GUID). Each resource has a ResourceTypeID that specifies its type and determines who can view or manage it. These "resources" (previously called "protected resources") align with EmpowerID component terminology.
Data Storage Architecture
Rather than storing all resource information in a single table, EmpowerID's Identity Warehouse (which holds over 1,200 tables in total) includes a specialized table for each resource type. Each entry in a specialized table links back to its resource record through ResourceID and ResourceGUID.
This specialized table architecture serves multiple purposes:
Enables storage of detailed information specific to each resource type
Maintains relationships between resources through consistent identifiers
Provides rich management capabilities tailored to each resource type
Supports efficient querying and reporting across resource types
The combination of centralized resource tracking and specialized storage tables allows EmpowerID to effectively manage and secure the wide variety of resources in your IT environment.
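To make the table layout concrete, here is an added example, constructed for this page and not EmpowerID's own schema or code: it models a ResourceSystem registry, a ResourceType catalog, the central Resource table and one per-type detail table (Account) in SQLite, inventories accounts into them, and runs the integrity check an auditor would want, namely resources whose per-type detail row is missing. Column names other than ResourceID, ResourceGUID, ResourceTypeID, ResourceSystemID and ResourceSystemGUID are assumptions.

```python
import sqlite3
# Constructed illustration of the pattern above, not EmpowerID's real schema: a ResourceSystem
# registry, a ResourceType catalog, one central Resource table, and a per-type detail table.
SCHEMA = """
CREATE TABLE ResourceSystem (ResourceSystemID INTEGER PRIMARY KEY,
    ResourceSystemGUID TEXT NOT NULL UNIQUE, Name TEXT NOT NULL UNIQUE);
CREATE TABLE ResourceType (ResourceTypeID INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE Resource (ResourceID INTEGER PRIMARY KEY,
    ResourceGUID TEXT NOT NULL UNIQUE,  -- the external object's own GUID when it has one
    ResourceTypeID INTEGER NOT NULL REFERENCES ResourceType(ResourceTypeID),
    ResourceSystemID INTEGER NOT NULL REFERENCES ResourceSystem(ResourceSystemID));
CREATE TABLE Account (AccountID INTEGER PRIMARY KEY, Logon TEXT NOT NULL,
    ResourceID INTEGER NOT NULL UNIQUE REFERENCES Resource(ResourceID), ResourceGUID TEXT NOT NULL);
"""

def build_warehouse():
    """In-memory warehouse seeded with two constructed resource systems and two types."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # a detail row can never point at a missing Resource
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ResourceSystem(ResourceSystemGUID, Name) VALUES (?, ?)",
                     [("0000aaaa-0000-4000-8000-000000000001", "Active Directory"),
                      ("0000aaaa-0000-4000-8000-000000000002", "EmpowerID")])
    conn.executemany("INSERT INTO ResourceType(Name) VALUES (?)", [("Account",), ("Group",)])
    return conn

def inventory_account(conn, system_name, ext_guid, logon):
    """Inventory one account: central Resource row first, then its Account detail row."""
    cur = conn.execute(
        "INSERT INTO Resource(ResourceGUID, ResourceTypeID, ResourceSystemID) SELECT ?, "
        "t.ResourceTypeID, s.ResourceSystemID FROM ResourceType t, ResourceSystem s "
        "WHERE t.Name = 'Account' AND s.Name = ?", (ext_guid, system_name))
    if cur.rowcount != 1:  # unregistered system: nothing to anchor the resource to
        raise ValueError(f"resource system not registered: {system_name}")
    conn.execute("INSERT INTO Account(Logon, ResourceID, ResourceGUID) VALUES (?, ?, ?)",
                 (logon, cur.lastrowid, ext_guid))
    return cur.lastrowid

def accounts_in_system(conn, system_name):
    """Join the detail table back through Resource to the system it was inventoried from."""
    return conn.execute(
        "SELECT a.Logon, r.ResourceGUID FROM Account a JOIN Resource r USING (ResourceID) "
        "JOIN ResourceSystem s USING (ResourceSystemID) WHERE s.Name = ? ORDER BY a.Logon",
        (system_name,)).fetchall()

def accounts_missing_detail(conn):
    """Audit check: Resource rows typed Account with no Account detail row behind them."""
    return [g for (g,) in conn.execute(
        "SELECT r.ResourceGUID FROM Resource r JOIN ResourceType t USING (ResourceTypeID) "
        "LEFT JOIN Account a USING (ResourceID) WHERE t.Name = 'Account' AND a.AccountID IS NULL")]
```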
...
1 Source: Bago, E. (Ed.) & Glazer, I. (2021). "Introduction to Identity - Part 1: Admin-time (v2)". IDPro Body of Knowledge, 1(5).
...