One of EmpowerID's primary functions is to present an accurate picture of security across an organization's on-premises and cloud-based IT systems. Beyond viewing and auditing these systems, EmpowerID provides entitlement management capabilities, defined as "cataloging and managing all the accesses an account may have, as part of the business process used to provision access."¹

To support these capabilities, EmpowerID periodically inventories "protected resources" from the systems you want to manage. Within EmpowerID this process is called "inventory," although other IAM systems may refer to it as "reconciliation."

Protected Resources

Protected resources encompass any system, process, service, information object, or even a physical location that is subject to access control, as defined by the resource owners and other stakeholders, such as business process owners or risk managers. EmpowerID can inventory and manage a wide variety of protected resources, including:

  • User accounts and groups

  • Computer systems

  • Azure subscriptions

  • SharePoint Online site collections

  • Many other resource types

Resource Systems

...

To specify which systems you want to inventory, the schedule for inventorying them, and where each protected resource resides, EmpowerID maintains a ResourceSystems table. Each table entry represents a system containing protected resources that you want EmpowerID to manage, and every registered system receives a unique ResourceSystemID and ResourceSystemGUID.

EmpowerID itself also has protected resources (its pages, roles, APIs, etc.). These are treated as belonging to the "EmpowerID Resource System," which is registered in the same table.

System Types

EmpowerID uses two distinct connector types when interfacing with external systems:

Resource System Type defines the connector used specifically for inventorying data from external systems. This connector type focuses on reading and synchronizing resource information into EmpowerID's Identity Warehouse.

Security Boundary Type serves a different purpose, defining the connector used to directly manage resources in the external system. This includes:

  • Create, Update, and Delete operations

  • Attribute schema definitions for native objects

  • Direct manipulation of resources in their source systems

These two connector types work together to provide both comprehensive resource tracking and active management capabilities across your IT environment. While Resource System Types handle the discovery and monitoring of resources, Security Boundary Types enable EmpowerID to make controlled changes to those resources in their native systems.

Resource Management

Resource Records

When EmpowerID inventories protected resources, each resource is inserted into the Resource table and assigned a unique ResourceID and ResourceGUID. Wherever possible, the ResourceGUID matches the external system's own unique identifier (GUID).

From here on, "protected resources" will simply be called "resources" to align with EmpowerID component terminology. Each resource in EmpowerID has a ResourceTypeID that specifies its resource type or object class. EmpowerID maintains a ResourceType record for each type of protected resource it can manage and secure. The ResourceTypeID becomes especially relevant when determining or modifying who can view or manage each resource.

Storing Resource Data

You might wonder how EmpowerID stores meaningful information about such diverse resource types in a single Resource table. It does not store all data in one place. As mentioned in a previous module, the Identity Warehouse has over 1,200 tables. For each ResourceType, a dedicated table holds detailed information specific to that type of resource. Each record in these specialized tables points back to the ResourceID and ResourceGUID in the Resource table.

By maintaining a separate table per resource type, EmpowerID offers a richer user experience when you view and manage the information associated with different types of resources.

This specialized table architecture serves multiple purposes:

  • Enables storage of detailed information specific to each resource type

  • Maintains relationships between resources through consistent identifiers

  • Provides rich management capabilities tailored to each resource type

  • Supports efficient querying and reporting across resource types

The combination of centralized resource tracking and specialized storage tables allows EmpowerID to effectively manage and secure the wide variety of resources in your IT environment.
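As an added illustration (not EmpowerID's own schema or code), the following constructed Python/sqlite3 model shows how a ResourceSystems row, a Resource row keyed by the external GUID, and a per-type detail table fit together, and how an inventory run reconciles them: new objects are inserted, known ones refreshed, and resources that have vanished from the target system are flagged rather than dropped, so an audit trail survives. The Deleted column, the Account detail table with Logon/Enabled, and the "Corp AD" system are assumptions made for the example.

```python
import sqlite3

# Constructed, simplified model of the tables the page describes (not EmpowerID's real schema).
SCHEMA = """
CREATE TABLE ResourceSystems (ResourceSystemID INTEGER PRIMARY KEY,
                              ResourceSystemGUID TEXT UNIQUE NOT NULL, Name TEXT NOT NULL);
CREATE TABLE ResourceType (ResourceTypeID INTEGER PRIMARY KEY, Name TEXT UNIQUE NOT NULL);
CREATE TABLE Resource (ResourceID INTEGER PRIMARY KEY,
                       ResourceGUID TEXT NOT NULL,   -- the external GUID where the system has one
                       ResourceTypeID INTEGER NOT NULL REFERENCES ResourceType(ResourceTypeID),
                       ResourceSystemID INTEGER NOT NULL REFERENCES ResourceSystems(ResourceSystemID),
                       Deleted INTEGER NOT NULL DEFAULT 0,   -- assumed flag for vanished resources
                       UNIQUE (ResourceSystemID, ResourceGUID));
-- one detail table per ResourceType; each row points back at its Resource row
CREATE TABLE Account (ResourceID INTEGER PRIMARY KEY REFERENCES Resource(ResourceID),
                      Logon TEXT NOT NULL, Enabled INTEGER NOT NULL);
"""

def inventory(conn, system_id, type_name, external_objects):
    """Reconcile one resource system/type against what the connector returned.
    external_objects: iterable of (guid, logon, enabled). Returns (added, updated, orphaned).
    Resources inventoried earlier but absent now are flagged Deleted, never removed."""
    cur = conn.cursor()
    (type_id,) = cur.execute("SELECT ResourceTypeID FROM ResourceType WHERE Name = ?", (type_name,)).fetchone()
    seen, added, updated = set(), 0, 0
    for guid, logon, enabled in external_objects:
        seen.add(guid)
        row = cur.execute("SELECT ResourceID FROM Resource WHERE ResourceSystemID = ? AND ResourceGUID = ?",
                          (system_id, guid)).fetchone()
        if row is None:   # appeared in the target system since the last run
            cur.execute("INSERT INTO Resource (ResourceGUID, ResourceTypeID, ResourceSystemID) VALUES (?, ?, ?)",
                        (guid, type_id, system_id))
            cur.execute("INSERT INTO Account VALUES (?, ?, ?)", (cur.lastrowid, logon, enabled))
            added += 1
        else:             # already known: refresh the type-specific detail row
            cur.execute("UPDATE Account SET Logon = ?, Enabled = ? WHERE ResourceID = ?", (logon, enabled, row[0]))
            cur.execute("UPDATE Resource SET Deleted = 0 WHERE ResourceID = ?", (row[0],))
            updated += 1
    known = cur.execute("SELECT ResourceID, ResourceGUID FROM Resource "
                        "WHERE ResourceSystemID = ? AND ResourceTypeID = ? AND Deleted = 0",
                        (system_id, type_id)).fetchall()
    orphaned = [(rid,) for rid, guid in known if guid not in seen]
    cur.executemany("UPDATE Resource SET Deleted = 1 WHERE ResourceID = ?", orphaned)
    conn.commit()
    return added, updated, len(orphaned)

def demo():
    """Two constructed inventory runs against a hypothetical 'Corp AD' resource system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO ResourceSystems VALUES (1, 'f0c1a5f2-0000-4000-8000-000000000001', 'Corp AD')")
    conn.execute("INSERT INTO ResourceType (Name) VALUES ('Account')")
    first = inventory(conn, 1, "Account", [("g-alice", "alice", 1), ("g-bob", "bob", 1)])
    # second pass: bob is gone from AD, alice was disabled, and a new account carol appeared
    second = inventory(conn, 1, "Account", [("g-alice", "alice", 0), ("g-carol", "carol", 1)])
    return first, second   # ((2, 0, 0), (1, 1, 1))
```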

...

¹ Bago, E. (Ed.) & Glazer, I. (2021). "Introduction to Identity - Part 1: Admin-time (v2)". IDPro Body of Knowledge, 1(5).

...