The EmpowerID Identity Management Framework is built on the concept of a Services Oriented Architecture (SOA). As such, EmpowerID functionality is broken down into a large number of granular "jobs," which are hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over WCF REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory) or they are WCF REST Web Services used in workflow processes (such as the Exchange Management Host, which is called when performing Exchange management tasks using PowerShell). All Jobs can run on more than one server at a time for load-balancing and fail-over, with each server sending a periodic heartbeat to the Identity Warehouse specifying whether the server is online and which Jobs it is hosting. If a server hosting a specific service moves offline for maintenance or other reasons, EmpowerID moves those processes to another server hosting the same Job.

As all communication occurs over WCF REST, the EmpowerID Web server plays an important role, directing the various calls that occur in EmpowerID – whether those calls are automated processes like attribute flow or user-initiated processes like logging in to the EmpowerID Web application – to the appropriate EmpowerID Windows service responsible for carrying out the call. To ensure this process flows without interruption, the EmpowerID Web server uses the following criteria to determine which Workflow server it uses:


A server is considered "online" if it has completed a heartbeat check-in to the Identity Warehouse within the last 3 minutes. The heartbeat is written to the EmpowerID ServerServices table. By default, the services send this notification every two minutes, which allows fail-over in case a service is down or disconnected.
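
As an added example (not EmpowerID code), the sketch below applies the 3-minute online rule to constructed heartbeat rows and reports jobs with no online host, no fail-over target, or, for the job this page says must run on only one server, more than one online host. The row field names and server names are assumptions; the real ServerServices schema is not shown on this page.

```python
from datetime import datetime, timedelta, timezone

# From the page: a server is online if it checked in within the last 3 minutes.
ONLINE_WINDOW = timedelta(minutes=3)
# From the page: the RBAC Security Compiler Job must run on only one server.
SINGLE_HOST_JOBS = {"RBAC Security Compiler Job"}

# Constructed sample data. Field names are hypothetical, not the ServerServices schema.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"server": "eid-app01", "last_heartbeat": NOW - timedelta(seconds=50),
     "jobs": ["Permanent Workflow Job", "Rights Enforcement Job",
              "RBAC Security Compiler Job"]},
    {"server": "eid-app02", "last_heartbeat": NOW - timedelta(seconds=100),
     "jobs": ["Permanent Workflow Job", "RBAC Security Compiler Job"]},
    {"server": "eid-app03", "last_heartbeat": NOW - timedelta(minutes=10),
     "jobs": ["Rights Enforcement Job", "Set Compiler Job"]},
]


def online_hosts(rows, now, window=ONLINE_WINDOW):
    """Map every assigned job to the sorted servers with a fresh heartbeat."""
    hosts = {}
    for row in rows:
        age = now - row["last_heartbeat"]
        # A heartbeat dated in the future points to clock skew; this example
        # chooses not to count it as online.
        fresh = timedelta(0) <= age <= window
        for job in row["jobs"]:
            hosts.setdefault(job, set())
            if fresh:
                hosts[job].add(row["server"])
    return {job: sorted(servers) for job, servers in hosts.items()}


def coverage_findings(rows, now):
    """Return (job, finding) pairs for jobs whose hosting needs attention."""
    findings = []
    for job, servers in sorted(online_hosts(rows, now).items()):
        if not servers:
            findings.append((job, "no online host"))
        elif job in SINGLE_HOST_JOBS and len(servers) > 1:
            findings.append((job, "online on more than one server"))
        elif job not in SINGLE_HOST_JOBS and len(servers) == 1:
            findings.append((job, "no fail-over target"))
    return findings


if __name__ == "__main__":
    for job, finding in coverage_findings(SAMPLE_ROWS, NOW):
        print(f"{job}: {finding}")
```
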

Each of the various services that make up the processing operations of the system can be assigned to any number of distributed servers within the EmpowerID Web interface. A brief overview of the purpose of each of these Jobs follows below:



Attribute Flow - Directory Change Processor

This is a job hosted by the EmpowerID Worker Role Windows service that takes the attribute changes from the attribute inbox that were discovered during inventory and processes them using the attribute flow rules to update the attributes for the EmpowerID Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This job is scheduled per Account Store.

Audit Event Log Monitoring

Group Membership Reconciliation

This is a job hosted by the EmpowerID Worker Role Windows

Account Lockout Detection Job

This is a job hosted by the EmpowerID Worker Role Windows service that actively gathers event logs from remote Windows Server systems. This is in contrast to the Windows Server Event Log Monitor that runs locally on managed Windows servers. Either can be used; however, this agent can be used instead of the Windows Server Event Log Monitor for a polling style of event log change detection versus the push method offered by the Windows Server Event Log Monitor.

Exchange Management Host

This is a WCF web service end point that can execute any of the PowerShell cmdlets for managing Microsoft Exchange 2007 or greater. This job is hosted by EmpowerID Agent Windows service and must be installed on a machine loaded with the Exchange Management Console tools.

Exchange Public Folder Path Sync

This Job maintains the correct path value for the mail-enabled public folders in their corresponding AD object. This value is not maintained by Exchange when Public Folders are moved but its accuracy is required for managing Public Folders.

Account Password Reset Inbox

Job hosted by the Worker Role service that performs the offline password resets.

API Inbox Processor Job

Assignee Member Policy Compiler

Compiles field values based on assignee member policies

Assignee Member Policy Inbox Processor

Job that claims and processes PBAC policy membership inbox entries

Attestation Policy Compiler

Job hosted by the Worker Role service that evaluates attestation policies and creates Attestation Review tasks.

Attestation Processor

Not Used - placeholder for customization

Authorization Function Compiler

Processes Local and Global AzFunctions and creates the resultant assignees based on roles, rights and Auth Object mappings

Authorization Risk Compiler

Processes Local and Global AzRisks

Export Job for Bidirectional Connectors

Export Job For Outbound Connectors

Bot Password Expiry Notification

Business Request Approvers Refresher

Claims and refreshes BusinessRequest and BusinessRequestItems due for approvers refresh.

Business Request Fulfillment Job

Fulfills claimed Business Request Item after approvals every ReprocessInterval + 120 seconds by initiating workflow to do fulfillment. If it is locked by server without getting processed it will be claimed again based on ReclaimByDate (set to +1 hour on each claim).

Business Request JSON Inbox Processor

Claims open BusinessRequestJSONInbox records to create BusinessRequest - Items, Approval Steps, Approvers

Business Request Item Step Fulfillment Job

Fulfills claimed Business Request Item Approval step after approvals every ReprocessInterval + 120 seconds by initiating workflow to do fulfillment. If it is locked by server without getting processed it will be claimed again based on ReclaimByDate (set to +1 hour on each claim).

Business Request Notification Inbox Claim Job

Job to claim entries in Business Request Notification Inbox and send notification emails

Business Request Notification Inbox Drop Processor

Job to process events from Business Request Notification Event Drop Inbox

Business Request Risk Compiler

Invokes BusinessRequest CompileAllRisks

Component Process Inbox Job

Database Archiving Rule Processor

Job that performs database archiving rules and processes

Dynamic Hierarchy Generation Job

Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies.

Dynamic Hierarchy Membership Recalculation Job

Job hosted by the Worker Role service that calculates which groups in group hierarchy policies should have their membership refreshed

Dynamic Hierarchy Provision Inbox Processor

Job hosted by the Worker Role service that calculates which groups should be provisioned or deprovisioned in group hierarchy policies

Group Membership Queue Processor Job

Group Membership Reconciliation Job

Job hosted by the Worker Role service that evaluates the current "as is" membership of groups versus the "should be" state of who should be a member based upon dynamic RBAC assignments of the "Member" Resource Role in EmpowerID. This job is scheduled per resource system or account store.

Import Groups Job

Import Management Roles Job

This is a Job hosted by the EmpowerID Worker Role Windows service that claims inventory jobs for resource systems and account stores on a scheduled basis, calling the specific inventory method for that system. For account stores, the inventory process is responsible for populating the attribute inbox and running the initial Person provision process using the same Join and Provision Rule logic used by the Account Inbox One by One or Account Inbox Bulk permanent workflow. The actual implementation of how each system is inventoried is specific to the type of system and the implementation in its connector. This Job is scheduled per resource system or account store.

LDAP Management Host WCF Service

This is a WCF web service hosted by the EmpowerID Agent Windows service that manages any communication that occurs between EmpowerID and any LDAP directories.

Password Manager Service

This is a WCF web service that hosts logic specific to password management, such as validation, and is the service that receives password change notification messages from the EmpowerID Password Change Detection Agent Windows service.

Inventory Get Unified Group Properties Job

Inventories the additional unified group properties to Azure EID Group

License Pool Approval Change Inbox Processor

Processes License Pools Inbox entries requiring approval, removes accounts from licenses groups that grant the license

License Pool Change Inbox Processor

Processes License Pools Inbox entries and adds or removes accounts from the licenses groups that grant the license

License Pool Compiler

Processes License Pools and creates inbox entries to add or remove accounts to license assigned groups

License Reclamation Approval Inbox Processor

Generates approval for License Reclamation Inbox entries needing approval. After the approval, the other Reclamation Inbox Processor processes the approved items.

License Reclamation Compiler

Processes License Reclamation and creates inbox entries for licenses that are not in use or assigned to an invalid account.

License Reclamation Inbox Processor

Processes License Reclamation Inbox entries and either executes the entries or generates workflows for approval.

Notification Report Subscription Compiler

Job that claims notification report subscriptions on a scheduled basis and calls the RunReport() method on the subscription.

Office 365 Batch Processor

Job hosted by the Worker Role service that performs the batch processing for Exchange Online Office365 actions.

PBAC Attribute Account Store Sync Policy Processor

Job that claims and syncs AzFieldTypeAccountStoreSyncPolicy into AssigneeAzFieldType

Permanent Workflow Job

This is a Job hosted by the EmpowerID Worker Role Windows service that ensures permanent workflows are kept in a continuously running state. The parameters for the loop are set for each workflow added to the Permanent Workflow job.

Person Default Attributes Reinforcement Job


Job hosted by the Worker Role service that is responsible for making sure each EmpowerID Person has the mandatory attributes they should have based on your Default Attribute Values policies. It also populates the Attribute outbox to ensure the corresponding account properties are changed, if needed.

PowerShell Service

This Job is a WCF web service end point hosted by the EmpowerID Agent Windows service for executing any type of PowerShell cmdlets. This service is used by workflows that execute PowerShell cmdlets. Applicable PowerShell snap-ins should be loaded on each server hosting this service.

RBAC Maintenance

Empty; this is purposely left blank for customer-specific maintenance, if needed.

RBAC Security Compiler

This is a Job hosted by the EmpowerID RBAC Services Windows

Ping Remote Server Job

This Job claims the remote servers and tries to ping them. If a ping fails, it logs the server details.

RBAC Maintenance Job

Job hosted by the Worker Role service to calculate RBAC assignments

RBAC Security Compiler Job

Job hosted by the Worker Role service that is responsible for building the Location and Business Role trees used in the various EmpowerID applications. It also calculates the location of resources and which security delegations will affect them.

This job MUST run on only ONE server.

RBAC Security Person Business Role Compiler Job

Job hosted by the Worker Role service that is responsible for calculating the Business Roles and Locations an EmpowerID Person will have based on all possible assignments.

Resource Entitlement Inbox Processor Job

Job hosted by the Worker Role service that performs the actions specified by the Resource Entitlement Inbox entries (Provision, Deprovision, etc.).

Resource Entitlement Recalculation Job

Job hosted by the Worker Role service that evaluates the current "as is" status of Resource Entitlement policies (RETs) versus the "should be" state. This entails determining which Accounts, Home Folders, Exchange Mailboxes, etc. people currently own versus what they should own by policy. The delta to normalize what they have with what they should have is written to the Resource Entitlement Inbox as a series of actions to be performed (Provision, Disable, Move, De-provision).


Resource Role Reconciliation

Job hosted by the Worker Role service that manages the membership of EmpowerID Resource Role groups (RRGs). It determines who should currently be a member of those RRGs and then modifies the membership to match. This job is scheduled per Resource System or Account Store.

Resource System Inbox Inventory Processor

Used when Inventory uses Inbox to bring data in

Rights Enforcement Job

This is a Job hosted by the EmpowerID Worker Role Windows service that adds or removes native permissions for resources in external systems based upon the current state of RBAC delegations. The actual granting or revoking of rights for external systems can result in calls to other agents in order to complete the action. This Job is scheduled per resource system or account store.

Rights Inventory Job

Job hosted by the Worker Role service that inventories native permissions for external system resources. The actual inventory of rights for the external system in question can result in calls to other agents (e.g., SharePoint Agent) in order to complete the action. This Job is scheduled per resource system or account store.

Risk Factor and Stats Recalculation Job

Job hosted by the Worker Role service that is responsible for calculating the risk factor score for all EmpowerID actor types.

Role and Location Compiler

This is a Job hosted by the EmpowerID Worker Role Windows service that determines the Business Roles and Locations that should be assigned to an EmpowerID Person based on information coming from an external custom system like an HR system. The Role and Location Compiler does not support using AD or LDAP for its functions. Only account stores where the Allow Role and Location Recalculation is set to Enabled will be considered. If multiple account stores are being monitored, those with a higher Role and Location Re-Eval Order value are given precedence. The following account store information is used by this job:

  • Accounts related to an EmpowerID Person

  • External Roles

  • External Locations

  • Associations between accounts, external roles, and external locations in an Account Store and whether the association is "Primary" (only one association can be designated as "Primary" for a given account per Account Store)

  • Mappings managed in the EmpowerID Role and Location Mapper:

    • Mappings between external roles and EmpowerID Roles (an external role can be mapped to multiple EmpowerID Roles, but only one of these mappings is considered "Primary")

    • Mappings between external locations and EmpowerID Locations

Role and Location Processor

This is a Job hosted by the EmpowerID Worker Role Windows service that makes Business Role and Location changes as determined by the Role and Location Compiler. The processor performs the following actions:

  • Changes a Person's primary Business Role and Location (only affects people whose primary role and location were not explicitly assigned)

  • Assigns secondary roles and locations to a Person

  • Removes secondary roles and locations from a Person

  • Handles ambiguous assignments by reassigning people whose Business Role and Location is uncertain to the role and location specified in the EmpowerID Resource System's "Default User Creation Path." This only occurs when a Person's primary Business Role and Location was previously determined by the Role and Location Compiler and set by the processor, but can no longer be ascertained due to insufficient or inconclusive information.

Role Model Business Role Application Role Inbox Processor

Role Model Identity Application Role Inbox Processor

Role Model Identity Business Role Inbox Processor

RoMo Application Role Inventory

RoMo Business Process Tree Inventory

RoMo Business Role Application Role Inventory

RoMo Business Role Inventory

RoMo Differentiation Type Value Tree Inventory

RoMo Identity ApplicationRole Inventory

RoMo Identity Business Role Inventory

RoMo Template Business Role Inventory

Search Tag Compilation

Job hosted by the Worker Role service that evaluates and prepares the tags needed for tag searching in EmpowerID and calculates implicit tagging.

Separation Of Duties Violation Processor

Job hosted by the Worker Role service that performs default configured actions in response to SoD Violation tasks.

Set Compiler Job

Job hosted by the Worker Role service that evaluates saved searches or Sets against connected Account Stores. The results of these compiled searches can be used for assigning Management Roles and Resource Roles as well as assignment of Person objects to Business Roles and Locations. This job can run on multiple servers at the same time (it doesn't follow the job schedule or reprocess interval).


This is a WCF web service end point that can execute any of the SharePoint object model calls required for managing Microsoft SharePoint 2007 or greater. This Job is hosted by the EmpowerID Agent Windows service and must be installed on a machine that is a SharePoint server in the farm to be managed.

Windows Server Event Log Monitor

This Job gathers raised notifications when a new event is added to the Windows event log and decides whether or not to track the event based on the monitoring policy defined for that system in EmpowerID. This can be used to push notification of changes, in place of the pull method offered by the Audit Event Log Monitoring job.

Windows Server Management Host WCF Service

This is a WCF web service hosted by the EmpowerID Agent Windows service that can execute any of the local Windows server OS management actions required for shared folder creation or other system management tasks. This service must be installed on a machine that is the intended target for management.

Online Topology Azure Web Job

Job hosted by the Worker Role service to inventory SharePoint Online using Azure Web Jobs

SharePoint Online Topology Job

Job hosted by the Worker Role service to inventory SharePoint Online

Workflow Task Renotification

Sends email notification and escalation based on the schedule configured on the Request Workflow schedule

Windows Service and AppPool Account Password Sync

This Job synchronizes account password resets for accounts used by Windows Services and IIS App Pools.

