Reconciliation is the process of synchronizing the accounts and supporting data to the IBM® Security Identity Governance and Intelligence central data repository from a managed resource. Reconciliation is required when accounts and supporting data can be changed on the managed resource so that the Identity Governance and Intelligence data is consistent and up-to-date with the remote resource.

Key concepts:

Always between Person and Account in Account Store

Rules specify Publish Only, Subscribe Only, Bidirectional

Scores used to increase data quality for multi-authoritative

Inbound attribute changes come into inbox queue

Outbound changes go out through outbox queue

Handlers for transformation

...

Key Points

  • Attribute Flow is a flexible process that is used to detect changes that occur to a managed identity by comparing the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to those Person objects.

  • When attribute changes are detected for an attribute configured to flow, EmpowerID flags the account and processes those changes, issuing commands to update any affected attributes in either the EmpowerID Identity Warehouse (metadirectory) or the connected account store, depending on the origin of the change.

  • If the changes occurred through actions originating in an Account Store, EmpowerID retrieves those changes and records them in the Identity Warehouse, where they are evaluated and either used to update the Identity Warehouse or discarded as appropriate.


Attribute Flow Configuration Processes

  • Attribute flow rules are defined per attribute per account store to determine what attributes should flow, in what direction, and with what priority.  This is the lowest level of granularity in the configuration process.

  • At the account store configuration level, attribute flow can be disabled for the entire account store so that attributes will not be evaluated for any accounts in the account store.

  • At the system level, attribute flow processing can be either disabled or enabled to facilitate the flow of attributes from external accounts to the EmpowerID Person identity.


Flow Rules – Type and Direction


Flow Rules – Weighting and Scoring (Data Quality)

  • Create Score – In the event of conflicting updates from 2 separate accounts, this weighting determines which account attribute value will take precedence if the current person attribute is null.

  • Update Score – In the event of conflicting updates from 2 separate accounts, this weighting determines which account attribute value will take precedence if the current person attribute has a value.

  • Delete Score – In the event that an attribute value from one account store has a value in it and another has a null value, this weighting determines if the value should be nulled or not.  If the account store with the null value has a higher weighting, then the attribute will be nulled.  Otherwise, it will be left alone.
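
The three scores can be modelled as a small resolver for one Person attribute. This is an added example, not EmpowerID code: the store names, score values, tie-breaking rule and the choice to ignore stores without a flow rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Scores:
    create: int  # compared when the Person attribute is currently null
    update: int  # compared when the Person attribute already has a value
    delete: int  # compared when one store reports null and another a value


# Constructed rules for one attribute ("State"), one entry per account store.
RULES = {
    "HR":  Scores(create=90, update=90, delete=80),
    "CRM": Scores(create=95, update=10, delete=5),
    "AD":  Scores(create=50, update=60, delete=20),
}


def resolve(current: Optional[str], inbound: Dict[str, Optional[str]],
            rules: Dict[str, Scores] = RULES) -> Optional[str]:
    """Return the Person value after weighing one inbound value per store."""
    # A store with no flow rule for this attribute never influences the result.
    scored = {s: v for s, v in inbound.items() if s in rules}
    with_value = {s: v for s, v in scored.items() if v is not None}
    with_null = [s for s, v in scored.items() if v is None]

    if not with_value:
        # Assumption: nulling is only weighed against a store that has a value.
        return current

    if with_null:
        # Delete Score: null wins only if its store strictly outranks the
        # best value-bearing store; otherwise the attribute is left alone.
        if max(rules[s].delete for s in with_null) > \
           max(rules[s].delete for s in with_value):
            return None

    # Create Score when the Person value is null, Update Score otherwise.
    kind = "create" if current is None else "update"
    # Assumption: ties go to the alphabetically first store name.
    winner = max(sorted(with_value), key=lambda s: getattr(rules[s], kind))
    return with_value[winner]


if __name__ == "__main__":
    print(resolve(None, {"HR": "Massachusetts", "CRM": "Mass."}))
    print(resolve("Massachusetts", {"HR": "Massachusetts", "CRM": "Mass."}))
    print(resolve("Massachusetts", {"HR": None, "AD": "MA"}))
    print(resolve("Massachusetts", {"HR": "Massachusetts", "AD": None}))
```

Giving a less trusted store low Update and Delete scores is what keeps it from overwriting or blanking a value that an authoritative store maintains.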


Inventory and Attribute Flow


Attribute Flow Handlers

  • By default, EmpowerID retrieves attribute values for each user account in a connected account store and maps them value for value to the corresponding Person attributes stored in the EmpowerID Identity Warehouse.

  • In this way, if the value of "State" for an AD user account is "Massachusetts" then the value of "State" for that account's Person object in EmpowerID is "Massachusetts."

  • Attribute Flow Handlers allow you to customize this logic by writing your own code to handle value transformations on a per-attribute basis.


The diagram below provides an overview of the Attribute flow rules and relationships between accounts, person identities, and core identities.

...

Attribute Flow Demo

...

Related Docs Topics:

Configure Attribute Flow