When you first connect EmpowerID to an account store like Active Directory, EmpowerID discovers the topology of the Active Directory and registers the EmpowerID equivalents of that topology in the EmpowerID Identity Warehouse. These EmpowerID equivalents include:

  • A Security Boundary object to represent the AD forest

  • An Account Store object to represent the AD domain

  • A Resource System object to represent the account store

  • A Resource System object to represent the Exchange Organization if the Active Directory has Microsoft Exchange

  • A Resource System object to represent the Lync Pool if the Active Directory has Microsoft Lync

  • A Directory Server object to represent each Domain Controller

...

While the above process holds true for all resource objects, user accounts receive more treatment than other types of inventoried objects because of their relationship to EmpowerID Persons, user identities, and system resources. As mentioned in the What is Role-Based Access Control? topic, EmpowerID Person objects are objects in the EmpowerID Identity Warehouse that link together the user accounts, the permissions assignments, the audit history, and the management policies associated with users in whatever directories their user accounts may be located. Thus, when EmpowerID inventories a resource system with user accounts, it evaluates those accounts using certain "Join" and "Provision" filters to determine whether they are owned by users, and based on that evaluation it does one of the following three things:

...

  1. The inventory process is initiated by the end-user and executed by the Inventory Job hosted by the EmpowerID Worker Role. This can be an initial inventory of a newly connected account store or it can be a repeat inventory of an existing account store. EmpowerID treats newly discovered accounts the same regardless of the inventory count.

  2. The LDAP Management Web Service retrieves all newly discovered accounts and passes them back to the EmpowerID Worker Role, which processes those accounts to determine whether or not they are valid user accounts.

  3. Valid accounts are written to the Accounts table of the EmpowerID Identity Warehouse.

  4. Any new accounts in the Accounts table are evaluated to determine how EmpowerID should treat those accounts with respect to the Person object. EmpowerID does this by first executing the Join Filter to see whether the newly discovered accounts can be joined to any existing EmpowerID Persons currently in the EmpowerID Identity Warehouse. The Join Filter looks for specific attributes to ensure a correct match between a newly discovered account and an EmpowerID Person. If an attribute match occurs between an account and an EmpowerID Person, the account is joined to that Person; if EmpowerID finds no match, it executes the Provision rule to create a new EmpowerID Person object and then joins the account to the new Person object.

  5. EmpowerID adds each new Person object created to the Person table of the Identity Warehouse. The Person object then becomes the base user identity in EmpowerID.

Once this process has been completed, EmpowerID repeats the tasks above on a scheduled basis to ensure that each new user account discovered in an account store is joined to the right EmpowerID Person. The logic of the Join Filter always ensures that the right user accounts are joined to the right EmpowerID Persons.
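A simplified model of the join-or-provision decision in step 4, added here as an illustration; it is not EmpowerID's own code, and the attribute names in JOIN_KEYS, the sample Persons and the sample accounts are all assumed. The hold-for-review branch for an account that matches more than one Person is an added safeguard rather than behaviour the page describes; the last sample account also shows a later inventory joining to a Person that an earlier run provisioned.

```python
from typing import Dict, Optional, Tuple

# Attributes a hypothetical Join Filter compares, most specific first (assumed names).
JOIN_KEYS = ("employeeID", "mail")

Attrs = Dict[str, Optional[str]]
Decision = Tuple[str, Optional[int]]  # ("joined"|"provisioned"|"review", person_id)

def join_or_provision(acct: Attrs, persons: Dict[int, Attrs]) -> Decision:
    """Step 4: run the Join Filter; fall back to the Provision rule only if nothing matches."""
    for key in JOIN_KEYS:
        value = acct.get(key)
        if not value:
            continue  # the account lacks this attribute, try the next one
        matches = [pid for pid, p in persons.items() if p.get(key) == value]
        if len(matches) == 1:
            return "joined", matches[0]
        if len(matches) > 1:
            # Ambiguous match: auto-joining could link the account to the wrong
            # identity and give it that Person's access, so hold it for review.
            return "review", None
    # No Person matched on any key: provision a new one (step 5) and join the account to it.
    new_id = max(persons, default=0) + 1
    persons[new_id] = {k: acct.get(k) for k in JOIN_KEYS}
    return "provisioned", new_id

def process_inbox(accounts: Dict[str, Attrs], persons: Dict[int, Attrs]) -> Dict[str, Decision]:
    """Process every newly inventoried account in order; persons is updated in place."""
    return {name: join_or_provision(attrs, persons) for name, attrs in accounts.items()}

def run_demo() -> Dict[str, Decision]:
    # Constructed sample data (not from any real directory): two existing
    # Persons share a mail value, which makes a mail-only match ambiguous.
    persons = {1: {"employeeID": "1001", "mail": "alice@example.com"},
               2: {"employeeID": "1002", "mail": "bob@example.com"},
               3: {"employeeID": None, "mail": "bob@example.com"}}
    accounts = {"alice": {"employeeID": "1001", "mail": "alice@example.com"},
                "bob-admin": {"employeeID": None, "mail": "bob@example.com"},
                "carol": {"employeeID": "1003", "mail": "carol@example.com"},
                "carol2": {"employeeID": "1003", "mail": None}}
    return process_inbox(accounts, persons)

if __name__ == "__main__":
    print(run_demo())
```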

Info

The mechanism by which EmpowerID processes user accounts is known as the Account Inbox. The Account Inbox is comprised of the above mentioned Join and Provision filters. For a greater discussion of the Account Inbox, see Understanding the Account Inbox.

Inventorying Groups and Group Memberships

As mentioned in the What is Role-Based Access Control? topic, a group is a collection of user accounts residing in a directory outside of EmpowerID. In EmpowerID, these user accounts are linked to the EmpowerID Person objects that own them, which makes groups collections of accounts that resolve to people. When EmpowerID inventories a resource system with groups and memberships, it does the following:

  • Creates group objects and adds them to the specified account store;

  • Creates object relationships between user accounts and groups (group membership or group account);

  • Flags the group accounts as CreatedFromAccountStore;

  • Updates any changes in groups and memberships.

...