One of EmpowerID’s primary functions is to present an accurate picture of security across an organization's on-premises and cloud-based IT systems. In addition to viewing and auditing these systems, EmpowerID provides Entitlement Management capabilities—defined as “cataloging and managing all the accesses an account may have, as part of the business process used to provision access.”¹
To support these capabilities, EmpowerID periodically inventories “protected resources”¹ from the systems you want to manage. EmpowerID refers to this process as “inventory”; other IAM systems often call the same process “reconciliation.”
What Are Protected Resources?
Protected resources are defined as “a system, process, service, information object, or even a physical location that is subject to access control as defined by the resource owner and other stakeholders, such as a business process owner or risk manager.” EmpowerID can inventory and manage a wide variety of protected resources, including:
Accounts
Groups
Computers
Azure subscriptions
SharePoint Online site collections
Many other resource types
Resource Systems and Resource System Types
To specify which systems you want to inventory, the schedule for inventorying them, and where each protected resource resides, EmpowerID maintains a ResourceSystems table. Each table entry represents a system containing protected resources you want EmpowerID to manage. Every registered system receives a unique ResourceSystemID and ResourceSystemGUID.
Additionally, EmpowerID itself has protected resources (for its pages, roles, APIs, etc.), which are treated as being in the “EmpowerID Resource System.”
Resource System Type vs. Security Boundary Type
Resource System Type: Defines the connector used to inventory data from an external system.
Security Boundary Type: Defines the connector used for Create, Update, Delete operations, as well as the attribute schema for the native objects that are managed directly in the external system.
Resource Records
When EmpowerID inventories protected resources, each resource is inserted into the Resource table with a unique ResourceID and ResourceGUID. The ResourceGUID matches the external system's unique identifier (GUID) wherever possible.
From here on, “protected resources” will simply be called “resources” to align with EmpowerID component terminology. It is important to note that each resource in EmpowerID has a ResourceTypeID, specifying the resource type or object. EmpowerID maintains a ResourceType record for each type of protected resource it can manage and secure. The ResourceTypeID becomes especially relevant when determining or modifying who can view or manage each resource.
Storing Resource Data
You might wonder how EmpowerID stores meaningful information about such diverse resource types in a single Resource table. It does not store all data in one place. As mentioned in a previous module, the Identity Warehouse has over 1,200 tables. For each ResourceType, a dedicated table holds detailed information specific to that type of resource. Each record in these specialized tables points back to the ResourceID and ResourceGUID in the Resource table.
By maintaining a separate table per resource type, EmpowerID offers a richer user experience when you view and manage the information associated with different types of resources.
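The data model described above (a ResourceSystem table, a single Resource table keyed by ResourceID/ResourceGUID and typed by ResourceTypeID, and one detail table per resource type pointing back to Resource), sketched as an added illustrative schema. This is not EmpowerID's actual Identity Warehouse schema; every column other than the identifiers named on this page is an assumption, and the closing query is a post-inventory integrity check a practitioner might run.

```sql
-- Illustrative, simplified schema (assumption: not EmpowerID's real tables).
CREATE TABLE ResourceSystem (
    ResourceSystemID   INTEGER PRIMARY KEY,
    ResourceSystemGUID CHAR(36) NOT NULL UNIQUE,
    Name               VARCHAR(200) NOT NULL     -- e.g. 'Corp AD', 'EmpowerID Resource System'
);

CREATE TABLE ResourceType (
    ResourceTypeID INTEGER PRIMARY KEY,
    Name           VARCHAR(100) NOT NULL         -- e.g. 'Account', 'Group', 'Computer'
);

-- One row per inventoried protected resource, whatever its type.
CREATE TABLE Resource (
    ResourceID       INTEGER PRIMARY KEY,
    ResourceGUID     CHAR(36) NOT NULL UNIQUE,  -- external system's GUID where available
    ResourceTypeID   INTEGER NOT NULL REFERENCES ResourceType(ResourceTypeID),
    ResourceSystemID INTEGER NOT NULL REFERENCES ResourceSystem(ResourceSystemID),
    Name             VARCHAR(256) NOT NULL
);

-- Type-specific detail table; a table like this exists per ResourceType.
-- It carries both pointers back to Resource, as the page describes.
CREATE TABLE Account (
    AccountID    INTEGER PRIMARY KEY,
    ResourceID   INTEGER NOT NULL UNIQUE REFERENCES Resource(ResourceID),
    ResourceGUID CHAR(36) NOT NULL,
    LogonName    VARCHAR(256) NOT NULL          -- assumed attribute
);

-- Integrity check after an inventory run: an Account-type resource with no
-- detail row, or a detail row whose GUID pointer disagrees with Resource,
-- indicates a partial or inconsistent inventory worth investigating.
SELECT r.ResourceID, r.ResourceGUID, rs.Name AS ResourceSystem,
       'missing Account detail row' AS Problem
FROM Resource r
JOIN ResourceType   rt ON rt.ResourceTypeID   = r.ResourceTypeID
JOIN ResourceSystem rs ON rs.ResourceSystemID = r.ResourceSystemID
LEFT JOIN Account   a  ON a.ResourceID        = r.ResourceID
WHERE rt.Name = 'Account' AND a.ResourceID IS NULL
UNION ALL
SELECT r.ResourceID, r.ResourceGUID, rs.Name,
       'Account.ResourceGUID does not match Resource.ResourceGUID'
FROM Account a
JOIN Resource       r  ON r.ResourceID        = a.ResourceID
JOIN ResourceSystem rs ON rs.ResourceSystemID = r.ResourceSystemID
WHERE a.ResourceGUID <> r.ResourceGUID;
```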
https://youtu.be/g86rqKy_mi0

¹ Source: Bago, E. (Editor) & Glazer, I. (2021). “Introduction to Identity - Part 1: Admin-time (v2)”, IDPro Body of Knowledge 1(5).