One of the biggest challenges associated with securing IT resources in large environments is creating a comprehensive "identity layer" that can be used as a singular reference point for managing users and all of their associated accounts, roles, and entitlements. As a directory and Identity Warehouse, EmpowerID is capable of creating this comprehensive identity layer via the inventory process that joins each user account in a managed account store to a corresponding EmpowerID Person. But this is only half the solution. Beyond creating and depositing a comprehensive identity layer into a central repository, what is needed is an authoritative system with the power and reach to control not only what can happen to those identities within its own repository, but also what can happen to those identities within each connected resource system as well. If changes happen to "Bob" in directory "A," those changes should also happen to "Bob" in directory "B" and "C" if those changes are authoritative—or discarded if they are not. Additionally, this should happen without requiring continual vigilance on the part of administrators and other power users. The EmpowerID synchronization engine joins the EmpowerID inventory process to provide just this solution. Whereas the inventory process creates the identity layer, the synchronization engine maintains it via a process known as "Attribute Flow."

In EmpowerID, Attribute Flow is a flexible process that is used to detect changes that occur to a managed identity by comparing the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to those Person objects. When attribute changes are detected, EmpowerID flags the account and processes those changes, issuing commands to update any affected attributes in either the EmpowerID Identity Warehouse or the connected account store, depending on the origin of the change. If the change occurred through actions originating in EmpowerID, commands are issued to update the user objects in all connected resource systems via each system's respective connector. If the changes occurred through actions originating in a resource system, EmpowerID retrieves those changes and records them in the Identity Warehouse, where they are evaluated and either used to update the Identity Warehouse or discarded as appropriate. The process by which this synchronization occurs can be represented by the below image.

[Image: attribute flow between the HR System, Active Directory, and the EmpowerID Identity Warehouse]

The above image demonstrates how EmpowerID syncs user attributes, walking through three iterations to show the full spectrum of the process. It shows synchronization for a single user who has three identities: one in an HR System, one in Active Directory, and one in the EmpowerID Identity Warehouse. The process is as follows:


In this way, the change to the Job Title attribute that occurred on the user's account in the HR System is applied to that user's accounts in all managed systems. EmpowerID ensures these changes occur regardless of the direction in which they originate, as demonstrated by the "C" loop. In that loop, the logic and process are identical; the only difference is that the attribute change is discovered during the inventory of Active Directory, so the change flows from Active Directory to EmpowerID and then to the HR System.
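The comparison step and the two flow directions described above (a change discovered during inventory of a resource system, and a change made in EmpowerID itself) can be modelled in a few lines. The following is an added example, not EmpowerID's own code: the `FlowRule` class, the system names `HR` and `AD`, the attribute names, and the sample values are all constructed for illustration, and the rule that only an authoritative system's change is accepted while any other change is discarded is an assumption about how Attribute Flow Rules are configured.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    """A user account in a connected resource system (e.g. HR or Active Directory)."""
    system: str
    attributes: dict[str, str]


@dataclass
class Person:
    """The Identity Warehouse record that the user's accounts are joined to."""
    person_id: str
    attributes: dict[str, str]
    accounts: list[Account] = field(default_factory=list)


@dataclass
class FlowRule:
    """Hypothetical attribute flow rule: which systems may author a given attribute."""
    attribute: str
    authoritative_systems: set[str]


@dataclass
class ChangeRecord:
    """Record of a detected change and whether it was applied or discarded."""
    system: str
    attribute: str
    old_value: str | None
    new_value: str
    accepted: bool


def detect_changes(person: Person, account: Account) -> list[tuple[str, str | None, str]]:
    """Inventory step: compare each attribute of a joined account with the Person."""
    return [
        (attr, person.attributes.get(attr), value)
        for attr, value in account.attributes.items()
        if person.attributes.get(attr) != value
    ]


def push_to_accounts(person: Person, attr: str, value: str, skip: Account | None = None) -> None:
    """Stand-in for the per-system connector: write the value into every joined account."""
    for account in person.accounts:
        if account is not skip:
            account.attributes[attr] = value


def flow_from_resource_system(person: Person, rules: list[FlowRule], account: Account) -> list[ChangeRecord]:
    """Change discovered during inventory of a resource system: accept it into the
    warehouse only if that system is authoritative for the attribute, then propagate."""
    rule_map = {rule.attribute: rule for rule in rules}
    log: list[ChangeRecord] = []
    for attr, old, new in detect_changes(person, account):
        rule = rule_map.get(attr)
        accepted = rule is not None and account.system in rule.authoritative_systems
        log.append(ChangeRecord(account.system, attr, old, new, accepted))
        if accepted:
            person.attributes[attr] = new                      # update the Identity Warehouse
            push_to_accounts(person, attr, new, skip=account)  # flow to the other systems
        # a non-authoritative change is discarded: the warehouse value stands
    return log


def flow_from_empowerid(person: Person, attr: str, value: str) -> None:
    """Change made in EmpowerID itself: update the warehouse and every connected account."""
    person.attributes[attr] = value
    push_to_accounts(person, attr, value)


def build_sample() -> tuple[Person, list[FlowRule]]:
    """Constructed sample: one Person joined to an HR account and an AD account."""
    person = Person("bob", {"jobTitle": "Analyst", "telephoneNumber": "5550100"})
    hr = Account("HR", dict(person.attributes))
    ad = Account("AD", dict(person.attributes))
    person.accounts = [hr, ad]
    rules = [
        FlowRule("jobTitle", {"HR"}),          # HR is authoritative for job titles
        FlowRule("telephoneNumber", {"AD"}),   # AD is authoritative for phone numbers
    ]
    return person, rules


if __name__ == "__main__":
    person, rules = build_sample()
    hr, ad = person.accounts
    hr.attributes["jobTitle"] = "Senior Analyst"   # change made in the HR System
    for record in flow_from_resource_system(person, rules, hr):
        print(record)
    ad.attributes["jobTitle"] = "Manager"          # non-authoritative change in AD
    for record in flow_from_resource_system(person, rules, ad):
        print(record)
```

Running the module shows the "A"/"B" direction (the HR change is accepted, written to the Person, and pushed to AD) and the discard case (the AD edit to Job Title is logged but never reaches the warehouse or HR). The "C" loop is the same code path with `ad` passed as the changed account and an attribute for which AD is authoritative.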

Although the process appears intensive, it runs silently and invisibly to your users when EmpowerID is appropriately configured. What EmpowerID does with the attribute changes it discovers is up to you. For EmpowerID to follow the process outlined above, you only need to make a few configuration selections for each of your connected account stores: enabling attribute flow and setting the Attribute Flow Rules. Attribute Flow Rules determine what EmpowerID should do when it discovers attribute changes. These rules can be configured for each account store in one of the following ways: