Attribute Flow
One of the biggest challenges associated with securing IT resources in large environments is creating a comprehensive "identity layer" that can be used as a singular reference point for managing users and all of their associated accounts, roles, and entitlements. As a directory and Identity Warehouse, EmpowerID is capable of creating this comprehensive identity layer via the inventory process that joins each user account in a managed account store to a corresponding EmpowerID Person. But this is only half the solution. Beyond creating and depositing a comprehensive identity layer into a central repository, what is needed is an authoritative system with the power and reach to control not only what can happen to those identities within its own repository, but also what can happen to those identities within each connected resource system as well. If changes happen to "Bob" in directory "A," those changes should also happen to "Bob" in directory "B" and "C" if those changes are authoritative—or discarded if they are not. Additionally, this should happen without requiring continual vigilance on the part of administrators and other power users. The EmpowerID synchronization engine joins the EmpowerID inventory process to provide just this solution. Whereas the inventory process creates the identity layer, the synchronization engine maintains it via a process known as "Attribute Flow."
In EmpowerID, Attribute Flow is a flexible process that is used to detect changes that occur to a managed identity by comparing the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to those Person objects. When attribute changes are detected, EmpowerID flags the account and processes those changes, issuing commands to update any affected attributes in either the EmpowerID Identity Warehouse or the connected account store, depending on the origin of the change. If the change occurred through actions originating in EmpowerID, commands are issued to update the user objects in all connected resource systems via each system's respective connector. If the changes occurred through actions originating in a resource system, EmpowerID retrieves those changes and records them in the Identity Warehouse, where they are evaluated and either used to update the Identity Warehouse or discarded as appropriate. The process by which this synchronization occurs can be represented by the below image.
The above image demonstrates how EmpowerID syncs user attributes in three iterations to show you the full spectrum of the process. This image shows how synchronization occurs between users with three user identities: one in an HR System, one in Active Directory, and one in the EmpowerID Identity Warehouse. The process is as follows:
- Step A1 - The EmpowerID Worker Role service calls the Inventory Job for the HR System account store.
- Steps A2, A3, and A4 - The EmpowerID Worker Role service evaluates the accounts, discovering the change to the Job Title attribute by comparing the attributes of the returned accounts with the corresponding attributes of those same user accounts currently in the Account table of the EmpowerID Identity Warehouse.
- Step A5 and A6 - The change to the Job Title attribute is pushed to the Attribute Inbox, which is based on the configuration of the Attribute Flow rules which either updates the Job Title attribute for the linked EmpowerID Person object in the Person table of the EmpowerID Identity Warehouse or ignores the change.
- Steps A7 and A8 - The change to the Job Title attribute on the EmpowerID Person is pushed to the Attribute Outbox, which flows those changes back to the EmpowerID Worker Role service.
- Step B1 - The EmpowerID Worker Role service calls the Attribute Flow: Directory Change Processor Job , which passes the Job Title attribute change to the LDAP Management Host on the EmpowerID Agent.
- Step B2 - The LDAP Management Host pushes the Job Title attribute change to the user account in Active Directory that is joined to the EmpowerID Person.
In this way, the change to the Job Title attribute that occurred to the user account in the HR System occurs to that user's accounts in all managed systems. EmpowerID ensures these changes occur regardless of the direction in which they originate, as demonstrated by the "C" loop. In that loop, the logic and process is identical, with the only difference being the change to an attribute is discovered during the inventory of Active Directory. In that case, the changes flow from Active Directory to EmpowerID to the HR System.
Although the process appears intensive, the mechanism by which it occurs is silent and invisible to your users when EmpowerID is appropriately configured. What EmpowerID does with the attribute changes it discovers is up to you. For EmpowerID to follow the process outlined above, you only need to make a few configuration selections for each of your connected account stores. These include: enabling attribute flow to occur and setting the Attribute Flow Rules. Attribute Flow Rules determine what EmpowerID should do when it discovers attribute changes. These rules can be configured for each account store in one of the following ways:
- No Sync - When this option is selected, information between EmpowerID and a managed account store is not synchronized and no attribute flow occurs. Using the image above as an example, this means that if someone changes the Job Title attribute for an account in the HR System that change will not update the EmpowerID Person objector the Active Directory. The changed value, however, will be stored in the account table.
- Bidirectional Flow - When this option is selected, changes made to an account within a managed account store will occur to that account in EmpowerID and vice-versa. Depending on the Attribute Flow Rules set for any other managed account stores, those changes may or may not be pushed into other directories. In our example above, Attribute flow is set to Bidirectional for both the HR System and the Active Directory. In this way, changes originating in both the HR System and Active Directory can be passed from one to another because EmpowerID accepts those changes as being authoritative.
- Account Store Changes Only - When this option is selected, only changes to attributes that originate in a connected account store will be accepted as authoritative by EmpowerID. Changes originating in the account store will flow to the EmpowerID Identity Warehouse, but changes originating in EmpowerID will not update the account store.
- EmpowerID Changes Only - When this option is selected, only changes to attributes that originate within EmpowerID will be accepted as authoritative. Changes originating in EmpowerID will be pushed to the account store, but changes originating in the account store will not update EmpowerID. Any change in the account store will be rolled back by EmpowerID.