Universal Connector Integration Details
- Phillip Hanegan
EmpowerID provides a Universal Connector that can be used for inventorying and managing resources originating in account stores for which EmpowerID does not provide a specific out of the box connector, like HR systems and custom applications via an Universal Connector database. (EmpowerID currently has out-of-the-box connectors for Active directory, LDAP, Google Apps, Office 365, and others). Using the Universal Connector requires the data in your external system be imported into the Universal Connector database via the technology of your choice—including scripting, an ETL tool like Microsoft SSIS, or code in the language of their choice—according to the schema defined for it by EmpowerID.
To find this topic helpful, you should have a good understanding of SQL and database principles.
Inbound Data
EmpowerID provides the following tables for importing data from an external system to the Universal Connector database. These tables are as follows:
User Table
Field | Data Type | Max Length (Bytes) | Optional | Default | Description |
---|---|---|---|---|---|
UserGUID | uniqueidentifier | 16 | No | (newid()) | Uniquely identifies a user account in EmpowerID. If this field is blank, EmpowerID will generate the guid. This field should never be updated for the life of the record. |
UserID | nvarchar(200) | 400 | No | Specifies the UserID for a user in the external system. This value is derived from the external system and must be unique for each user. This field should never be deleted or updated for the life of the record. | |
LogonName | nvarchar(200) | 400 | No | Specifies the logon name for the user account. This value must be unique for each user and can be set to any desired value, such as a user's EmployeeID contained within an external system or a combination of data that can be found, derived or calculated from an external system. If this field is blank, EmpowerID will generate a unique logon name for each user record. | |
Active | bit | 1 | No | ((1)) | Specifies whether a user is active. This field can be used in place of the Status field. |
FriendlyName | nvarchar(255) | 510 | Yes | Specifies the name shown to users in EmpowerID user interfaces. The field maps to the DisplayName attribute in Active Directory. | |
Name | nvarchar(255) | 510 | Yes | Specifies the account name. This value should be unique and maps to the CNor DistinguishedName in Active Directory. | |
FirstName | nvarchar(50) | 100 | Yes | Specifies the first name of the user and maps to the givenName attribute in Active Directory. | |
MiddleName | nvarchar(50) | 100 | Yes | Specifies the middle name of the user and maps to the middleName attribute in Active Directory. | |
LastName | nvarchar(50) | 100 | Yes | Specifies the last name of the user. Maps to the LastName field in Active Directory. | |
nvarchar(255) | 510 | Yes | Specifies the email address of the user. The value of this field can be used to set the email address of the user in Exchange when an Exchange Resource Entitlement exists. Additionally, this field is used by EmpowerID to determine whether the specific user account needs to be joined to an EmpowerID Person. For more information, see Overview of the Account Inbox. | ||
EmployeeID | nvarchar(50) | 100 | Yes | Specifies the Employee ID of the user in the external system and will set the EmployeeID attribute of the user in Active Directory. When used, this value must be unique for each user. Additionally, this field is used by EmpowerID to determine whether the specific user account needs to be joined to an EmpowerID Person. For more information, see Overview of the Account Inbox. | |
BusinessRoleID | nvarchar(200) | 400 | Yes | Specifies the Business Role ID of the Business Role associated with the user in EmpowerID. When populating Business Role data, you can elect to set this field or the BusinessRoleName field. If BusinessRoleID is selected, this field will be set to the ID of the corresponding Business Role in the Business Role table of the EmpowerID Identity Warehouse. If the user does not have a Business Role, both fields can be left blank. If the user has more than one Business Role and Location, the UserBusinessRoleLocation table can used instead of, or in conjunction with, this field as EmpowerID performs a union of the Business Role and Location data in the User table and the Business Role and Location data in the UserBusinessRoleLocation table. If this field is left blank and multiple entries exist in the UserBusinessRoleLocation table for a specific user, the record with the lowest priority will be set as the primary Business Role.
| |
BusinessRoleName | nvarchar(200) | 400 | Yes | Specifies the Business Role Name of the Business Role associated with the user in EmpowerID. When populating Business Role data, you can elect to set this field or the BusinessRoleID field. If BusinessRoleName is selected, this field will be set to the name of the corresponding Business Role in the Business Role table of the EmpowerID Identity Warehouse. If the user does not have a Business Role, both fields can be left blank. If the user has more than one Business Role and Location, the UserBusinessRoleLocation table can used instead of, or in conjunction with, this field as EmpowerID performs a union of the Business Role and Location data in the User table and the Business Role and Location data in the UserBusinessRoleLocation table. If this field is left blank and multiple entries exist in the UserBusinessRoleLocation table for a specific user, the record with the lowest priority will be set as the primary Business Role.
| |
LocationID | nvarchar(200) | 400 | Yes | Specifies the ID of the Location associated with the user in EmpowerID. When populating Location data, you can elect to set this field or the LocationNamefield. If LocationID is selected, this field will be set to the ID of the corresponding Location in the Location table of the EmpowerID Identity Warehouse. If the user does not have a Location, both fields can be left blank. If the user has more than one Location, the UserBusinessRoleLocation table can used instead of, or in conjunction with, this field as EmpowerID performs a union of the Business Role and Location data in the User table and the Business Role and Location data in the UserBusinessRoleLocation table. If this field is left blank and multiple entries exist in the UserBusinessRoleLocation table for a specific user, the record with the lowest priority will be set as the primary Location.
| |
LocationName | nvarchar(200) | 400 | Yes | Specifies the name of the Location associated with the user in EmpowerID. When populating Location data, you can elect to set this field or the LocationID field. If LocationName is selected, this field will be set to the name of the corresponding Location in the Location table of the EmpowerID Identity Warehouse. If the user does not have a Location, both fields can be left blank. If the user has more than one Location, the UserBusinessRoleLocation table can used instead of, or in conjunction with, this field as EmpowerID performs a union of the Business Role and Location data in the User table and the Business Role and Location data in the UserBusinessRoleLocation table. If this field is left blank and multiple entries exist in the UserBusinessRoleLocation table for a specific user, the record with the lowest priority will be set as the primary Location.
| |
ManagerLogonName | nvarchar(200) | 400 | Yes | Specifies the LogonName of the user's manager, if any. If populated, the field will be used to set the user's direct manager in EmpowerID. When populating user manager data, you can elect to set this field or the ManagerAccountIDfield. If the user does not have a manager, both fields can be left blank. | |
ManagerAccountID | nvarchar(200) | 400 | Yes | Specifies the User ID of the user's manager, if any. If populated, the field will be used to set the user's direct manager in EmpowerID. When populating user manager data, you can elect to set this field or the ManagerLogonNamefield. If the user does not have a manager, both fields can be left blank. | |
Telephone | nvarchar(50) | 100 | Yes | Specifies the primary telephone number of the user's place of business and and maps to the telephoneNumber attribute in Active Directory. | |
MobileNumber | nvarchar(50) | 100 | Yes | Specifies the mobile number of the user and maps to the mobile attribute in Active Directory. | |
BusinessPhone | nvarchar(50) | 100 | Yes | Specifies the business telephone number of the user. | |
HomePhone | nvarchar(50) | 100 | Yes | Specifies the home telephone number of the user and maps to the homePhone attribute in Active Directory. | |
StreetAddress | nvarchar(255) | 510 | Yes | Specifies the street address of the user and maps to the streetAddress attribute in Active Directory. | |
StreetAddress2 | nvarchar(255) | 510 | Yes | Specifies a secondary street address of the user. | |
City | nvarchar(100) | 200 | Yes | Specifies the city where the user is located and maps to the l attribute in Active Directory. | |
State | nvarchar(100) | 200 | Yes | Specifies the state where the user is located and maps to the st attribute in Active Directory. | |
Country | nvarchar(50) | 200 | Yes | Specifies the country where the user is located and maps to the co attribute in Active Directory. | |
Province | nvarchar(100) | 200 | Yes | Specifies the province where the user is located. | |
Company | nvarchar(256) | 512 | Yes | Specifies the user's company name and maps to the company attribute in Active Directory. | |
Department | nvarchar(256) | 512 | Yes | Specifies the user's department name and maps to the department attribute in Active Directory. | |
DepartmentNumber | nvarchar(50) | 100 | Yes | Specifies the user's department number and maps to the departmentNumber attribute in Active Directory. | |
OfficeLocation | nvarchar(450) | 900 | Yes | Specifies the location or address of the user's office and maps to the physicalDeliveryOfficeName attribute in Active Directory. | |
Location | nvarchar(450) | 900 | Yes | Specifies the user's location within an organization, such as their office number and maps to the location attribute in Active Directory. | |
Division | nvarchar(450) | 900 | Yes | Specifies the user's division and maps to the division attribute in Active Directory. | |
PersonalTitle | nvarchar(255) | 510 | Yes | Specifies the user's personal title, such as "Mr", "Mrs" or "Ms." This field maps to the personalTitle attribute in Active Directory | |
Description | nvarchar(255) | 510 | Yes | Specifies a description for the user and maps to the description attribute in Active Directory. | |
SecondLastName | nvarchar(50) | 100 | Yes | Specifies a second last name for the user, where such is used. | |
GenerationalSuffix | nvarchar(10) | 20 | Yes | Specifies a generational suffix for the user, such as "JR" or "SR." This field maps to the generationQualifier attribute in Active Directory. | |
Initials | nvarchar(6) | 12 | Yes | Specifies the user's initials and maps to the initials attribute in Active Directory. | |
BirthName | nvarchar(255) | 510 | Yes | Specifies the name given to the user at birth. | |
DisplayNamePrintable | nvarchar(255) | 510 | Yes | Specifies the printable name for the user and maps to the displayNamePrintable attribute in Active Directory. | |
PreferredFirstName | nvarchar(50) | 100 | Yes | Specifies the preferred first name of the user. | |
PreferredLastName | nvarchar(50) | 100 | Yes | Specifies the preferred last name of the user. | |
JobTitle | nvarchar(255) | 100 | Yes | Specifies the user's job title within an organization and maps to the titleattribute in Active Directory. | |
AboutMe | nvarchar(max) | max | Yes | Specifies user-defined demographic information about the user. | |
PreferredLanguage | nvarchar(50) | 100 | Yes | Specifies the preferred written or spoken language of the user. If this value is set on the person, then EmpowerID displays its user interfaces to that user in that language when localization is applied. | |
PostOfficeBox | nvarchar(50) | 100 | Yes | Specifies the post office box for the user and maps to the postOfficeBoxattribute in Active Directory. | |
SocialSecurityNumber | nvarchar(50) | 100 | Yes | Specifies the social security number for the user. Please not that EmpowerID does not mask these characters. It is up to you to mask this or just include the last four digits if not. | |
NationalIdentificationNumber | nvarchar(50) | 100 | Yes | Specifies the national identification number for the user. | |
CarLicense | nvarchar(50) | 100 | Yes | Specifies the vehicle license or registration plate of the user's vehicle. This field maps to the carLicense attribute in Active Directory. | |
Ethnicity | nvarchar(50) | 100 | Yes | Specifies the ethnicity of the user. | |
Gender | nvarchar(15) | 30 | Yes | Specifies the gender of the user. | |
District | nvarchar(256) | 512 | Yes | Specifies the district of the user. | |
Assistant | nvarchar(450) | 900 | Yes | Specifies an assistant to the user. | |
PhotoUrl | nvarchar(256) | 512 | Yes | Specifies the location of the user's photo. | |
IMAddress | nvarchar(256) | 512 | Yes | ||
SIPAddress | nvarchar(256) | 512 | Yes | ||
IdentityURL | nvarchar(256) | 512 | Yes | ||
URLPersonal | nvarchar(256) | 512 | Yes | Specifies a person URL for the user. | |
URLBusiness | nvarchar(256) | 512 | Yes | Specifies the business URL for the user. | |
URLOWA | nvarchar(256) | 512 | Yes | Specified the OWA URL for the user. | |
Pager | nvarchar(50) | 512 | Yes | Specifies the pager number for the user. | |
IpPhone | nvarchar(50) | 100 | Yes | Specifies the user's IP phone number. | |
Fax | nvarchar(50) | 100 | Yes | Specifies a fax number for the user. | |
Notes | nvarchar(1024) | 100 | Yes | Field for inserting notes. | |
DateOfBirth | datetime | 8 | Yes | Specifies the date of birth for the user. | |
CityOfBirth | nvarchar(50) | 100 | Yes | Specifies the city of birth for the user. | |
CountryOfBirth | nvarchar(50) | 100 | Yes | Specifies the country of birth for the user. | |
EmployeeIDOther | nvarchar(50) | 100 | Yes | Specifies an alternative Employee ID for the user. | |
EmployeeType | nvarchar(50) | 100 | Yes | Specifies the user's employee type. | |
ExtensionAttribute1 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute2 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute3 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute4 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute5 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute6 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute7 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute8 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute9 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute10 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute11 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute12 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute13 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute14 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute15 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute16 | xml | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute24 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute25 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute26 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute27 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
Alias | nvarchar(100) | 200 | Yes | ||
TargetAddress | nvarchar(255) | 510 | Yes | ||
Deleted | bit | 1 | No | ((0)) | Specifies whether a user has been deleted in the external system. DO NOT delete the record from the table. If the record no longer exists in the external system, then you can set this value to true. If the user has been deleted, the LogonName will need to be updated if the same values might be reused later by a new user. |
DeletedDate | datetime | 8 | Yes | Specifies the date and time when the user was deleted from the external system. For information purposes only. | |
TerminationDate | datetime | 2048 | Yes | Specifies the date and time when the user was terminated from a hired condition. | |
Disabled | bit | 1 | No | ((0)) | |
LockedOut | bit | 1 | No | ((0)) | |
LockedOutTime | bigint | 8 | Yes | ||
ExpiresOn | datetime | 8 | Yes | ||
ValidFrom | datetime | 8 | Yes | ||
ValidUntil | datetime | 8 | Yes | ||
PasswordNeverExpires | bit | 1 | No | ((0)) | Specifies whether the user's password is set to never expire. |
CannotChangePassword | bit | 1 | No | ((0)) | Specifies whether the user can change their password. |
PasswordExpires | datetime | 8 | Yes | Specifies the date and time a user's password expires. | |
PasswordLastChanged | datetime | 8 | Yes | Specifies the date and time the user last changed their password. | |
MustChangePasswordAtNextLogon | bit | 1 | No | ((0)) | Specifies whether the user must change their password the next time they log in to the system. |
RequiresSmartCardForInteractiveLogon | bit | 1 | No | ((0)) | |
EnableSyncPassword | bit | 1 | No | ((1)) | Specifies whether EmpowerID will synchronize the password set on the user's Person object back to the account for the user in the external system. This setting does not affect Active Directory or any other type of "downstream" identity store. password for that user in the external system, if applicable. This has no correlation to any account Flag that controls if EmpowerID will reset the password for that account in reset password workflows. Set to false to prevent password resets to flow to this account. |
DoNotAllowDelete | bit | 1 | No | ((0)) | Specifies whether the user can be deleted in EmpowerID workflows. |
LastLogonTime | datetime | 8 | Yes | ||
Status | nvarchar(50) | 100 | Yes | Used to specify the condition of the user in an external system, such as whether they are in a "pre-hire" condition, full-standing, on leave or terminated. This field can be used to invoke other logic in EmpowerID, such as triggering RET policies that provision and deprovision resources like Exchange mailboxes, etc. | |
SecurityIdentifier | nvarchar(255) | 510 | Yes | Specifies the unique value used to identity the user account and maps to the securityIdentifier attribute in Active Directory. | |
SID | nvarchar(255) | 510 | Yes | Specifies the unique value that identifies the user as a security principle. This field maps to the objectSid attribute in Active Directory. | |
DistinguishedName | nvarchar(2048) | 4096 | Yes | Specifies the location of the user object in the external system. | |
UserPrincipalName | nvarchar(255) | 510 | Yes | Specifies the UPN of the user. | |
ProfilePath | nvarchar(450) | 900 | Yes | Specifies the path to the user's profile and maps to the profilePath attribute in Active Directory. | |
LogonScript | nvarchar(450) | 900 | Yes | Specifies the logon script to run for the user, if any. | |
HomeDirectory | nvarchar(450) | 900 | Yes | Specifies the home directory for the user account and maps to the homeDirectory attribute in Active Directory. | |
HomeDrive | nvarchar(5) | 10 | Yes | Specifies the drive letter to which to map the UNC path set for HomeDirectory. This field maps to the homeDrive attribute in Active Directory. | |
AllowDialin | bit | 1 | Yes | Specifies whether the user can connect remotely. | |
HideInEmpowerID | bit | 1 | No | ((0)) | Specifies whether the account will be hidden from most views in EmpowerID. |
AllowJoin | bit | 1 | No | ((1)) | Specifies whether EmpowerID will join the user account to an EmpowerID Person. |
AllowProvision | bit | 1 | No | ((1)) | Specifies whether EmpowerID will provision a new EmpowerID Person for the user account upon inventory. |
ConfigurationXml | xml | max | Yes | Extensibility field. Reserved. | |
SystemChangedDate | datetime | 8 | Yes | This field is optional. It is meant to help you track changes to records in the external system. A best practice for writing code to synchronize these tables is to compare the ID field of the object and the SystemChangedDate field in this table and comparing them with the value of those fields in the external system. If it is discovered that the SystemChangedDate in the external system is greater, then those records should be synced. | |
CreatedDate | datetime | 8 | No | (getutcdate()) | This field is auto-populated with the UTC time corresponding to the date and time the user record is created. |
ChangedTime | timestamp | 8 | No | This field is time-stamped corresponding to the time any values associated with the user record are modified. This field should not be manually updated or inserted. When EmpowerID initially inventories the records in the tables of the Universal Connector database, it pulls all the data it discovers there into the EmpowerID Identity Warehouse, provisioning the appropriate business objects therein. Then on subsequent inventory calls, EmpowerID checks the ChangedTime field on those records to see if the value of that field is greater than the last time inventory ran. If the value is greater, EmpowerID updates the corresponding record for that object in the EmpowerID Identity Warehouse. |
Group Table
Field | Data Type | Max Length (Bytes) | Optional | Default | Description |
---|---|---|---|---|---|
GroupGUID | uniqueidentifier | 16 | No | (newid()) | Uniquely identifies a group in EmpowerID. If this field is blank, EmpowerID will generate the guid. This field should never be updated for the life of the record |
GroupID | nvarchar(200) | 400 | No | Specifies the ID for group from the external system. The value of this field must be unique for each group. This field should never be deleted or updated for the life of the record. | |
LogonName | nvarchar(200) | 400 | No | Specifies the group LogonName. The value of this field should be unique. | |
Name | nvarchar(200) | 400 | Yes | Specifies the name of the group. This value should be unique. | |
FriendlyName | nvarchar(255) | 510 | Yes | Specifies the name of the group shown to users in EmpowerID user interfaces. | |
Description | nvarchar(max) | max | Yes | Specifies a description for the group. | |
IsMailEnabled | bit | 1 | No | ((0)) | Specifies whether the group is mail-enabled. |
nvarchar(100) | 512 | Yes | Specifies the email address for the group. | ||
MailNickName | nvarchar(256) | 512 | Yes | ||
Notes | nvarchar(max) | max | Yes | ||
ExtensionAttribute1 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute2 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute3 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute4 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute5 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute6 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute7 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute8 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute9 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute10 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute11 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute12 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute13 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute14 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute15 | nvarchar(1024) | 2048 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute16 | xml | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute17 | varbinary(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute18 | varbinary(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute19 | bit | 1 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute20 | bit | 1 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute21 | bit | 1 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute22 | bit | 1 | Yes | Can be used for setting a unique attribute value. | |
Deleted | bit | 1 | No | ((0)) | Specifies whether the group has been deleted. DO NOT delete the record from the table. If the group has been deleted, the LogonName will need to be updated if the same values might be reused for a new group later. |
DeletedDate | datetime | 8 | Yes | Specifies the date and time when the group was deleted. For information purposes only. | |
DoNotAllowDelete | bit | 1 | No | ((0)) | Specifies whether the group can be deleted in EmpowerID workflows. |
AllowJoinRequests | bit | 1 | No | ((1)) | Specifies whether the group will be visible in workflows that allow users to request group membership. Also specifies whether the group appears in the IT Shop as a requestable resource. |
AutoAcceptJoinLeaveRequests | bit | 1 | No | ((0)) | Specifies whether users can join or leave the group without requiring access permission to the JoinGroup or LeaveGroup workflows. |
HIdeInEmpowerID | bit | 1 | No | ((0)) | Specifies whether the group will be hidden in most EmpowerID views. |
HIdeMembership | bit | 1 | No | ((0)) | Specifies whether group membership will be hidden in most EmpowerID views. |
IsHighSecurityGroup | bit | 1 | No | ((0)) | Specifies whether the group is a high security group. If true, the group will be flagged and appear in some reports and SetGroups as such. |
ValidFrom | datetime | 8 | Yes | ||
ValidUntil | datetime | 8 | Yes | ||
DistinguishedName | nvarchar(2048) | 4096 | Yes | Specifies the location of the group in the external system. | |
ConfigurationXml | xml | max | No | ((1)) | Extensibility field. Reserved. |
SystemChangedDate | datetime | 8 | Yes | This field is optional. It is meant to help you track changes to records in the external system. A best practice for writing code to synchronize these tables is to compare the ID field of the object and the SystemChangedDate field in this table and comparing them with the value of those fields in the external system. If it is discovered that the SystemChangedDate in the external system is greater, then those records should be synced. | |
CreatedDate | datetime | 8 | Yes | This field is auto-populated with the UTC time corresponding to the date and time the record is created. | |
ChangedTime | timestamp | 8 | No | (getutcdate()) | Auto-populated timestamp corresponding to the time a modification occurs to the group. Do not update or insert. When EmpowerID initially inventories the records in the tables of the Universal Connector database, it pulls all the data it discovers there into the EmpowerID Identity Warehouse, provisioning the appropriate business objects therein. Then on subsequent inventory calls, EmpowerID checks the ChangedTime field on those records to see if the value of that field is greater than the last time inventory ran. If the value is greater, EmpowerID updates the corresponding record for that object in the EmpowerID Identity Warehouse. |
Location Table
This table is used to manage location information. Each record inserted into the table is represented as an external location in EmpowerID. The schema for this table allows organizations to insert data to represent all possible locations to which users can belong within the organization, including departments, divisions, geographical sites, org charts and functional areas. As with the Business Role table, each location inserted into the table can be mapped to an EmpowerID Location. Assigning users to one or more locations in this table assigns to those users to one or more locations in EmpowerID according to the mapping rules set for those locations.
In order to avoid resource-intensive calls to the EmpowerID synchronization engine, the records in this table should only be updated when a change occurs to those records in the external system.
Field | Data Type | Max Length (Bytes) | Optional | Default | Description |
---|---|---|---|---|---|
LocationGUID | uniqueidentifier | 16 | No | (newid()) | Uniquely identifies a location in EmpowerID. If this field is blank, EmpowerID will generate the guid. This field should never be updated for the life of the record |
LocationID | nvarchar(200) | 400 | No | Specifies the ID for location in the external system. The value of this field must be unique for each location. This field should never be deleted or updated for the life of the record. | |
Name | nvarchar(200) | 400 | Yes | Specifies the name of the location. This value should be unique. | |
ParentLocationID | nvarchar(200) | 400 | Yes | Specifies the ID of the location's parent. If populated, this sets the location parent in EmpowerID. When populating the parent of a location, you can elect to use this field or the ParentName field. If the location does not have a parent, both fields can be left empty. | |
ParentName | nvarchar(200) | 400 | Yes | Specifies the name of the location's parent. If populated, this sets the location parent in EmpowerID. When populating the parent of a location, you can elect to use this field or the ParentLocationID field. If the location does not have a parent, both fields can be left empty. | |
FriendlyName | nvarchar(255) | 510 | Yes | Specifies the name of the location shown to users in EmpowerID user interfaces. | |
Description | nvarchar(512) | 1024 | Yes | Specifies a description for the location. | |
ExtensionAttribute1 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute2 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute3 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute4 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute5 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute6 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute7 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute8 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute9 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute10 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute11 | nvarchar(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute12 | nvarchar(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute13 | xml | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute14 | varbinary(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute15 | varbinary(max) | max | Yes | Can be used for setting a unique attribute value. | |
Deleted | bit | 1 | No | ((0)) | Specifies whether the location has been deleted in the external location. DO NOT delete the record from the table. If the location has been deleted, the Name field will need to be updated if the same values might be reused for a new location later. |
DeletedDate | datetime | 8 | Yes | Specifies the date and time when the location was deleted. For information purposes only. | |
IsAssignable | bit | 1 | No | ((1)) | Specifies whether the location can be selected from the Location trees in EmpowerID. Set to false if you do not want users to be assigned to the Location. |
ShowInTree | bit | 1 | No | ((1)) | Specifies whether the location appears in the Location trees in EmpowerID. |
ConfigurationXml | xml | max | No | ((1)) | Extensibility field. Reserved. |
SystemChangedDate | datetime | 8 | Yes | This field is optional. It is meant to help you track changes to records in the external system. A best practice for writing code to synchronize these tables is to compare the ID field of the object and the SystemChangedDate field in this table and comparing them with the value of those fields in the external system. If it is discovered that the SystemChangedDate in the external system is greater, then those records should be synced. | |
CreatedDate | datetime | 8 | Yes | (getutcdate()) | This field is auto-populated with the UTC time corresponding to the date and time the record is created. |
ChangedTime | timestamp | 8 | No | Auto-populated timestamp corresponding to the time a modification occurs to the location. Do not update or insert. When EmpowerID initially inventories the records in the tables of the Universal Connector database, it pulls all the data it discovers there into the EmpowerID Identity Warehouse, provisioning the appropriate business objects therein. Then on subsequent inventory calls, EmpowerID checks the ChangedTime field on those records to see if the value of that field is greater than the last time inventory ran. If the value is greater, EmpowerID updates the corresponding record for that object in the EmpowerID Identity Warehouse. |
Business Role Table
This table is used to manage Business Role information. Each record inserted into the table is represented as an External Business Role in EmpowerID that can be mapped to any EmpowerID Business Roles.
In order to avoid resource-intensive calls to the EmpowerID synchronization engine, the records in this table should only be updated when a change occurs to those records in the external system.
Field | Data Type | Max Length (Bytes) | Optional | Default | Description |
---|---|---|---|---|---|
BusinessRoleGUID | uniqueidentifier | 16 | No | (newid()) | Uniquely identifies a Business Role in EmpowerID. If this field is blank, EmpowerID will generate the guid. This field should never be updated for the life of the record |
BusinessRoleID | nvarchar(200) | 400 | No | Specifies the ID for Business Role. The value of this field must be unique for each Business Role. This field should never be deleted or updated for the life of the record. | |
Name | nvarchar(200) | 400 | Yes | Specifies the name of the Business Role. This value should be unique. | |
ParentName | nvarchar(200) | 400 | Yes | Specifies the name of the Business Role's parent. If populated, this sets the Business Role parent in EmpowerID. When populating the parent of a Business Role, you can elect to use this field orthe ParentName field. If the Business Role does not have a parent, both fields can be left empty. | |
FriendlyName | nvarchar(255) | 510 | Yes | Specifies the name of the Business Role shown to users in EmpowerID user interfaces. | |
Description | nvarchar(512) | 1024 | Yes | Specifies a description for the Business Role. | |
ExtensionAttribute1 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute2 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute3 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute4 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute5 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute6 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute7 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute8 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute9 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute10 | nvarchar(500) | 1000 | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute11 | nvarchar(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute12 | nvarchar(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute13 | xml | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute14 | varbinary(max) | max | Yes | Can be used for setting a unique attribute value. | |
ExtensionAttribute15 | varbinary(max) | max | Yes | Can be used for setting a unique attribute value. | |
Deleted | bit | 1 | No | ((0)) | Specifies whether the Business Role has been deleted. DO NOT delete the record from the table. If the Business Role has been deleted, the Name will need to updated if the same values might be reused for a new Business Role later. |
DeletedDate | datetime | 8 | Yes | Specifies the date and time when the Business Role was deleted. For information purposes only. | |
IsAssignable | bit | 1 | No | ((1)) | Specifies whether the Business Role can be selected from the Business Role trees in EmpowerID. Set to false if you do not want users to be assigned to the Business Role. |
ShowInTree | bit | 1 | No | ((1)) | Specifies whether the Business Role appears in the Business Role trees in EmpowerID. |
ConfigurationXml | xml | max | No | ((1)) | Extensibility field. Reserved. |
SystemChangedDate | datetime | 8 | Yes | This field is optional. It is meant to help you track changes to records in the external system. A best practice for writing code to synchronize these tables is to compare the ID field of the object and the SystemChangedDate field in this table and comparing them with the value of those fields in the external system. If it is discovered that the SystemChangedDate in the external system is greater, then those records should be synced. | |
CreatedDate | datetime | 8 | Yes | (getutcdate()) | This field is auto-populated with the UTC time corresponding to the date and time the record is created. |
ChangedTime | timestamp | 8 | No | Auto-populated timestamp corresponding to the time a modification occurs to the group. Do not update or insert. When EmpowerID initially inventories the records in the tables of the Universal Connector database, it pulls all the data it discovers there into the EmpowerID metadirectory, provisioning the appropriate business objects therein. Then on subsequent inventory calls, EmpowerID checks the ChangedTime field on those records to see if the value of that field is greater than the last time inventory ran. If the value is greater, EmpowerID updates the corresponding record for that object in the EmpowerID metadirectory. | |
CreatedDate | datetime | 8 | Yes | (getutcdate()) | This field is auto-populated with the UTC time corresponding to the date and time the record is created. |
ChangedTime | timestamp | 8 | No | Auto-populated timestamp corresponding to the time a modification occurs to the location. Do not update or insert. When EmpowerID initially inventories the records in the tables of the Universal Connector database, it pulls all the data it discovers there into the EmpowerID Identity Warehouse, provisioning the appropriate business objects therein. Then on subsequent inventory calls, EmpowerID checks the ChangedTime field on those records to see if the value of that field is greater than the last time inventory ran. If the value is greater, EmpowerID updates the corresponding record for that object in the EmpowerID Identity Warehouse. |
UserGroup Table
This table is used to map users with multiple group entries. The data in this table should be synchronized with the state of information from the external system.
When changes to the objects in your external system originate in the external system, you should not remove and repopulate any data contained this table with new values as EmpowerID may be performing an inventory of the data during a moment when the table contains no information. If this occurs, EmpowerID could interpret that to mean that your users have been removed from their groups and will update any related records in EmpowerID to that end. It is best to use a strategy of syncing changes only.
When a user is added to or removed from a group, the ChangedTime field on the appropriate records in the User table of the Universal Connector database are updated. At the next inventory, EmpowerID detects the change and updates the corresponding records in the EmpowerID metadirectory.
Field | Data Type | Max Length (Bytes) | Optional | Default | Description |
---|---|---|---|---|---|
GroupID | nvarchar(200) | 400 | No | Specifies the GroupID for the group to which the user belongs. | |
UserID | nvarchar(200) | 400 | No | Specifies the UserID of the user belonging to the group. | |
CreatedDate | datetime | 8 | Yes | (getutcdate()) | This field is auto-populated with the UTC time corresponding to the date and time the record is created. |
UserBusinessRoleLocation Table
This table is used to associate users with Business Role and Location combinations. The data in this table can be used in conjunction with, or as a replacement for, the Business Role and Location fields in the User table as EmpowerID performs a union of the Business Role and Location data in the User table and the Business Role and Location data in the UserBusinessRoleLocation table.
When changes to the objects in your external system originate in the external system, you should not remove and repopulate any data contained this table with new values as EmpowerID may be performing an inventory of the data during a moment when the table contains no information. If this occurs, EmpowerID could interpret that to mean that your users have been removed from their Business Roles and Locations and will update any related records in EmpowerID to that end. It is best to use a strategy of syncing changes only.
Data populated in the UserBusinessRoleLocation table should not overlap with the Business Role and Location specified in the User table. Additionally, the priority specified in the UserBusinessRoleLocation table should be greater than 0.
When a user is added to or removed from a Business Role and Location, the ChangedTime field on the appropriate records in the User table of the Universal Connector database is updated. At the next inventory, EmpowerID detects the change and updates the corresponding records in the EmpowerID metadirectory.
Field | Data Type | Max Length (Bytes) | Optional | Default | Description |
---|---|---|---|---|---|
UserID | nvarchar(200) | 200 | No | Specifies the UserID of the user in the Business Role and Location. | |
BusinessRoleID | nvarchar(200) | 200 | No | Specifies the BusinessRoleID of the user's Business Role. | |
LocationID | nvarchar(200) | 200 | No | Specifies the LocationID of the user's location. | |
Priority | int | 4 | No | ((0)) | Used to help order the Business Role and Location combinations to which the user is associated. In EmpowerID this field can be used to help break ties between any Resource Entitlements, or Default Person Attributes where the policies which applies to the higher priority combination would be chosen. |
Outbound Data
Once data has been imported into EmpowerID, you can use the bidirectional capabilities of the Universal Connector to write any changes occurring to that data in EmpowerID back to the originating system. The Universal Connector gives you two options for doing so:
- You can process the updates in real-time as they occur in EmpowerID. This is the recommended method.
- You can process the updates in batches.
The method by which EmpowerID handles change processing depends on the settings applied to the Universal Connector account store in the EmpowerID Management Console. See Custom Directories in the EmpowerID Administrator's Guide for more information about these settings.
Real-time Processing
When using real-time processing, you will need to write a .NET module that references the TheDotNetFactory.Framework.Connectors.StandardConnector.dlland implements the IChangeLogProcessor interface. The IChangeLogProcessor provides methods that you can use to process any changes occurring to the state of your business objects against your backend systems.
The IChangeLogProcessor is provided as a reference example; however, any type of coding or scripting could be used to read the changes from the change log and execute them in the custom directory or application.
The IChangeLogProcessor provides the following methods:
Method | Description |
---|---|
bool CreateBusinessRole(Dictionary<string, object> attributes, out string businessRoleID) | This method is invoked when a new Business Role is created in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool CreateGroup(Dictionary<string, object> attributes, out string GroupID) | This method is invoked when a new group is created in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool CreateUser(Dictionary<string, object> attributes, out string userID) | This method is invoked when a new user is created in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool CreateLocation(Dictionary<string, object> attributes, out string locationID) | This method is invoked when a new location is created in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool DeleteBusinessRole(string businessRoleID) | This method is invoked when a Business Role is deleted in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool DeleteGroup(string groupID) | This method is invoked when a group is deleted in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool DeleteUser(string userID) | This method is invoked when a user is deleted in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool DeleteLocation(string locationID) | This method is invoked when a location is deleted in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool Disable(string userID) | This method is invoked when a user becomes disabled in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool Enable(string userID) | This method is invoked when a previously disabled user becomes enabled in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool ResetPassword(string userID, string password) | This method is invoked when a user's password is reset in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool RestoreGroup(string groupID) | This method is invoked when a previously deleted group is restored in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool RestoreUser(string userID) | This method is invoked when a previously deleted user is restored in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool Unlock(string userID) | This method is invoked when a previously locked out user is unlocked in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool UpdateBusinessRole(string businessRoleID, Dictionary<string, object> attributes) | This method is invoked when one or more Business Role attributes are updated in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool UpdateGroup(string groupID, Dictionary<string, object> attributes) | This method is invoked when one or more group attributes are updated in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool UpdateLocation(string locationID, Dictionary<string, object> attributes) | This method is invoked when one or more location attributes are updated in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool UpdateUser(string userID, Dictionary<string, object> attributes) | This method is invoked when one or more user attributes are updated in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool RemoveFromGroup(List<string> userIDs, string groupID) | This method is invoked when a user is removed from a group in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool AddToGroup(string userID, string groupID) | This method is invoked when a user is added to a group in EmpowerID. Should return true if successful. Parameters are as follows:
|
bool SetGroupMembers(List<string> userIDs, string groupID) | This method is invoked when a group's membership is being explicitly/definitively set by EmpowerID. Should return true if successful. Parameters are as follows:
|
Batch Processing
When the Universal Connector account store is set for batch processing, EmpowerID writes information about each change occurring to a business object via EmpowerID as a record in the ChangeLog table of the Universal Connector database.
To employ batch processing, you need to write application-specific code that reads from the ChangeLog table and process the data against your managed system.
The ChangeLog table contains the following fields:
Field | Description | |||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ChangeLogID | This specifies the unique identifier for the change log event. | |||||||||||||||||||||||||||||||||||||||
ObjectID | This is the unique identifier (the object GUID) that corresponds to the changed object. This identifier is generated by EmpowerID for the object during inventory. | |||||||||||||||||||||||||||||||||||||||
ChangeLogObjectTypeID | This specifies what type of object was changed as defined by the ChangeLogObjectType table of the Universal Connector database. This field can contain the following four values:
| |||||||||||||||||||||||||||||||||||||||
ChangeLogTypeID | This specifies what type of change occurred to the object as defined by the ChangeLogType table of the Universal Connector database. For each entry in the ChangeLog table, changes can be of one of the following types:
| |||||||||||||||||||||||||||||||||||||||
ChangeLogData | This field contains an XML-formatted list any the change that occurred. | |||||||||||||||||||||||||||||||||||||||
ProcessTime | This is an optional field that can be used by developers to specify when a change event is processed by their system. | |||||||||||||||||||||||||||||||||||||||
ProcessStatus | This is an optional field that can be used by developers to specify the status of the change event. The following status codes are suggested as these are the codes EmpowerID uses within its own system to indicate the status of an event; however, you are free to use other codes in addition to these or implement your own status scheme altogether.
| |||||||||||||||||||||||||||||||||||||||
FailedCount | This is an optional field that can be used to specify the number of times a changed event has failed to process in a client application. Developers can use this data to perform certain tasks, such as firing a retry mechanism in their system. | |||||||||||||||||||||||||||||||||||||||
LockedByServer | This is an optional field that can be used by developers to specify which server has claimed a change event. This field is useful in the event multiple servers could process the change event. | |||||||||||||||||||||||||||||||||||||||
ModifiedDate | Specifies the date and time in UTC that an object was modified in EmpowerID. | |||||||||||||||||||||||||||||||||||||||
ConfigurationXml | ||||||||||||||||||||||||||||||||||||||||
CreatedDate | Specifies the date and time in UTC that a change event was created in EmpowerID. As entries in the ChangeLog table are written chronologically based on the created date, it is suggested that developers use this field to process these changes against their systems ordered by oldest to newest CreatedDate. |
Once you have developed your module, you will need to register the assembly in EmpowerID by updating the ChangeLogAdapterAssembly and the ChangeLogAdapterType fields for your organization's Universal Connector. You can do so by editing the resource system in the EmpowerID Web interface. To edit these fields, do the following:
- From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > Applications and Directories and click Account Stores and Systems.
- Click the Resource Systems tab and then locate your specific Universal Connector resource system.
- Click the Display Name link for the resource system.
- On the Resource System Details page that opens, click the Edit link.
- In the Edit page that opens, locate the ChangeLogAdapterAssemblyandChangeLogAdapterTypefields, update them appropriately and then clickSave.
Please note that these fields must contain the name of your assembly and the namespace-qualified name of the assembly and the assembly type, respectively.