About the EmpowerID Schema

All objects of any type managed by EmpowerID (EmpowerID Persons, user accounts, groups, and so on) have an entry in the table of the EmpowerID Identity Warehouse that corresponds to the object's type. Whenever you create a new object in EmpowerID, you create a new instance of that object type, which adds a new entry for that instance to the appropriate table. The object's properties or attributes determine the table into which they can be inserted.

The EmpowerID schema defines which objects can have which properties, what values those properties can have and how users might interact with them. EmpowerID has two types of attributes:

  • Built-in: Properties that are predefined by the EmpowerID schema.

  • Extension: Properties that are provided for adding custom attributes. For example, if you’ve connected to an external directory with a user attribute not defined by the EmpowerID Schema, you can flow that attribute to the EmpowerID Account and Person tables by using an extension property on those objects.


When it comes to defining objects by object type, the EmpowerID Schema provides the following components. These components make it possible to map attributes in an external system to EmpowerID.

Object Attributes

Object Attributes represent a catalog of abstract properties in EmpowerID that an object can have in any given system. Object attributes are conceptual; they are not the actual name of properties in those systems. For example, “Last Name” is a concept. Each user has a Last Name element in most directory systems. Depending on the system, this information can be referred to as surname, FamilyName, last_name and so on. Active Directory’s field to store this data is simply labeled sn. EmpowerID has a single Object Attribute for LastName to represent a user’s Last Name in each of those systems.


Example object attributes

| Object Attribute (EmpowerID) | Object Attribute Type Name |
|------------------------------|----------------------------|
| AboutMe                      | String                     |
| AccountExpires               | DateTime                   |
| Active                       | Boolean                    |
| LastName                     | String                     |

Security Boundary Attributes

In order to relate fields, such as the last name field in a given system, to EmpowerID objects, there needs to be a way to describe whether a system supports the concept of a last name and, if so, to specify the name of that field in each system. Security Boundary Attributes fulfill that role. Security Boundary Attributes are entries in EmpowerID that list the relevant properties in a directory system, including the EmpowerID directory itself, and record the actual native names used by that type of system.


Example Security Boundary Attributes

| Security Boundary Attribute              | Security Boundary Type           | Object Attribute (EmpowerID) | Attribute Type |
|------------------------------------------|----------------------------------|------------------------------|----------------|
| AboutMe                                  | Microsoft SharePoint             | AboutMe                      | String         |
| accountExpires                           | Active Directory Domain Services | AccountExpires               | DateTime       |
| address[?(@.type=='work')].streetAddress | Azure AD SCIM                    | StreetAddress                | String         |
| last_name                                | ServiceNow                       | LastName                     | String         |

The above table demonstrates the relationship between Object Attributes and Security Boundary Attributes. It contains four example Security Boundary Attributes from four different systems (Security Boundary Types). Each of these maps to a specific Object Attribute in EmpowerID. This mapping ensures that attributes in external directories flow correctly to Person and Account records in EmpowerID at inventory, and that later changes to those values are propagated once attribute flow is configured for those systems.
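To make the mapping concrete, the following Python is an added illustration (not EmpowerID's own code or schema API): it models the four table rows above as a catalog keyed by Security Boundary Type and Object Attribute, resolves the native field from one external record (including a hypothetical minimal resolver for the SCIM-style filtered path shown in the table), and refuses values that do not fit the Object Attribute Type before they would flow. The catalog contents, the record layouts and the `flow_attribute` helper are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed catalog built from the page's example table:
# (Security Boundary Type, Object Attribute) -> native field name.
SECURITY_BOUNDARY_ATTRIBUTES = {
    ("Microsoft SharePoint", "AboutMe"): "AboutMe",
    ("Active Directory Domain Services", "AccountExpires"): "accountExpires",
    ("Azure AD SCIM", "StreetAddress"): "address[?(@.type=='work')].streetAddress",
    ("ServiceNow", "LastName"): "last_name",
}
# Object Attribute -> Object Attribute Type Name.
OBJECT_ATTRIBUTE_TYPES = {"AboutMe": "String", "AccountExpires": "DateTime",
                          "Active": "Boolean", "StreetAddress": "String",
                          "LastName": "String"}
# Hypothetical minimal resolver for the SCIM-style path form in the table:
# name[?(@.key=='value')].child ; any other native name is a plain key lookup.
_FILTER = re.compile(r"^(\w+)\[\?\(@\.(\w+)=='([^']*)'\)\]\.(\w+)$")

def read_native(record, native_name):
    """Read the native field from a dict representing one external record."""
    m = _FILTER.match(native_name)
    if not m:
        return record.get(native_name)
    key, fkey, fval, child = m.groups()
    for item in record.get(key, []):
        if isinstance(item, dict) and item.get(fkey) == fval:
            return item.get(child)
    return None

def coerce(value, type_name):
    """Accept only values that fit the Object Attribute Type; else raise."""
    if type_name == "String" and isinstance(value, str):
        return value
    if type_name == "Boolean" and isinstance(value, bool):
        return value
    if type_name == "DateTime" and isinstance(value, str):
        return datetime.fromisoformat(value)  # ValueError if malformed
    raise TypeError(f"{value!r} is not a valid {type_name}")

def flow_attribute(boundary_type, object_attribute, record):
    """Typed value for object_attribute from one record of the given system,
    or None when the system has no Security Boundary Attribute for it."""
    native = SECURITY_BOUNDARY_ATTRIBUTES.get((boundary_type, object_attribute))
    if native is None:
        return None
    raw = read_native(record, native)
    return None if raw is None else coerce(raw, OBJECT_ATTRIBUTE_TYPES[object_attribute])
```

A `None` result distinguishes "this system has no such concept" from a type failure, which raises so that a malformed value is rejected rather than silently written to the Person or Account record.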



Next Steps

Overview of Attribute Flow

Add Attributes to the EmpowerID Schema

Configure Attribute Flow