Account Stores and Security Boundaries

We have previously discussed how EmpowerID inventories and manages resources from resource systems. Equally important, EmpowerID manages the accounts and groups that hold access to those resources within their resource system. In most cases these accounts and groups live in the same resource system as the resources they access. For some resource systems, however, such as Microsoft Exchange, Microsoft SharePoint and Windows File Servers, the accounts and groups belong to a different resource system than the resources they are granted access to.

To represent this relationship, EmpowerID keeps a record in the AccountStore table for every directory that contains account and group objects. The record marks that resource system as one holding security principals that can be granted access to resources in other resource systems. In the Active Directory and Exchange case, for example, the mailboxes live in a resource system for the Exchange Organization, while the Active Directory users and groups live in a resource system specific to their AD domain.

Microsoft Exchange also allows mailboxes to be associated with, and accessed by, accounts and groups from multiple Active Directory domains within a single forest. The result is a picture with several resource systems, account stores and security boundaries that EmpowerID must model in order to manage entitlements accurately. To represent the trust relationship between these domains and the forest, EmpowerID has a SecurityBoundary table. Each account store in an Active Directory forest belongs to a single Security Boundary, which represents the forest. Every Security Boundary has a SecurityBoundaryType, which defines the connector used to create, update and delete objects in the external system, together with the attribute schema of those objects. Consequently, for any resource held in an account store there is always at least one resource system, account store, security boundary and security boundary type in EmpowerID.

Account Store Identity Entry

The Account Store Identity Entry (ASIE) is the live representation of an object in an external system as modified by EmpowerID. An ASIE implements the CRUD methods and the attributes that are specific to a given Security Boundary Type and object type in that system.

Key Concept: EmpowerID workflows and API calls operate against Components, not against AccountStoreIdentityEntry objects. Because the Component hides the connector-specific ASIE, the same workflows work for objects in any connected system, and a newly connected system can reuse the existing workflows.
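The following is an added example, not EmpowerID's own code or schema, that puts the two ideas above into one runnable model: the AccountStore / SecurityBoundary / SecurityBoundaryType relationship from the first section (a mailbox in an Exchange resource system trusting principals from several domains of one forest), and the Component-versus-ASIE split from this section (one workflow that dispatches to a connector-specific ASIE by boundary type). All class, field, attribute and object names, the sample forest, domains, directory and accounts, and the two ASIE attribute mappings are constructed assumptions for illustration.

```python
"""Added example, not EmpowerID's own code: a toy model of the relationships the
page describes. Class, field and attribute names are simplified assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityBoundaryType:
    name: str  # selects the connector and attribute schema used for CRUD


@dataclass(frozen=True)
class SecurityBoundary:
    name: str  # a trust scope such as an Active Directory forest
    boundary_type: SecurityBoundaryType


@dataclass(frozen=True)
class AccountStore:
    """A resource system whose objects are security principals. It belongs to
    exactly one security boundary."""
    resource_system: str
    boundary: SecurityBoundary


@dataclass(frozen=True)
class Resource:
    """A managed object such as a mailbox. It may live in a different resource
    system from the principals that access it; it trusts one boundary's principals."""
    name: str
    resource_system: str
    trusted_boundary: SecurityBoundary


@dataclass(frozen=True)
class Account:
    """Component-level view of a principal; workflows operate on this, never on an ASIE."""
    name: str
    native_id: str
    store: AccountStore


def can_be_granted(account: Account, resource: Resource) -> bool:
    """True when the account's store lies inside the boundary the resource trusts,
    even if store and resource are in different resource systems."""
    return account.store.boundary == resource.trusted_boundary


# ASIE layer: one connector-specific implementation per (boundary type, object type).
class AccountStoreIdentityEntry:
    def update(self, native_id: str, attrs: dict) -> tuple:
        # A real ASIE writes to the directory; here we return what would be sent.
        return (type(self).__name__, native_id, attrs)


class ActiveDirectoryUserASIE(AccountStoreIdentityEntry):
    def update(self, native_id, attrs):
        # AD exposes the disabled state through userAccountControl (514 = disabled, 512 = enabled).
        return super().update(native_id, {"userAccountControl": 514 if attrs.get("disabled") else 512})


class LdapUserASIE(AccountStoreIdentityEntry):
    def update(self, native_id, attrs):
        # Hypothetical mapping for a generic LDAP directory with an nsAccountLock attribute.
        return super().update(native_id, {"nsAccountLock": "true" if attrs.get("disabled") else "false"})


ASIE_REGISTRY = {
    ("ActiveDirectoryForest", "user"): ActiveDirectoryUserASIE,
    ("LdapDirectory", "user"): LdapUserASIE,
}


def disable_account_workflow(account: Account) -> tuple:
    """Written once against the Account component; the boundary type decides
    which ASIE performs the actual update in the external system."""
    asie_cls = ASIE_REGISTRY[(account.store.boundary.boundary_type.name, "user")]
    return asie_cls().update(account.native_id, {"disabled": True})


# Constructed sample data (all names hypothetical): one AD forest with two domains,
# one Exchange organization whose mailboxes trust that forest, and a separate LDAP directory.
CORP_FOREST = SecurityBoundary("corp.example", SecurityBoundaryType("ActiveDirectoryForest"))
PARTNER_LDAP = SecurityBoundary("ldap.partner.example", SecurityBoundaryType("LdapDirectory"))
CORP_DOMAIN = AccountStore("AD corp.example", CORP_FOREST)
EU_DOMAIN = AccountStore("AD eu.corp.example", CORP_FOREST)
PARTNER_DIR = AccountStore("LDAP partner.example", PARTNER_LDAP)
MAILBOX = Resource("shared-finance", "Exchange Organization corp.example", CORP_FOREST)
ALICE = Account("alice", "S-1-5-21-1-1-1-1001", CORP_DOMAIN)
BOB = Account("bob", "S-1-5-21-2-2-2-1002", EU_DOMAIN)
EVE = Account("eve", "uid=eve,ou=people,dc=partner,dc=example", PARTNER_DIR)

if __name__ == "__main__":
    for acct in (ALICE, BOB, EVE):
        print(f"{acct.name} may be granted {MAILBOX.name}: {can_be_granted(acct, MAILBOX)}")
    print(disable_account_workflow(ALICE))
    print(disable_account_workflow(EVE))
```

Two things to notice when running it: bob's account store (eu.corp.example) is a different resource system from alice's, yet both may be granted the mailbox because both stores belong to the same forest boundary, while eve's LDAP store is outside that boundary and is refused before any connector is touched. The disable workflow never references an ASIE by name; the account's boundary type selects it, so adding a third directory means registering one more ASIE, not writing a new workflow.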

https://youtu.be/lxwR9QtGit4