Attribute Flow

Managing IT resources in expansive environments demands a holistic approach, especially when it comes to creating a unified "identity layer." This identity layer serves as a centralized hub for managing user accounts, roles, and entitlements. EmpowerID excels at this by functioning as both a directory and an Identity Warehouse. It establishes this identity layer through a specialized inventory process, linking each user account in a managed account store to a corresponding EmpowerID Person entity.

However, the challenge extends beyond simply creating an identity layer. Organizations require an authoritative system that can enforce policy and manage these identities within the central repository and across all connected systems. This article elaborates on how EmpowerID's synchronization engine, in conjunction with its inventory process, achieves this through a mechanism known as "Attribute Flow."


Attribute Flow Configuration Processes

Attribute Flow is the process within EmpowerID that continually identifies and synchronizes changes to managed identities. It compares the attributes of each EmpowerID Person object with those of the user accounts linked to it; when a discrepancy is detected, EmpowerID processes the change according to predefined rules.

Configurable Attribute Flow Rules

EmpowerID's Attribute Flow behavior is governed by rules that can be customized for each connected account store, providing administrators with flexibility and control over the identity management process. These rules operate at the lowest level of granularity and enable administrators to determine which attributes should flow, the direction of flow, and the priority of each attribute. The available configurations include:

  1. No Sync: Disables any synchronization between EmpowerID and the connected account store.

  2. Bidirectional Flow: This enables a two-way attribute sync, allowing changes to propagate freely between EmpowerID and connected systems.

  3. Account Store Changes Only: Only accepts changes that originate from a connected account store, excluding changes made within EmpowerID.

  4. EmpowerID Changes Only: Only accepts changes initiated within EmpowerID, ignoring those that come from connected account stores.

Flow Rules – Weighting and Scoring (Data Quality)

In addition to attribute flow configuration, administrators can implement Weighting and Scoring rules to enhance data quality management. These rules play a pivotal role in determining attribute precedence and ensuring data consistency when conflicts arise between updates from separate accounts.

Attribute Flow Rule for Email Attribute

Create Score

In the event of conflicting updates from two separate accounts, this weighting determines which account's attribute value takes precedence when the current Person attribute is null.

Update Score

When conflicting updates arrive and the current Person attribute already holds a value, the Update Score applies. This weighting value determines which account's attribute value takes precedence.

Delete Score

When one account store's attribute value is populated while another's is null, the Delete Score applies. This weighting value decides whether the Person's value is nulled or retained: if the account store with the null value has the higher weighting, the attribute is nulled; otherwise, it remains unchanged.

These scoring mechanisms ensure data quality by providing clear rules for how conflicting attribute data is handled during the attribute flow process. Administrators can configure the scores to match their organization's data management policies.

By carefully configuring attribute flow rules, weighting, and scoring at each level, administrators can precisely control how attributes are processed and synchronized within EmpowerID. This ensures data consistency and integrity throughout the identity management process.
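The following simulation is an added example for this article, not EmpowerID code: it models the four flow configurations and the Create, Update and Delete Score logic described above so the precedence rules can be exercised on sample data. The `FlowRule`, `AccountUpdate` and `Decision` classes, the function names, the store names and the score values are all assumptions; the only behaviour taken from the article is which score applies in which situation.

```python
"""Added simulation of EmpowerID-style attribute flow modes and Create/Update/
Delete scoring. Written for this article, not EmpowerID code: the data model,
function names and the sample scores below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class FlowMode(Enum):
    """The four flow configurations described in the article."""
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_ONLY = "Account Store Changes Only"
    EMPOWERID_ONLY = "EmpowerID Changes Only"


@dataclass(frozen=True)
class FlowRule:
    """Assumed shape of a per-store rule for one attribute."""
    mode: FlowMode
    create_score: int
    update_score: int
    delete_score: int


@dataclass(frozen=True)
class AccountUpdate:
    """A value observed on a linked account during inventory (None = null)."""
    store: str
    value: Optional[str]


@dataclass(frozen=True)
class Decision:
    value: Optional[str]
    reason: str


# Constructed sample rules for the Job Title attribute: HR is authoritative,
# Active Directory is a weaker source, Payroll only ever receives changes.
RULES: dict[str, FlowRule] = {
    "HR": FlowRule(FlowMode.BIDIRECTIONAL, 100, 100, 100),
    "AD": FlowRule(FlowMode.BIDIRECTIONAL, 50, 50, 20),
    "Payroll": FlowRule(FlowMode.EMPOWERID_ONLY, 70, 70, 70),
}


def accepts_inbound(rule: FlowRule) -> bool:
    """May changes from this store flow into the EmpowerID Person?"""
    return rule.mode in (FlowMode.BIDIRECTIONAL, FlowMode.ACCOUNT_STORE_ONLY)


def accepts_outbound(rule: FlowRule) -> bool:
    """May Person changes be pushed out to this store?"""
    return rule.mode in (FlowMode.BIDIRECTIONAL, FlowMode.EMPOWERID_ONLY)


def outbound_targets(rules: dict[str, FlowRule], origin: str) -> list[str]:
    """Stores that receive a Person change, excluding the store it came from."""
    return sorted(s for s, r in rules.items() if s != origin and accepts_outbound(r))


def resolve_person_attribute(current: Optional[str],
                             updates: list[AccountUpdate],
                             rules: dict[str, FlowRule]) -> Decision:
    """Resolve conflicting account values for one Person attribute.

    Create Score: Person value is null -> highest score among non-null values wins.
    Update Score: Person value is set  -> highest score among non-null values wins.
    Delete Score: one store null, another populated -> the null is applied only
    if the null store's Delete Score beats that of the populated store(s).
    """
    # Stores with no rule, No Sync, or EmpowerID Changes Only cannot feed the Person.
    inbound = [u for u in updates if u.store in rules and accepts_inbound(rules[u.store])]
    if not inbound:
        return Decision(current, "no inbound-capable updates; Person value retained")

    populated = [u for u in inbound if u.value is not None]
    nulls = [u for u in inbound if u.value is None]

    if current is None:
        if not populated:
            return Decision(None, "Person value already null")
        winner = max(populated, key=lambda u: rules[u.store].create_score)
        return Decision(winner.value, f"Create Score: {winner.store} wins")

    if nulls:
        strongest_null = max(nulls, key=lambda u: rules[u.store].delete_score)
        if not populated:
            # Assumption: with no competing non-null value the deletion stands.
            return Decision(None, f"Delete Score: {strongest_null.store} nulls the attribute")
        strongest_pop = max(populated, key=lambda u: rules[u.store].delete_score)
        if rules[strongest_null.store].delete_score > rules[strongest_pop.store].delete_score:
            return Decision(None, f"Delete Score: {strongest_null.store} nulls the attribute")
        # Otherwise the null is ignored and the populated values compete below.

    winner = max(populated, key=lambda u: rules[u.store].update_score)
    return Decision(winner.value, f"Update Score: {winner.store} wins")


if __name__ == "__main__":
    job = [AccountUpdate("HR", None), AccountUpdate("AD", "Developer")]
    print(resolve_person_attribute("Engineer", job, RULES))
    print(outbound_targets(RULES, "HR"))
```

With the sample scores, a null Job Title reported by HR outranks a populated value from Active Directory and nulls the Person attribute, whereas a null from Active Directory (Delete Score 20) loses to HR and is ignored. A value reported by Payroll never reaches the Person because its rule is EmpowerID Changes Only, yet Payroll still appears among the outbound targets.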

Attribute Change Processing

When an attribute change is detected, commands are issued to update the relevant attributes in either the EmpowerID Identity Warehouse or the connected account store. The target of these commands is contingent on the origin of the attribute change and the configured Attribute Flow rules:

  1. EmpowerID-Originated Changes: If changes are initiated within EmpowerID, commands update the user objects in all connected resource systems via their specific connectors.

  2. Resource System-Originated Changes: If changes originate from an external resource system, they are pulled into EmpowerID's Identity Warehouse, where they are either incorporated into existing records or discarded based on set criteria.


Synchronization Steps

To gain a more detailed understanding of the attribute synchronization process, let's walk through the step-by-step explanation below, which accompanies the synchronization diagram.

The diagram illustrates how EmpowerID syncs user attributes over three iterations to show the full spectrum of the process. It follows a single user with three identities: a user account in an HR System, a user account in Active Directory, and a Person in the EmpowerID Identity Warehouse. The process is as follows:

  • Step A1 - The EmpowerID Worker Role service calls the Inventory Job for the HR System account store.

  • Steps A2, A3, and A4 - The EmpowerID Worker Role service evaluates the accounts, discovering the change to the Job Title attribute by comparing the attributes of the returned accounts with those currently stored for the same user accounts in the Account table of the EmpowerID Identity Warehouse.

  • Steps A5 and A6 - The change to the Job Title attribute is pushed to the Attribute Inbox. Based on the configured Attribute Flow rules, the change either updates the Job Title attribute of the linked EmpowerID Person object in the Person table of the EmpowerID Identity Warehouse or is ignored.

  • Steps A7 and A8 - The change to the Job Title attribute on the EmpowerID Person is pushed to the Attribute Outbox, which flows those changes back to the EmpowerID Worker Role service.

  • Step B1 - The EmpowerID Worker Role service calls the Attribute Flow: Directory Change Processor Job, which passes the Job Title attribute change to the LDAP Management Host on the EmpowerID Agent.

  • Step B2 - The LDAP Management Host pushes the Job Title attribute change to the user account in Active Directory that is joined to the EmpowerID Person.

In this way, the change to the Job Title attribute that occurred on the user account in the HR System is applied to that user's accounts in all managed systems. EmpowerID ensures these changes occur regardless of the direction in which they originate, as demonstrated by the "C" loop. In that loop, the logic and process are identical, with the only difference being that the attribute change is discovered during the inventory of Active Directory. In that case, the changes flow from Active Directory to EmpowerID to the HR System.
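The A, B and C loops described above, as an added simulation that is not part of the original article or of EmpowerID: one store is inventoried and diffed against the Account table, accepted changes pass through an Attribute Inbox to the Person, and the Person change is fanned out through an Attribute Outbox to every other joined account whose store accepts outbound changes. The `Store` and `Warehouse` classes, the direction names, the account identifiers and the decision to refresh the Account table snapshot on push are all assumptions made for the example.

```python
"""Added simulation of the A, B and C synchronization loops: inventory a store,
diff it against the Account table, route accepted changes through the Attribute
Inbox to the Person, and fan them out through the Attribute Outbox to the other
managed stores. Written for this article, not EmpowerID code; the Store and
Warehouse classes, direction names and sample accounts are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed per-store flow direction, mirroring the article's four configurations:
# "bidirectional", "inbound" (Account Store Changes Only),
# "outbound" (EmpowerID Changes Only) or "none" (No Sync).
INBOUND_OK = {"bidirectional", "inbound"}
OUTBOUND_OK = {"bidirectional", "outbound"}


@dataclass
class Store:
    name: str
    direction: str
    accounts: dict[str, dict[str, str]]          # live account id -> attributes


@dataclass
class Warehouse:
    """Identity Warehouse tables plus the two attribute queues."""
    account_table: dict[tuple[str, str], dict[str, str]] = field(default_factory=dict)
    persons: dict[str, dict[str, str]] = field(default_factory=dict)
    links: dict[tuple[str, str], str] = field(default_factory=dict)   # (store, acct) -> person
    inbox: list[tuple[str, str, str, str]] = field(default_factory=list)
    outbox: list[tuple[str, str, str, str]] = field(default_factory=list)


def inventory(wh: Warehouse, store: Store) -> list[tuple[str, str, str, str]]:
    """Steps A1-A4: compare returned accounts with the Account table, report diffs."""
    changes = []
    for acct_id, attrs in store.accounts.items():
        known = wh.account_table.get((store.name, acct_id), {})
        for attr, value in attrs.items():
            if known.get(attr) != value:
                changes.append((store.name, acct_id, attr, value))
        wh.account_table[(store.name, acct_id)] = dict(attrs)   # refresh the snapshot
    return changes


def process_inbox(wh: Warehouse, stores: dict[str, Store]) -> None:
    """Steps A5-A7: apply accepted inbox changes to the linked Person, queue the outbox."""
    while wh.inbox:
        store_name, acct_id, attr, value = wh.inbox.pop(0)
        if stores[store_name].direction not in INBOUND_OK:
            continue                                   # rule says: ignore the change
        person_id = wh.links.get((store_name, acct_id))
        if person_id is None:
            continue                                   # unjoined account, nothing to update
        person = wh.persons[person_id]
        if person.get(attr) != value:
            person[attr] = value
            wh.outbox.append((person_id, attr, value, store_name))


def process_outbox(wh: Warehouse, stores: dict[str, Store]) -> list[tuple[str, str, str, str]]:
    """Steps A8-B2: push Person changes to every other joined account whose store accepts them."""
    pushed = []
    while wh.outbox:
        person_id, attr, value, origin = wh.outbox.pop(0)
        for (store_name, acct_id), pid in wh.links.items():
            if pid != person_id or store_name == origin:
                continue
            if stores[store_name].direction not in OUTBOUND_OK:
                continue
            stores[store_name].accounts[acct_id][attr] = value
            # Assumption: the snapshot is updated too, so the next inventory of
            # that store does not re-detect our own write as a change.
            wh.account_table.setdefault((store_name, acct_id), {})[attr] = value
            pushed.append((store_name, acct_id, attr, value))
    return pushed


def sync_cycle(wh: Warehouse, stores: dict[str, Store], store_name: str) -> list[tuple[str, str, str, str]]:
    """One loop (A+B, or C): inventory one store, then drain the inbox and outbox."""
    wh.inbox.extend(inventory(wh, stores[store_name]))
    process_inbox(wh, stores)
    return process_outbox(wh, stores)


def build_scenario() -> tuple[Warehouse, dict[str, Store]]:
    """Constructed sample: one Person joined to HR, AD and Payroll accounts."""
    stores = {
        "HR": Store("HR", "bidirectional", {"e1001": {"JobTitle": "Engineer", "Department": "R&D"}}),
        "AD": Store("AD", "bidirectional", {"jdoe": {"JobTitle": "Engineer", "Department": "R&D"}}),
        "Payroll": Store("Payroll", "outbound", {"pay-1001": {"JobTitle": "Engineer", "Department": "R&D"}}),
    }
    wh = Warehouse(persons={"P1": {"JobTitle": "Engineer", "Department": "R&D"}})
    for store_name, acct_id in (("HR", "e1001"), ("AD", "jdoe"), ("Payroll", "pay-1001")):
        wh.links[(store_name, acct_id)] = "P1"
        inventory(wh, stores[store_name])     # seed the Account table
    return wh, stores


if __name__ == "__main__":
    wh, stores = build_scenario()
    stores["HR"].accounts["e1001"]["JobTitle"] = "Senior Engineer"   # change made in HR
    print("A/B loop pushed:", sync_cycle(wh, stores, "HR"))
    stores["AD"].accounts["jdoe"]["Department"] = "Security"         # change made in AD
    print("C loop pushed:", sync_cycle(wh, stores, "AD"))
```

Running the HR cycle pushes the new Job Title to both Active Directory and Payroll; a second inventory of Active Directory then finds nothing to do because the Account table snapshot already matches. The C loop works the same way from Active Directory towards HR. A local edit in Payroll is detected by inventory but dropped at the inbox, since its direction is EmpowerID Changes Only, which is the behaviour an administrator should expect from that setting: the Payroll value stays divergent until EmpowerID writes it again.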