Attribute Flow

Introduction To Attribute Flow

Attribute Flow is the key identity management process that keeps identity data up to date across all your systems. Attribute flow rules define which attribute changes in a connected system (the source) trigger changes in the EmpowerID Person object and, subsequently, in the other managed systems (subscribers) in which the person has an account. For example, if Job Title or EmployeeID is updated in the HR system and you want this information to be updated in the Outlook address, Attribute Flow automates the process.

  • Attribute Flow is a flexible process that is used to detect changes that occur to a managed identity by comparing the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to those Person objects.

  • Because the Person object is the main identity in the EmpowerID system, you can set Attribute Flow rules to update the EmpowerID Person; EmpowerID evaluates the flow and makes updates in the Identity Warehouse and other external systems. When attribute changes are detected for an attribute configured to flow, EmpowerID flags the account and processes those changes, issuing commands to update any affected attributes in either the EmpowerID Identity Warehouse (metadirectory) or the connected account store, depending on the origin of the change.

  • If the changes occurred through actions originating in an Account Store, EmpowerID retrieves those changes and records them in the Identity Warehouse, where they are evaluated and either used to update the Identity Warehouse or discarded as appropriate.

 

Attribute Flow Configuration Processes

EmpowerID supports three levels of configuration for setting up Attribute Flow: per attribute per account store, account store level, and system level.

  • Attribute flow rules are defined per attribute per account store to determine what attributes should flow, in what direction, and with what priority. This is the lowest level of granularity in the configuration process.

  • At the account store configuration level, attribute flow can be disabled for the entire account store so that attributes will not be evaluated for any accounts in the account store.

  • At the system level, attribute flow processing can be either disabled or enabled to facilitate the flow of attributes from external accounts to the EmpowerID Person identity.

 

Flow Rules – Type and Direction

Attribute flow must be enabled for changes to flow between EmpowerID and account stores. The job responsible for attribute flow changes is the “Attribute Flow - Directory Change Processor” job, which must be running on at least one of your servers for attribute flow to take place. This job picks up the attribute changes from the attribute inbox that were discovered during inventory and processes them using the attribute flow rules to update the attributes for the EmpowerID Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This entire process happens on a scheduled basis.

To understand how data flows between the native system and EmpowerID, you can visually determine the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse.

 

Flow Rules – Weighting and Scoring (Data Quality)

Flow rules can conflict when the same attribute is configured to be updated from two or more systems. When multiple systems provide different values of the same attribute for an EmpowerID Person, you can use the weighting technique to resolve the conflict automatically.

Attribute Flow Rule for Email Attribute

The higher the value, the higher the precedence: set the highest score in the account store that is authoritative for that particular attribute.

  • Create Score – In the event of conflicting create actions for an attribute from two separate accounts, this weighting determines which account attribute value will take precedence if the current Person attribute is null.

  • Update Score – In the event of conflicting updates from two separate accounts into the same attribute, this weighting determines which account attribute value will take precedence if the current Person attribute has a value. It determines which system's value is selected when there is an update.

  • Delete Score – In the event that one account store has a value for an attribute and another has a null value, this weighting determines whether the value should be nulled. If the account store with the null value has a higher weighting, then the attribute will be nulled. Otherwise, it will be left alone.
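The three scores can be modeled as follows. This is an added example, not EmpowerID code: the `Scores` structure, the store names, the sample values, and the order in which the scores are combined in one pass are assumptions made for illustration. It also includes a check for attributes where no single account store holds the highest score.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Scores:
    # Hypothetical container for one attribute's scores in one account store.
    create: int
    update: int
    delete: int

def resolve(current: Optional[str],
            incoming: Dict[str, Optional[str]],
            rules: Dict[str, Scores]) -> Optional[str]:
    """Model of the Create/Update/Delete rules as the text describes them."""
    valued = {s: v for s, v in incoming.items() if v is not None}
    nulls = [s for s, v in incoming.items() if v is None]
    if not valued:
        return current  # all-null case is not described in the text; left alone here
    if current is None:
        # Create Score: Person attribute is null, highest create score wins.
        return valued[max(valued, key=lambda s: rules[s].create)]
    if nulls:
        # Delete Score: null only if a null-valued store outweighs every valued store.
        top_null = max(rules[s].delete for s in nulls)
        top_valued = max(rules[s].delete for s in valued)
        if top_null > top_valued:
            return None
    # Update Score: Person attribute has a value, highest update score wins.
    return valued[max(valued, key=lambda s: rules[s].update)]

def tied_top_scores(rules: Dict[str, Scores]) -> List[str]:
    """Score kinds where no single store is authoritative (top score shared)."""
    tied = []
    for kind in ("create", "update", "delete"):
        values = [getattr(r, kind) for r in rules.values()]
        if values.count(max(values)) > 1:
            tied.append(kind)
    return tied

# Constructed sample: rules for the Email attribute in three made-up stores.
EMAIL_RULES = {
    "HR":       Scores(create=100, update=50, delete=100),
    "AD":       Scores(create=50, update=100, delete=50),
    "Helpdesk": Scores(create=10, update=10, delete=10),
}
```

A non-empty result from `tied_top_scores` means the outcome of a conflict depends on evaluation order rather than on a designated authoritative store, which is worth correcting in the rule set.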

 

Inventory and Attribute Flow

  • Step A1 - The EmpowerID Worker Role service calls the Inventory Job for the HR System account store.

  • Steps A2, A3, and A4 - The EmpowerID Worker Role service evaluates the accounts, discovering the change to the Job Title attribute by comparing the attributes of the returned accounts with the corresponding attributes of those same user accounts currently in the Account table of the EmpowerID Identity Warehouse.

  • Steps A5 and A6 - The change to the Job Title attribute is pushed to the Attribute Inbox. Based on the configuration of the Attribute Flow rules, the change either updates the Job Title attribute for the linked EmpowerID Person object in the Person table of the EmpowerID Identity Warehouse or is ignored.

  • Steps A7 and A8 - The change to the Job Title attribute on the EmpowerID Person is pushed to the Attribute Outbox, which flows those changes back to the EmpowerID Worker Role service.

  • Step B1 - The EmpowerID Worker Role service calls the Attribute Flow: Directory Change Processor Job, which passes the Job Title attribute change to the LDAP Management Host on the EmpowerID Agent.

  • Step B2 - The LDAP Management Host pushes the Job Title attribute change to the user account in Active Directory that is joined to the EmpowerID Person.

 

 

 

Attribute Flow Handlers

By default, EmpowerID retrieves attribute values for each user account in a connected account store and maps them value for value to the corresponding Person attributes stored in the EmpowerID Identity Warehouse. In this way, if the value of "State" for an AD user account is "Massachusetts", then the value of "State" for that account's Person object in EmpowerID is "Massachusetts". However, in some scenarios you might need Attribute Flow Handlers, which allow you to customize this logic by writing your own code to handle value transformations on a per-attribute basis. A simple use case is when your external system uses a different date-time format that should be converted into a standard format for the EmpowerID Person. You can also use handlers to convert the format when attributes flow from EmpowerID into external systems.

 

The diagram below provides an overview of the Attribute flow rules and relationships between accounts, person identities, and core identities.

Step 1 – The Attribute Flow engine evaluates the attribute flow rules, including directionality and weighting, to determine what attributes need to be updated to the Person record from the account records joined to the Person, along with which attributes should be exported for updates to the account.

Step 2 – The Person record is updated with the resulting set of attribute values determined by the attribute flow engine. Export files are created with any attribute values that need to be updated in the native system accounts.

Step 3 – The Attribute Flow engine evaluates the attribute flow rules including directionality and weighting to determine what attributes need to be updated to the Core Identity record from the Person records joined to the Core Identity along with which attributes should be exported for updates to the account.

Step 4 – The Core Identity record is updated with the resulting set of attribute values determined by the Attribute Flow engine. The Person objects are updated with any attribute values that need to be updated based on the flow rules.

Step 5 – An API call is made to update an account record for an existing account. Attribute updates continue normally.

Attribute Flow Demo


https://youtu.be/NKMelV8df8g

 

 
