Universal Connector

The EmpowerID Universal Connector was developed to address an important need expressed by organizations seeking to lower their costs and to gain more control over their IAM implementation by allowing them to use their own internal DB resources to create both simple and advanced connectors for their directories and applications. Now IT staff using common skill-sets, such as Microsoft SQL, can quickly build their own connectors without a knowledge of the EmpowerID API or its connector technology. This greatly simplifies connecting EmpowerID to a custom system, saving time by allowing staff to start building connectors immediately without specialized training and it eliminates the need to pay for professional services to build system connectors, whether of basic or advanced functionality.

How the Universal Connector Works

The Universal Connector is an out-of-the-box standard connector like the AD connector that connects to a middleware repository or queue that sits between the EmpowerID Identity Warehouse and the custom system. The Universal Connector does not connect EmpowerID directly to a target resource system for inventory or data discovery. Rather, the Universal Connector serves as a bridge between that system and EmpowerID. This bridge is an intermediate SQL database and is in fact the object to which the Universal Connector connects. Since this intermediate database is always identical for each custom application, no custom code is required for EmpowerID to bidirectionally inventory and manage users, groups, roles, and locations. In this model, organizations export the data they want EmpowerID to manage from their custom identity store to the intermediate database via their preferred technology, including scripting, an ETL tool like Microsoft SSIS, or code in the language of their choice. EmpowerID then inventories the data from that database and provisions objects in EmpowerID, such as user accounts, groups, locations, business roles, and EmpowerID Persons. From a high level, the flow for this can be represented by the below image:

The Universal Connector uses a standard schema to define the types of data organizations can export to the connector. Organizations simply need to export the data to the Universal Connector's database and turn on any jobs they want to use in EmpowerID, such as the inventory, attribute flow, and password sync jobs.

The schema for the Universal Connector provides six tables for importing data:

  • User — This table is used to manage user information. Each record inserted into the table is represented in EmpowerID as an account that can be linked to an EmpowerID Person. The data in this table is typically used to manage users and the information associated with people.

  • Group — This table is used to manage group information. Each record inserted into the table is represented as a generic group in EmpowerID. The data in this table is typically used to represent a collection of individuals, such as the Sales team, and can also be used to represent system roles, such as the Administrator role.

  • BusinessRole — This table is used to manage Business Role information. Each record inserted into the table is represented as an External Business Role in EmpowerID that can be mapped to any EmpowerID Business Roles.

  • Location — This table is used to manage location information. Each record inserted into the table is represented as an External Location in EmpowerID. The schema for this table allows organizations to insert data to represent all possible locations to which users can belong within the organization, including departments, divisions, geographical sites, org charts and functional areas. As with the Business Role table, each location inserted into the table can be mapped to an EmpowerID Location.

  • UserGroup — This table is used to associate users with groups and define group membership.

  • UserBusinessRoleLocation — This table is used to associate users with Business Role and Location combinations. The data in this table can be used in conjunction with or as a replacement for the Business Role and Location fields in the User table.
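The export step described above, as an added T-SQL example that is not part of EmpowerID's own scripts: it fills the User, Group, UserGroup and UserBusinessRoleLocation staging tables from a constructed HR application schema (HRApp.dbo.Employee, Team, TeamMember). Column names on the staging tables are assumptions for illustration; the real column list comes from the tables that SchemaGeneration.sql creates, and the BusinessRole and Location rows are assumed to have been loaded earlier in the same way.

```sql
-- Added example, not EmpowerID's script. Staging-table column names are ASSUMED;
-- replace them with the columns SchemaGeneration.sql actually creates.
-- Source schema HRApp.dbo.Employee / Team / TeamMember is constructed for this example.
SET XACT_ABORT ON;          -- any error rolls the whole export back, never a half-loaded identity store
BEGIN TRANSACTION;

-- 1. Users: MERGE keeps re-runs idempotent and flags leavers instead of deleting rows,
--    so the inventory job sees a de-provision rather than an account that silently vanished.
MERGE dbo.[User] AS target
USING (SELECT EmployeeId, Login, FullName, WorkEmail, Status
       FROM HRApp.dbo.Employee) AS src
   ON target.ExternalId = src.EmployeeId
WHEN MATCHED THEN
    UPDATE SET UserName = src.Login, DisplayName = src.FullName, Email = src.WorkEmail,
               IsDeleted = CASE WHEN src.Status = 'Terminated' THEN 1 ELSE 0 END
WHEN NOT MATCHED BY TARGET THEN
    INSERT (ExternalId, UserName, DisplayName, Email, IsDeleted)
    VALUES (src.EmployeeId, src.Login, src.FullName, src.WorkEmail, 0)
WHEN NOT MATCHED BY SOURCE THEN
    UPDATE SET IsDeleted = 1;   -- gone from HR: mark as deleted, do not drop the row

-- 2. Groups and membership: the link table is rebuilt from the source on every run so a
--    stale membership (a classic source of excess access) cannot linger in the staging DB.
MERGE dbo.[Group] AS target
USING (SELECT TeamId, TeamName FROM HRApp.dbo.Team) AS src
   ON target.ExternalId = src.TeamId
WHEN MATCHED THEN UPDATE SET Name = src.TeamName
WHEN NOT MATCHED BY TARGET THEN INSERT (ExternalId, Name) VALUES (src.TeamId, src.TeamName);

DELETE FROM dbo.UserGroup;
INSERT INTO dbo.UserGroup (UserExternalId, GroupExternalId)
SELECT tm.EmployeeId, tm.TeamId
FROM HRApp.dbo.TeamMember AS tm
JOIN HRApp.dbo.Employee AS e ON e.EmployeeId = tm.EmployeeId
WHERE e.Status <> 'Terminated';   -- leavers keep no group membership

-- 3. Business Role + Location per user (job code x site), used in place of the
--    BusinessRole/Location fields on the User table as the schema allows.
DELETE FROM dbo.UserBusinessRoleLocation;
INSERT INTO dbo.UserBusinessRoleLocation (UserExternalId, BusinessRoleExternalId, LocationExternalId)
SELECT e.EmployeeId, e.JobCode, e.SiteCode
FROM HRApp.dbo.Employee AS e
WHERE e.Status <> 'Terminated';

COMMIT TRANSACTION;
```

Run the script under a SQL login that holds only write rights on the Universal Connector database and read rights on the HR source, separate from the login named in the account store's connection string.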

In addition to these features, the Universal Connector also supports bidirectional functionality, that is, the ability to write changes back to the managed system. This allows organizations to internally process the updates occurring in EmpowerID, either in real time or in batches. The changes that occur to any connected object in EmpowerID can be executed directly against the custom system or sent to a ChangeLog queue for delayed batch processing. For the bidirectional functionality to be processed by EmpowerID, some basic operations, such as the Update operation, the Create operation, the Delete operation, etc., need to be defined by the organization. If the connector is set not to use the ChangeLog queue, any changes occurring to its objects will be executed immediately; otherwise, those changes will be sent to the queue. EmpowerID provides an out-of-the-box job, called the "Universal Connector Inbox Processor" job, to claim and process any changes in the batch queue. Organizations can, however, choose not to implement these functions and instead claim the changes directly from the queue, processing them using their preferred technology.

Creating the Universal Connector Database

EmpowerID provides a set of scripts to populate the tables and default data records for the universal connector database. All the DBA needs to do is create a blank database with whatever name they want to use and then execute the two scripts below to populate the schema and default data.

  • SchemaGeneration.sql — This script generates the tables, stored procedures and other database objects used by EmpowerID to store and maintain the identity information imported into the intermediary database from an external data store. You can download the script (UCv2SchemaGenerationScript) here - Download Link for SchemaGeneration script.

  • DataGeneration.sql — This script generates data that is used by EmpowerID to explain the type of changes that have occurred to any of the business objects in the Universal Connector database via an EmpowerID workflow. You can download this script here - Download link for the DataGeneration script. The script is only necessary if you are using the Changelog to batch process changes. When possible, EmpowerID recommends real-time processing over batch processing.

Creating the Universal Connector Account Store

Once the database has been established, all that then needs to be done in the EmpowerID UI is to run the same Create Account Store workflow that you run for creating any other account store, such as Active Directory. The system will ask for the system type, which is “Universal Connector.” It will then ask for the name of the account store and whether it requires the Cloud Gateway. After answering these basic questions, the workflow will create the base account store definition. You then need to edit the account store to enter the remaining configuration parameters. The parameters that can be configured for a Universal Connector are substantially the same as with any other account store, with the exception of one field, the “Universal Connector SQL Connection String.” This is the standard Microsoft SQL connection string that points to the universal connector database you previously created.

All other processes relating to account store processing such as inventory, attribute flow, and group membership reconciliation will function the same as with any other account store.

Important notes to consider

The universal connector was designed mainly to provide a way to get account and group information from an application or system into EmpowerID and maintain synchronization with the least amount of effort and knowledge of EmpowerID required. We have provided a changelog capability to allow the system to synchronize data back out to the external system but it still requires the DBA to write the middleware process to read the log and post the changes to the external system. In other words, it can be done but is not the best choice.

EmpowerID offers an out-of-the-box universal flat file connector that can take CSV files as source data and then export CSV files back out for outbound changes. This feature is covered in a separate learning topic in this training. It is up to you, the administrator, to decide whether this code-free flat file connector is a better fit.

Demonstration

The following video provides a demonstration of the creation and configuration of a universal connector account store.

https://youtu.be/UZOIAh3PgWw


Related Docs Topics:

https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/1446550002

https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/1446550038