Key Downstream Systems
Downstream systems are identity-aware systems that receive data from EmpowerID about changes to a person's identity. By connecting to a downstream system, you can flow data about role changes, status changes, terminations, and policy changes in EmpowerID to that system. This lets you manage the identity lifecycle in external systems simply by managing the identity of the Person in EmpowerID. Downstream systems are connected using connectors, which transfer data to and from other identity-aware systems and applications. A simple example: when a person's group or role membership changes in EmpowerID, you would want that change to be reflected in a connected Active Directory.
To connect EmpowerID to a downstream system, you create an account store object in EmpowerID for that system and then configure the account store for how you want EmpowerID to manage the identity information in that system. Important aspects of the flow of data into downstream systems, such as inventory processing, provisioning and join logic, group membership assignments, naming conventions, and decisions about deleting or disabling accounts, are handled through the system's workflows in EmpowerID. As you have already seen, Attribute Flow rules can be configured to trigger changes in downstream systems whenever attributes of the Person object change in EmpowerID.
Such user directories and resource systems can be managed and synchronized using Scheduled Connector Jobs. These jobs read current state data from the target systems and reconcile it with the data in the identity warehouse to maintain synchronization with the external system.
In this section, we will learn about two important connectors for downstream systems:
Active Directory: Out-of-the-box connector for Microsoft Active Directory that inventories and performs CRUD (Create, Update, Delete) operations for the user, contact, group, user/group assignments, and Organizational Unit objects in the domain.
Azure Active Directory: The Azure Active Directory connector is a SCIM-compliant REST API microservice that you can deploy to Azure Active Directory to inventory user, group, group membership, role, and license information from an Azure tenant.