Attribute Flow

Key Points

• Attribute Flow is a flexible process that is used to detect changes that occur to a managed identity by comparing the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to those Person objects.

• When attribute changes are detected for an attribute configured to flow, EmpowerID flags the account and processes those changes, issuing commands to update any affected attributes in either the EmpowerID Identity Warehouse (metadirectory) or the connected account store, depending on the origin of the change.

• If the changes occurred through actions originating in an Account Store, EmpowerID retrieves those changes and records them in the Identity Warehouse, where they are evaluated and either used to update the Identity Warehouse or discarded as appropriate.

Attribute Flow Configuration Processes

• Attribute flow rules are defined per attribute per account store to determine what attributes should flow, in what direction, and with what priority.  This is the lowest level of granularity in the configuration process.

• At the account store configuration level, attribute flow can be disabled for the entire account store so that attributes will not be evaluated for any accounts in the account store.

• At the system level, attribute flow processing can be either disabled or enabled to facilitate the flow of attributes from external accounts to the EmpowerID Person identity.Attribute flow rules are defined per attribute per account store to determine what attributes should flow, in what direction, and with what priority.  This is the lowest level of granularity in the configuration process.

• At the account store configuration level, attribute flow can be disabled for the entire account store so that attributes will not be evaluated for any accounts in the account store.

• At the system level, attribute flow processing can be either disabled or enabled to facilitate the flow of attributes from external accounts to the EmpowerID Person identity.

Flow Rules – Type and Direction

Open

Attribute Flow Rule for Email Attribute

Flow Rules – Weighting and Scoring (Data Quality)

Open

Attribute Flow Rule for Email Attribute

• Create Score – In the event of conflicting updates from 2 separate accounts, this weighting determines which account attribute value will take precedence if the current person attribute is null

• Update Score - In the event of conflicting updates from 2 separate accounts, this weighting determines which account attribute value will take precedence if the current person attribute has a value

• Delete Score – In the event that an attribute value from one account store has a value in it and another has a null value, this weighting determines if the value should be nulled or not.  If the account store with the null value has a higher weighting, then the attribute will be nulled.  Otherwise, it will be left alone.

Inventory and Attribute Flow

Open

Attribute Flow Handlers

• By default, EmpowerID retrieves attribute values for each user account in a connected account store and maps them value for value to the corresponding Person attributes stored in the EmpowerID Identity Warehouse.

• In this way, if the value of "State" for an AD user account is "Massachusetts" then the value of "State" for that account's Person object in EmpowerID is "Massachusetts."

• Attribute Flow Handlers allow you to customize this logic by writing your own code to handle value transformations on a per attribute basis