Managing IT resources in expansive environments demands a holistic approach, especially when it comes to creating a unified "identity layer." This identity layer serves as a centralized hub for managing user accounts, roles, and entitlements. EmpowerID excels at this by functioning as both a directory and an Identity Warehouse. It establishes this identity layer through a specialized inventory process, linking each user account in a managed account store to a corresponding EmpowerID Person entity.
However, the challenge extends beyond simply creating an identity layer. Organizations require an authoritative system that can enforce policy and manage these identities within the central repository and across all connected systems. This article elaborates on how EmpowerID's synchronization engine, in conjunction with its inventory process, achieves this through a mechanism known as "Attribute Flow."
Attribute Flow Mechanism
Attribute Flow is the process within EmpowerID that detects and synchronizes changes to managed identities. Each time an account store is inventoried, it compares the attributes of each EmpowerID Person object with those of the user accounts linked to it. Where the attributes differ, EmpowerID processes the change according to the Attribute Flow rules configured for that account store.
Configurable Attribute Flow Rules
EmpowerID's Attribute Flow behavior is governed by rules that can be customized for each connected account store. The available configurations are:
No Sync: No attributes flow in either direction between EmpowerID and the account store.
Bidirectional Flow: Attributes flow both ways, so a change made in either EmpowerID or the account store propagates to the other. Because this makes the account store a source of truth for the attributes it holds, reserve it for stores whose administrators are trusted to write those attributes; otherwise a change made directly in that store is accepted into the Identity Warehouse and pushed out to every other store that accepts EmpowerID-originated changes.
Account Store Changes Only: Changes that originate in the account store are pulled into EmpowerID, but changes made within EmpowerID are not pushed to the store. This fits an authoritative source, for example an HR system that owns the Job Title attribute.
EmpowerID Changes Only: Changes made within EmpowerID are pushed to the account store, but changes made directly in the store are ignored, so EmpowerID remains authoritative for those attributes.
Attribute Change Processing
When an attribute change is detected, commands are issued to update the relevant attributes in either the EmpowerID Identity Warehouse or the connected account store. The target of these commands is contingent on the origin of the attribute change and the configured Attribute Flow rules:
EmpowerID-Originated Changes: If a change is made within EmpowerID, commands update the linked user objects in every connected resource system whose Attribute Flow rule accepts EmpowerID-originated changes (Bidirectional Flow or EmpowerID Changes Only), via that system's connector.
Resource System-Originated Changes: If a change originates in an external resource system, it is pulled into EmpowerID's Identity Warehouse, where it either updates the linked Person record (Bidirectional Flow or Account Store Changes Only) or is discarded (No Sync or EmpowerID Changes Only), according to that account store's Attribute Flow rule.
Image 2: Workflow of Attribute Change Processing
Synchronization Steps
For a more detailed view, the steps below walk through the attribute synchronization process illustrated in the image below. The image shows synchronization for a single person who has three identities: a record in an HR system, a user account in Active Directory, and an EmpowerID Person in the EmpowerID Identity Warehouse.
Initiation: The EmpowerID Worker Role service kicks off the Inventory Job for a specific account store, such as the HR System.
Evaluation: This service reviews the accounts, identifying changes by cross-referencing current attributes with those stored in the EmpowerID Identity Warehouse.
Change Detection: Identified changes, like a modified Job Title attribute, are forwarded to the Attribute Inbox. Depending on Attribute Flow rules, the change either updates the corresponding EmpowerID Person or is ignored.
Change Propagation: If the change was accepted, it is placed in the Attribute Outbox, where the EmpowerID Worker Role service picks it up.
Change Processing: The service triggers the Attribute Flow: Directory Change Processor Job, which passes the change to the EmpowerID Agent's LDAP Management Host.
Final Update: The LDAP Management Host writes the change to the linked user account in the target system, in this example Active Directory, provided that account store's Attribute Flow rule accepts changes made in EmpowerID.
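The rule list, the two change-processing cases, and the six synchronization steps above can be exercised together in one small model. The Python below is an added example written for this article; it is not EmpowerID's code or API, and every class and function name in it (FlowRule, AccountStore, Person, Change, inventory, process_inbox, empowerid_change, process_outbox, run_cycle, demo) is hypothetical. The HR, AD and CRM accounts are constructed sample data; the CRM store is an addition to the page's HR and AD scenario so that outbound propagation of an accepted change can be seen. The model also assumes that change detection compares an account's live attributes directly with the Person's warehouse copy.

```python
# Added example, not EmpowerID code: a model of Attribute Flow in which each store's
# rule decides what flows in to the Person and out to stores. Names are hypothetical.
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum

class FlowRule(Enum):
    NO_SYNC = "No Sync"
    BIDIRECTIONAL = "Bidirectional Flow"
    ACCOUNT_STORE_ONLY = "Account Store Changes Only"
    EMPOWERID_ONLY = "EmpowerID Changes Only"

    def accepts_inbound(self):   # may a change made in the store update the Person?
        return self in (FlowRule.BIDIRECTIONAL, FlowRule.ACCOUNT_STORE_ONLY)

    def accepts_outbound(self):  # may a change made in EmpowerID be pushed to the store?
        return self in (FlowRule.BIDIRECTIONAL, FlowRule.EMPOWERID_ONLY)

@dataclass
class AccountStore:
    name: str
    rule: FlowRule
    accounts: dict     # account_id -> {attribute: live value in the connected system}

@dataclass
class Person:
    person_id: str
    attributes: dict   # the Identity Warehouse copy of the attributes
    links: dict        # store name -> account_id that inventory linked to this Person

Change = namedtuple("Change", "origin person_id attr value")  # origin: store name or "EmpowerID"

def inventory(store, persons):
    """Steps 1-3: compare each linked account's live attributes with the Person's
    warehouse copy (an assumption of this model) and queue one Change per difference."""
    inbox = []
    for person in persons.values():
        account_id = person.links.get(store.name)
        if account_id is None:
            continue
        for attr, value in store.accounts[account_id].items():
            if person.attributes.get(attr) != value:
                inbox.append(Change(store.name, person.person_id, attr, value))
    return inbox

def process_inbox(inbox, stores, persons):
    """Step 3, second half: the originating store's rule decides whether a Change
    updates the Person and moves on to the Attribute Outbox, or is discarded."""
    outbox, discarded = [], []
    for change in inbox:
        if stores[change.origin].rule.accepts_inbound():
            persons[change.person_id].attributes[change.attr] = change.value
            outbox.append(change)
        else:
            discarded.append(change)
    return outbox, discarded

def empowerid_change(person, attr, value):
    """A change made inside EmpowerID updates the Person and goes straight to the Outbox."""
    person.attributes[attr] = value
    return [Change("EmpowerID", person.person_id, attr, value)]

def process_outbox(outbox, stores, persons):
    """Steps 4-6 (Directory Change Processor Job and connector): push each Change to every
    linked account whose store accepts outbound flow, never back to the originating store."""
    writes = []
    for change in outbox:
        for store_name, account_id in persons[change.person_id].links.items():
            store = stores[store_name]
            if store_name == change.origin or not store.rule.accepts_outbound():
                continue
            store.accounts[account_id][change.attr] = change.value
            writes.append((store_name, account_id, change.attr, change.value))
    return writes

def run_cycle(store, stores, persons):
    """One inventory-to-update cycle for a single account store: (writes, discarded)."""
    outbox, discarded = process_inbox(inventory(store, persons), stores, persons)
    return process_outbox(outbox, stores, persons), discarded

def demo(ad_rule=FlowRule.EMPOWERID_ONLY):
    """Constructed scenario: HR is authoritative, AD and a CRM are managed by EmpowerID.
    HR promotes Alice; someone with write access to AD edits her department directly."""
    hr = AccountStore("HR", FlowRule.ACCOUNT_STORE_ONLY,
                      {"E1001": {"jobTitle": "Senior Engineer", "department": "Engineering"}})
    ad = AccountStore("AD", ad_rule,
                      {"alice": {"jobTitle": "Engineer", "department": "Executive"}})
    crm = AccountStore("CRM", FlowRule.EMPOWERID_ONLY,
                       {"alice@example.com": {"jobTitle": "Engineer", "department": "Engineering"}})
    stores = {"HR": hr, "AD": ad, "CRM": crm}
    alice = Person("P-1", {"jobTitle": "Engineer", "department": "Engineering"},
                   {"HR": "E1001", "AD": "alice", "CRM": "alice@example.com"})
    persons = {"P-1": alice}
    hr_writes, _ = run_cycle(hr, stores, persons)             # HR's job title flows in, then out
    ad_writes, ad_discarded = run_cycle(ad, stores, persons)  # AD's edit is judged by AD's rule
    return {"person": dict(alice.attributes), "ad_account": dict(ad.accounts["alice"]),
            "crm_account": dict(crm.accounts["alice@example.com"]), "hr_writes": hr_writes,
            "ad_writes": ad_writes, "ad_discarded": [(c.attr, c.value) for c in ad_discarded]}
```

Calling demo() with the default shows the point of the rules: the HR promotion is accepted into the Person and written to both AD and the CRM, while the department edited directly in AD is detected but discarded, because AD is set to EmpowerID Changes Only. Calling demo(FlowRule.BIDIRECTIONAL) shows the other side of the caveat: the same AD edit is accepted into the Identity Warehouse and then pushed on to the CRM, so anyone who can write that attribute in AD under bidirectional flow can write it everywhere EmpowerID manages it. A change made inside EmpowerID follows the empowerid_change path and reaches only the stores whose rule accepts outbound flow.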