Understanding the Relationship Between Persons and Accounts
EmpowerID manages organizational identity through two distinct but interconnected object types: Persons and Accounts. Understanding the relationship between these objects is fundamental to effective identity governance and access management.
Figure 1: Person object serves as the central identity, linked to accounts across multiple systems
Persons: The Central Identity
In EmpowerID, the Person object serves as the primary identity for any individual who authenticates to the system. This differs from traditional user accounts in external systems:
- Person objects are stored in the EmpowerID Person table
- Every individual who uses EmpowerID must have a Person object
- All identity-related activities in EmpowerID revolve around the Person object:
  - Role assignments
  - Access granting and certification
  - Risk assessment
  - Reporting and auditing
Employees, partners, and customers can authenticate and interact with EmpowerID applications using only a Person object, even without user accounts from external systems.
Accounts: External System Identities
Accounts represent user objects imported from external systems, referred to as Account Stores. These include:
- Active Directory
- Cloud-based applications (Azure AD, AWS, Office 365)
- SaaS platforms
- On-premises applications
- Legacy systems
Account objects are stored in the EmpowerID Account table. EmpowerID periodically inventories and imports these accounts to provide unified visibility across all organizational systems.
Linking Accounts to Persons
A core function of EmpowerID is linking Accounts from various systems to their corresponding Person object. This linkage enables:
Unified Identity View
- Holistic visibility of an individual's access across all systems
- Consolidated identity management from a single interface
- Complete audit trail of all account activities
Lifecycle Management
Managing Accounts as part of a Person's identity enables seamless lifecycle operations:
- Creation: Automatically provision Accounts and link them to Person objects
- Modification: Update access and attributes based on role or organizational changes
- Deletion: Ensure proper deprovisioning of all linked Accounts when a Person leaves the organization
This unified management approach ensures access assignments align with organizational risk policies and the principle of "compliant access" – verifying that access is appropriate to the person's role and business context.
Non-Person Accounts: Technical Identities
Not all accounts represent human users. External systems often include Non-Person Accounts such as:
- Service accounts
- Application accounts
- Device accounts
- Bot accounts
In EmpowerID, Non-Person Accounts do not always require a corresponding Person object. However, linking is beneficial in these scenarios:
When to Link Non-Person Accounts
- Enabling login access to EmpowerID applications, UIs, or APIs
- Managing access through the IT Shop
- Providing self-service password reset capabilities to account owners
- Assigning EmpowerID roles for policy-driven access control
- Synchronizing attributes between the Account and related objects
For scenarios outside these requirements, Non-Person Accounts can be managed independently.
Managing Multiple Person Objects
Some individuals require multiple Person objects, commonly when they need both standard and privileged access within the same system (e.g., separate user and administrator accounts in Active Directory).
Challenges with Multiple Linked Accounts
While EmpowerID supports linking multiple Accounts to a single Person, this creates potential issues:
- Attribute Flow: EmpowerID synchronizes attributes across all linked Accounts owned by a Person, potentially causing unintended updates (e.g., email or title) across all Accounts
- Access Calculation: Access assignments apply at the Person level, meaning all Accounts owned by a Person inherit the same group memberships and role-based access
Core Identity: A Solution for Complex Scenarios
To address these complexities, EmpowerID introduces the Core Identity concept:
Figure 2: Core Identity linking multiple Person objects with separate standard and privileged accounts
- A Core Identity represents the central identity of an individual
- Multiple Person objects can be linked to a single Core Identity
- Each Person object represents distinct professional roles or privilege levels
- This structure ensures:
  - Separation of access and attributes tied to specific roles
  - Automated deprovisioning of additional identities when the primary Person terminates
  - Simplified management of core attributes (name, birth date) independent of job roles
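The following added example (not EmpowerID code; a constructed toy model) shows the attribute-flow and access-calculation problem from "Challenges with Multiple Linked Accounts" when one Person owns both a standard and an admin account, and how splitting them into separate Persons under a Core Identity keeps attributes and access apart while still deprovisioning everything when the primary Person terminates. Names such as "alice-admin", "Mail-Users" and "Domain Admins" are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """An account imported from an Account Store (constructed sample)."""
    name: str
    attributes: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)
    enabled: bool = True

@dataclass
class Person:
    """The central identity; accounts are linked to it."""
    name: str
    attributes: dict = field(default_factory=dict)
    accounts: list = field(default_factory=list)
    role_groups: set = field(default_factory=set)  # groups granted via RBAC roles
    active: bool = True

    def flow_attributes(self):
        # Attribute flow: Person values are pushed to EVERY linked account.
        for acct in self.accounts:
            acct.attributes.update(self.attributes)

    def calculate_access(self):
        # Access calculation happens at Person level, so every linked
        # account inherits the same group memberships.
        for acct in self.accounts:
            acct.groups |= self.role_groups

@dataclass
class CoreIdentity:
    persons: list
    primary: Person

    def terminate_primary(self):
        # Leaver: terminating the primary Person deprovisions all linked Persons' accounts.
        for p in self.persons:
            p.active = False
            for acct in p.accounts:
                acct.enabled = False

def single_person_scenario():
    # One Person owning both accounts: title and mail group leak to the admin account.
    p = Person("Alice", {"title": "Analyst"}, role_groups={"Mail-Users"})
    p.accounts = [Account("alice"), Account("alice-admin")]
    p.flow_attributes(); p.calculate_access()
    return p

def core_identity_scenario():
    # Two Persons under one Core Identity: each account gets only its own Person's data.
    std = Person("Alice", {"title": "Analyst"}, role_groups={"Mail-Users"})
    adm = Person("Alice (admin)", {"title": "Domain Admin"}, role_groups={"Domain Admins"})
    std.accounts = [Account("alice")]; adm.accounts = [Account("alice-admin")]
    for p in (std, adm): p.flow_attributes(); p.calculate_access()
    return CoreIdentity([std, adm], primary=std)
```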
Resource Responsibility Assignment
Beyond account ownership, Persons in EmpowerID can be assigned as responsible parties for organizational resources:
- User accounts
- Groups
- Computers
- Management roles
- Locations
- Shared credentials
Understanding Resource Responsibility
Resource responsibility is distinct from account ownership and signifies accountability for:
- Managing the security of IT objects
- Overseeing resource lifecycle
- Ensuring compliance with organizational policies
While EmpowerID supports assigning responsibility to any RBAC actor type, most organizations restrict this to Person objects for clarity and accountability.
Responsibility Tracking
EmpowerID tracks resource responsibilities using the OwnerAssigneeID field in relevant object tables. This enables:
- Clear accountability for resource management
- Audit trails of responsibility changes
- Automated workflows for responsibility transfer
Transferring Responsibilities
When individuals leave the organization or change roles, their responsibilities can be transferred:
- Manual transfer: Using the Transfer Responsibilities workflow
- Automatic transfer: During a Planned Leaver Event
- Reporting: EmpowerID provides reports to identify resources without assigned responsible parties
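As an added illustration of responsibility tracking and transfer (constructed example, not EmpowerID's own code or schema), the snippet below models resource rows that carry an OwnerAssigneeID, produces the "resources without a responsible party" report, and performs a leaver transfer that records every change for auditing. The table names, IDs and Person records are constructed sample data; the only identifier taken from the page is OwnerAssigneeID.

```python
# Constructed sample data: a Person table and resource tables whose rows
# carry an OwnerAssigneeID pointing at the responsible Person (None = unassigned).
PERSONS = {101: {"name": "Alice", "active": True},
           102: {"name": "Bob", "active": True}}

RESOURCES = {
    "Group": [{"id": "G-1", "name": "Finance-Readers", "OwnerAssigneeID": 101},
              {"id": "G-2", "name": "HR-Admins", "OwnerAssigneeID": None}],
    "SharedCredential": [{"id": "SC-1", "name": "backup-svc", "OwnerAssigneeID": 101}],
    "Computer": [{"id": "C-1", "name": "FILESRV01", "OwnerAssigneeID": 102}],
}

def unassigned_report(resources):
    """Resources with no responsible party, or whose assignee is no longer active."""
    rows = []
    for table, items in resources.items():
        for r in items:
            owner = PERSONS.get(r["OwnerAssigneeID"])
            if owner is None or not owner["active"]:
                rows.append((table, r["id"]))
    return rows

def transfer_responsibilities(resources, from_id, to_id, audit):
    """Reassign every OwnerAssigneeID from one Person to another, logging each change."""
    target = PERSONS.get(to_id)
    if target is None or not target["active"]:
        raise ValueError("responsibility can only be transferred to an active Person")
    moved = 0
    for table, items in resources.items():
        for r in items:
            if r["OwnerAssigneeID"] == from_id:
                audit.append({"table": table, "id": r["id"], "from": from_id, "to": to_id})
                r["OwnerAssigneeID"] = to_id
                moved += 1
    return moved

def planned_leaver(resources, leaver_id, successor_id, audit):
    """Planned Leaver: transfer responsibilities first, then deactivate the Person,
    so no resource is left without an active responsible party."""
    moved = transfer_responsibilities(resources, leaver_id, successor_id, audit)
    PERSONS[leaver_id]["active"] = False
    return moved
```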
Key Takeaways
- Person objects serve as the central identity in EmpowerID for all access management activities
- Account objects represent identities in external systems and are linked to Persons for unified management
- Linking Accounts to Persons enables comprehensive lifecycle management and compliant access
- Core Identity solves complexity when individuals require multiple privileged or role-based identities
- Resource responsibility establishes accountability for managing IT objects beyond account ownership