Account Inbox Overview

Because of the key role of Person objects in EmpowerID, the process by which EmpowerID joins inventoried accounts to these objects is foundational to how EmpowerID manages your user identities. As was mentioned in the Understanding Inventory topic, when EmpowerID inventories a resource system with user accounts, it does more than just write a copy of those user accounts to a table in the EmpowerID Identity Warehouse. It evaluates those accounts to determine whether or not they are owned by users, and based on that evaluation it does one of the following three things:

  • It ignores them;
  • It joins them to existing EmpowerID Persons;
  • It provisions new EmpowerID Persons, joining those new Persons to the accounts.

The criteria for this process is defined by four database scalar functions that can be customized as needed. These functions are as follows.

You can edit these filters, as well as the default logic for the Join and Provision Rules that uses to determine whether inventoried accounts meet the criteria for being joined to existing EmpowerID Persons or used to provision new EmpowerID Persons directly from the EmpowerID Web application. For the details, see Reviewing Join and Provision Rules.

AccountInboxing_GetJoinFilter

This function specifies which accounts can be joined to People. To be joined, accounts must meet the criteria specified by the function AS WELL AS the filter specified in the AccountInboxing_GetJoinAndProvisionFilter function. The default logic for this function states that all inventoried accounts are eligible for joining. If the value of AllowJoin was set to 0, no accounts would be eligible.

DECLARE @JoinFilter NVARCHAR(MAX) = N'A.AllowJoin = 1'

This function can be customized to filter or exclude accounts from being targets for joining to People. For example, if you wanted only those accounts in a specific account store to be eligible targets for joining, you could alter the function in the following way:

DECLARE @JoinFilter NVARCHAR(MAX) = N'A.AllowJoin = 1' AND A.AccountStoreID = 1002

AccountInboxing_GetProvisionFilter

This function specifies the accounts from which Persons can be provisioned. To be provisioned, accounts must meet the criteria specified the function AS WELL AS the filter specified in the AccountInboxing_GetJoinAndProvisionFilter function. The default logic for this function states that Persons can be provisioned from an accounts store when AllowPersonProvisioning is set to true on the account store from which the account originates.

DECLARE @ProvisionFilter NVARCHAR(MAX) =
    N'A.AllowProvision = 1 AND EXISTS(SELECT 1 FROM AccountStore S WHERE A.AccountStoreID = S.AccountStoreID AND S.AllowPersonProvisioning = 1)'

This function can be customized to filter or exclude accounts within an eligible account store from being targets for provisioning new Persons. For example, if you wanted only those accounts with a Department value of Sales to be eligible targets for provisioning new Persons, you could alter the function in the following way:

DECLARE @ProvisionFilter NVARCHAR(MAX) =
    N'A.AllowProvision = 1 AND EXISTS(SELECT 1 FROM AccountStore S WHERE A.AccountStoreID = S.AccountStoreID AND S.AllowPersonProvisioning = 1 AND A.Department = N''Sales'')'

AccountInboxing_GetJoinAndProvisionFilter

This function specifies logic that the above two functions, AccountInboxing_GetJoinFilter and AccountInboxing_GetProvisionFilter, could have in common. This prevents duplicating this logic in the other two functions. To be joined or used to provision new Persons, accounts must meet the criteria specified by the function AS WELL AS the filters specified in the AccountInboxing_GetJoinFilter function (for joining) and the AccountInboxing_GetProvisionFilter function (for provisioning). The default logic for this function ensures that for joining or provisioning, an account must meet the following criteria:

  • The account is not currently owned by a Person (The account's PersonID field IS NULL)
  • The account is active (The account's Disabled and Deleted fields are 0)
  • The account is not an Active Directory contact account or a non-personal account (The AccountTypeID field is not equal to 2 and the AccountUsageTypeID equals 1.
  • The account has valid FirstName and LastName values (The length of each field is greater than 0)
DECLARE @JoinAndProvisionFilter NVARCHAR(MAX) =
            N'A.PersonID IS NULL AND A.Disabled = 0 AND A.Deleted = 0 AND A.AccountTypeID <> 2 AND A.AccountUsageTypeID = 1
            AND LEN(A.FirstName) > 0 AND LEN(A.LastName) > 0'

This function should be customized in situations where the same filter would be applied to accounts that are both join and provision targets. For example, if you wanted only those accounts with an EmployeeType of Contractor to be targets for joining or provisioning, you could alter the function in the following way:

DECLARE @JoinAndProvisionFilter NVARCHAR(MAX) =
            N'A.PersonID IS NULL AND A.Disabled = 0 AND A.Deleted = 0 AND A.AccountTypeID <> 2 AND A.AccountUsageTypeID = 1
            AND LEN(A.FirstName) > 0 AND LEN(A.LastName) > 0 AND A.EmployeeType = ''Contractor''

AccountInboxing_GetJoinLogic

This function specifies whether an account can be joined to a person based on the presence of certain corresponding fields between the account in question and an EmpowerID Person. By default, the logic looks matches between the FirstName and LastName attributes. If matches are found, the logic looks for any one of the following matches. If a match is found, (and the conditions of the above mentioned join functions are met), EmpowerID will join the account to the Person. This function can be modified to define custom matching logic.

  • EmployeeID
  • DateOfBirth
  • PersonalEmail
  • Email
EmpowerID provides several functions that allow you to preview the outcome of the above the Join and Provision functions before enabling those features. To do so, you can run any of the previewing functions in the EmpowerID Identity Warehouse. These functions are as follows.
  • EXEC [dbo].[AccountInboxing_Preview_JoinCandidates] - Allows you to preview which accounts are targets for being joined to Persons
  • EXEC [dbo].[AccountInboxing_Preview_ProvisionCandidates] - Allows you to preview from which accounts new Persons would be provisioned if they are not joined.
  • EXEC [dbo].[AccountInboxing_Preview_Joins] - Allows you to preview the accounts and the Persons to which they would be joined.