The EmpowerID Identity Management Framework is built on the concept of a Services Oriented Architecture (SOA). As such, EmpowerID functionality is broken down into a large number of granular "jobs," which are hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over WCF Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory) or they are WCF Web Services used in workflow processes (such as the Exchange Management Host, which is called when performing Exchange management tasks using PowerShell). All Jobs can run on more than one server at a time for load-balancing and fail-over, with each server sending a periodic heartbeat to the Identity Warehouse specifying whether the server is online and which Jobs it is hosting. If a server hosting a specific service moves offline for maintenance or other reasons, EmpowerID moves those processes to another server hosting the same Job.
As all communication occurs over WCF, the EmpowerID Web server plays an important role, directing the various calls that occur in EmpowerID—whether those calls are automated processes like attribute flow or user-initiated processes like logging in to the EmpowerID Management Console—to the appropriate EmpowerID Windows service responsible for carrying out the call, such as the EmpowerID Workflow server. To ensure this process flows without interruption, the EmpowerID Web server uses the following criteria to determine which Workflow server it uses:
if the Web server itself is an "online" Workflow server, the Web server uses itself;
otherwise, it calls the EmpowerID Identity Warehouse to request an "online" Workflow server in the same Communication Zone.
A server is considered "online" if it has completed a heartbeat check-in to the metadirectory within the last 3 minutes. The heartbeat is written to the EmpowerID ServerServices table and can be viewed from the EmpowerID Servers and Roles node in Configuration Manager by right-clicking on the Server column header in the grid and viewing the date/time information. By default the services send this notification every two minutes, which allows fail-over in case a service is down or disconnected.
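The two rules above (a server counts as online only while its last heartbeat is under 3 minutes old, and the Web server prefers itself before asking the Identity Warehouse for an online Workflow server in its own Communication Zone) are easy to get wrong when reasoning about fail-over, so here is a small model of them. This is an added example, not EmpowerID code: the record fields, the server and zone names, and the alphabetical tie-break among equally eligible servers are all assumptions made for the illustration, not the real ServerServices schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Values stated on the page: online window of 3 minutes, heartbeat every 2 minutes.
ONLINE_WINDOW = timedelta(minutes=3)
HEARTBEAT_INTERVAL = timedelta(minutes=2)


@dataclass(frozen=True)
class ServerService:
    """One heartbeat record per (server, job). Field names are assumptions for
    this example, not the columns of the real ServerServices table."""
    server: str
    job: str                 # e.g. "Workflow", "Inventory"
    zone: str                # Communication Zone the server belongs to
    last_heartbeat: datetime  # timezone-aware UTC timestamp of the last check-in


def is_online(record: ServerService, now: datetime) -> bool:
    """Online means the last heartbeat is within the 3-minute window."""
    return now - record.last_heartbeat <= ONLINE_WINDOW


def stale_servers(records: List[ServerService], now: datetime) -> List[str]:
    """Servers whose heartbeat has lapsed; useful as a monitoring check, because
    one missed 2-minute heartbeat already pushes a server past the 3-minute window."""
    return sorted({r.server for r in records if not is_online(r, now)})


def choose_workflow_server(web_server: str, zone: str,
                           records: List[ServerService], now: datetime) -> Optional[str]:
    """Apply the Web server's selection criteria from the text:
    1. if the Web server itself hosts an online Workflow job, it uses itself;
    2. otherwise it asks for an online Workflow server in the same Communication Zone.
    Returns None when no eligible Workflow server exists (the fail-over gap to alert on)."""
    online_workflow = [r for r in records if r.job == "Workflow" and is_online(r, now)]
    if any(r.server == web_server for r in online_workflow):
        return web_server
    candidates = sorted(r.server for r in online_workflow if r.zone == zone)
    # Tie-break alphabetically here; the real selection order is not described on the page.
    return candidates[0] if candidates else None


# Constructed sample heartbeat table for the illustration.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    # web01 also hosts Workflow but missed its last heartbeat (5 minutes ago): offline.
    ServerService("web01", "Workflow", "HQ", NOW - timedelta(minutes=5)),
    ServerService("wf01", "Workflow", "HQ", NOW - timedelta(minutes=1)),
    # 2:59 is still inside the 3-minute window.
    ServerService("wf03", "Workflow", "HQ", NOW - timedelta(minutes=2, seconds=59)),
    ServerService("wf02", "Workflow", "Branch", NOW - timedelta(seconds=30)),
    ServerService("inv01", "Inventory", "HQ", NOW - timedelta(minutes=1)),
]

if __name__ == "__main__":
    print("stale:", stale_servers(SAMPLE, NOW))
    print("web01/HQ ->", choose_workflow_server("web01", "HQ", SAMPLE, NOW))
    print("wf01/HQ  ->", choose_workflow_server("wf01", "HQ", SAMPLE, NOW))
    print("web01/Remote ->", choose_workflow_server("web01", "Remote", SAMPLE, NOW))
```

Note that with a 2-minute interval and a 3-minute window, a single missed heartbeat is enough to mark a server offline, so clock skew between servers and the Identity Warehouse directly affects fail-over behaviour; `stale_servers` is the kind of check worth running before assuming a job is actually being serviced.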
Each of the various services that make up the processing operations of the system can be assigned to any number of distributed servers within Configuration Manager. A brief overview of the purpose of each of these Jobs follows below:
Attribute Flow - Directory Change Processor - This is a job hosted by the EmpowerID Worker Role Windows service that takes the attribute changes from the attribute inbox that were discovered during inventory and processes them using the attribute flow rules to update the attributes for the EmpowerID Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This job is scheduled per Account Store.
Audit Event Log Monitoring - This is a job hosted by the EmpowerID Worker Role Windows service that actively gathers event logs from remote Windows Server systems. This is in contrast to the Windows Server Event Log Monitor, which runs locally on managed Windows servers. Either can be used: this job provides a polling style of event log change detection, whereas the Windows Server Event Log Monitor provides a push method.
Exchange Management Host - This is a WCF web service end point that can execute any of the PowerShell cmdlets for managing Microsoft Exchange 2007 or greater. This job is hosted by the EmpowerID Agent Windows service and must be installed on a machine loaded with the Exchange Management Console tools.
Exchange Public Folder Path Sync - This Job maintains the correct path value for mail-enabled public folders in their corresponding AD object. This value is not maintained by Exchange when Public Folders are moved, but its accuracy is required for managing Public Folders.
Group Membership Reconciliation - This is a job hosted by the EmpowerID Worker Role Windows service that evaluates the current "as is" membership of groups versus the "should be" state of membership, based upon dynamic RBAC assignments of the "Member" Resource Role in EmpowerID. This job is scheduled per resource system or account store.
Inventory - This is a Job hosted by the EmpowerID Worker Role Windows service that claims inventory jobs for resource systems and account stores on a scheduled basis, calling the specific inventory method for that system. For account stores, the inventory process is responsible for populating the attribute inbox and running the initial Person provision process using the same Join and Provision Rule logic used by the Account Inbox One by One or Account Inbox Bulk permanent workflow. The actual implementation of how each system is inventoried is specific to the type of system and the implementation in its connector. This Job is scheduled per resource system or account store.
LDAP Management Host WCF Service - This is a WCF web service hosted by the EmpowerID Agent Windows service that manages any communication that occurs between EmpowerID and any LDAP directories.
Password Manager Service - This is a WCF web service that hosts logic specific to password management, such as validation, and is the service that receives password change notification messages from the EmpowerID Password Change Detection Agent Window service.
Permanent Workflow Job - This is a Job hosted by the EmpowerID Worker Role Windows service that ensures permanent workflows are kept in a continuously running state. The parameters for the loop are set for each workflow added to the Permanent Workflow job.
Person Default Attributes Reinforcement - This Job is responsible for making sure each EmpowerID Person has the mandatory attributes they should have based on your Default Attribute Values policies. It also populates the Attribute outbox to ensure the corresponding account properties are changed, if needed.
PowerShell Service - This Job is a WCF web service end point hosted by the EmpowerID Agent Windows service for executing any type of PowerShell cmdlets. This service is used by workflows that execute PowerShell cmdlets. Applicable PowerShell snap-ins should be loaded on each server hosting this service.
RBAC Maintenance - Empty; this is purposely left blank for customer-specific maintenance, if needed.
RBAC Security Compiler - This is a Job hosted by the EmpowerID RBAC Services Windows service that is responsible for building the Location and Business Role trees used in the various EmpowerID applications. It also calculates the location of resource locations and which security delegations affect them.
RBAC Person Business Role Compiler - This is a Job hosted by the EmpowerID RBAC Services Windows service that is responsible for calculating the Business Roles and Locations an EmpowerID Person will have based on all possible assignments.
Resource Entitlement Inbox Recalculation - This is a Job hosted by the EmpowerID Worker Role Windows service that evaluates the current "as is" status of Resource Entitlement policies (RETs) versus the "should be" state. This entails determining what Accounts, Home Folders, Exchange Mailboxes, etc., people currently own versus what they should own by policy. The delta to normalize what they have with what they should have is written to the Resource Entitlement Inbox as a series of actions to be performed (Provision, Disable, Move, De-provision).
Resource Entitlement Inbox Processor - This is a Job hosted by the EmpowerID Worker Role Windows service that performs the actions specified by the Resource Entitlement Inbox entries.
Resource Role Reconciliation - This is a Job hosted by the EmpowerID Worker Role Windows service that manages the membership of EmpowerID Resource Role groups (RRGs). It determines who should currently be a member of those RRGs and then modifies the membership to match. This job is scheduled per resource system or account store.
Rights Enforcement - This is a Job hosted by the EmpowerID Worker Role Windows service that adds or removes native permissions for resources in external systems based upon the current state of RBAC delegations. The actual granting or revoking of rights for external systems can result in calls to other agents in order to complete the action. This Job is scheduled per resource system or account store.
Rights Inventory - This is a Job hosted by the EmpowerID Worker Role Windows service that inventories native permissions for external system resources. The actual inventory of rights for the external system in question can result in calls to other agents in order to complete the action.
Role and Location Compiler - This is a Job hosted by the EmpowerID Worker Role Windows service that determines the Business Roles and Locations that should be assigned to an EmpowerID Person based on information coming from an external custom system like an HR system. The Role and Location Compiler does not support using AD or LDAP for its functions. Only account stores where the Allow Role and Location Recalculation setting is set to Enabled will be considered. If multiple account stores are being monitored, those with a higher Role and Location Re-Eval Order value are given precedence. The following account store information is used by this job:
Accounts related to an EmpowerID Person
Associations between accounts, external roles, and external locations in an Account Store and whether the association is "Primary" (only one association can be designated as "Primary" for a given account per Account Store)
Mappings managed in the EmpowerID Role and Location Mapper:
Mappings between external roles and EmpowerID Roles (an external role can be mapped to multiple EmpowerID Roles, but only one of these mappings is considered "Primary")
Mappings between external locations and EmpowerID Locations
Role and Location Processor - This is a Job hosted by the EmpowerID Worker Role Windows service that makes Business Role and Location changes as determined by the Role and Location Compiler. The processor performs the following actions:
Changes a Person's primary Business Role and Location (only affects people whose primary role and location were not explicitly assigned)
Assigns secondary roles and locations to a Person
Removes secondary roles and locations from a Person
Handles ambiguous assignments by reassigning people whose Business Role and Location is uncertain to the role and location specified in the EmpowerID Resource System's "Default User Creation Path". This only occurs when a Person's primary Business Role and Location was previously determined by the Role and Location Compiler and set by the processor, but can no longer be ascertained due to insufficient or inconclusive information.
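The Compiler and Processor descriptions above form one pipeline: the compiler derives a "should be" primary role/location and a set of secondaries from account-store associations and mappings, honouring Allow Role and Location Recalculation, Re-Eval Order precedence and the "Primary" flags; the processor then turns the difference against the Person's current state into actions, changing the primary only when it was not explicitly assigned and falling back to the Default User Creation Path when a compiler-set primary becomes ambiguous. The model below is an added example, not EmpowerID code: the data classes, action names, sample stores, external roles and mappings are all constructed for the illustration, and the rule that a lower-precedence store's Primary association becomes a secondary is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RoleLoc = Tuple[str, str]  # (EmpowerID Business Role, EmpowerID Location)


@dataclass(frozen=True)
class AccountStore:
    name: str
    recalc_enabled: bool   # "Allow Role and Location Recalculation" set to Enabled
    reeval_order: int      # "Role and Location Re-Eval Order": higher value wins


@dataclass(frozen=True)
class Association:
    """Link between a person's account in a store and an external role/location."""
    store: str
    external_role: str
    external_location: str
    primary: bool          # only one Primary per account per Account Store


@dataclass(frozen=True)
class RoleMapping:
    eid_role: str
    primary: bool          # an external role maps to many roles, one of them Primary


@dataclass
class Person:
    primary: Optional[RoleLoc]
    primary_explicit: bool          # assigned directly by an administrator
    primary_from_compiler: bool     # last set by the Role and Location Processor
    secondaries: Set[RoleLoc] = field(default_factory=set)


def compile_roles(associations: List[Association], stores: List[AccountStore],
                  role_map: Dict[str, List[RoleMapping]],
                  loc_map: Dict[str, str]) -> Tuple[Optional[RoleLoc], Set[RoleLoc]]:
    """Role and Location Compiler step. Returns (primary, secondaries);
    primary is None when no unambiguous primary can be derived."""
    enabled = {s.name: s for s in stores if s.recalc_enabled}
    usable = [a for a in associations if a.store in enabled]
    # Higher Re-Eval Order is evaluated first, so it wins the primary slot.
    usable.sort(key=lambda a: enabled[a.store].reeval_order, reverse=True)
    primary: Optional[RoleLoc] = None
    secondaries: Set[RoleLoc] = set()
    for assoc in usable:
        location = loc_map.get(assoc.external_location)
        if location is None:
            continue  # unmapped location: nothing can be derived from this association
        for mapping in role_map.get(assoc.external_role, []):
            pair = (mapping.eid_role, location)
            if assoc.primary and mapping.primary and primary is None:
                primary = pair
            else:
                secondaries.add(pair)  # assumption: everything else is a secondary
    secondaries.discard(primary)
    return primary, secondaries


def process(person: Person, compiled: Tuple[Optional[RoleLoc], Set[RoleLoc]],
            default_path: RoleLoc) -> List[Tuple[str, RoleLoc]]:
    """Role and Location Processor step: the actions listed on the page."""
    primary, secondaries = compiled
    actions: List[Tuple[str, RoleLoc]] = []
    if primary is not None:
        if person.primary != primary and not person.primary_explicit:
            actions.append(("ChangePrimary", primary))
    elif person.primary_from_compiler and person.primary is not None:
        # Ambiguous: a compiler-set primary can no longer be determined.
        actions.append(("ReassignToDefault", default_path))
    for pair in sorted(secondaries - person.secondaries):
        actions.append(("AddSecondary", pair))
    for pair in sorted(person.secondaries - secondaries):
        actions.append(("RemoveSecondary", pair))
    return actions


# Constructed sample data. AD is included only to show it is skipped when disabled.
STORES = [AccountStore("HR", True, 10), AccountStore("Badge", True, 1),
          AccountStore("AD", False, 5)]
ROLE_MAP = {"Engineer": [RoleMapping("Developer", True), RoleMapping("Staff", False)],
            "Contractor": [RoleMapping("Contractor", True)],
            "DomainUser": [RoleMapping("Everyone", True)]}
LOC_MAP = {"Boston": "Boston Office", "Remote": "Remote Workers"}
DEFAULT_PATH: RoleLoc = ("Default User", "Default Location")
ASSOCIATIONS = [Association("HR", "Engineer", "Boston", True),
                Association("Badge", "Contractor", "Remote", True),
                Association("AD", "DomainUser", "Boston", True)]
PERSON = Person(("Temp", "Boston Office"), False, True,
                {("Staff", "Boston Office"), ("Intern", "Boston Office")})

if __name__ == "__main__":
    compiled = compile_roles(ASSOCIATIONS, STORES, ROLE_MAP, LOC_MAP)
    print("compiled:", compiled)
    print("actions:", process(PERSON, compiled, DEFAULT_PATH))
```

Running it with the sample data, the HR store (order 10) supplies the primary Developer/Boston Office pair, the Badge store's Primary association drops to a secondary, the disabled AD store is ignored, and the processor emits one primary change, one secondary addition and one secondary removal; removing all Primary associations makes the compiler return `None` and the processor falls back to the default path only because the current primary was compiler-set.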
Set Compiler - This is a job hosted by the EmpowerID Worker Role Windows service that evaluates saved searches or Sets against connected account stores. The results of these compiled searches can be used for assigning Management Roles and Resource Roles as well as query-based assignments of Person objects to Business Roles and Locations.
SharePoint Management Host - This is a WCF web service end point that can execute any of the SharePoint object model calls required for managing Microsoft SharePoint 2007 or greater. This Job is hosted by the EmpowerID Agent Windows service and must be installed on a machine that is a SharePoint server in the farm to be managed.
WCF Service Bus Management Host - This is the Management Host for the EmpowerID Service Bus hosted by the EmpowerID Agent Windows service. The EmpowerID Service Bus provides distributed WCF endpoint hosting facilities for integrating external resource systems and applications with the rest of the EmpowerID platform.
Windows Server Event Log Monitor - This Job gathers raised notifications when a new event is added to the Windows event log and decides whether or not to track the event based on the monitoring policy defined for that system in EmpowerID. This can be used to push notification of changes, in place of the pull method offered by the Audit Event Log Monitoring job.
Windows Server Management Host WCF Service - This is a WCF web service hosted by the EmpowerID Agent Windows service that can execute any of the local Windows server OS management actions required for shared folder creation or other system management tasks. This service must be installed on a machine that is the intended target for management.