EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. By default, all attribute flow rules are set to Bidirectional, except for the mail attribute, which is set to flow from Exchange to EmpowerID.
The following flow rules are available:
No Sync - When this option is selected, no information flows between EmpowerID and the native system.
Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa.
Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
For attribute flow to occur, the following prerequisites must be met:
Each involved account store must have the Enable Attribute Flow setting set to true.
The Attribute Flow - Directory Change Processor Job must be enabled on at least one EmpowerID server hosting the Worker Role service.
By default, EmpowerID retrieves attribute values for each user account in a connected account store and maps them value for value to the corresponding Person attributes stored in the EmpowerID Identity Warehouse. In this way, if the value of "State" for an AD user account is "Massachusetts" then the value of "State" for that account's Person object in EmpowerID is "Massachusetts." However, EmpowerID allows you to create your own Attribute Flow Handlers to customize these values. You do this by creating a class library in Workflow Studio that inherits from the DefaultAttributeflowHandler class and by overriding the method specific to the account store (external or EmpowerID) you wish to effect. For more information on customizing Attribute Flow, see Creating Custom Attribute Flow Handlers in the Developer's Guide.
The Mail attribute should always flow from Exchange to EmpowerID.
To configure Attribute Flow rules
From the EmpowerID Management Console, click the EmpowerID logo and select Configuration Manager from the menu.
In Configuration Manager, expand User Directories in the navigation tree on the left of the screen and then click Attribute Flow Rules.
Select the appropriate Account Store from the drop-down list at the top of the screen.
The attributes from the EmpowerID Person object are displayed in the left column with the corresponding attributes from the account store displayed in the right column.
Click the Attribute Flow button located between the EmpowerID Person Attribute column and the Account Store Attributes column, and select a flow direction from the context menu.