Configuring EmpowerID Server Roles

Each server and the role it plays in EmpowerID, as described in the below table, can be managed from Configuration Manager via the EmpowerID Management Console.

| EmpowerID Role | Front-End (Web) | Back-End (App) | Description |
|---|---|---|---|
| Account Lockout Detection Job | No | Optional | This is not commonly used. Sends password resets to a queue so they can be processed offline. BatchPasswordReset must be set to TRUE on the Account Store. |
| Account Password Reset Inbox | No | Optional | This is not commonly used. Sends password resets to a queue so they can be processed offline. BatchPasswordReset must be set to TRUE on the Account Store. |
| Attestation Policy Compiler | No | Yes | This evaluates any active Attestation policies, queues any attestation tasks that need to be processed and sets up the attestation tasks. |
| Attestation Processor | No | Yes | This processes the records in the Attestation Task Queue table and initiates the appropriate workflows in response to those records. |
| Attribute Flow - Directory Change Processor Job | No | Yes | This takes the attribute changes from the attribute inbox that were discovered during inventory and processes them using the attribute flow rules to update the Person object. Changes to the Person object can then lead to changes being pushed to the attribute outbox that will flow to other systems. This job is scheduled per Account Store. |
| Database Archiving Rule Processor | No | Yes | This performs database archiving rules and processes. |
| Dynamic Hierarchy Generation Job | No | Yes | This calculates which groups should be provisioned and deprovisioned in group hierarchy policies. |
| Dynamic Hierarchy Membership Inbox Processor Job | No | Yes | This syncs the group membership for each group in the hierarchy membership inbox. |
| Dynamic Hierarchy Membership Recalculation Job | No | Yes | This calculates which groups in the group hierarchy policies should have their membership refreshed. |
| Dynamic Hierarchy Provision Inbox Processor | No | Yes | This calculates which groups should be provisioned or deprovisioned in group hierarchy policies. |
| Exchange Membership Web Service | Optional* | Yes | This provides Exchange functionality. Allows the server to be selected as an agent for an Exchange Resource System and processes Exchange PowerShell commands. This is a WCF web service hosted by the Worker Role Windows Service. |
| Federation Server Web Service | Yes | Yes | This provides a distributed claims-based STS for the EmpowerID platform. This is a WCF service. |
| Group Membership Reconciliation Job | No | Yes | This projects group memberships based on EmpowerID RBAC policies and acts upon the target resource system based on the Enforcement level set for the Account Store. |
| Inventory Job | No | Yes | This processes all inventory jobs for external system connectors. |
| LDAP Management Web Service | Yes | Yes | This processes all calls to AD / ADAM / LDAP directories. This is a WCF service hosted by IIS and must be installed on a machine with connectivity to the LDAP directories that it manages. |
| Lotus Notes Web Service | XX | XX | This is a WCF web service hosted by IIS and must be installed on a machine with Lotus Notes. Do not use without guidance from EmpowerID Implementation or Support. |
| Password Manager Web Service | Optional** | Yes | This performs password management functions, such as validation, and receives password change notification messages from the EmpowerID Password Change Detection Agent Windows Service. This is a WCF web service hosted by IIS. |
| Permanent Workflow Job | No | Yes | This runs permanent workflows, such as the Account Inbox and Password Expiration Notification workflows, keeping them in a continuously running state if they are enabled. |
| Person Default Attributes Reinforcement Job | No | Yes | This evaluates and enforces the Person Default Attribute Assignment policies and writes the attributes to the person record. Attribute changes to any external accounts are then handled by the Attribute Flow processor. |
| Pipeline Service | Yes | Yes | This sends approval and password expiration emails via the SMTP server defined in the Local Settings tool. This service is also used by the Workflow Business Rule Engine (BRE) and Business Rule Web services and is required for BRE applications to function correctly. This is a WCF web service hosted by IIS. |
| PowerShell Service | No | Yes | This processes any non-Exchange PowerShell commands. This is a WCF service hosted by IIS. |
| RBAC Maintenance Job | No | Yes | Pre-compiles the delegations and operations for the Initiate, Edit, Use and Review workflow operations. Also provides RBAC for the combination of the actors and their target resources (Step 3 of RBAC). |
| RBAC Security Compiler | No | Yes | This pre-compiles the Business Role tree, the Location tree and the locations for resources to provide RBAC security. Also provides RBAC for the target of an actor (Step 1 of RBAC). |
| RBAC Security Person Business Role Compiler Job | No | Yes | This pre-compiles any relationships between a Person and groups, Business Roles and Locations, Management Roles and SetGroups. Also provides RBAC for the Actors themselves (Step 2 of RBAC). |
| Resource Entitlement Inbox Processor Job | No | Yes | This processes all records in the Resource Entitlements Inbox and creates or manipulates the external resources, such as AD accounts and Exchange mailboxes, based on the rules of the related Resource Entitlement policies. |
| Resource Entitlement Recalculation Job | No | Yes | This recalculates Resource Entitlements and populates the Resource Entitlement Inbox table to await processing by the Resource Entitlement Inbox Processor. |
| Resource Role Reconciliation Job | No | Yes | This evaluates all active Resource Role (Access Level) assignments and effects any changes to resources. Creates EID local groups and assigns actors to the groups for permission assignments in the local system. A local group is not created until an actor is applicable, and the local group is removed when the last actor is removed. |
| Rights Enforcement Job | No | Yes | This manipulates the security assignments in external systems based on RBAC Resource Role (Access Level) assignments in EmpowerID. |
| Rights Inventory Job | No | Yes | This manipulates the security assignments in external systems, such as File Shares and Exchange. |
| Risk Factor Recalculation Job | No | Yes | This recalculates the risk factor and last risk evaluation fields on Management Roles, people, etc. The risk factor is pulled from Resource Role (Access Level) properties. |
| Role and Location Compiler | No | Optional | This compiles Roles and Locations for external systems/connectors (not used for AD; only for external systems/connectors such as ADP HR). |
| Search Tag Compilation | No | Optional | This compiles metadata for tags on resources based on their location and properties. Enable this job if the client is using the tagging feature. |
| Separation of Duties Policy Compiler | No | Optional | This compiles Separation of Duties (SoD) policies and violations and makes them available in the SoD audit space. |
| Separation of Duties Violation Processor | XX | XX | This processes workflows or actions to be performed in the event an SoD violation occurs. By default, the processor does nothing. There is no UI for this; you must configure it in SQL. |
| Service Bus Management Web Service | Yes | No | This is a listener service that processes any external Web service or .NET calls to EmpowerID. It provides endpoints for WCF and SOAP Web services. |
| SharePoint Management Web Service | SP Servers Only | SP Servers Only | This provides SharePoint federation, RET and attribute flow for SharePoint user profiles. This allows a server to be selected as an agent for a SharePoint resource system. |
| Windows Server Management Web Service | No | Yes | This executes any of the local Windows server OS management actions required for shared folder creation or other system management tasks. This is a WCF web service hosted by IIS and must be installed on a machine that is the intended target for management. |
| Workflow Server Web Service | Yes | Yes | This processes all workflow activity in the environment. This is a WCF web service hosted by IIS. |

* If workflows on the Front-End modify Exchange mailboxes directly, enable this on the Front-End server as well to avoid WCF call performance degradation.

** If workflows on the Front-End change or reset passwords directly, enable this on the Front-End as well to avoid WCF call performance degradation.

To configure EmpowerID Server Roles

  1. From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager from the context menu.
  2. In Configuration Manager, click the EmpowerID Servers and Roles node in the application navigation tree. You should see a list of each EmpowerID job as a grid item and the servers hosting the Windows services that process those jobs as grid columns.
  3. The status of a job is as follows:

    • Jobs that are running on a server are checked under that server's column
    • Jobs that are not running on any server are unchecked in all server columns
    • Jobs that cannot run on a server have grayed out selection boxes. A grayed out selection box indicates that the job cannot run on that server because the Windows service that hosts the job is not installed on the server.
  4. To activate or deactivate a service on a particular server, right-click the server name in the column header and toggle the Service State icon beside the service you want to change. A green check box indicates the service is active on that server; a red sphere indicates it is not. To make a service active on a server, toggle its Service State icon from a red sphere to a green check box; to make it inactive, toggle the icon from a green check box to a red sphere. When taking a server offline, first transfer any active EmpowerID services from that server to one or more other servers, and only then set those services to inactive on the server being taken offline, so that resource management continues uninterrupted.
  5. Each service (other than the Web Server) sends a heartbeat to the EmpowerID Identity Warehouse to indicate that it is active. If no heartbeat is received for three minutes, EmpowerID moves the service to another server that hosts it, provided you have configured your environment with multiple servers hosting that service. Heartbeat status is displayed to the right of each service.
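The following is an added illustration of the role-assignment rules in steps 3 to 5 above (a role can only be activated where its hosting Windows service is installed, each active role is expected to heartbeat, and a role whose heartbeat is missing for three minutes is moved to another eligible server). It is not EmpowerID code and does not touch the Identity Warehouse or any EmpowerID API; the server names, timestamps and the mapping of roles to hosting services (the page states the host for the Exchange Membership and Workflow Server web services, the entry for the Inventory Job is an assumption) are constructed for the example.

```python
"""Simplified model of EmpowerID server-role state and heartbeat failover.

Added example only: not EmpowerID code. The three-minute timeout and the
activation rule come from the page; servers, timestamps and the role-to-host
mapping below are constructed stand-ins.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Page: a service is moved if no heartbeat is received for three minutes.
HEARTBEAT_TIMEOUT = timedelta(minutes=3)

# Which hosting Windows service each role needs. The first two are stated on
# the page; the Inventory Job entry is an assumption for the example.
ROLE_HOST_SERVICE = {
    "Exchange Membership Web Service": "WorkerRole",  # page: Worker Role Windows Service
    "Workflow Server Web Service": "IIS",             # page: hosted by IIS
    "Inventory Job": "WorkerRole",                    # assumption
}


@dataclass
class Server:
    name: str
    # Hosting services installed on this server; a role whose host is missing
    # is the "grayed out" case in Configuration Manager.
    installed_services: set[str]
    # role -> active? (True = green check box, False = red sphere)
    role_state: dict[str, bool] = field(default_factory=dict)
    # role -> time of the last heartbeat this server sent for that role
    last_heartbeat: dict[str, datetime] = field(default_factory=dict)


def can_host(server: Server, role: str) -> bool:
    """True when the role's hosting service is installed on the server."""
    return ROLE_HOST_SERVICE[role] in server.installed_services


def set_role_state(server: Server, role: str, active: bool) -> None:
    """Toggle a role on a server; refuses the grayed-out (not installed) case."""
    if not can_host(server, role):
        raise ValueError(f"{role} cannot run on {server.name}: host service not installed")
    server.role_state[role] = active


def stale_roles(servers: list[Server], now: datetime) -> list[tuple[Server, str]]:
    """(server, role) pairs that are active but missed the heartbeat window."""
    stale = []
    for s in servers:
        for role, active in s.role_state.items():
            if not active:
                continue
            hb = s.last_heartbeat.get(role)
            if hb is None or now - hb > HEARTBEAT_TIMEOUT:
                stale.append((s, role))
    return stale


def failover(servers: list[Server], now: datetime) -> list[tuple[str, str, str | None]]:
    """Move each stale role to another server that can host it and is not
    already running it. Returns (role, from_server, to_server); to_server is
    None when no other eligible server exists (single-server environment)."""
    moves = []
    for src, role in stale_roles(servers, now):
        candidates = [s for s in servers
                      if s is not src and can_host(s, role) and not s.role_state.get(role)]
        dst = candidates[0] if candidates else None
        src.role_state[role] = False           # red sphere on the silent server
        if dst is not None:
            dst.role_state[role] = True        # green check box on the new host
            dst.last_heartbeat[role] = now
        moves.append((role, src.name, dst.name if dst else None))
    return moves


def demo() -> list[tuple[str, str, str | None]]:
    """Constructed scenario: APP1 stops heartbeating for the Inventory Job."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    app1 = Server("APP1", {"WorkerRole", "IIS"})
    app2 = Server("APP2", {"WorkerRole", "IIS"})
    web1 = Server("WEB1", {"IIS"})  # front-end: cannot host Worker Role jobs
    set_role_state(app1, "Inventory Job", True)
    app1.last_heartbeat["Inventory Job"] = now - timedelta(minutes=4)  # missed window
    set_role_state(app2, "Workflow Server Web Service", True)
    app2.last_heartbeat["Workflow Server Web Service"] = now - timedelta(minutes=1)
    return failover([app1, app2, web1], now)


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario WEB1 is skipped as a failover target because the Worker Role service is not installed there, which is the same eligibility rule that grays out the check box in Configuration Manager; the job lands on APP2. Note that the model only reassigns roles that have been explicitly activated, so a service you never enable on a second server has nowhere to fail over to, which is the point of step 4's advice to transfer services before taking a server offline.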