
Creating a Tracking Only Account Store

Overview of Tracking Only Account Stores in EmpowerID

A Tracking Only Account Store in EmpowerID is a non-connected account store used to track accounts, groups, and memberships without directly integrating with an external system. Unlike other EmpowerID account stores, Tracking Only Account Stores do not establish live connections to external directories, databases, or SaaS applications. Instead, they act as placeholders within EmpowerID, allowing organizations to track identity-related information and manually fulfill provisioning tasks for external systems.

This approach is particularly useful when:

  • The external system does not support direct integration.
  • The organization does not want to establish an API-based or direct database connection.
  • A manual approval and fulfillment process is required for governance and compliance.
  • EmpowerID needs to track accounts, groups, and memberships for security, auditability, or recertification purposes.

How Tracking Only Account Stores Work

When accounts or groups are created in a Tracking Only Account Store, they exist only within EmpowerID and are not automatically pushed to an external system. However, organizations can establish a manual fulfillment process where system administrators or application owners are assigned collaboration tasks to manually provision accounts, create groups, or update memberships in an external system.

This is facilitated by EmpowerID’s System Change Outbox, which generates business request tasks for administrators or application owners. Once they complete the requested changes in the external system, they approve the task in EmpowerID, providing an auditable record of the action.

Key Features of a Tracking Only Account Store

  • Exists only within EmpowerID, with no direct connection to an external system.
  • Supports manual fulfillment workflows for identity tracking and provisioning.
  • Creates collaboration tasks for system owners to fulfill requests manually.
  • Enables auditability: actions are logged for compliance and recertification.
  • Tracks accounts, groups, and memberships for security and governance purposes.
  • Can be created manually or automatically through the Protected Applications feature.

Common Use Cases for a Tracking Only Account Store

📌 Representing an External System Without a Direct Connector

  • Organizations may want to track user accounts and group memberships in a system that does not support API-based integration.
  • For example, if a legacy HR system does not provide a way to integrate with EmpowerID, an organization can create a Tracking Only Account Store for it.

📌 Manual Fulfillment of Provisioning Requests

  • Instead of automated provisioning, EmpowerID can generate manual fulfillment tasks.
  • When a new user account is created in the Tracking Only Account Store, a system administrator receives a task to manually create that account in the external system.
  • Once the administrator completes the task, they approve it in EmpowerID, maintaining an audit trail.

📌 Access Certification and Compliance Audits

  • Even if an account does not exist directly in EmpowerID’s connected account stores, it can still be tracked.
  • A Tracking Only Account Store allows identity administrators to see which users have accounts in external systems.
  • This enables certification processes, such as periodic access reviews, without requiring direct integration.

📌 Risk Analysis and Governance

  • Organizations can monitor which users have accounts in external applications that are not natively integrated with EmpowerID.
  • Helps in detecting orphaned accounts or unauthorized access.

How a Tracking Only Account Store is Created

There are two ways to create a Tracking Only Account Store in EmpowerID:

  1. Manual Creation via the Account Stores Section

    • Admins can manually create a Tracking Only Account Store in the EmpowerID Admin Console.
    • This is useful for organizations that want full control over the setup and configuration.
  2. Automatic Creation via a Protected Application

    • When a Protected Application is created, EmpowerID can automatically generate a Tracking Only Account Store associated with it.
    • This method is preferred when managing application-specific identities and group memberships.

The next sections will cover both methods in detail, along with configuration options and manual fulfillment processes for ensuring governance and compliance.

Creating a Tracking Only Account Store

This section will guide you through both methods and provide detailed configuration steps.


1. Manually Creating a Tracking Only Account Store

This method allows administrators to manually define a Tracking Only Account Store without associating it with a specific application. This is ideal when you need to track accounts and groups in an external system without creating a direct integration.

Steps to Create a Tracking Only Account Store Manually:

  1. Navigate to the Account Store Management Page

    • Log in to EmpowerID as an administrator.
    • Go to Admin → Account Stores and Systems.
    • Click on Create Account Store.
  2. Select Tracking Only as the Account Store Type

    • In the list of available account store types, search for and select "Tracking Only".
    • Click Submit to proceed.
  3. Provide Account Store Details

    • Name: Enter a descriptive name for the account store.
    • Display Name: This is how the account store will appear in the EmpowerID interface.
  4. Submit the Account Store Creation

    • Click Submit to finalize the creation process.

Once created, the Tracking Only Account Store will appear in the list of account stores and behave like any other EmpowerID account store, except that it does not connect to an external system.


2. Configuring the Tracking Only Account Store

After creating the account store, it must be configured to define how accounts, groups, and memberships will be tracked and managed.

General Settings

  • Open the Account Store Definition.
  • The Account Store Properties page will display settings similar to any other account store.
  • Enable or disable features such as:
    • Allow Provisioning by Provisioning Policies
    • Allow Attribute Flow Between Accounts and Person Objects
    • Enable Business Role and Location Processing

💡 Tip: Since the Tracking Only Account Store does not have an external system, there is no need to configure inventory or membership processes.


3. Automatic Creation via a Protected Application

Another way to create a Tracking Only Account Store is to associate it with a Protected Application. This method is useful when tracking access for a specific system or SaaS application without integrating directly.

Steps to Create a Protected Application with a Tracking Only Account Store:

  1. Navigate to the Applications Section

    • Go to Admin → Apps and Authentication → Applications.
    • Click on Create Application.
  2. Enter Application Details

    • Name: Provide a descriptive name (e.g., Sales Rep System).
    • Description: Optional, but useful for documentation.
  3. Enable the Tracking Only Account Store Option

    • Select "Create a Tracking Only Account Store for this Application".
    • Choose the Default Organization (e.g., All Business Locations or Default Organization).
    • Set an Owner for the application.
  4. Configure IAM Shop Publishing

    • Enable publishing to the IAM Shop to allow user requests.
  5. Select the Application Authorization Model

    • Choose Standard Application (no PBAC or Azure role management).
  6. Set Up Outbox Fulfillment Processing

    • Select whether to batch process outbox entries by group or by person:
      • By Group: Sends a single collaboration task per group with all users in a CSV file.
      • By Person: Sends a separate collaboration task per user, listing all their required memberships.
  7. Finalize the Creation

    • Click Add to Cart and then Submit Cart.
    • The Tracking Only Account Store will be automatically created along with the application.
  8. Verify the Account Store

    • Navigate to Admin → Account Stores.
    • Locate the newly created Tracking Only Account Store.
    • Configure it as needed, following the same steps as for a manually created account store.
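
The two batching modes from step 6 (Set Up Outbox Fulfillment Processing), as an added illustration that is not EmpowerID code: the same pending membership changes are turned into one task per group with a CSV of users, or one task per person. The record fields, CSV columns, and sample names are assumptions, not an EmpowerID schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of pending membership changes awaiting manual fulfillment.
# Field names and values are assumptions for illustration only.
PENDING = [
    {"person": "asmith", "group": "SalesRep-Users", "action": "add"},
    {"person": "bjones", "group": "SalesRep-Users", "action": "add"},
    {"person": "asmith", "group": "SalesRep-Admins", "action": "add"},
    {"person": "cwu", "group": "SalesRep-Users", "action": "remove"},
    {"person": "bjones", "group": "SalesRep-Users", "action": "add"},  # duplicate request
]

def dedupe(entries):
    """Drop repeated (person, group, action) requests, keeping first-seen order."""
    return list({(e["person"], e["group"], e["action"]): e for e in entries}.values())

def batch_by_group(entries):
    """One task per group; the task payload is a CSV of the affected users."""
    rows = defaultdict(list)
    for e in dedupe(entries):
        rows[e["group"]].append((e["person"], e["action"]))
    tasks = {}
    for group, members in rows.items():
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["person", "action"])
        writer.writerows(members)
        tasks[group] = buf.getvalue()
    return tasks

def batch_by_person(entries):
    """One task per person, listing every membership change that person needs."""
    tasks = defaultdict(list)
    for e in dedupe(entries):
        tasks[e["person"]].append((e["group"], e["action"]))
    return dict(tasks)

if __name__ == "__main__":
    for group, payload in batch_by_group(PENDING).items():
        print(f"[task for group {group}]\n{payload}")
    for person, changes in batch_by_person(PENDING).items():
        print(f"[task for person {person}] {changes}")
```

With this sample, By Group produces two tasks and By Person produces three; the duplicate request is collapsed in both so the fulfiller is not asked to make the same change twice.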

Comparison of the Two Methods

| Method | Best Use Case | Setup Effort | Key Benefits |
| --- | --- | --- | --- |
| Manual Creation | Tracking an external system with no direct integration | Quick & Simple | Full control over account store settings |
| Protected Application | Managing identities for a specific application | More setup required | Creates both a protected application and a Tracking Only Account Store |

Summary of Key Steps

  • Created a Tracking Only Account Store manually.
  • Configured key settings for provisioning, attribute flow, and business roles.
  • Created a Tracking Only Account Store via a Protected Application.
  • Set up manual fulfillment workflows for identity tracking.

Next Steps:

Now that the Tracking Only Account Store is configured, the next step is to enable manual fulfillment processes using the System Change Outbox. This will ensure that all account and membership changes are properly tracked and approved in EmpowerID. 🚀