2. Stay connected to Allidm
Find us on Facebook:
http://www.facebook.com/allidm
Follow us on Twitter:
http://twitter.com/aidy_idm
Look for us on LinkedIn:
http://www.linkedin.com/allidm
Visit our blog:
http://www.allidm.com/blog
3. Disclaimer and Acknowledgments
The contents here are created as my own personal endeavor and
thus do not reflect any official stance of any Identity and
Access Management vendor on any particular technology.
4. Contact Us
In this presentation we’ll talk about some useful topics that
you can use no matter which identity and access management
solution or product you are working on.
If you know one that makes a big difference, please tell us so
we can include it in the future:
aidy.allidm@gmail.com
5. What’s a Reconciliation
Reconciliation is the process of synchronizing accounts
between the managed resource and the Identity Manager
Server.
To determine an ownership relationship, reconciliation
compares account information with existing user data
stored on the Identity Manager Server, first looking for
existing ownership within the Identity Manager Server
and then applying the business rules configured for the
reconciliation.
7. What’s a Reconciliation…
During the reconciliation process, new accounts created on
the managed resource will be created in the Identity
Manager Server repository and assigned to the user based
on the adoption policy that is applicable.
If there is no user match for the account, the account will be
displayed in Identity Manager Server as an orphan account
that can be manually assigned to a user by an Identity
Manager Server administrator.
Modified accounts on the managed resource will be
updated in the Identity Manager Server repository.
Removed accounts on the managed resource are also
removed from Identity Manager Server.
9. Reconciliation Modes
Some products offer the following reconciliation types:
Full Reconciliation
Full reconciliation recalculates the existence, ownership, and situation
for each account ID listed by the adapter. It examines each Identity
Manager user that claims the resource to recalculate ownership.
Full reconciliation is performed by default during the first
reconciliation run performed on a target system.
Full reconcile is a comprehensive evaluation of Identity Manager
users and all resource accounts, and is typically a first-time account
seeding step. It is also used to "refresh" the system after downtime.
Because it does not trust the account index, it can fix problems with both
users and the account index; it is recommended to run it weekly (or
less often) to refresh user links and the account index.
10. Reconciliation Modes…
Incremental Reconciliation
Incremental reconciliation is analogous to incremental backup: it is
faster than full reconciliation, and does most of what you need, but is
not as complete as full reconciliation.
Incremental reconciliation trusts that the information maintained in
the account index is correct. Trusting that the list of known account
IDs is correct, and that ownership of the account by any Identity
Manager owner is correctly recorded, allows incremental
reconciliation to skip or shorten several processing phases.
Incremental reconcile trusts the account index and only processes
accounts that have been added or deleted, which is why it is much faster
than a full reconcile: it processes adds and deletes only. It must
still list all accounts on the resource, which can potentially be time
consuming. It is recommended to run it daily (or hourly) to refresh the
account index.
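To make the difference between the two modes concrete, here is an added example (not code from the deck or from any vendor product): a toy reconciliation engine in which full mode recomputes ownership for every listed account while incremental mode trusts the account index and touches only adds and deletes. It also shows the orphan handling from the "What’s a Reconciliation…" slide. The repository layout, the e-mail matching rule used as the "business rule", and the sample data are assumptions.

```python
# Assumed repository layout: users, links (account -> user), orphans, account index.
def adopt(repo, acct, attrs):
    """Ownership lookup: existing link first, then the assumed business rule
    (resource e-mail equals a user's e-mail); None means orphan."""
    if acct in repo["links"]:
        return repo["links"][acct]
    email = attrs.get("email", "").lower()
    return next((u for u, d in repo["users"].items() if d["email"].lower() == email), None)

def apply(repo, acct, attrs):
    """Link the account to its owner, or hold it as an orphan for an admin."""
    owner = adopt(repo, acct, attrs)
    if owner is None:
        repo["orphans"].add(acct)
    else:
        repo["links"][acct] = owner
        repo["orphans"].discard(acct)

def remove(repo, acct):
    repo["links"].pop(acct, None); repo["orphans"].discard(acct)

def full_reconcile(repo, resource):
    """Full mode: trusts nothing; recomputes ownership of every listed account, rebuilds index."""
    for acct, attrs in resource.items():
        apply(repo, acct, attrs)
    for acct in (set(repo["links"]) | repo["orphans"]) - set(resource):
        remove(repo, acct)                 # removed on the resource -> removed in IdM
    repo["index"] = set(resource)
    return {"linked": dict(repo["links"]), "orphans": sorted(repo["orphans"])}

def incremental_reconcile(repo, resource):
    """Incremental mode: trusts the index; handles only IDs added/deleted since last run."""
    added, deleted = set(resource) - repo["index"], repo["index"] - set(resource)
    for acct in added:
        apply(repo, acct, resource[acct])
    for acct in deleted:
        remove(repo, acct)
    repo["index"] = set(resource)
    return {"added": sorted(added), "deleted": sorted(deleted)}

def demo():
    """Constructed sample: two users, one stale link, then a new unmatched account."""
    repo = {"users": {"u1": {"email": "ann@example.com"}, "u2": {"email": "bob@example.com"}},
            "links": {"ann": "u1", "old_svc": "u2"}, "orphans": set(), "index": {"ann", "old_svc"}}
    listing = {"ann": {"email": "ANN@example.com"}, "bob": {"email": "bob@example.com"},
               "svc_backup": {"email": ""}}
    full = full_reconcile(repo, listing)   # bob adopted by rule, old_svc removed, svc_backup orphan
    listing["carol"] = {"email": "carol@example.com"}
    inc = incremental_reconcile(repo, listing)   # only the add is processed
    return full, inc, repo
```

Note that the incremental run never revisits accounts already in the index, so a changed ownership on an existing account is only picked up by the next full run, which is the trade-off the slides describe.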
11. Reconciliation Modes…
Batched Reconciliation
In batched reconciliation, the total set of records to be
reconciled is divided into batches containing the number
of records that you specify as the batch size.
Limited Reconciliation
You implement this form of limited reconciliation by
creating customized queries for reconciliation.
12. Reconciliation Modes…
Periodic Reconciliation
Periodic reconciliation is reconciliation that is run at regular intervals. Typically,
periodic reconciliation is scheduled using a scheduled task.
For example, for a particular connector, you can schedule reconciliation to
run on a daily, weekly, or monthly basis.
On-Demand Reconciliation
On-demand reconciliation refers to a reconciliation run that you start
when required.
Usually an Identity Manager administrator starts the
reconciliation manually.
Real-Time Reconciliation
Real-time reconciliation involves an immediate transfer of created or
modified data from the target system to Identity Manager.
13. Best Practices
Set up reconciliation schedules appropriately based on the
frequency of data changes.
Leave enough time between two reconciliations.
Avoid unnecessary reconciliations.
Reconciliation is an expensive process, so analyze when it
needs to run before implementing it.
If you are working with a large data repository (that is, a
large number of accounts), consider using a Query to
segment the data and perform the reconciliation in smaller
chunks on different schedules.