IDM Reconciliation

Identity management solutions require specific skills to deploy successfully. This presentation will help you start building some of them.

  1. Allidm.com: Discovering Identity and Access Management Solutions. Identity and Access Management Introduction. http://academy.allidm.com
  2. Stay connected to Allidm. Find us on Facebook: http://www.facebook.com/allidm. Follow us on Twitter: http://twitter.com/aidy_idm. Look for us on LinkedIn: http://www.linkedin.com/allidm. Visit our blog: http://www.allidm.com/blog
  3. Disclaimer and Acknowledgments: The contents here were created as a personal endeavor and thus do not reflect any official stance of any Identity and Access Management vendor on any particular technology.
  4. Contact Us: In this presentation we'll talk about some useful topics that you can use no matter which identity and access management solution or product you are working on. If you know one that makes a big difference, please tell us so we can include it in the future: aidy.allidm@gmail.com
  5. What’s a Reconciliation: Reconciliation is the process of synchronizing accounts between the managed resource and the Identity Manager Server. To determine an ownership relationship, reconciliation compares account information with existing user data stored on the Identity Manager Server by first looking for existing ownership within the Identity Manager Server and then applying the business rules configured for the reconciliation.
  6. What’s a Reconciliation…: During the reconciliation process, new accounts created on the managed resource are created in the Identity Manager Server repository and assigned to a user based on the applicable adoption policy. If there is no user match for an account, the account is displayed in Identity Manager Server as an orphan account, which an Identity Manager Server administrator can manually assign to a user. Accounts modified on the managed resource are updated in the Identity Manager Server repository. Accounts removed from the managed resource are also removed from Identity Manager Server.
  7. Reconciliation features: The reconciliation process might provide the following features: reconciliation schedule; create, update, and delete users; reconciliation reports.
  8. Reconciliation Modes: Some products offer the following reconciliation types. Full Reconciliation: Full reconciliation recalculates the existence, ownership, and situation for each account ID listed by the adapter. It examines each Identity Manager user that claims the resource to recalculate ownership. Full reconciliation is performed by default during the first reconciliation run on a target system. Full Reconcile is a comprehensive evaluation of Identity Manager users and all resource accounts, and is typically a first-time account seeding step. It is also used to "refresh" the system after downtime. Because it does not trust the account index, it can fix problems with both users and the account index. It is recommended to run it weekly (or less) to refresh user links and the account index.
  9. Reconciliation Modes…: Incremental Reconciliation: Incremental reconciliation is analogous to incremental backup: it is faster than full reconciliation and does most of what you need, but is not as complete as full reconciliation. Incremental reconciliation trusts that the information maintained in the account index is correct. Trusting that the list of known account IDs is correct, and that ownership of each account by any Identity Manager owner is correctly recorded, allows incremental reconciliation to skip or shorten several processing phases. Incremental Reconcile trusts the account index and only processes accounts that have been added or deleted, which is why it is much faster than a Full Reconcile. It must still list all accounts on the resource, which can potentially be time-consuming. It is recommended to run it daily (or hourly) to refresh the account index.
  10. Reconciliation Modes…: Batched Reconciliation: In batched reconciliation, the total set of records to be reconciled is divided into batches containing the number of records that you specify as the batch size. Limited Reconciliation: You implement this form of limited reconciliation by creating customized queries for reconciliation.
  11. Reconciliation Modes…: Periodic Reconciliation: Periodic reconciliation is reconciliation that is run at regular intervals. Typically, periodic reconciliation is scheduled using a scheduled task. For example, for a particular connector, you can schedule reconciliation to run on a daily, weekly, or monthly basis. On-Demand Reconciliation: On-demand reconciliation refers to a reconciliation run that you start when required. Usually an Identity Manager administrator starts the reconciliation manually. Real-Time Reconciliation: Real-time reconciliation involves an immediate transfer of created or modified data from the target system to Identity Manager.
  12. Best Practices: Set up reconciliation schedules appropriately based on the frequency of data changes. Leave enough time between two reconciliations. Avoid unnecessary reconciliations. Reconciliation is an expensive process, so analyze when it needs to be implemented. If you are working with a large data repository (that is, a large number of accounts), consider using a query to segment the data and perform the reconciliation in smaller chunks on different schedules.
  13. Allidm.com: Discovering Identity and Access Management Solutions. Allidm Academy: http://academy.allidm.com
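
The reconciliation flow from slides 5, 6, 8 and 9 (ownership lookup, adoption, orphan accounts, and full versus incremental mode), as an added Python example that is not part of the original presentation or any vendor's code. The email-matching adoption rule, the function names, and the sample accounts are assumptions made for illustration.

```python
import copy

def adopt(attrs, users):
    """Assumed adoption rule: the account's email equals a user's email."""
    email = attrs.get("email", "").lower()
    return next((uid for uid, u in users.items()
                 if email and u["email"].lower() == email), None)

def reconcile(users, index, resource, full=False):
    """Sync index (account_id -> {"owner", "attrs"}) with the resource's accounts.
    Incremental trusts the index (adds/removes only); full recalculates everything."""
    report = {k: [] for k in ("adopted", "orphans", "updated", "relinked", "removed")}
    for acc_id, attrs in resource.items():
        entry = index.get(acc_id)
        if entry is None:                          # new account on the resource
            owner = adopt(attrs, users)
            index[acc_id] = {"owner": owner, "attrs": dict(attrs)}
            report["adopted" if owner else "orphans"].append(acc_id)
        elif full:                                 # do not trust the index
            if entry["attrs"] != attrs:
                entry["attrs"] = dict(attrs)
                report["updated"].append(acc_id)
            # Existing ownership first, then the adoption rule.
            owner = entry["owner"] if entry["owner"] in users else adopt(attrs, users)
            if owner != entry["owner"]:
                entry["owner"] = owner
                report["relinked" if owner else "orphans"].append(acc_id)
    for acc_id in [a for a in index if a not in resource]:   # removed on the resource
        del index[acc_id]
        report["removed"].append(acc_id)
    return report

# Constructed sample data, not taken from the presentation.
USERS = {"u1": {"email": "alice@example.test"}, "u2": {"email": "bob@example.test"}}
INDEX = {
    "alice": {"owner": "u1", "attrs": {"email": "alice@example.test"}},
    "bob": {"owner": "u7", "attrs": {"email": "bob@example.test"}},    # u7 is gone
    "tmp01": {"owner": "u1", "attrs": {"email": "alice@example.test"}},
}
RESOURCE = {
    "alice": {"email": "alice@example.test", "shell": "/bin/bash"},    # modified
    "bob": {"email": "bob@example.test"},
    "svc_backup": {},                                                  # matches no user
}

def run(full):
    index = copy.deepcopy(INDEX)
    return reconcile(USERS, index, RESOURCE, full=full), index
```

`run(full=False)` flags `svc_backup` as an orphan and removes `tmp01`, but leaves `bob` linked to the nonexistent owner `u7` and `alice` with stale attributes; `run(full=True)` also relinks `bob` to `u2` and updates `alice`.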
