Reconciliation properties

Reconciliation properties configure the values that affect the reconciliation process, in which data retrieved from agents is synchronized into the IBM Verify Identity Governance database.

Reconciliation configuration
enrole.reconciliation.accountcachesize

Do not change this property key and value unless you are a qualified administrator.

Specifies the maximum size of the existing-accounts cache that is used for the reconciliation process. Setting a value larger than the default might cause processing of reconciliations to fail.

Example (default):

enrole.reconciliation.accountcachesize=2000

enrole.reconciliation.threadcount

Do not change this property key and value unless you are a qualified administrator.

Specifies the number of threads that are used to handle reconciled entries. This number of threads is created for each reconciliation process.

Example (default):

enrole.reconciliation.threadcount=8

enrole.reconciliation.failurethreshold

Do not change this property key and value unless you are a qualified administrator.

Specifies the maximum number of local accounts to delete at the end of reconciliation. If the value is exceeded, then no local account or supporting data entries are deleted. If the value is followed by a percent sign (%), it specifies the maximum as a percentage of the total of local accounts at reconciliation start plus the new accounts returned by reconciliation. A value of 100% specifies that there is no limit.

Tip: In IBM Security Verify Governance Version 10.0.1 Fix Pack 2 and later versions, this setting can also be used for preventing mass deletion of groups and other supporting data from the reconciliation. This helps to prevent accidental removal of groups due to user errors, especially when those groups have accesses defined on them.

Example (default, commented out):

#enrole.reconciliation.failurethreshold=100%

Note the following scenarios for deletion of local data (accounts, groups and supporting data):
  • If the reconciliation failure threshold is exceeded for accounts, then the local accounts, groups, and supporting data are not deleted.
  • If the reconciliation failure threshold is exceeded for groups, then the local groups and supporting data are not deleted.
    However, if there are accounts to delete and the threshold is not exceeded for accounts, then the local accounts are deleted.
  • If the reconciliation failure threshold is exceeded for supporting data, then the supporting data is not deleted.
    However, if there are accounts and groups to delete and the threshold is not exceeded for accounts and groups, then the local accounts and groups are deleted.

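The threshold check and the deletion scenarios listed above, modeled as an added Python example; it is not IBM's code. The function names are hypothetical, and measuring groups and supporting data against their own totals is an assumption, because the page defines the percentage base only for accounts.

```python
from decimal import Decimal

def parse_threshold(raw):
    """Split a failurethreshold value such as '500' or '20%' into (limit, is_percent)."""
    raw = raw.strip()
    if raw.endswith("%"):
        return Decimal(raw[:-1].strip()), True
    return Decimal(raw), False

def exceeded(raw, deletes, base):
    """True when the pending deletions exceed the threshold.

    base = local entries at reconciliation start + new entries returned.
    """
    limit, is_percent = parse_threshold(raw)
    if is_percent:
        # Compare deletes/base against limit/100 without dividing.
        return deletes * 100 > limit * base
    return deletes > limit

def deletion_plan(raw, pending):
    """pending maps category -> (deletes, base); returns category -> deleted?

    Follows the scenarios on the page: an exceeded account threshold blocks
    everything, an exceeded group threshold blocks groups and supporting data,
    an exceeded supporting-data threshold blocks only supporting data.
    """
    over = {cat: exceeded(raw, d, b) for cat, (d, b) in pending.items()}
    accounts = not over["accounts"]
    groups = accounts and not over["groups"]
    supporting = groups and not over["supporting"]
    return {"accounts": accounts, "groups": groups, "supporting": supporting}

if __name__ == "__main__":
    # Constructed sample: 1000 local accounts + 50 new, 30 to delete;
    # 40 groups in total, 12 to delete; 20 supporting entries, 1 to delete.
    sample = {"accounts": (30, 1050), "groups": (12, 40), "supporting": (1, 20)}
    for value in ("10%", "100%", "25"):
        print(value, deletion_plan(value, sample))
```

With the constructed sample, a value of 10% lets the 30 account deletions proceed but holds back the groups and supporting data, because 12 of 40 groups is above the limit.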
enrole.reconciliation.logTimeInterval

Do not change this property key and value unless you are a qualified administrator.

Specifies the time interval in seconds for reconciliation progress trace log messages. A value of zero disables this time interval.

Example (default, commented out):

#enrole.reconciliation.logTimeInterval=600

enrole.reconciliation.logEveryNResults

Do not change this property key and value unless you are a qualified administrator.

Specifies the count for reconciliation progress trace log messages. A value of zero disables this count.

Example (default, commented out):

#enrole.reconciliation.logEveryNResults=5000