Select accounts to exclude from reconciliations

Learn how to exclude selected accounts from reconciliations.

To select accounts to exclude from reconciliations, do the following steps:
  1. Create an LDIF file and specify the accounts to exclude from reconciliation and the services on which these accounts exist.
  2. Import the LDIF file to the LDAP Directory Server.

Exclude accounts from reconciliation

During reconciliations, all accounts are returned from the managed resource, unless otherwise specified by a query. An account is automatically adopted if it is owned by a recognized user in the system or if an alias exists for the account.

However, the Verify Identity Governance Server can be configured to prevent automatic adoption of specified accounts. This feature can be used to prevent system accounts on UNIX resources, such as root, lp, sys, and similar accounts, from being adopted automatically. This precaution prevents users from accidentally or maliciously adopting and modifying sensitive accounts.

Although these accounts are not automatically adopted, they can still be manually adopted by an administrative user.

The accounts to exclude from reconciliations are specified in an LDIF file. The following excerpt is an example of entries in an LDIF file:

dn: ou=excludeAccounts, ou=itim, <TENANT_DN>
ou: excludeAccounts
objectClass: top
objectClass: organizationalunit

dn: cn=SolarisProfile, ou=excludeAccounts, ou=itim, <TENANT_DN>
erObjectProfileName: SolarisProfile
objectClass: top
objectClass: eridentityexclusion
cn: SolarisProfile
erAccountID: root
erAccountID: admin

The cn and erObjectProfileName attributes both hold the name of the service profile. Excluded accounts are defined by the erAccountID attribute, one value per account. The example excludes the root and admin accounts from automatically being adopted when a reconciliation is run on a Solaris service.
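The following is an added example, not code from the product documentation or from Verify Identity Governance itself. It renders an exclusion LDIF of the shape shown above from a mapping of service profile names to account IDs (step 1 of the procedure), then parses such a file back and validates it: every eridentityexclusion entry must carry matching cn and erObjectProfileName values, and duplicate erAccountID values are dropped because a directory server rejects duplicate attribute values on import. The placeholder tenant suffix dc=example,dc=com stands in for <TENANT_DN>; treating the erAccountID match against a reconciled account name as an exact, case-sensitive comparison is an assumption of this example, not documented product behaviour.

```python
"""Build and validate an exclusion LDIF for reconciliation (added example)."""
from typing import Dict, Iterable, List, Set

# Placeholder for the real tenant suffix (<TENANT_DN> on the page); constructed value.
TENANT_DN = "dc=example,dc=com"

# The page's excerpt with the placeholder suffix filled in; constructed sample input.
PAGE_EXAMPLE_LDIF = f"""dn: ou=excludeAccounts, ou=itim, {TENANT_DN}
ou: excludeAccounts
objectClass: top
objectClass: organizationalunit

dn: cn=SolarisProfile, ou=excludeAccounts, ou=itim, {TENANT_DN}
erObjectProfileName: SolarisProfile
objectClass: top
objectClass: eridentityexclusion
cn: SolarisProfile
erAccountID: root
erAccountID: admin
"""


def build_exclusion_ldif(exclusions: Dict[str, Iterable[str]], tenant_dn: str = TENANT_DN) -> str:
    """Render the excludeAccounts container plus one eridentityexclusion entry per profile."""
    base = f"ou=excludeAccounts,ou=itim,{tenant_dn}"
    lines: List[str] = [
        f"dn: {base}",
        "ou: excludeAccounts",
        "objectClass: top",
        "objectClass: organizationalunit",
        "",
    ]
    for profile, accounts in exclusions.items():
        lines += [
            f"dn: cn={profile},{base}",
            f"erObjectProfileName: {profile}",
            "objectClass: top",
            "objectClass: eridentityexclusion",
            f"cn: {profile}",
        ]
        seen: Set[str] = set()  # drop repeated account IDs, keeping first-seen order
        for acct in accounts:
            if acct not in seen:
                seen.add(acct)
                lines.append(f"erAccountID: {acct}")
        lines.append("")
    return "\n".join(lines)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines (leading space) and '#' comments. Base64 ('::') values
    are not needed for these entries and are not handled."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def load_exclusions(text: str) -> Dict[str, Set[str]]:
    """Return {service profile name: excluded account IDs}, validating each exclusion entry."""
    result: Dict[str, Set[str]] = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "eridentityexclusion" not in classes:
            continue  # the container entry or something unrelated
        cn = entry.get("cn", [None])[0]
        profile = entry.get("erObjectProfileName", [None])[0]
        if cn is None or profile is None or cn != profile:
            raise ValueError(f"cn and erObjectProfileName must match in entry {entry.get('dn')}")
        result[profile] = set(entry.get("erAccountID", []))
    return result


def is_excluded(exclusions: Dict[str, Set[str]], profile: str, account_id: str) -> bool:
    """True if the account must not be auto-adopted (assumes an exact, case-sensitive match)."""
    return account_id in exclusions.get(profile, set())


if __name__ == "__main__":
    ldif = build_exclusion_ldif({"SolarisProfile": ["root", "admin", "root"]})
    print(ldif)
    print(load_exclusions(ldif))
```

The rendered text is what step 2 of the procedure imports into the directory server; running load_exclusions over a hand-written file before importing it catches a cn/erObjectProfileName mismatch that would otherwise silently exclude nothing for that service.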