Management of reconciliation schedules

Reconciliation is the process of synchronizing accounts and supporting data from a managed resource into the IBM® Security Identity Manager Server central data repository. Reconciliation is required whenever accounts and supporting data can be changed directly on the managed resource, so that the IBM Security Identity Manager Server data stays consistent and up-to-date with the remote resource.

During the reconciliation process, new accounts created on the managed resource are created in the IBM Security Identity Manager Server repository and assigned to a user based on the adoption policy that applies to the service. If no user matches the account, the account is displayed in IBM Security Identity Manager Server as an orphan account that an IBM Security Identity Manager Server administrator can manually assign to a user. Accounts modified on the managed resource are updated in the IBM Security Identity Manager Server repository. Accounts removed from the managed resource are also removed from IBM Security Identity Manager Server.

You can manage schedules for reconciliation, or initiate a reconciliation activity immediately. To determine ownership, reconciliation compares account information with the user data already stored on the IBM Security Identity Manager Server: it first looks for an existing ownership relationship within the IBM Security Identity Manager Server and, if none exists, applies the adoption rules configured for the reconciliation.

If there is a match of user login IDs to an account, the IBM Security Identity Manager Server creates the ownership relationship between the account and the person. The IBM Security Identity Manager Server also verifies that the accounts fit within the constraints of a defined policy. If there is not a match, the IBM Security Identity Manager Server lists the unmatched accounts as orphaned accounts.

You run reconciliation to perform the following tasks:
  • Load accounts and account supporting data information, including groups, into IBM Security Identity Manager

    Promptly after IBM Security Identity Manager is installed, you should submit reconciliation requests for all resources whose accounts are managed by IBM Security Identity Manager. Reconciliation inserts accounts from the managed resources into the IBM Security Identity Manager directory.

  • Monitor accesses granted outside of IBM Security Identity Manager

    During reconciliation, records of all accesses granted outside of IBM Security Identity Manager are inserted into the IBM Security Identity Manager directory. You can view these records by user after your data is reconciled.

    Reconciliation also lets you enable policy checking. If you do, reconcile your data on a scheduled basis to support your organization's ongoing security audits.

Managed service accounts can be excluded from reconciliation on the IBM Security Identity Manager Server and, for some adapters, on the managed service itself. If you filter accounts at the adapter but do not apply the same filter when you define your server-side scheduled or immediate reconciliations, the server treats the reconciliation as a "full" reconciliation of all accounts and removes from its directory any account it does not receive, because from the server's perspective those accounts appear to have been removed from the managed resource.
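The following model of one reconciliation pass is an added illustration, not IBM code: it applies the ownership logic described above (keep existing ownership, otherwise apply an adoption rule, otherwise mark the account as an orphan) and then shows how an adapter-side filter that is not mirrored on the server side causes in-scope accounts that were never returned to be removed. The classes, function names and sample accounts are invented for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Account:
    login: str
    owner: Optional[str] = None      # user ID of the owning person; None = orphan

@dataclass
class Directory:
    users: set[str]                  # people known to the server
    accounts: dict[str, Account] = field(default_factory=dict)  # login -> Account

def reconcile(directory: Directory, feed: list[str],
              adoption_rule: Callable[[str], str],
              server_filter: Optional[Callable[[str], bool]] = None):
    """One pass over the logins the adapter returned (hypothetical model).
    server_filter is the server-side scope; None means a full reconciliation.
    Returns (adopted, orphans, removed) login lists."""
    in_scope = server_filter or (lambda login: True)
    adopted, orphans = [], []
    for login in feed:
        acct = directory.accounts.setdefault(login, Account(login))
        if acct.owner is None:                   # existing ownership wins
            candidate = adoption_rule(login)     # otherwise apply adoption rule
            if candidate in directory.users:
                acct.owner = candidate
                adopted.append(login)
            else:
                orphans.append(login)            # no match: orphan account
    # In-scope accounts the adapter did not return look deleted on the resource
    seen = set(feed)
    removed = [l for l in directory.accounts if in_scope(l) and l not in seen]
    for login in removed:
        del directory.accounts[login]
    return adopted, orphans, removed

def demo(server_filter=None):
    """Constructed data: the adapter is configured to skip svc_* accounts."""
    directory = Directory(users={"alice", "bob", "carol"},
                          accounts={"alice": Account("alice", "alice"),
                                    "bob": Account("bob", "bob"),
                                    "svc_backup": Account("svc_backup", "bob")})
    resource_accounts = ["alice", "bob", "carol", "sqladmin", "svc_backup"]
    adapter_feed = [l for l in resource_accounts if not l.startswith("svc_")]
    result = reconcile(directory, adapter_feed, lambda login: login, server_filter)
    return result, sorted(directory.accounts)

if __name__ == "__main__":
    print("no server filter:", demo())                                    # svc_backup removed
    print("matching filter: ", demo(lambda l: not l.startswith("svc_")))  # svc_backup kept
```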

Consider the following best practices for using reconciliation:
  • Perform supporting data reconciliation separately from accounts. The separation is useful during initial deployment of the service, and it also lets you synchronize changes to metadata without reconciling accounts, which is very time-consuming. Supporting data includes group configuration information, which contains key information about access privileges on the resource. Bringing back the group data ahead of time allows policies to be configured before accounts are reconciled, so that the policies can be enforced.
  • Set up reconciliation schedules appropriately based on the frequency of data changes. Leave enough time between two reconciliations. Avoid unnecessary reconciliations.
  • Use queries to break reconciliation into smaller packets, and reconcile only the data that has changed. Reconciliation is an expensive process, especially when policy checking is enabled.
  • If you are working with a large data repository (that is, a large number of accounts), consider using Query to segment the data and perform the reconciliation in smaller chunks on different schedules.
  • Specify a subset of account attributes to bring back to improve performance.

Overview of the reconciliation process

The following illustration is an overview of the reconciliation process. In this example, IBM Security Identity Manager reconciles Windows Server data.

Reconciliation overview

The numbered steps in the table below correspond to the illustration.

Step Description
1 An administrator submits a reconciliation request to a system whose security is managed by IBM Security Identity Manager.
2 The IBM Security Identity Manager Server sends the reconciliation request to the selected service.
3 The service collects information from the system and sends the information to the IBM Security Identity Manager Server.
4 The IBM Security Identity Manager Server reads the information and reconciles the IBM Security Identity Manager directory with account information from the service.
5 The IBM Security Identity Manager Server attempts to find the account owner.
6 If an owner is found, the changes to the account are evaluated against a provisioning policy.
7 The account is modified according to configured policy enforcement options.