What is Reconciliation
What is Reconciliation in Identity Management
Reconciliation is a term used in Identity Management for recognizing changes to Identity attributes and their subsequent synchronization with other user stores or an Identity Manager. Identity Manager is a product (e.g. Oracle Identity Manager, SailPoint IIQ Identity Manager) that provides full view and management of user's Life cycle, from creating an account to its final disablement or management of user account on-boarding, off-boarding or user provisioning/de-provisioning. Here User on-boarding/off-boarding is in terms of Business Processes whereas provisioning/de-provisioning is in terms of technical steps.Reconciliation or "Recon" is a generic term used for various Identity Management products, such as Oracle Identity Manager, SailPoint IIQ, IBM Security Identity Manager.
Here is how Oracle defines Reconciliation: When changes in the identities are made directly in a user store, for example an LDAP identity store, these changes must be replicated to Oracle Identity Manager through authoritative source reconciliation. The identities include users and roles. (What is authoritative source - read below)
Above definition is from Oracle Identity Manager (OIM).
Note: In SailPoint IIQ Identity Management system reconciliation is referred as Aggregation.
Here Reconciliation refers to the flow of identity information from an external LDAP/compatible identity store (such as OID, OUD, ODSEE, Active Directory), to OIM. The flow is inwards to OIM from external directory.
So if there are other Identity stores where identity attributes are added, changed, deleted, then these changes need to be recognized at the central Identity Manager where a holistic view of all identities and their attributes can be maintained and managed. Using this central Identity Manager an organization can enforce uniform set of policies, instead of managing each of the different Identity stores separately or in silos.
Below note is from Oracle (OIM integration with AD with Recon and Trusted Recon)
All components that are used by Oracle Identity Manager to communicate with a particular resource, for the purposes of performing either provisioning or reconciliation with that resource, are placed into a container. This container is known as an Oracle Identity Manager Connector. Provisioning or reconciliation occurs as a result of the components of this connector working with one another. The Active Directory connector can be used in the following ways:
- Provisioning Only: In this mode, users, organizations, groups, and group memberships are provisioned to Active Directory (or any other directory, OID, OUD etc). There is no return flow of information from Active Directory to Oracle Identity Manager. Here the flow of identity data is outwards, from OIM to AD/directory.
- Provisioning with Reconciliation: In this mode, users, organizations, groups, and group memberships are provisioned to Active Directory (or any other directory, OID, OUD etc). Reconciliation detects changes in the user’s profile in Active Directory and updates the Oracle Identity Manager AD Resource profile for the user corresponding to the AD user. To enable Oracle Identity Manager in matching the AD user to the Oracle Identity Manager user, a reconciliation rule is defined (this rule will compare and match the user's profile in AD with the user's profile in AD). If a match is found, the Oracle Identity Manager user's AD account profile is updated.
- Provisioning with Trusted Reconciliation: When the connector runs in this mode, users that exist in Active Directory but are nonexistent in Oracle Identity Manager are created as Oracle Identity Manager users. The provisioning functionality remains the same in this case. Trusted Reconciliation should be used (or enabled) if you trust the external data source or directory to be Authoritative.
Below is from Oracle docs
What is Reconciliation:
It is a process of bringing identities and accounts into OIM/Oracle Identity Manager from an external resource, such Active Directory or some User Directory
What are the 2 types of Reconciliation
Trusted (Authoritative) Reconciliation
Process of loading identities into OIM is known as Trusted or Authoritative Reconciliation. In this process we load user profiles into OIM. User gets created into OIM.
Example: User data is stored in Active Directory which is designated as Authoritative. Meaning OIM will trust all user identities which exist Active Directory- so OIM can run process to bring these identities from AD into OIM. By running trusted reconciliation against Active Directory the user will get created into OIM. If user already exists in OIM with that user id (or samAccount name in this particular case) then the user's profile will get updated with new values from Active Directory (If any changes detected in existing user's AD account).
Target (Non Authoritative) Reconciliation
Process of loading account profile into OIM is known as Target or Non Authoritative Reconciliation. Here also there are user accounts/data in Active Directory but it is not designated as an Authoritative. In this process we load user’s account profile i.e. user’s target account information. In this reconciliation only Resource profile of user is created not user profile. (In this scenario since Active Directory is not designated as an Authoritative source of User Identity; you cannot (or should not) create user accounts into OIM from AD)
Example: User data is stored in Active Directory. If we run target reconciliation against Active Directory then the user's Resource Profile will get created into OIM. Resource profile shows that User has account into Active Directory. For creation of resource profile, it is required that user must be present in OIM already. (You cannot or are not creating a user account in OIM by running this task/process)
What is Authoritative source:
If you have selected an external directory as the Trusted Source of your User Identity then it is considered to be Authoritative. So what this means is that now you can run a Trusted Recon task in OIM to bring user identities from this Authoritative source into OIM.
What is Provisioning:
Provisioning is the process of creating user accounts in the target resource from OIM or the Identity Management System. Target resource are typically User directories which are external to OIM.
Example: User already exists in OIM. We create a user account in the target resource, such as Active Directory from OIM user account.
Provisioning is of two categories - Request based Provisioning and Direct Provisioning. As per Oracle documentation In OIM there are 3 types of Provisioning available - Direct, Policy based, Request based.
In simple terms, Provisioning is a process initiated from OIM to create, modify, delete a user/role/organizational information in an external resource. In Provisioning the flow of data is from OIM towards or into external resource. The Provisioning system in OIM end includes the AD User management connector (for example) that directly communicates with AD for provisioning the user account (create/delete/modify)
What is Resource Object:
It is the logical or virtual representation of a target resource in OIM. It is called as Resource Object in OIM where a logical representation of the target resource exists..
Example: OIM may have a Resource object defined for an external target resource such as Active Directory. This Resource Object is configured with properties so that OIM can connect to the external target resource such as Active Directory
What is Role:
Oracle Identity Manager (OIM) provides easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles. Roles are designed to ease the administration of end-user system and schema object privileges. For detailed information about roles, see Chapter 12, "Managing Roles".
What is Entitlement:
Entitlement is for a user defined in OIM or Identity Management System. An Entitlement is a target account of user represented inside of OIM. Entitlement holds the multivalued attribute for a user account such as Role, Group, Responsibility etc. Entitlements can be defined and created on OIM and then provisioned to users depending upon their role in the organization.
What do you do with an Entitlement after you have defined it in OIM?
You grant an entitlement to a user so that this user upon getting his entitlement can perform a specific task on the target system. For example, an entitlement such as login account on target Server with read/write permissions. First this entitlement is created in OIM. And then a user may be granted this entitlement. Once this user gets his entitlement he will be able to login to the remote server with read/write permissions.
----------------------------------------------------------------------------------------------
Objects in OIM: Resource Object represents the an account on the target system. This account is of an OIM user which has an actual account on remote target system.
Provisioning process: actual code that runs and provisions tasks, typically calling an adapter which is the software component which makes the low level connection between OIM and remote host/target.
IT Resource is another object which requires to be populated/created in OIM which stores all the physical representation/data about the remote target such as hostname, IP address, login info (user/pass).
A scheduled task will typically reference a particular IT Resource and Resource object
----------------------------------------------------------------------------------------------
What is Reconciliation:
It is a process of bringing identities and accounts into OIM/Oracle Identity Manager from an external resource, such Active Directory or some User Directory
What are the 2 types of Reconciliation
- Trusted Reconciliation (Authoritative)
- Target Reconciliation (Non Authoritative)
Trusted (Authoritative) Reconciliation
Process of loading identities into OIM is known as Trusted or Authoritative Reconciliation. In this process we load user profiles into OIM. User gets created into OIM.
Example: User data is stored in Active Directory which is designated as Authoritative. Meaning OIM will trust all user identities which exist Active Directory- so OIM can run process to bring these identities from AD into OIM. By running trusted reconciliation against Active Directory the user will get created into OIM. If user already exists in OIM with that user id (or samAccount name in this particular case) then the user's profile will get updated with new values from Active Directory (If any changes detected in existing user's AD account).
Target (Non Authoritative) Reconciliation
Process of loading account profile into OIM is known as Target or Non Authoritative Reconciliation. Here also there are user accounts/data in Active Directory but it is not designated as an Authoritative. In this process we load user’s account profile i.e. user’s target account information. In this reconciliation only Resource profile of user is created not user profile. (In this scenario since Active Directory is not designated as an Authoritative source of User Identity; you cannot (or should not) create user accounts into OIM from AD)
Example: User data is stored in Active Directory. If we run target reconciliation against Active Directory then the user's Resource Profile will get created into OIM. Resource profile shows that User has account into Active Directory. For creation of resource profile, it is required that user must be present in OIM already. (You cannot or are not creating a user account in OIM by running this task/process)
What is Authoritative source:
If you have selected an external directory as the Trusted Source of your User Identity then it is considered to be Authoritative. So what this means is that now you can run a Trusted Recon task in OIM to bring user identities from this Authoritative source into OIM.
What is Provisioning:
Provisioning is the process of creating user accounts in the target resource from OIM or the Identity Management System. Target resource are typically User directories which are external to OIM.
Example: User already exists in OIM. We create a user account in the target resource, such as Active Directory from OIM user account.
Provisioning is of two categories - Request based Provisioning and Direct Provisioning. As per Oracle documentation In OIM there are 3 types of Provisioning available - Direct, Policy based, Request based.
In simple terms, Provisioning is a process initiated from OIM to create, modify, delete a user/role/organizational information in an external resource. In Provisioning the flow of data is from OIM towards or into external resource. The Provisioning system in OIM end includes the AD User management connector (for example) that directly communicates with AD for provisioning the user account (create/delete/modify)
What is Resource Object:
It is the logical or virtual representation of a target resource in OIM. It is called as Resource Object in OIM where a logical representation of the target resource exists..
Example: OIM may have a Resource object defined for an external target resource such as Active Directory. This Resource Object is configured with properties so that OIM can connect to the external target resource such as Active Directory
What is Role:
Oracle Identity Manager (OIM) provides easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles. Roles are designed to ease the administration of end-user system and schema object privileges. For detailed information about roles, see Chapter 12, "Managing Roles".
What is Entitlement:
Entitlement is for a user defined in OIM or Identity Management System. An Entitlement is a target account of user represented inside of OIM. Entitlement holds the multivalued attribute for a user account such as Role, Group, Responsibility etc. Entitlements can be defined and created on OIM and then provisioned to users depending upon their role in the organization.
What do you do with an Entitlement after you have defined it in OIM?
You grant an entitlement to a user so that this user upon getting his entitlement can perform a specific task on the target system. For example, an entitlement such as login account on target Server with read/write permissions. First this entitlement is created in OIM. And then a user may be granted this entitlement. Once this user gets his entitlement he will be able to login to the remote server with read/write permissions.
----------------------------------------------------------------------------------------------
Objects in OIM: Resource Object represents the an account on the target system. This account is of an OIM user which has an actual account on remote target system.
Provisioning process: actual code that runs and provisions tasks, typically calling an adapter which is the software component which makes the low level connection between OIM and remote host/target.
IT Resource is another object which requires to be populated/created in OIM which stores all the physical representation/data about the remote target such as hostname, IP address, login info (user/pass).
A scheduled task will typically reference a particular IT Resource and Resource object
----------------------------------------------------------------------------------------------
Hey, thanks for the blog article.Really thank you! Great.
ReplyDeleteoffice 365 online training
office 365 training
tuotruccontmo Kimberly Sammons https://wakelet.com/wake/q9vXF7Qtcj-ytflprbMDb
ReplyDeletesilangatshand
Varneolau_bu Leslie Holloway FonePaw
ReplyDeleteInternet Download Manager
ScreenHunter Pro
afininhar
Account reconciliations are likely to be performed regularly, regardless of the size of your firm. Automation solutions can help to simplify this critical procedure.
ReplyDelete