Sun Identity Manager 8.1 Business Administrator's Guide

Account Reconciliation

Use the reconciliation feature to periodically compare resource accounts in Identity Manager with the accounts actually present on the resources. Reconciliation correlates account data and highlights differences.

Note –

The pages in this section focus on how to perform reconciliation tasks using the Administrator interface. To learn about reconciliation in depth, see Chapter 4, Data Loading and Synchronization, in Sun Identity Manager Deployment Guide.

Reconciliation in a Nutshell

Because reconciliation is designed for ongoing comparison, it has the following characteristics:

You can also configure reconciliation to launch an arbitrary workflow at each of the following points in processing a resource: before reconciling the resource, after responding to the situation of each resource account, and after completing reconciliation for the resource (see Pre-reconciliation Workflow, Per-account Workflow, and Post-reconciliation Workflow under Editing Reconciliation Policies).

Access Identity Manager reconciliation features from the Resources area. The Resources list shows when each resource was last reconciled and its current reconciliation status.

Note –

Reconciliation is carried out by Identity Manager’s reconciler component. For information about reconciler configuration settings, see .

About Reconciliation Policies

Reconciliation policies allow you to establish a set of responses, by resource, for each reconciliation task. Within a policy, you select the server to run reconciliation, determine how often and when reconciliation takes place, and set responses to each situation encountered during reconciliation. You can also configure reconciliation to detect changes made natively (not made through Identity Manager) to account attributes.

Editing Reconciliation Policies

To Edit a Reconciliation Policy

  1. In the Administrator interface, click Resources in the menu.

  2. Select a resource in the Resource List.

  3. In the Resource Actions list, select Edit Reconciliation Policy.

    Identity Manager displays the Edit Reconciliation Policy page, where you can make these policy selections:

    • Reconciliation Servers. In a clustered environment, each server may run reconciliation. Specify which Identity Manager server will run reconciliation against resources in the policy.

    • Reconciliation Modes. Reconciliation can be performed in different modes, which optimize different qualities:

      • Full reconciliation. Optimizes for thoroughness at a cost of speed.

      • Incremental reconciliation. Optimizes for speed at the expense of some thoroughness.

      Select the mode in which Identity Manager should run reconciliation against resources in the policy. Select Do not reconcile to disable reconciliation for targeted resources.

    • Full Reconciliation Schedule. If full mode reconciliation is enabled, it is performed automatically on a fixed schedule. Specify how frequently full reconciliation should be run against resources in the policy.

      • Select the Inherit default policy option to inherit the indicated schedule from a higher-level policy.

      • Clear the Inherit default policy option to specify a schedule. Use the fields provided to establish a recurring schedule, or, to create a custom adjustment to the reconciliation schedule, use a Task Schedule Repetition rule. For information on creating a Task Schedule Repetition rule, see Using Task Schedule Repetition Rules.

    • Incremental Reconciliation Schedule. If incremental mode reconciliation is enabled, it is performed automatically on a fixed schedule.

      • Select the Inherit default policy option to inherit the schedule from a higher-level policy.

      • Clear the Inherit default policy option to specify a schedule. Use the fields provided to establish a recurring schedule, or, to create a custom adjustment to the reconciliation schedule, use a Task Schedule Repetition rule. For information on creating a Task Schedule Repetition rule, see Using Task Schedule Repetition Rules.

      Note –

      Not all resources support incremental reconciliation.

    • Attribute-level Reconciliation. Reconciliation can be configured to detect changes made natively (that is, not made through Identity Manager) to account attributes. Specify whether reconciliation should detect native changes to the attributes specified in Reconciled Account Attributes.

    • Account Correlation Rule. An account correlation rule selects Identity Manager users that might own each unowned resource account. Given the attributes of an unowned resource account, a correlation rule returns a list of names or a list of attribute conditions that will be used to select potential owners. Select a rule to look for Identity Manager users that may own each unowned resource account.

    • Account Confirmation Rule. An account confirmation rule eliminates any non-owner from the list of potential owners that the correlation rule selects. Given the full View of an Identity Manager user and the attributes of an unowned resource account, a confirmation rule returns true if the user owns the account and false otherwise. Select a rule to test each potential owner of a resource account. If you select No Confirmation Rule, Identity Manager accepts all potential owners without confirmation.

      Note –

      In your environment, if the correlation rule will select at most one owner for each account, then you do not need a confirmation rule.

    • Proxy Administrator. Specify the administrator to use when reconciliation responses are performed. The reconciliation can perform only those actions that the designated proxy administrator is permitted to do. The response will use the user form (if needed) that is associated with this administrator.

      You can also select the No Proxy Administrator option. When selected, reconciliation results are available to view, but no response actions or workflows are run.

    • Situation Options (and Response). Reconciliation recognizes several types of situations. Situations are described below. Specify in the Response column any action reconciliation should take.

      • CONFIRMED. The expected account exists.

        To be marked as CONFIRMED, the following must be true:

        • Identity Manager expects the account to exist.

        • The account exists on the resource.

      • COLLISION. Two or more Identity Manager users are assigned the same account on a resource.

      • DELETED. The expected account does not exist.

        To be marked as DELETED, the following must be true:

        • Identity Manager expects the account to exist.

        • The account does not exist on the resource.

      • FOUND. The reconciliation process found a matching account on an assigned resource.

        To be marked as FOUND, the following must be true:

        • Identity Manager expects that the account may or may not exist. (An account may or may not exist on a resource if the resource has been assigned to the user, but has not yet been provisioned.)

        • The account exists on the resource.

      • MISSING. No matching account exists on a resource assigned to the user.

        To be marked as MISSING, the following must be true:

        • Identity Manager expects that the account may or may not exist. (An account may or may not exist on a resource if the resource has been assigned to the user, but has not yet been provisioned.)

        • The account does not exist on the resource.

      • UNASSIGNED. The reconciliation process found a matching account on a resource not assigned to the user.

        To be marked as UNASSIGNED, the following must be true:

        • Identity Manager does not expect the account to exist. (Identity Manager does not expect an account to exist if that resource is not assigned to the user.)

        • The account exists on the resource.

      • UNMATCHED. The resource account does not match any users.

      • DISPUTED. The resource account matches more than one user.

        Select from one of these response options (available options vary by situation):

        • Create new Identity Manager user based on resource account. Runs the user form on the resource account attributes to create a new user. The resource account is not updated as a result of any changes.

        • Create resource account for Identity Manager user. Recreates the missing resource account, using the user form to regenerate the resource account attributes.

        • Delete resource account and Disable resource account. Deletes/disables the account on the resource.

        • Link resource account to Identity Manager user and Unlink resource account from Identity Manager user. Adds or removes the resource account assignment to or from the user. No form processing is performed.

        • Do nothing. Select this option if you do not want reconciliation to perform repairs.

          You can manually repair any account situation discovered by reconciliation. In the menu click Resources -> Examine Account Index. From there you can browse the recorded situation for all accounts which have been reconciled. Right-click on an account and you will see a list of valid repair options. See Examining the Account Index for more information.

    • Pre-reconciliation Workflow. Reconciliation can be configured to run a user-specified workflow prior to reconciling a resource. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

    • Per-account Workflow. Reconciliation can be configured to run a user-specified workflow after responding to the situation of a resource account. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

    • Post-reconciliation Workflow. Reconciliation can be configured to run a user-specified workflow after completing reconciliation for a resource. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

    • Explain Situation. If enabled, reconciliation will record additional information explaining how it classified account situations. By default, this option is disabled. Recording explanations will cause the reconciliation process to run longer.

    • Error Limit. If enabled, reconciliation terminates automatically once the specified number of errors has occurred during processing. A value of 0 indicates that there is no limit on errors. Clear the Inherit default policy option to display the Maximum errors allowed field, and then enter a value.

    • Maximum Natively Removed Accounts. This option is a safeguard that evaluates the number of missing accounts on the resource and, if a threshold is exceeded, prevents the reconciler from unlinking them.

      To enable this feature, clear the Inherit default policy checkbox and specify a percentage in the Maximum natively removed accounts allowed field. The threshold must be set to a whole percentage from 0 to 100. (0 turns this feature off.)

      If the percentage of removed accounts exceeds the threshold, reconciliation continues all processing not related to the missing accounts and completes with an error.

    Click Save to save policy changes.
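As an added illustration (not Identity Manager code), the following JavaScript models how the situations listed under Situation Options are assigned for one resource. All inputs are constructed: per-user expectations for resource "hr", a listing of the accounts actually present on it, and a stand-in correlation rule that proposes the user whose name matches the account name (and two candidates for one deliberately ambiguous account).

```javascript
// Added example (not Identity Manager code): a model of how the situations
// listed under Situation Options are assigned for one resource, "hr".
// All inputs are constructed.

// What Identity Manager expects per user on resource "hr":
//   assigned - the resource is assigned to the user
//   account  - the account Identity Manager provisioned (null = not yet provisioned)
var users = {
  alice: { hr: { assigned: true,  account: "alice" } },
  bob:   { hr: { assigned: true,  account: "bob" } },
  carol: { hr: { assigned: true,  account: null } },
  dave:  { hr: { assigned: true,  account: null } },
  erin:  { hr: { assigned: false, account: null } },
  frank: { hr: { assigned: true,  account: "shared" } },
  grace: { hr: { assigned: true,  account: "shared" } }
};
// Constructed listing of the accounts actually present on the resource.
var hrListing = ["alice", "carol", "erin", "shared", "svc-backup", "ambig"];

// Stand-in correlation rule: candidate owners of an account nobody is linked to.
function correlate(accountName) {
  if (accountName === "ambig") return ["alice", "bob"];
  return users.hasOwnProperty(accountName) ? [accountName] : [];
}

function reconcile(resource, listing, correlateRule) {
  var byAccount = {}, byUser = {}, matched = {}, present = {};
  listing.forEach(function (acct) {
    present[acct] = true;
    // Users Identity Manager already links to this account.
    var owners = Object.keys(users).filter(function (u) {
      return users[u][resource] && users[u][resource].account === acct;
    });
    if (owners.length > 1)   { byAccount[acct] = "COLLISION"; return; }
    if (owners.length === 1) { byAccount[acct] = "CONFIRMED"; return; }
    // Unowned account: ask the correlation rule for potential owners.
    var cands = correlateRule(acct);
    if (cands.length === 0) { byAccount[acct] = "UNMATCHED"; return; }
    if (cands.length > 1)   { byAccount[acct] = "DISPUTED"; return; }
    var exp = users[cands[0]][resource];
    if (exp && exp.assigned) { byAccount[acct] = "FOUND"; matched[cands[0]] = true; }
    else { byAccount[acct] = "UNASSIGNED"; }
  });
  // Users whose expectation no listed account satisfied.
  Object.keys(users).forEach(function (u) {
    var exp = users[u][resource];
    if (!exp || !exp.assigned) return;
    if (exp.account !== null) { if (!present[exp.account]) byUser[u] = "DELETED"; }
    else if (!matched[u]) { byUser[u] = "MISSING"; }
  });
  return { accounts: byAccount, users: byUser };
}

var result = reconcile("hr", hrListing, correlate);
```

With the data above, "shared" is a COLLISION, "svc-backup" is UNMATCHED, "ambig" is DISPUTED, bob is DELETED and dave is MISSING; the real product applies the confirmation rule to the correlation candidates before this step, which the model omits.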

Starting Reconciliation

This section describes two options for starting reconciliation tasks: running reconciliation at regular intervals according to the policy schedule, and running it immediately from the Resource Actions list.

To Run Reconciliation at Regular Intervals

  1. Open the Edit Reconciliation Policy page as described in Editing Reconciliation Policies.

  2. Specify the reconciliation schedule parameters.

    Reconciliation will run according to the parameters you set in the policy.

To Run Reconciliation Immediately

  1. In the Administrator interface, click Resources in the menu.

  2. Choose a resource in the Resource List.

  3. Choose an option from the Resource Actions list.

    The options include:

    • Full Reconcile Now

    • Incremental Reconcile Now

    Reconciliation will run according to the parameters you have set in the policy. If the policy has a regular schedule set for reconciliation, it will continue to run as specified.

To Cancel Reconciliation

  1. In the Administrator interface, click Resources in the menu.

  2. Choose the resource in the Resource List for which you want to cancel reconciliation.

  3. Locate the Resource Actions list and select Cancel Reconciliation.

Viewing Reconciliation Status

There are two main ways to view reconciliation status. To view detailed reconciliation status, open the Reconciliation Summary Results page for a specific resource. Limited reconciliation status is also available directly in the Resource List.

To View Detailed Reconciliation Status

View detailed reconciliation status using the Reconciliation Summary Results page.

  1. In the Administrator interface, click Resources in the menu.

  2. Select the resource in the Resource List for which you want to view reconciliation status.

  3. Locate the Resource Actions list and select View Reconciliation Status.

    The Reconciliation Summary Results page for the resource opens.

To View Reconciliation Status in the Resource List

You can also view Reconciliation status from the Resource List.

  1. Open the Administrator interface.

  2. Click Resources in the main menu.

    The Status column reports the following reconciliation status conditions:

    • unknown. Status is not known. Results for the latest reconciliation task are not available.

    • disabled. Reconciliation is disabled.

    • failed. The latest reconciliation failed to complete.

    • success. The latest reconciliation completed successfully.

    • completed with errors. The latest reconciliation completed, but with errors.

    Note –

    You must refresh this page to view status changes. (The information does not automatically refresh.)

Working with the Account Index

The Account Index records the last known state of each resource account known to Identity Manager. It is primarily maintained by reconciliation, but other Identity Manager functions will also update the Account Index, as needed.

Discovery tools do not update the Account Index.

To Search the Account Index

Search the account index to view the last known state of a given resource account.

  1. In the Administrator interface, click Resources in the menu.

  2. Select the resource in the Resource List for which you want to search the account index.

  3. Locate the Resource Actions list and select Search Account Index.

    The Search Account Index page opens.

  4. Select a search type, and then enter or select search attributes.

    • Resource account name. Select this option, select one of the modifiers (starts with, contains, or is), and then enter part or all of an account name.

    • Resource is one of. Select this option, and then select one or more resources from the list to find reconciled accounts that reside on the specified resources.

    • Owner. Select this option, select one of the modifiers (starts with, contains, or is), and then enter part or all of an owner name. To search for unowned accounts, search for accounts in the UNMATCHED or DISPUTED situation.

    • Situation is one of. Select this option, and then select one or more situations from the list to find reconciled accounts in the specified situations.

  5. Click Search to search for accounts according to your search parameters. To limit the results of the search, optionally specify a number in the Limit results to first field. The default limit is the first 1000 accounts found.

    Click Reset Query to clear the page and make new selections.

Examining the Account Index

It is also possible to view all Identity Manager user accounts and optionally reconcile them on a per-user basis.

To Examine the Account Index

  1. In the Administrator interface, click Resources in the menu.

  2. Click Examine Account Index in the secondary menu.

    The Examine Account Index page opens.

    The table displays all of the resource accounts that Identity Manager knows about (whether or not an Identity Manager user owns the account). This information is grouped by resource or by Identity Manager organization. To change this view, make a selection from the Change index view list.

Working with Accounts

To work with the accounts on a resource, select the Group by resource index view. Identity Manager displays folders for each type of resource. Navigate to a specific resource by expanding a folder. Click + or - next to the resource to display all resource accounts that Identity Manager knows about.

Accounts that have been added directly to the resource since the last reconciliation on that resource are not displayed.

Depending on the current situation of a given account, you may be able to perform several actions. Right-click on an account and you will see a list of valid repair options. You can also view account details or choose to reconcile that one account.

Working with Users

To work with Identity Manager users, select the Group by user index view. In this view, Identity Manager users and organizations are displayed in a hierarchy similar to the Accounts List page. To see accounts currently assigned to a user in Identity Manager, navigate to the user and click the indicator next to the user name. The user’s accounts and the current status of those accounts that Identity Manager knows about are displayed under the user name.

Depending on the current situation of a given account, you may be able to perform several actions. You can also view account details or choose to reconcile that one account.

Using Task Schedule Repetition Rules

Use Task Schedule Repetition Rules to make adjustments to a reconciliation schedule. For example, if you want to push reconciliations scheduled for Saturday to the following Monday, use a Task Schedule Repetition Rule.

Task Schedule Repetition Rules can be used to adjust schedules for both full and incremental reconciliations.

For information on how to select Task Schedule Repetition rules, see Editing Reconciliation Policies.

How Reconciliation Run Times are Scheduled

Upon completing a reconciliation job, the reconciler component checks for its next scheduled run time.

First, the reconciler looks at the default schedule to obtain its next run time. Next, the reconciler runs all applicable Task Schedule Repetition Rules to see if schedule adjustments need to be made. If an adjustment is needed, the rule schedule overrides the default schedule for that reconciliation.

Note –

Task Schedule Repetition Rules cannot overwrite the default schedule. They can only override scheduled start times on a per-job basis.

To View the Accept All Dates Sample Rule

This section describes the built-in Accept All Dates sample rule.

  1. In a text editor, open ReconRules.xml, which is located in Identity Manager’s sample directory.

  2. Search for the rule named SCHEDULING_RULE_ACCEPT_ALL_DATES.

    In order for a rule to be listed in the Task Schedule Repetition Rule drop-down menu (on the Edit Reconciliation Policy page), the rule’s subtype attribute must be set to SUBTYPE_TASKSCHEDULE_REPETITION_RULE:


    As noted previously, Task Schedule Repetition rules can modify the default reconciliation schedule.

    The variable calculatedNextDate can either accept the next date, which is calculated in the default manner, or return a different date. As it is written in the sample rule, calculatedNextDate unconditionally accepts the default date, as shown in the following excerpt:

    <RuleArgument name='calculatedNextDate'/>

    To create a custom schedule, replace the rule logic in between the <block> elements. For example, to change the reconciliation start time to 10:00 AM on Saturdays, include the following JavaScript in between the <block> elements:

    var calculatedNextDate = env.get('calculatedNextDate');
    // Test to see if this task is scheduled for a Saturday
    // (Note that 6 is used to denote Saturday in JavaScript)
    if (calculatedNextDate.getDay() == 6) {
      // If so, set the time to 10:00:00
      calculatedNextDate.setHours(10);
      calculatedNextDate.setMinutes(0);
      calculatedNextDate.setSeconds(0);
    }
    // Return the modified date
    calculatedNextDate;

    In this example, calculatedNextDate is initially set to the default scheduled time. If the next scheduled run date is a Saturday, then the rule schedules reconciliation to start at 10:00. If the next scheduled run date is not a Saturday, the rule returns calculatedNextDate without making any time adjustments, and the default schedule is used.

    For more information about creating custom rules for use in Identity Manager, see Chapter 5, Working with Rules, in Sun Identity Manager Deployment Reference.
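As an added example (not the Identity Manager sample rule), the following JavaScript implements the adjustment described at the start of this section, pushing any run that the default schedule places on a Saturday or Sunday to the following Monday at the same time of day. It assumes the reconciler supplies the default next run time as calculatedNextDate through env.get(), as in the sample rule; the env object in the block is a constructed stand-in so the logic runs offline.

```javascript
// Added example (not the Identity Manager sample rule): a Task Schedule
// Repetition rule body that moves weekend runs to the following Monday,
// keeping the scheduled time of day.

function pushWeekendToMonday(calculatedNextDate) {
  // Work on a copy so the Date object handed in by the reconciler is left untouched.
  var adjusted = new Date(calculatedNextDate.getTime());
  var dayOfWeek = adjusted.getDay();           // 0 = Sunday ... 6 = Saturday
  if (dayOfWeek === 6) {
    adjusted.setDate(adjusted.getDate() + 2);  // Saturday -> Monday
  } else if (dayOfWeek === 0) {
    adjusted.setDate(adjusted.getDate() + 1);  // Sunday -> Monday
  }
  return adjusted;
}

// Constructed stand-in for the rule environment: the reconciler populates
// 'calculatedNextDate' with the default next run time. Here that is
// Saturday 6 June 2009 at 02:30 local time.
var env = {
  vars: { calculatedNextDate: new Date(2009, 5, 6, 2, 30, 0) },
  get: function (name) { return this.vars[name]; }
};

// Rule body as it would run in the reconciler: fetch the default date, adjust it.
var calculatedNextDate = env.get('calculatedNextDate');
var nextRun = pushWeekendToMonday(calculatedNextDate);   // Monday 8 June 2009, 02:30
```

Inside a real rule the adjusted date, rather than the variable assignment, would be the rule's final expression, as in the sample rule above.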