Sun Identity Manager 8.1 Business Administrator's Guide

Editing Reconciliation Policies

Procedure: To Edit a Reconciliation Policy

  1. In the Administrator interface, click Resources in the menu.

  2. Select a resource in the Resource List.

  3. In the Resource Actions list, select Edit Reconciliation Policy.

    Identity Manager displays the Edit Reconciliation Policy page, where you can make these policy selections:

    • Reconciliation Servers. In a clustered environment, each server may run reconciliation. Specify which Identity Manager server will run reconciliation against resources in the policy.

    • Reconciliation Modes. Reconciliation can be performed in different modes, which optimize different qualities:

      • Full reconciliation. Optimizes for thoroughness at a cost of speed.

      • Incremental reconciliation. Optimizes for speed at the expense of some thoroughness.

        Select the mode in which Identity Manager should run reconciliation against resources in the policy. Select Do not reconcile to disable reconciliation for targeted resources.

    • Full Reconciliation Schedule. If full mode reconciliation is enabled, it is performed automatically on a fixed schedule. Specify how frequently full reconciliation should be run against resources in the policy.

      • Select the Inherit default policy option to inherit the indicated schedule from a higher-level policy.

      • Clear the Inherit default policy option to specify a schedule. Use the fields provided to establish a recurring schedule, or, to create a custom adjustment to the reconciliation schedule, use a Task Schedule Repetition rule. For information on creating a Task Schedule Repetition rule, see Using Task Schedule Repetition Rules.

    • Incremental Reconciliation Schedule. If incremental mode reconciliation is enabled, it is performed automatically on a fixed schedule.

      • Select the Inherit default policy option to inherit the schedule from a higher-level policy.

      • Clear the Inherit default policy option to specify a schedule. Use the fields provided to establish a recurring schedule, or, to create a custom adjustment to the reconciliation schedule, use a Task Schedule Repetition rule. For information on creating a Task Schedule Repetition rule, see Using Task Schedule Repetition Rules.


      Note –

      Not all resources support incremental reconciliation.


    • Attribute-level Reconciliation. Reconciliation can be configured to detect changes made natively (that is, not made through Identity Manager) to account attributes. Specify whether reconciliation should detect native changes to the attributes specified in Reconciled Account Attributes.

    • Account Correlation Rule. An account correlation rule selects Identity Manager users that might own each unowned resource account. Given the attributes of an unowned resource account, a correlation rule returns a list of names or a list of attribute conditions that will be used to select potential owners. Select a rule to look for Identity Manager users that may own each unowned resource account.

    • Account Confirmation Rule. An account confirmation rule eliminates any non-owner from the list of potential owners that the correlation rule selects. Given the full View of an Identity Manager user and the attributes of an unowned resource account, a confirmation rule returns true if the user owns the account and false otherwise. Select a rule to test each potential owner of a resource account. If you select No Confirmation Rule, Identity Manager accepts all potential owners without confirmation.


      Note –

      In your environment, if the correlation rule will select at most one owner for each account, then you do not need a confirmation rule.


    • Proxy Administrator. Specify the administrator to use when reconciliation responses are performed. The reconciliation can perform only those actions that the designated proxy administrator is permitted to do. The response will use the user form (if needed) that is associated with this administrator.

      You can also select the No Proxy Administrator option. When selected, reconciliation results are available to view, but no response actions or workflows are run.

    • Situation Options (and Response). Reconciliation recognizes several types of situations. Situations are described below. Specify in the Response column any action reconciliation should take.

      • CONFIRMED. The expected account exists.

        To be marked as CONFIRMED, the following must be true:

        • Identity Manager expects the account to exist.

        • The account exists on the resource.

      • COLLISION. Two or more Identity Manager users are assigned the same account on a resource.

      • DELETED. The expected account does not exist.

        To be marked as DELETED, the following must be true:

        • Identity Manager expects the account to exist.

        • The account does not exist on the resource.

      • FOUND. The reconciliation process found a matching account on an assigned resource.

        To be marked as FOUND, the following must be true:

        • Identity Manager expects that the account may or may not exist. (An account may or may not exist on a resource if the resource has been assigned to the user, but has not yet been provisioned.)

        • The account exists on the resource.

      • MISSING. No matching account exists on a resource assigned to the user.

        To be marked as MISSING, the following must be true:

        • Identity Manager expects that the account may or may not exist. (An account may or may not exist on a resource if the resource has been assigned to the user, but has not yet been provisioned.)

        • The account does not exist on the resource.

      • UNASSIGNED. The reconciliation process found a matching account on a resource not assigned to the user.

        To be marked as UNASSIGNED, the following must be true:

        • Identity Manager does not expect the account to exist. (Identity Manager does not expect an account to exist if that resource is not assigned to the user.)

        • The account exists on the resource.

      • UNMATCHED. The resource account does not match any users.

      • DISPUTED. The resource account matches more than one user.

        Select from one of these response options (available options vary by situation):

        • Create new Identity Manager user based on resource account. Runs the user form on the resource account attributes to create a new user. The resource account is not updated as a result of any changes.

        • Create resource account for Identity Manager user. Recreates the missing resource account, using the user form to regenerate the resource account attributes.

        • Delete resource account and Disable resource account. Deletes or disables, respectively, the account on the resource.

        • Link resource account to Identity Manager user and Unlink resource account from Identity Manager user. Adds or removes the resource account assignment to or from the user. No form processing is performed.

        • Do nothing. Select this option if you do not want reconciliation to perform repairs.

          You can manually repair any account situation discovered by reconciliation. In the menu, click Resources -> Examine Account Index. From there you can browse the recorded situation for all accounts that have been reconciled. Right-click an account to see a list of valid repair options. See Examining the Account Index for more information.

    • Pre-reconciliation Workflow. Reconciliation can be configured to run a user-specified workflow prior to reconciling a resource. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

    • Per-account Workflow. Reconciliation can be configured to run a user-specified workflow after responding to the situation of a resource account. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

    • Post-reconciliation Workflow. Reconciliation can be configured to run a user-specified workflow after completing reconciliation for a resource. Specify the workflow that reconciliation should run. Select Do not run workflow if no workflow should be run.

    • Explain Situation. If enabled, reconciliation will record additional information explaining how it classified account situations. By default, this option is disabled. Recording explanations will cause the reconciliation process to run longer.

    • Error Limit. If enabled, reconciliation terminates automatically once the specified number of errors has occurred during processing. A value of 0 indicates that there is no limit on errors. Clear the Inherit default policy option to display the Maximum errors allowed field, then enter a value.

    • Maximum Natively Removed Accounts. This option is a safeguard that evaluates the number of missing accounts on the resource and, if a threshold is exceeded, prevents the reconciler from unlinking them.

      To enable this feature, clear the Inherit default policy checkbox and specify a percentage in the Maximum natively removed accounts allowed field. The threshold must be set to a whole percentage from 0 to 100. (0 turns this feature off.)

      If the percentage of removed accounts exceeds the threshold, reconciliation continues all processing not related to the missing accounts and completes with an error.

    Click Save to save policy changes.
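The following Python model is an added example and is not code from the Sun Identity Manager guide or product. It shows, in one place, how the policy selections above fit together: an account correlation rule that nominates potential owners, a confirmation rule that prunes them (including the note that a confirmation rule is unnecessary when correlation selects at most one owner), the classification of accounts into the situations listed under Situation Options, and the Maximum Natively Removed Accounts safeguard that stops unlink responses when the percentage of natively removed accounts exceeds the configured threshold. The users, resource account lists, attribute names and rule bodies are all constructed assumptions for illustration; Identity Manager's real rules are written against its own views and forms.

```python
# Added example; not code from the Sun Identity Manager guide or product.
# It models the reconciliation policy pieces described above: a correlation
# rule, a confirmation rule, the account situation classification, and the
# "maximum natively removed accounts" safeguard.  Users, accounts and rule
# bodies are all constructed assumptions for illustration.
from collections import Counter

# Constructed Identity Manager users: assigned resources, already-linked
# accounts (resource -> account id) and the attributes the rules look at.
USERS = {
    "jdoe":   {"assigned": {"ldap", "ad"}, "linked": {"ldap": "jdoe"},
               "attrs": {"email": "jdoe@example.com", "empno": "100"}},
    "jdoe2":  {"assigned": {"ldap"}, "linked": {"ldap": "jdoe"},       # linked to the same account as jdoe
               "attrs": {"email": "jdoe2@example.com", "empno": "101"}},
    "asmith": {"assigned": {"ldap"}, "linked": {"ldap": "asmith"},
               "attrs": {"email": "asmith@example.com", "empno": "200"}},
    "bsmith": {"assigned": {"ad"}, "linked": {},
               "attrs": {"email": "asmith@example.com", "empno": "300"}},  # shares asmith's mailbox
    "clee":   {"assigned": {"ldap"}, "linked": {},
               "attrs": {"email": "clee@example.com", "empno": "400"}},
}

# Constructed account lists as reconciliation would read them off each resource.
# asmith's ldap account was removed natively and clee was never provisioned.
RESOURCES = {
    "ldap": {"jdoe": {"mail": "jdoe@example.com", "empno": "100"}},
    "ad": {
        "jdoe":       {"mail": "jdoe@example.com",   "empno": "100"},
        "smith":      {"mail": "asmith@example.com", "empno": "300"},  # bsmith's, by employee number
        "asmith-adm": {"mail": "asmith@example.com", "empno": "200"},  # asmith's, but ad is not assigned
        "svc-backup": {"mail": "",                   "empno": ""},     # nobody's
    },
}

def correlation_rule(account_attrs):
    """Assumed rule: potential owners are users whose e-mail equals the account's mail."""
    mail = account_attrs.get("mail")
    return [name for name, u in USERS.items() if mail and u["attrs"]["email"] == mail]

def confirmation_rule(user, account_attrs):
    """Assumed rule: a potential owner is confirmed only if the employee numbers agree."""
    return user["attrs"]["empno"] == account_attrs.get("empno")

def classify(users, resources, use_confirmation=True):
    """Return a sorted list of (resource, subject, SITUATION) tuples; the subject is
    the user for CONFIRMED/DELETED/MISSING and the account id otherwise."""
    out = []
    linked_by = Counter()   # (resource, account) -> number of users linked to it
    for name, u in users.items():
        for res, acct in u["linked"].items():
            linked_by[(res, acct)] += 1
            out.append((res, name, "CONFIRMED" if acct in resources.get(res, {}) else "DELETED"))
    out += [(res, acct, "COLLISION") for (res, acct), n in linked_by.items() if n > 1]

    found = set()           # (resource, user) pairs satisfied by an unlinked account
    for res, accounts in resources.items():
        for acct, attrs in accounts.items():
            if (res, acct) in linked_by:
                continue    # expected account, already classified above
            owners = correlation_rule(attrs)
            if use_confirmation:
                owners = [n for n in owners if confirmation_rule(users[n], attrs)]
            if not owners:
                out.append((res, acct, "UNMATCHED"))
            elif len(owners) > 1:
                out.append((res, acct, "DISPUTED"))
            elif res in users[owners[0]]["assigned"]:
                out.append((res, acct, "FOUND"))
                found.add((res, owners[0]))
            else:
                out.append((res, acct, "UNASSIGNED"))

    for name, u in users.items():   # assigned, never linked, nothing found on the resource
        for res in u["assigned"] - set(u["linked"]):
            if (res, name) not in found:
                out.append((res, name, "MISSING"))
    return sorted(out)

def natively_removed_check(situations, threshold_pct):
    """Safeguard: percentage of expected accounts that are now missing, and whether
    unlink responses may run.  A threshold of 0 turns the check off."""
    expected = sum(1 for _, _, s in situations if s in ("CONFIRMED", "DELETED"))
    deleted = sum(1 for _, _, s in situations if s == "DELETED")
    pct = 100.0 * deleted / expected if expected else 0.0
    return pct, threshold_pct == 0 or pct <= threshold_pct

if __name__ == "__main__":
    situations = classify(USERS, RESOURCES)
    for row in situations:
        print(*row)
    print(natively_removed_check(situations, 25))
```

Running `classify(USERS, RESOURCES, use_confirmation=False)` turns the two `asmith@example.com` accounts on `ad` into DISPUTED, because correlation alone nominates both users; with the confirmation rule enabled each account resolves to a single owner, one FOUND and one UNASSIGNED. With one of three expected accounts gone, the safeguard reports about 33 percent removed, which a threshold of 25 blocks and a threshold of 0 (off) or 50 allows.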