Friday, December 15, 2017

Reconciliation


       Reconciliation is the process of synchronizing identities and accounts with Identity Manager.

       Reconciliation is a pull mechanism while Provisioning is a push mechanism.

       Oracle Identity Manager then serves as the single, up-to-date store for all user, user group, and organization data of the target system.

       Reconciliation involves using the user discovery and account discovery features of Oracle Identity Manager. Configuring reconciliation involves selecting a combination of options from the following reconciliation parameters:

       Reconciliation Type: Trusted or Target Reconciliation

       Reconciliation Mode: Full or Incremental

       Batched or Nonbatched Reconciliation

       Limited or Regular Reconciliation

Trusted/Authoritative Reconciliation:

       The process of loading identities into IDM is known as Trusted or Authoritative Reconciliation. In this process, user profiles are loaded into IDM and the corresponding users get created in IDM.

       For example, user data is stored in Active Directory. If trusted reconciliation is run against Active Directory, the user is created in IDM. If a user with that user ID already exists in IDM, that user's profile is updated with the new values from Active Directory (if any).

The following are the steps involved in trusted recon:

       A change (create, update, or delete) is made on the target system.

       The change on the target system is detected and communicated to Oracle Identity Manager by the reconciliation APIs.

       A reconciliation event record is created for each target system record that is communicated to Oracle Identity Manager.

       Events for which matches with existing OIM Users are found are forwarded for further processing. Events for which matches cannot be found can be further processed by an administrator.

       The reconciliation engine checks if there are values in each event for the attributes that are designated as mandatory attributes in Oracle Identity Manager.

       For each event, the reconciliation rules are evaluated to find the matching OIM User for the event.

       If a match is found, then the match is added to the list of matches that have been found up to this point.

       Depending on the state (matched or unmatched) of each event, reconciliation action rules are applied to it. If the action rule specifies assignment, then the event is assigned to an administrator or administrator group. If the action rule specifies linking, then the event is forwarded for linking.

Target/Non-Authoritative/Account Reconciliation:

       The process of loading account profiles into IDM is known as Target or Non-Authoritative Reconciliation. In this process, the user's account profile, i.e. the user's target-system account information, is loaded. This reconciliation creates only the user's resource profile, not the user profile.

       Again, user data is stored in Active Directory. If target reconciliation is run against Active Directory, the user's resource profile is created in OIM. The resource profile shows that the user has an account in Active Directory. For a resource profile to be created, the user must already exist in IDM.

The following are the steps involved in target recon:

       A change (create, update, or delete) is made on the target system.

       The change on the target system is detected and communicated to Oracle Identity Manager by the reconciliation APIs.

       A reconciliation event record is created for each target system record that is communicated to Oracle Identity Manager.

       Events for which matches with existing OIM Users are found are forwarded for further processing. Events for which matches cannot be found can be further processed by an administrator.

       The reconciliation engine checks if there are values in each event for the attributes that are designated as mandatory attributes in Oracle Identity Manager.

       For each event, the process matching rules (defined by the key field for reconciliation matching) are evaluated to find the provisioned resource that matches the event.

       If a match is found, then the match is added to the list of provisioned resource matches that have been found up to this point.

       Depending on the state (matched or unmatched) of each event, reconciliation action rules are applied to it. If the action rule specifies assignment, then the event is assigned to an administrator or administrator group. If the action rule specifies linking, then the event is forwarded for linking.
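The two step lists above (trusted recon matching against OIM Users, target recon matching against provisioned resources) follow the same pipeline: create one event per record, check mandatory attributes, evaluate the matching rule, then apply the action rule for the event's state. The following is an added illustration of that pipeline in Python; it is not Oracle Identity Manager or connector code. The user and resource stores (OIM_USERS, PROVISIONED_RESOURCES), the mandatory-attribute lists, the matching rules and the action-rule tables are all constructed for this example.

```python
"""Simplified model of reconciliation event processing (added illustration,
not Oracle Identity Manager code). Stores, rules and action tables below are
constructed assumptions, chosen to mirror the steps described in the text."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of the identity store (what "OIM Users" would hold).
OIM_USERS = {
    "u100": {"User Login": "rfederer", "First Name": "Roger", "Last Name": "Federer"},
    "u101": {"User Login": "rnadal", "First Name": "Rafael", "Last Name": "Nadal"},
}

# Constructed sample of provisioned resource instances (target recon matches these).
PROVISIONED_RESOURCES = {
    "r500": {"owner": "u100", "objectGUID": "guid-aaa", "sAMAccountName": "rfederer"},
}

# Attributes the engine requires in every event (assumption, per recon type).
MANDATORY = {"trusted": ["User Login", "First Name", "Last Name"],
             "target": ["objectGUID", "sAMAccountName"]}

# Matching rules: trusted maps an event field to an OIM user field; target
# matches on the key field of the provisioned resource (both assumptions).
TRUSTED_RULE = ("User Login", "User Login")
TARGET_KEY_FIELD = "objectGUID"

# Action rules per event state (assumption: unmatched trusted events create a
# user, unmatched target events are assigned to an administrator).
TRUSTED_ACTIONS = {"matched": "link_and_update", "unmatched": "create_user"}
TARGET_ACTIONS = {"matched": "link_and_update", "unmatched": "assign_to_admin"}


@dataclass
class ReconEvent:
    kind: str                    # "trusted" or "target"
    data: dict
    status: str = "created"      # created -> invalid | matched | unmatched
    match: Optional[str] = None  # id of the matched user or resource
    action: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def create_events(kind, records):
    """One reconciliation event record per communicated target record."""
    return [ReconEvent(kind, dict(r)) for r in records]


def check_mandatory(ev):
    """Mark the event invalid if any mandatory attribute is absent or empty."""
    missing = [a for a in MANDATORY[ev.kind] if not ev.data.get(a)]
    if missing:
        ev.status = "invalid"
        ev.notes.append(f"missing mandatory attributes: {missing}")
    return not missing


def evaluate_match(ev):
    """Evaluate the matching rule: a user (trusted) or a resource (target).
    Exactly one hit is a match; several hits are ambiguous and left for an admin."""
    if ev.kind == "trusted":
        ev_field, user_field = TRUSTED_RULE
        hits = [uid for uid, u in OIM_USERS.items()
                if u[user_field] == ev.data.get(ev_field)]
    else:
        hits = [rid for rid, r in PROVISIONED_RESOURCES.items()
                if r[TARGET_KEY_FIELD] == ev.data.get(TARGET_KEY_FIELD)]
    if len(hits) == 1:
        ev.status, ev.match = "matched", hits[0]
    elif not hits:
        ev.status = "unmatched"
    else:
        ev.status = "invalid"
        ev.notes.append(f"ambiguous match: {hits}")
    return ev.status


def apply_action_rules(ev):
    """Apply the action rule for the event's state; invalid events get no action."""
    if ev.status in ("matched", "unmatched"):
        table = TRUSTED_ACTIONS if ev.kind == "trusted" else TARGET_ACTIONS
        ev.action = table[ev.status]
    return ev.action


def reconcile(kind, records):
    """Run the whole pipeline over a list of target records and return the events."""
    events = create_events(kind, records)
    for ev in events:
        if check_mandatory(ev):
            evaluate_match(ev)
        apply_action_rules(ev)
    return events


if __name__ == "__main__":
    # Constructed records "communicated by the reconciliation APIs".
    trusted_batch = [
        {"User Login": "rfederer", "First Name": "Roger", "Last Name": "Federer"},    # exists: update
        {"User Login": "sWilliams", "First Name": "Serena", "Last Name": "Williams"},  # new: create
        {"User Login": "noname", "First Name": "", "Last Name": "X"},                  # fails mandatory check
    ]
    for ev in reconcile("trusted", trusted_batch):
        print(ev.kind, ev.data["User Login"], ev.status, ev.match, ev.action, ev.notes)
```

The design point worth noticing is that an event with an ambiguous match is treated like one that fails the mandatory-attribute check: it gets no automatic action and is left for an administrator, since auto-linking on an ambiguous rule is how an account ends up attached to the wrong identity.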

Reconciliation Mode: Full or Incremental

       The purpose of full recon mode is to reconcile all accounts on the target system into Oracle Identity Manager.

       Full reconciliation is performed by default during the first reconciliation run performed on a target system.

       In subsequent reconciliation runs, only the user account records that were added, modified, or deleted after the first run ended are fetched for reconciliation. This is incremental recon.

       One can manually switch from incremental reconciliation to full reconciliation by setting the value of the timestamp parameter to 0.

Batched or Nonbatched Reconciliation:

       In a recon run, all the target system changes are reconciled into OIM. In certain cases the connection may break partway through the run; in such cases it is advisable to go for batched recon.

       For Batched recon we need to specify the StartRecord, BatchSize and the NumberOfBatches.

       If we do not want to go for batched recon, we can avoid giving the batch size.

       In this case, non-batched recon occurs.

Limited or Regular Reconciliation:

       One can implement limited recon by creating customized queries for Reconciliation.

       A sample query is:

                givenname=Roger&sn=Federer

       With this customized query, records of users whose first name is Roger and last name is Federer are reconciled.

       For any target system, if you do not specify a custom query, then a regular reconciliation takes place.
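The three parameter groups above (full versus incremental via the timestamp parameter, batched versus non-batched via StartRecord, BatchSize and NumberOfBatches, and limited versus regular via a custom query such as `givenname=Roger&sn=Federer`) all decide which target records a run fetches and how they are sliced. The following is an added illustration of that selection in Python, not Oracle Identity Manager or connector code. The target records, their `modified` change timestamp, the use of the parameter names as function arguments and the AND semantics of the custom query are constructed assumptions; only the parameter names come from the text.

```python
"""Added illustration (not Oracle Identity Manager or connector code) of how
the mode, batching and custom-query parameters narrow what a recon run fetches.
Records, the "modified" timestamp field and the parameter semantics are
constructed assumptions for this example."""

# Constructed target-system records; "modified" is a constructed change timestamp.
TARGET_RECORDS = [
    {"id": 1, "givenname": "Roger",  "sn": "Federer",  "modified": 100},
    {"id": 2, "givenname": "Rafael", "sn": "Nadal",    "modified": 150},
    {"id": 3, "givenname": "Roger",  "sn": "Federer",  "modified": 200},
    {"id": 4, "givenname": "Roger",  "sn": "Taylor",   "modified": 250},
    {"id": 5, "givenname": "Serena", "sn": "Williams", "modified": 300},
]


def parse_custom_query(query):
    """Turn 'givenname=Roger&sn=Federer' into {'givenname': 'Roger', 'sn': 'Federer'}.
    An empty query means regular (unrestricted) reconciliation."""
    if not query:
        return {}
    conditions = {}
    for clause in query.split("&"):
        if "=" not in clause:
            raise ValueError(f"malformed clause in custom query: {clause!r}")
        attr, value = clause.split("=", 1)
        conditions[attr.strip()] = value.strip()
    return conditions


def select_records(records, timestamp=0, custom_query=""):
    """Mode: timestamp 0 means full recon (every record); any other value means
    incremental (only records changed after it). Limited recon applies the custom
    query on top, with every condition required to match (assumed AND semantics)."""
    conditions = parse_custom_query(custom_query)
    chosen = []
    for r in records:
        if timestamp and r["modified"] <= timestamp:
            continue
        if all(r.get(attr) == value for attr, value in conditions.items()):
            chosen.append(r)
    # Process oldest change first so the stored timestamp never skips a record.
    chosen.sort(key=lambda r: r["modified"])
    return chosen


def batch_records(records, StartRecord=1, BatchSize=0, NumberOfBatches=0):
    """Batched recon: slice the selected records into batches beginning at the
    1-based StartRecord. BatchSize 0 means non-batched (one batch with everything);
    NumberOfBatches 0 means no limit on the number of batches (assumptions)."""
    start = max(StartRecord, 1) - 1
    remaining = records[start:]
    if BatchSize <= 0:
        return [remaining]
    batches = [remaining[i:i + BatchSize] for i in range(0, len(remaining), BatchSize)]
    if NumberOfBatches > 0:
        batches = batches[:NumberOfBatches]
    return batches


def plan_run(records, timestamp=0, custom_query="", **batching):
    """Return the batches a run would process and the timestamp to store for the
    next incremental run: the newest change among the records actually processed,
    or the old value when nothing was processed."""
    selected = select_records(records, timestamp, custom_query)
    batches = batch_records(selected, **batching)
    processed = [r for batch in batches for r in batch]
    next_timestamp = max((r["modified"] for r in processed), default=timestamp)
    return batches, next_timestamp


if __name__ == "__main__":
    # Full, regular, non-batched: everything in one batch.
    print(plan_run(TARGET_RECORDS))
    # Limited recon with the sample query from the text.
    print(plan_run(TARGET_RECORDS, custom_query="givenname=Roger&sn=Federer"))
    # Incremental and batched: only changes after 150, two records per batch, one batch.
    print(plan_run(TARGET_RECORDS, timestamp=150, BatchSize=2, NumberOfBatches=1))
```

Note how `plan_run` advances the stored timestamp only as far as the records that were actually processed: if NumberOfBatches cuts a run short, setting the timestamp from the newest record selected rather than the newest record processed would silently skip the remaining changes on the next incremental run.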


Components of the Reconciliation Module:

       Reconciliation APIs: The APIs provide for the creation of both regular and delete reconciliation events, and the mechanisms by which the appropriate data is provided for the events.

       Reconciliation Field Definitions: When you define a target system as a resource object in Oracle Identity Manager, you create reconciliation fields to represent the actual fields of the target system.

       Reconciliation Field Mappings: The reconciliation field mapping is used to map the process form fields with the reconciliation fields specified in the resource object.

       Reconciliation Matching Rules: The reconciliation matching rules are used by the reconciliation engine to determine the identity to which Oracle Identity Manager must assign a newly discovered account on the target system.

       Reconciliation Action Rules: After the match, these specify what action needs to be performed. The action can be to create a user, or to update or delete an existing user.

       Reconciliation Engine: The reconciliation engine uses all configurable components and includes the data processor and rule evaluator that use these components to convert input data into a list of action items. 

       Reconciliation Event Manager: The Reconciliation Event Manager is a form in the Design Console. You can use this form to examine a reconciliation event and perform the required actions.

       Reconciliation Provisioning Tasks: In target resource reconciliation, if an event is linked to an existing instance of a provisioned resource, then the process form for that resource instance is updated.

If the account did not exist in Oracle Identity Manager before the reconciliation run, then the default provisioning process is initiated, adapters are suppressed, and all nonconditional tasks are completed automatically.

The marker task can be either Reconciliation Insert Received or Reconciliation Update Received.
