Reconciliation Process for Disconnected Apps - Video

Sath Inc

IDHub Team Member

IDHub allows System Administrators to quickly reconcile IDHub, to disconnected applications, by manually uploading a delimited text file.

This process allows for modifications to user access and data, specific to the application account attributes, found within the user’s IDHub profile.

Reconciliation Process For Disconnected Applications & Users – Video Transcript

Hello, welcome to IDHub.

In this video, I’ll demonstrate how to use IDHub’s Reconciliation feature, with disconnected applications.

I’ll show how to reconcile and modify user access and data, within a user’s profile, using a manual file upload.

To begin, let’s login with our organization name, and then I’ll login as Jerome, who is an Access Manager. Only Access Managers and System Administrators have permissions to reconcile applications.

From the Dashboard, let’s navigate to the “Manage Catalog” page, where we can view and manage all existing resources.

Before I begin, I want to define Reconciliation.

It is an audit process that compares User access to resources, against the agreed upon identity source of truth. This process is used to confirm what data is present in an application, and sync that data with what is currently present in IDHub.

Let’s assume it has been identified that Jerome has access to SalesForce application, and IDHub is not aware of that access. Because SalesForce is a disconnected application, I will need to manually tell IDHub that Jerome has access to SalesForce, with entitlement permissions for both basic and administrator privileges. To do that, I’ll reconcile through a file upload, to inform IDHub of his access.

Remember, reconciling through a manual file upload is only used with disconnected applications. Connected applications have an automatic reconciliation process, which is called Application Syncing, and we have another video on that.

Moving on, let’s find our SalesForce application. We can do that by simply searching for it in the search bar, and once it pops up, we’ll go ahead and click on this “Ellipsis”, and click on “Reconciliation”. This will bring us to the file upload page.

Each application has a sample file, which you can open to view the specific attributes within that application.

When you download the sample file, you will see the attributes that are present. These are application specific. Meaning, each application will have different attributes, and slightly different files.

Let’s open this file.

So here is the sample file for SalesForce, and we can see here that the attributes are display name, login, email, phone number, and entitlements.

Entitlements are used to grant specific permissions within an application. SalesForce has 2 entitlements; User and Administrator. We are going to tell IDHub that Jerome does have access to both of these entitlements.

Let’s go look at the Entitlements within SalesForce. I’ll pull up that application again, and show the Attributes.

When onboarding new applications, one attribute must have the “Recon Key” and the “Unique Name Key” selected. The “Recon Key”, or Reconciliation Key, is the attribute which syncs data into IDHub from the application. I’ll show you what the Unique Name Key does a little later in this video.

I can see here that “Login” is the Reconciliation Key, as well as the Unique Name Key. When adding the Recon Key Attribute to the spreadsheet for the file, I must ensure the attribute field on the spreadsheet matches exactly to what is in Jerome’s IDHub profile. If it doesn’t match, IDHub will not be able to recognize this user account, in regards to the application.

I’ll now navigate to Jerome’s profile, to check his data, and add it to the spreadsheet.

So, I’ve already created a file, which is right here. And basically, I took the sample file within the application, and plugged in some data that I found on Jerome’s profile page. So, if we look here, the “Recon Key” was “Login”, and so I want to ensure I use login exactly as it reads, within Jerome’s profile.

So, right here we can see that his login is Jerome, ok.

And his email, I’m going to enter it the same, because I don’t want this to change, and so I just copied and pasted that.

I’ll leave “Display Name” blank, to show that if a field is left blank on the spreadsheet, an error will occur and prevent upload.

And then I’ll change Jerome’s phone number. So here I have, 1234567, and we can see that does not match his current phone number. And I’m changing this to show, through reconciliation, you can also modify existing data within the user profile.

And now, I’ll go ahead and give Jerome access to both of the entitlements found within the application.

To do that, I’m going to go back to the application, and I’ll double check the entitlements within it. So, let’s go ahead and open Salesforce here, and I can see that the entitlements within it are “SalesForce Admin” and “SalesForce User”.

So going back to my spreadsheet, I’ll give access to Jerome for both the Admin and the User, and I’ll do that by separating the two with a vertical bar “|”.

Ok, so now, I’m going to save my file, and I can go back into the “Manage Catalog” page, reconcile, and upload my file.

So notice, right now, there are some errors, and if we look at the drop-down here, we can see that the error is the “Display Name”, which is required. Because remember, I wanted to show you what happens when we leave Display Name blank.

So, let’s go back to the file and update it, and we’ll enter “jerome” as his “Display Name” reads within his profile. We’ll go ahead and save this file, and then we’ll upload it again.

Notice now there are no errors, and 3 updates. If we again look at that drop-down, we can see three things have changed; we are adding a new user account for Jerome to SalesForce, we’re showing access to SalesForce application, as well as the Admin and User entitlements.

So, we’re going to submit this, and “Yes”, we do want to proceed.

Now we’re going to navigate back to Jerome’s profile page, and we’re going to look at his access, and view the changes which were made. Notice how he does have access to SalesForce here.

So, earlier we discussed the Recon Key, and how important it is when manually reconciling data between IDHub and a disconnected application. Another important key is the “Unique Name Key”. This key pulls information as the Recon Key does, and matches it to the Account ID, which we see here. So that’s where the “Unique Name Key” field comes in.

So, if we open the application within his profile, we can see that Jerome now has access to the User and Admin entitlements.

Let’s assume I made a mistake and Jerome should not be an admin to SalesForce, I can go back into the file, modify it, by removing the SalesForce Admin, and that vertical bar, saving the file, going back to that application, and uploading that file, and removing that entitlement, and now we can see that we are removing the SalesForce Admin entitlement.

Let’s go ahead and “Submit” that. “Yes”, we want to proceed, and then we’ll go ahead and navigate back to Jerome’s profile page, to check the entitlements within SalesForce.

We can see here now, that he is only a SalesForce User, he is no longer an Admin.

We can also see that within the application account attributes, Jerome’s phone number now reflects the phone number that I entered into the spreadsheet; 1234567. This new phone number has successfully taken the place of the original phone number, present in the Salesforce application attribute section. We have successfully changed his phone number, with the file upload.

As you can see, with IDHub’s reconciliation feature, you can easily manage any resource access, within a user’s account, with a manual file upload, for disconnected applications. 

This concludes the video demonstrating how IDHub’s Reconciliation feature works, with disconnected applications.

I encourage you to check out our other informative IDHub videos.

Thank you so much for watching, and I hope you have a wonderful day!

Could your IT team use an extra 10, 30, or 100 hours per week?