What is Identity Reconciliation?
Reconciliation is an Identity Governance audit process, which compares User access, access rights, and privileged accounts, against the agreed-upon authoritative identity source of truth.
This process is used to confirm what data is present in an application, and sync that data with an existing Identity Management System to ensure the right access to systems for the right people.
Business Applications and Identity Management systems (IAM) rely on reconciliation services IDHub's to maintain their security.
Why is reconciliation necessary?
User identities that are reported with incorrect access privileges are both a serious compliance risk, and also a violation of any standard privileged access management security policy, and for good reason.
When access levels are not in sync with your authoritative source, you lose the ability to monitor your organization's network, exposing you to unknown threats, which ceases to validate compliance requirements.
As part of Identity Lifecycle Management, tracking thousands of applications and access permissions is critical to maintaining network integrity within your business operations.
Want our team to help you improve security and drastically cut your daily work?
Just book a 10-minute call.
What Are The Different Types Of Identity Reconciliation?
Full Reconciliation
Full reconciliation is the process of fetching account and user access attributes, from target systems, and publishing
them into Identity Management Systems.
This is completed to observe changes and detect discrepancies, between the Identity Management System and applications.
Full reconciliation recalculates the existence, ownership, and state, for each account listed in the connected application.
A full reconcile is a comprehensive evaluation of User Profile Management, its respective resources, and its entitlements.
Incremental Reconciliation
Incremental reconciliation only processes the accounts and entitlements that have been added, deleted, or modified, since the last successful reconciliation.
It is faster than processing a full set of target system accounts, and typically runs on a periodic basis.
Automatic Reconciliation
Automatic reconciliation occurs with connected applications, which have been scheduled to run at regular timely intervals.
This allows for near real-time synchronization of identities and actionable insight.
How does access get out of sync?
Applications get out of sync due to human error with disconnected applications, and communication errors with connected accounts.
When there is no automatic syncing process, any access activity or change a user makes outside of the IAM system does not automatically get updated.
Without a manual reconciliation, the data will not match and individual privileges or role-based access controls can be overwritten.
For example: If an employee leaves the organization, without an administrator manually removing the account within the application itself, the account would be considered an orphaned account.
Another reason access would become out of sync, could be the result of the application itself having a communication error, which prevented the data from syncing correctly.
Reconciling user accounts will help to prevent orphaned accounts.
How Does Reconciliation Occur In IDHub?
Connected and disconnected applications have different Reconciliation, or Syncing processes.
Disconnected Applications
Reconciling disconnected applications in IDHub, is a manual process.
IDHub requires a user to upload a delimited text file. This browser-based upload feature allows for quick processing of accounts, which can then also be used during the Certification process.
The synchronization process via a file upload allows the system to recognize the application so that IDHub can verifty the access to resources update the access information accordingly.
This allows Administrators to identify access issues and make updates according to your Access management policies.
Connected Applications
The process for reconciling connected applications is called Application Syncing, which allows for two scenarios:
- If a user has access to an application, application syncing will validate the information found within IDHub, against what is present in the application.
- If there is a data discrepancy, the system will sync the data between the two, according to the configuration for each application attribute.
Automatic reconciliation, occurring on a custom timely basis, is feasible with IDHub's Reconciliation Scheduler feature.
What are you waiting for?
Try A Self-Guided Live Tour Right Now!
IDHub Unique Features
Attribute-Based Synchronization
If there are any attribute data discrepancies found between the two, this feature allows organizations to determine whether IDHub or the application will override the alternate data.
Multiple syncing options are available upon configuration; IDHub to App, App to IDHub, Bi-directional Sync, and No Synchronization.
Any attribute difference will be automatically synced, according to the configuration applied.
Every synchronization happens based on two keys; recon key and unique field key.
These two keys are required for Application On-boarding, which are then used for the Reconciliation/Syncing process.
The Recon Key is directly related to the reconciliation feature in IDHub, and is a critical part when entering data into the spreadsheet.
For example: if the user name is the Recon Key, then the user name should match exactly on the spreadsheet, compared to what is in IDHub.
IDHub provides multiple ways to allow Administrators to make access management decisions ensuring your access policies are followed.
If you would like to see how IDHub's Automated reconciliation process can improve your business's security and compliance, schedule a demo and we will show you just how much time and stress you cloud be saving.
Try IDHub for FREE for 30 Days, no payment information necessary.
Try our full version of IDHub Cloud and explore right now!
