Access Reconciliation

Identity and Access Management (IAM) reconciliation is an important security process that ensures the accuracy, completeness, and validity of user access rights and privileges in a given system. It involves verifying that the access rights assigned to users are consistent with their roles, responsibilities, and the principle of least privilege.

By monitoring and comparing user accounts against authoritative sources such as directories, databases, or logs, IAM reconciliation helps to detect discrepancies which can be addressed quickly to prevent potential security threats. 

The process of reconciliation follows the below method:

• System identifies whether the application is Trusted or Not-Trusted.
  • A trusted application is used to pull user information into IDHub.
  • A non trusted application is used to pull only account and entitlement related information in IDHub.
• Account matching is done by a unique identifier attribute and User matching is done by reconciliation key attribute.
• When Accounts are matched:
  •  Each account attribute goes through Attribute Based Access Control (ABAC) and based on sync direction Account attributes are updated in IDHub.
  • Each entitlement present in the target system is replaced with what is present in IDHub user account.
• When account is not found in target system:
  • Account goes into stale check process and waits for the account to become stale.
  • Once account is stale it is deleted from IDHub.
• Thresholds
  • Deletions of accounts are prevented by threshold configurations in applications. Once crossed the sync process is stopped to avoid accidental deletions.

Attribute-based synchronization is a unique feature, used to sync data within IDHub and connected applications.

If there are any attribute data discrepancies found between the two, this feature allows organizations to determine whether IDHub or the application will override the alternate data.

Multiple syncing options are available upon configuration:

• IDHub to App
• App to IDHub
• Bi-directional Sync
• No Synchronization.

Any attribute difference will be automatically synced, according to the configuration applied.

Every synchronization happens based on two keys; recon key and unique field key.

These two keys are required for Application On-boarding, which are then used for the Reconciliation/Syncing process.

The Recon Key is directly related to the reconciliation feature in IDHub, and is a critical part when entering data into the spreadsheet.

For example: if the user name is the Recon Key, then the user name should match exactly on the spreadsheet, compared to what is in IDHub.

IDHub provides multiple ways to allow Administrators to make access management decisions ensuring your access policies are followed. 

If you would like to see how IDHub's Automated reconciliation process can improve your business's security and compliance, Schedule a Call and we will show you just how much time and stress you cloud be saving.

The process for reconciliation or synchronization of data from target system to IDHub is called App Synchronization. It can be done in two ways:

• Manual Synchronization - This can be initiated upon request by administrators of IDHub
• Sync Schedules - This can be setup while application onboarding using IDHub wizard.

Reconciling disconnected applications in IDHub, is a manual process.

IDHub requires a user to upload a delimited text file. This browser-based upload feature allows for quick processing of accounts, which can then also be used during the Certification process.

The synchronization process via a file upload allows the system to recognize the application so that IDHub can verify the access to resources update the access  information accordingly.

This allows Administrators to identify access issues and make updates according to your Access management policies.