Access Reconciliation

Verify and synchronize access and permissions to systems and application withing your identity management system.


IAM Reconciliation

Identity and Access Management (IAM) reconciliation is an important security process that ensures the accuracy, completeness, and validity of user access rights and privileges in a given system. It involves verifying that the access rights assigned to users are consistent with their roles, responsibilities, and the principle of least privilege.

By monitoring and comparing user accounts against authoritative sources such as directories, databases, or logs, IAM reconciliation helps to detect discrepancies which can be addressed quickly to prevent potential security threats. 

Features of IDHub Reconciliation

App Data Sync Capabilities of IDHub

Directional Sync

IDHub has Attribute Based Access Control (ABAC) process of synchronizing the attributes used for access control decisions across multiple systems or applications.

Stale Check

IDHub has an advanced feature for Data sync where stale days are configurations in each application which can be used to keep data in the system for a while upon deletion request.

Thresholds in Deletions

IDHub perform deletions of accounts and entitlements based on Thresholds set as configuration in applications to avoid accidental data wipe and data changes.

Sync Scheduler

IDHub Scheduler helps sync entire application data with IDHub on a timely manner. It pulls all the information and updates accounts and entitlement.

IDHub Reconciliation Process

How is Data Sync done?

The process of reconciliation follows the below method:

  • System identifies whether the application is Trusted or Not-Trusted.
    • A trusted application is used to pull user information into IDHub.
    • A non trusted application is used to pull only account and entitlement related information in IDHub.
  • Account matching is done by a unique identifier attribute and User matching is done by reconciliation key attribute.
  • When Accounts are matched:
    •  Each account attribute goes through Attribute Based Access Control (ABAC) and based on sync direction Account attributes are updated in IDHub.
    • Each entitlement present in the target system is replaced with what is present in IDHub user account.
  • When account is not found in target system:
    • Account goes into stale check process and waits for the account to become stale.
    • Once account is stale it is deleted from IDHub.
  • Thresholds
    • Deletions of accounts are prevented by threshold configurations in applications. Once crossed the sync process is stopped to avoid accidental deletions.
Feature Description

Attribute-Based Synchronization

Attribute-based synchronization is a unique feature, used to sync data within IDHub and connected applications.

If there are any attribute data discrepancies found between the two, this feature allows organizations to determine whether IDHub or the application will override the alternate data.

Multiple syncing options are available upon configuration:

  • IDHub to App
  • App to IDHub
  • Bi-directional Sync
  • No Synchronization.

Any attribute difference will be automatically synced, according to the configuration applied.

Every synchronization happens based on two keys; recon key and unique field key.

These two keys are required for Application On-boarding, which are then used for the Reconciliation/Syncing process.


The Recon Key is directly related to the reconciliation feature in IDHub, and is a critical part when entering data into the spreadsheet.

For example: if the user name is the Recon Key, then the user name should match exactly on the spreadsheet, compared to what is in IDHub.

IDHub provides multiple ways to allow Administrators to make access management decisions ensuring your access policies are followed. 

If you would like to see how IDHub's Automated reconciliation process can improve your business's security and compliance, Schedule a Call and we will show you just how much time and stress you cloud be saving.

Feature Description

Manual Sync & Schedulers

The process for reconciliation or synchronization of data from target system to IDHub is called App Synchronization. It can be done in two ways:

  • Manual Synchronization - This can be initiated upon request by administrators of IDHub
  • Sync Schedules - This can be setup while application onboarding using IDHub wizard.


Additional Features

Connector Sync Methods

Real time synchronizations varies from connected apps. While selecting between options, IDHub development considers the specific requirements of client's use case, including the desired level of real-time updates, scalability, efficiency, and integration capabilities with your existing systems. Our Azure Connector uses Change Feed and Atlassian Connector has Webhooks and many more. Let us look at other event trigger technologies:


Event-Driven Architectures

Events represent significant changes or actions in the system, and they can be processed and distributed asynchronously. IDHub achieves real-time updates by publishing and consuming events through message brokers or event streaming platforms like Apache Kafka, RabbitMQ, or AWS EventBridge.


Real-Time Databases

IDHub uses change data capture (CDC) method or streaming data pipelines to capture and propagate data changes in real time. IDHub uses Apache Kafka, Apache Pulsar, Firebase Realtime Database, and Amazon DynamoDB Streams.



Webhooks are a mechanism for sending HTTP requests from one application to another in response to specific events or updates. They allow systems to notify and trigger actions in real time. By configuring webhooks, you can have your application receive immediate updates from external systems or services when specific events occur

Chat App


WebSockets is a communication protocol that enables real-time bidirectional communication between a client and a server. It provides a persistent connection that allows for efficient and low-latency data updates. WebSockets are well-suited for applications that require instant and frequent updates, such as chat applications, real-time collaboration tools, or live data streaming.


Server-Sent Events

SSE is a unidirectional communication protocol that allows servers to send real-time updates to clients over HTTP. It establishes a long-lived connection between the client and the server, enabling the server to push data updates to the client as they occur. SSE is useful for scenarios where real-time updates from the server to the client are required, such as news feeds or real-time dashboards.


Push Notifications

Push notifications are a common mechanism used to deliver real-time updates to mobile devices or web browsers. They involve the server sending notifications to specific devices or browsers using platform-specific APIs. Push notifications are effective for scenarios where you need to notify users about important events or updates even when the application is not actively open.

Additional Features

File Based Synchronization


Reconciling disconnected applications in IDHub, is a manual process.

IDHub requires a user to upload a delimited text file. This browser-based upload feature allows for quick processing of accounts, which can then also be used during the Certification process.

The synchronization process via a file upload allows the system to recognize the application so that IDHub can verify the access to resources update the access  information accordingly.

This allows Administrators to identify access issues and make updates according to your Access management policies.

Learn more...

IDHub Extras

Access Control

Learn more about Access Control and utilize our free Access Control Policy Template, to help establish a healthy framework for your organizations access control.

Workflow Basics

Learn Workflow Basics, see our most common workflow scenarios, and brush up on your workflow skills for your own business workflows.

App Onboarding

Learn about Application Onboarding essentials, and grab a copy of our free Google form, 36 question, application onboarding questionnaire!

Find Out How Many Hours You'd Save With A Quick 10-Minute Call.

Could your IT team use an extra 10, 30, or 100 hours per week?