Reconciliation is the process of synchronizing the accounts and supporting data to the IBM® Security Identity Governance and Intelligence central data repository from a managed resource. Reconciliation is required when accounts and supporting data can be changed on the managed resource so that the Identity Governance and Intelligence data is consistent and up-to-date with the remote resource.
Key concepts:
Always between Person and Account in Account Store
Rules specify Publish Only, Subscribe Only, Bidirectional
Scores used to increase data quality for multi-authoritative
Inbound attribute changes come into inbox queue
Outbound changes go out through outbox queue
Handlers for transformation
...
Attribute Flow is a flexible process that is used to detect changes that occur to a managed identity by comparing the attributes of each EmpowerID Person object with the attributes of each user account that has been joined to those Person objects.
When attribute changes are detected for an attribute configured to flow, EmpowerID flags the account and processes those changes, issuing commands to update any affected attributes in either the EmpowerID Identity Warehouse (metadirectory) or the connected account store, depending on the origin of the change.
If the changes occurred through actions originating in an Account Store, EmpowerID retrieves those changes and records them in the Identity Warehouse, where they are evaluated and either used to update the Identity Warehouse or discarded as appropriate.
| View file | ||
|---|---|---|
|
Attribute Flow Configuration Processes
Attribute flow rules are defined per attribute per account store to determine what attributes should flow, in what direction, and with what priority. This is the lowest level of granularity in the configuration process.
At the account store configuration level, attribute flow can be disabled for the entire account store so that attributes will not be evaluated for any accounts in the account store.
At the system level, attribute flow processing can be either disabled or enabled to facilitate the flow of attributes from external accounts to the EmpowerID Person identity.
| View file | ||
|---|---|---|
|
Flow Rules – Type and Direction
...
No Sync - When this option is selected, no information flows between EmpowerID and the native system.
...
Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa.
...
Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
...
EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
| View file | ||
|---|---|---|
|
Flow Rules – Weighting and Scoring (Data Quality)
...
Create Score – In the event of conflicting updates from 2 separate accounts, this weighting determines which account attribute value will take precedence if the current person attribute is null
Update Score - In the event of conflicting updates from 2 separate accounts, this weighting determines which account attribute value will take precedence if the current person attribute has a value
Delete Score – In the event that an attribute value from one account store has a value in it and another has a null value, this weighting determines if the value should be nulled or not. If the account store with the null value has a higher weighting, then the attribute will be nulled. Otherwise, it will be left alone.
| View file | ||
|---|---|---|
|
| View file | ||
|---|---|---|
|
Attribute Flow Handlers
By default, EmpowerID retrieves attribute values for each user account in a connected account store and maps them value for value to the corresponding Person attributes stored in the EmpowerID Identity Warehouse.
In this way, if the value of "State" for an AD user account is "Massachusetts" then the value of "State" for that account's Person object in EmpowerID is "Massachusetts."
Attribute Flow Handlers allow you to customize this logic by writing your own code to handle value transformations on a per attribute basis
| View file | ||
|---|---|---|
|
| Info |
|---|
Related Docs Topics: |