Reconciliation
Overview
Reconciliation is a key feature and concept in Apporetum. It gives you the ability to control access management and take action on malicious users. Reconciliation can be run manually or on a schedule.
This article explains how to run reconciliation for a whole app or for a particular app role. You can also review alerts for suspicious users that are not in both Apporetum and the associated directory. For those users you can authorise membership, remove membership, or ignore the alert until the next reconciliation. After reconciliation, you can view the activity log or download a report for auditing purposes to identify cyber incidents. You also have the option to set up or update the reconciliation period for each app role.
You can view and/or initiate app reconciliation or specific (app) role reconciliation tasks if you are an App Owner, SecOps Manager, System Admin or Global Admin.
What is Reconciliation
Reconciliation is an Identity Governance audit process, which compares user access, access rights, and privileged accounts, against Apporetum, the agreed-upon authoritative identity source of truth. This process is used to confirm what data is present in a directory, and sync that data with Apporetum to ensure the right access to systems for the right people.
Run Reconciliation
- Click the Apps main menu option
- Select Reconciliation Tasks from the sub-menu
- Click the vertical three dots icon next to an app or a role within an app
- If you only want to reconcile specific role(s), search the role(s) then click the icon on the role row.
- If you want to reconcile all the roles in one app, then click the icon on the app row.
- Choose Run reconciliation
- Check if the system notification status is successful
Review Alerts, Authorise/Remove Membership, Ignore Alert
Because Apporetum governs your directories, we suggest that you do not use other tools to add and remove users from groups. This ensures that Apporetum can audit and track account access.
- Click the Apps main menu option
- Select Reconciliation Tasks from the sub-menu
- View the number of alerts (total and pending) in the column Alerts
- Click the button Review Alerts
The alert types are Mismatched and Unsanctioned. Status tells you whether those users have been actioned yet.
- Mismatched: user is in Apporetum, not in the directory
- Unsanctioned: user is in the directory, not in Apporetum
- Select one or more users
- Choose Authorise membership, Remove membership, or Ignore alert for the time being
If you choose to ignore any alerts, those users will be hidden from the Alerts until the next reconciliation.
Choosing Authorise membership or Remove membership will allow you to make the user list match between Apporetum and the associated directory.
- For a mismatched user, if you choose to Authorise membership, the user will be added into the associated directory so that the user is in both Apporetum and the directory. If you choose to Remove membership, the user will be removed from Apporetum so that the user will be in neither Apporetum nor the directory.
- For an unsanctioned user, if you choose to Authorise membership, the user will be added into Apporetum while keeping access on the directory. If you choose to Remove membership, the user will be removed from the directory so that this user will be in neither Apporetum nor the directory.
- After actioning successfully, your actions will be recorded in Apporetum
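The alert types and the outcome of each action described above can be modelled as set operations on the two membership lists. This is an added illustration, not Apporetum's own code: the RoleState class, its method names and the sample users are hypothetical, and the re-raising of an ignored alert on the next run is how this model reads "hidden until the next reconciliation".

```python
from dataclasses import dataclass, field

MISMATCHED = "Mismatched"      # user is in Apporetum, not in the directory
UNSANCTIONED = "Unsanctioned"  # user is in the directory, not in Apporetum


@dataclass
class RoleState:
    """Hypothetical model of one app role: governed list vs. directory group."""
    apporetum: set
    directory: set
    audit: list = field(default_factory=list)

    def reconcile(self):
        """Return {user: alert_type} for every user not present on both sides."""
        alerts = {u: MISMATCHED for u in self.apporetum - self.directory}
        alerts.update({u: UNSANCTIONED for u in self.directory - self.apporetum})
        return dict(sorted(alerts.items()))

    def action(self, user, choice, actor):
        """Apply 'authorise', 'remove' or 'ignore' to a user's pending alert."""
        kind = self.reconcile().get(user)
        if kind is None:
            raise ValueError(f"no pending alert for {user}")
        if choice == "authorise":      # user ends up on both sides
            self.apporetum.add(user)
            self.directory.add(user)
        elif choice == "remove":       # user ends up on neither side
            self.apporetum.discard(user)
            self.directory.discard(user)
        elif choice != "ignore":       # ignore leaves the drift in place
            raise ValueError(f"unknown action {choice!r}")
        self.audit.append((actor, choice, kind, user))  # record who did what


def demo():
    # Constructed sample data, not taken from a real tenant.
    role = RoleState(apporetum={"alice", "bob", "carol"},
                     directory={"alice", "dave", "erin"})
    first = role.reconcile()
    role.action("bob", "authorise", "owner1")   # mismatched: added to directory
    role.action("carol", "remove", "owner1")    # mismatched: removed from Apporetum
    role.action("dave", "remove", "owner1")     # unsanctioned: removed from directory
    role.action("erin", "ignore", "owner1")     # unsanctioned: raised again next run
    return first, role.reconcile(), role


if __name__ == "__main__":
    print(demo()[:2])
```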
You can view the reconciliation activity log and/or download a report of those reconciliation tasks. You can also read the All Activity from the Activity main menu page to see all actions that have been done in Apporetum.
The following section is the how-to guide on viewing the activity log and downloading the report.
View Activity Log, Download Report
Recommended Pathway
- Click the Apps main menu option
- Select Reconciliation Tasks from the sub-menu
- Click the vertical three dots icon next to an app or an app role
- Choose View activity log
- Under the Activity Log column, you can see the details of each reconciliation activity log
The column is in chronological order starting with the most recent log.
- On each reconciliation activity row, you can click the icon to Review alerts from the current report or View past alerts from previous reports
- Click the download icon to Download report
Quick Pathway
- Click the Apps main menu option
- Select Reconciliation Tasks from the sub-menu
- Click the vertical three dots icon next to an app or a role within an app
- Choose Download Report or View Activity Log
At the app level, the quick actions are View activity log and Run Reconciliation; at the app role level, there is one more quick action, Download report.
Update Reconciliation Period
Reconciliation Period is the frequency at which Apporetum will reconcile the user access of the App Role. A longer period will reduce the number of notifications that Access Providers and App Owners will receive.
You can navigate to App Role Configuration and then Modify/Remove Current Role Settings.