LogoLogo
3.1.7
3.1.7
  • Getting Started
    • What is Cymmetri?
    • Release Notes
      • 3.0.1-Beta
      • 3.0.2-Beta
      • 3.0.3-Beta
      • 3.0.4-Beta
      • 3.0.5-Beta
      • 3.0.6-Beta
      • 3.0.7-Beta
      • 3.0.8-Beta
      • 3.0.9-Beta
      • 3.0.10-Beta
      • 3.0.11-Beta
      • 3.0.12-Beta
      • 3.1.0 - Product Release
      • 3.1.1-Beta
      • 3.1.2 - Product Release
      • 3.1.3-Beta
      • 3.1.4-Beta
      • 3.1.5-Beta
      • 3.1.6 -Beta
      • 3.1.7 - Product Release
      • 3.1.8 -Beta
      • 3.1.9-Beta
      • 3.1.10-Beta
      • 3.1.11-Beta
      • 3.1.12-Beta
      • 3.1.13-Beta
      • 3.1.15 -Beta
      • 3.1.16
      • 3.1.17
      • 3.1.18
      • 3.1.15 - Product Release
      • 3.0.x Consolidated
      • 3.1.x Consolidated
    • Starting your Cymmetri Trial
    • Admin Dashboard
    • Accessing Cymmetri
    • Supported Web Browsers
    • Cymmetri Error Codes
    • Help
    • Personalization
      • General Config
      • Admins
      • Masters in Cymmetri
      • Personalize Notification Templates
      • Tenant Branding
      • Custom Attributes
      • API Client
      • Batch Tasks
      • API Extension
    • Global Search
  • Identity Hub
    • Managing Users and Groups
      • User Management
      • User Detail
      • Create Users
      • Edit Users
      • Create Groups
      • Importing Users
      • Assigning Users to Groups
      • Delegation
        • Setting up Delegation
        • Delegating Work to Delegatee
        • Accepting Delegation
      • Suspended Users
      • Archived Users
      • All Users Session
    • Authentication
      • Identity Provider
        • Internal IDP
          • Introduction
          • Internal Identity Provider Configuration: Cymmetri
          • Internal Identity Provider Configuration: Active Directory
          • Internal Identity Provider Configuration: LDAP
        • External IDP
          • Introduction
          • External Identity Provider Configuration - Google IDP
          • External Identity Provider Configuration - Azure IDP
          • External Identity Provider Configuration - Salesforce IDP
      • Service Provider
      • Authentication Rules
      • Password Policy
      • Global Auth Policy
      • Adaptive
    • Attribute Setting
    • Password Filter
    • Logs
      • Audit Log
      • Import History
      • Scheduler History
  • Lifecycle Management
    • Application Management
      • Support for Application Management
      • Getting Started
        • Introduction to Application Management
        • Adding Applications to be managed by Cymmetri
        • Assigning Applications to End Users
        • Application Detail
        • Dynamic Forms
        • Configuring Connector Server
        • 360 Degree Recon
      • Provisioning How to
        • Cymmetri Connector List
        • Supported Provisioning Operations
        • Azure Provisioning
        • Active Directory (AD) Provisioning
        • Google Workspace Provisioning
        • LDAP Provisioning
        • Powershell Provisioning
        • REST Connector Provisioning
        • SCIM v2.0 Provisioning with Basic Authentication
        • SCIM 2.0 with Bearer Authentication
        • SCIM 2.0 with Fixed Bearer
        • Github Provisioning
        • ServiceNow Provisioning
        • AMAYA
        • HRMS
          • Darwin Box
        • Database Provisioning
        • CSV Directory (Flat-file)
        • Managing Manual Application Assignments
        • SOAP Connector (XML)
        • Integration with Service Desk Management Systems
      • Reconciliation How to
        • Configuring Reconciliation Process
      • Rules
        • Provisioning
        • Deprovisioning
    • Workflow Management
      • Workflow Configuration
      • Workflow Rules
      • Pending Workflows
      • Workflows List
    • Teams Config
    • Configuring Webhooks
    • On Demand Access
    • Form Logic
  • Single Sign On
    • Introduction
    • SSO Configuration
      • SAML 2.0 Based SSO
      • API Based SSO
      • OpenID Connect Based SSO
    • Multifactor Authentication(MFA)
      • Introduction
      • Cymmetri Authenticator
      • Push Authenticator
      • Google Authenticator
      • SMS Authenticator
      • Secret Questions
      • FIDO Authenticator
      • Admin MFA Setting
    • Passwordless
      • Introduction
      • TOTP Based
      • OTP Based
      • Consent Based
      • FIDO Based
  • My Workspace
    • Getting Started
      • Introduction
      • First Time User Registration
      • End User Login Process
      • Forgot Password & Unlock Account
      • User Settings
    • How to use the My Workspace
      • Dashboard
      • My Access
      • Inbox
      • Team
      • On Behalf
  • Privileged Access Management
    • PAM Administration
      • Introduction to Privilege Access Management (PAM)
      • How to Access PAM in Cymmetri
      • Sub-Sections of PAM
      • Steps to configure PAM Server
      • Adding a device/ server in PAM
      • Vault User
      • Vaulting Configuration
      • Break Glass Configuration
      • PAM Reports and PAM History
      • Dormancy Disable Config
    • PAM Usage
      • Assign a server to a user
      • Access the server
  • Governance
    • Compliance Management
      • IGA Policy Violations
    • Insights
      • Reports
      • Risk
      • Management Dashboards
        • CISO Dashboard
        • CRO Dashboard
      • Industry Compliance
    • Access Certification
      • Setting up and managing Access Reviews
    • Recommendation Engine
    • Role Management
      • Role Mining
      • Entitlements
      • Managing Roles in Cymmetri
    • Segregation Of Duties (SOD)
  • Self-Service App
  • Analytics
    • Cymmetri Analytics
Powered by GitBook

Cymmetri.com

On this page
  • Synchronizing Scenarios and Their Corresponding Outcomes
  • Conditions Explained:

Was this helpful?

Export as PDF
  1. Lifecycle Management
  2. Application Management
  3. Reconciliation How to

Configuring Reconciliation Process

Was this helpful?

Once the applications have been configured to allow that the end-users have been provisioned into the managed application. We may now start configuring the reconciliation process for an application. The reconciliation process involves identifying the user attributes as stored in the Identity hub (Cymmetri platform) and their attributes as a user or a group account in the managed application; and the ensuring that the synchronization of the user and group accounts takes place either one-way or both ways between the managed application and the Identity hub, to ensure that there no discrepancies in the accounts stored by both the systems.

The reconciliation process may follow two strategies -

  1. Full Reconciliation Full reconciliation is typically carried out when the managed application is first introduced into an organization’s Cymmetri platform. This involves ensuring all user accounts (and group accounts, wherever applicable) from the Cymmetri platform, are synchronized with the account information on the managed application. This type of reconciliation often takes a longer time, and is often only used as a one-time activity.

  2. Filtered Reconciliation The Cymmetri platform and the managed application might lose synchronization due to a number of reasons, including backend changes to the user or group account information on the managed application or failure of communication between the identity platform and the managed application. In such cases, filtered reconciliation is employed on a regular, scheduled basis. This includes filters for a particular set of users, or to choose only the users that have been modified on either platforms, this is known as filtered reconciliation.

Cymmetri platform allows for both types of reconciliation phases, by allowing administrator to define an optional user filter during the reconciliation process.

The reconciliation process involves two major processes:

  1. Pull In this mechanism, the Cymmetri platform allows for user and group account information to be pulled from the managed application.

  2. Push In this mechanism, the Cymmetri platform pushes the user and group account information to be pushed to the managed application.

Regardless of the process employed, the configuration for the most part remains the same. Let us explore the reconciliation configurations on the Cymmetri Platform:

You may access the reconciliation menu by clicking on the application tile, and then clicking on the “Reconciliation” left-hand side menu.

Proceed to configure by clicking on the “+ Add New” button.

  1. Name: Refers to the name of the Reconciliation process

  2. Modes: FILTERED_RECONCILIATION (Currently the only mode supported by Cymmetri)

  3. Sync Fields: The field from the user/group’s account information as available on the Cymmetri platform that must be used as a basis to identify the corresponding account on the managed application database.

  4. Source Attributes: The field from the user/group’s account information as available on the managed application database that must be used as a basis to match with the “Sync fields”.

  5. Status: Whether to run the reconciliation for Active/Inactive users.

  6. Type: Some applications allow GROUP reconciliation, but most will have USER reconciliation only.

Filled Reconciliation basic configuration looks as above.

Synchronizing Scenarios and Their Corresponding Outcomes

Let us assume we are synchronizing the Cymmetri Platform with a cloud provider using email or mail attribute as the Sync field. As such users on both platforms having the same email address will be matched/un-matched.

Following are the scenarios managed by the Cymmetri platform -

  1. User does not exist in Target system & exists in Cymmetri: This indicates a situation during a pull phase or a push phase, where the user account exists on the Cymmetri platform, but not in the managed application. This typically occurs when the users have been pulled into the Cymmetri platform, but the managed application is yet to be synchronized with these users.

  2. User exists in Cymmetri & Target system: This indicates a situation during a pull phase or a push phase, where the user account exists on the Cymmetri platform and in the managed application, but they may or may not have the same attributes or the same values of the attributes.

  3. User exists in Target system & does not exist in Cymmetri: This indicates a situation during a pull phase or a push phase, where the user account exists in the managed application database but not on the Cymmetri Identity platform. This typically occurs when the users have been pulled into the managed application through its backend and the users have not been centrally managed through the Cymmetri platform.

Conditions Explained:

  1. User does not exist in Target system & exists in Cymmetri:

    1. PROVISION: User is created in the target system with the attributes as present in their Cymmetri user profile.

    2. IGNORE: User is not modified in either system.

    3. UPDATE: Not relevant for this scenario.

    4. DEPROVISION: User is removed from the Cymmetri platform to be consistent with the managed application user database.

    5. UNASSIGN: Not relevant for this scenario.

    6. ASSIGN: User is assigned access to this system in Cymmetri, this option may be used in the case of options like JIT being available to generate user profile in the managed application.

    7. UNLINK: Not relevant for this scenario.

    8. LINK: Not relevant for this scenario.

  2. User exists in Cymmetri & Target system:

    1. PROVISION: User is created in the target system with the attributes as present in their Cymmetri user profile.

    2. IGNORE: User is not modified in either system.

    3. UPDATE: User information from the Cymmetri Identity platform is updated using the account information from the managed application and vice versa.

    4. DEPROVISION: Not relevant for this scenario.

    5. UNASSIGN: Not relevant for this scenario.

    6. ASSIGN: User is assigned the managed application on the Cymmetri platform in case they are already not assigned.

    7. UNLINK: Not relevant for this scenario.

    8. LINK: Not relevant for this scenario.

  3. User exists in Target system & does not exist in Cymmetri:

    1. PROVISION: User is created in the Cymmetri Identity platform deployment using the account information from the managed application.

    2. IGNORE: User is not modified in either system.

    3. UPDATE: Not relevant for this scenario.

    4. DEPROVISION: User is removed from the managed application user database.

    5. UNASSIGN: Not relevant for this scenario.

    6. ASSIGN: Not relevant for this scenario.

    7. UNLINK: Not relevant for this scenario.

    8. LINK: Not relevant for this scenario.

Scheduling the reconciliation process:

  1. Next Execution Date: This indicates the base date to start the execution date and time of the reconciliation process.

  2. Cron Expression: This indicates the frequency with which the further reconciliation events will be run. There are 6 fields here - * * * * * * (e.g., 5 15 0 1 8 *) ; they refer to seconds, minutes, hours, days, months, and year after the first execution date.