OPEN CALL: Creating a reconciliation report



By: edir4ever

June 18, 2008 12:40 pm

Reads: 335

Comments:8

Rating:0

Is there a way to create a reconciliation report (showing the number of users matched and unmatched) when reconciling existing users from a connected system (say AD) to the Novell Identity Vault? Can we do this in iManager?

Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

8 Comments

  1. By:RFBonte

    What we need is a compare function to support initial/bulk load of person data that can also be used to support the audit process.

    HR data: Let the HR system do a complete dump of the personnel database and compare it to the person data in the Identity Vault.
    Account data: Have the connected system administrator do a complete dump of the accounts in his system and compare it to the Identity Vault (DirXML-Associations).

    Report the complete compare and:

    Trigger a workflow for each non-match:

    For HR data:
    When a person is in HR (and active), but not in the Identity Vault, trigger the “new employee” workflow.
    When a person is in the Identity Vault (active) but not in HR, trigger the “termination employee” workflow.
    When the compare is also performed on authoritative attributes, make changes in the Identity Vault, or trigger workflows where applicable.

    For account data:
    Although for audit purposes a complete report is probably most used, one could trigger workflows on a per-item basis. For instance, to let the system owner approve the account (great for service accounts and the like), or have the business manager associate the account with a person.

    I think this would have to be a configurable program. Where to realize it? UserApp could be the interface to it.

    The idea behind this is that we do not have a real driver to each and every system, so by creating a generic/rudimentary interface and a simple, well-formatted input file we can make the process of getting these systems into our IAM system easier.
    For the auditor we only have to show/prove the compare process. He can get the account dump from a system administrator on the fly and do the compare himself to have even better proof. Even for the systems where we have a provisioning connector and publisher policies.

    Next step: add authorization groups to the compare.

  2. By:edir4ever

    Thanks for your comment.

    What I feel is that we should have a listUsers API in the driver jar which can list all users in the connected system (where the system supports list-user functionality natively); then, using an IDM plugin in iManager, we can create a list of users from the connected system and take action on that list (whether to delete the rogue user entry, reconcile the user with a user in IDM, etc.).
    As you mentioned, the report can also be used for auditing purposes.

    The listUser functionality can also be useful in doing the initial sync using a matching rule in the driver. In that way we may not have to generate an event in the Vault to reconcile users in bulk.

    Your comments please….

  3. By:pmckeith

    Identity Manager Analyzer is an Eclipse-based IDM project/feature that provides a set of tools aimed at ensuring general internal policies are adhered to in the area of data quality, which includes data analysis, data cleansing, data reconciliation and data monitoring/reporting. Customers can use Analyzer to analyze, enhance and control all data stores throughout their enterprise.

    IdM Analyzer will follow the same development model as IdM Designer. Watch for it to come out soon. Meanwhile, for more information and to download the current beta check out the following link: Novell Identity Manager Analyzer Project

  4. By:edir4ever

    Rene, I received your reply by email and am putting it here to keep all posts in the same place.

    **Rene –
    “I was not thinking of using the IDM drivers to get the information out of the systems, most importantly because we want to build our IAM solution to include ALL the systems in the enterprise. A lot of which will not have a direct connection (driver) into the IAM solution. But we want to be able to support the auditing process in a unified way for all systems. To be able to do this, a manual export from the managed system and then an automated compare is the way to go, in my opinion.

    Aside from the above: the ListUser function, where it gets the list from the connected system (through the IDM connection), should be implemented in the User Application. That is where you can build forms, do associations, trigger workflows and/or do modifications on the Identity Vault most easily. I don’t know if it is possible to write directly to the connected system from UserApp without going through the Identity Vault first. Probably not, so then we might need other APIs as well.”

    You are right, it should be integrated with the User App so that we can trigger workflows and approvals from there.

  5. By:jacquesf

    I’m currently working on such a generic solution.
    We ask each sysadmin to export info in a 3-column CSV:
    - one column with the account ID
    - one column with the account status
    - one column with the account privilege
    (if an account has more than one privilege,
    then there are multiple lines for that account)

    We are developing an IDM text driver that:
    - reads incoming CSV files
    - for each line, checks if the account may exist
    - for each line, checks if the account has a valid status
    - for each line, checks if the privilege is justified

    The text driver generates e-mail for any anomaly detected.

    Our current prototype does not (yet) search through RBPM roles to compare privileges but that’s our aim :-)

    Any other ideas more than welcome!

    Jacques
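
The compare that RFBonte's comment describes (a connected-system dump against the Identity Vault's DirXML-Associations) and the per-line checks in Jacques's CSV prototype above can be shown in one short script. The following is an added example, not code from this thread, from Novell/NetIQ, or from any of the products mentioned. It assumes two CSV exports constructed inline: an AD export (sAMAccountName, objectGUID, enabled flag) and a Vault export (CN, Login Disabled, and the DirXML-Associations values joined with `|`, an assumed export convention). It also assumes the IDM association format `driverDN#state#key`, with state `1` meaning the object is associated, and a hypothetical driver DN `\IDVAULT\system\driverset1\Active Directory`.

```python
"""Reconciliation report: connected-system (AD) export vs. Identity Vault export.

Added example; not from the thread or from Novell/NetIQ. All data below is
constructed. Association values are assumed to use the IDM form
driverDN#state#key, where state "1" means the object is associated.
"""
import csv
import io

AD_DRIVER_DN = r"\IDVAULT\system\driverset1\Active Directory"  # assumed driver DN
ASSOCIATED = "1"                                             # assumed IDM state code

# Constructed AD export: account name, objectGUID (the AD driver's association key), enabled flag.
AD_EXPORT = """samaccountname,objectguid,enabled
jsmith,11111111-aaaa-4bbb-8ccc-000000000001,TRUE
adoe,11111111-aaaa-4bbb-8ccc-000000000002,FALSE
svc_backup,11111111-aaaa-4bbb-8ccc-000000000003,TRUE
mlee,11111111-aaaa-4bbb-8ccc-000000000004,TRUE
"""

# Constructed Vault export: CN, Login Disabled, DirXML-Associations (multi-valued, joined with "|").
VAULT_EXPORT = r"""cn,logindisabled,dirxml-associations
jsmith,FALSE,\IDVAULT\system\driverset1\Active Directory#1#11111111-aaaa-4bbb-8ccc-000000000001
adoe,FALSE,\IDVAULT\system\driverset1\Active Directory#1#11111111-aaaa-4bbb-8ccc-000000000002
mlee,FALSE,
pwhite,FALSE,\IDVAULT\system\driverset1\Active Directory#1#11111111-aaaa-4bbb-8ccc-000000000099
"""

REPORT_BUCKETS = ("matched", "status_mismatch", "match_candidate", "rogue", "orphan_association")


def association_key(field, driver_dn):
    """Return the association key for driver_dn if the object is associated (state 1), else None."""
    for assoc in filter(None, field.split("|")):
        parts = assoc.split("#", 2)
        if len(parts) == 3 and parts[0] == driver_dn and parts[1] == ASSOCIATED:
            return parts[2]
    return None


def reconcile(ad_csv, vault_csv, driver_dn=AD_DRIVER_DN):
    """Classify every AD account and every Vault association into one report bucket."""
    ad = {r["objectguid"].lower(): r for r in csv.DictReader(io.StringIO(ad_csv))}
    vault_by_key, vault_by_cn = {}, {}
    for r in csv.DictReader(io.StringIO(vault_csv)):
        vault_by_cn[r["cn"].lower()] = r
        key = association_key(r["dirxml-associations"], driver_dn)
        if key:
            vault_by_key[key.lower()] = r

    report = {bucket: [] for bucket in REPORT_BUCKETS}
    for key, acct in ad.items():
        user = vault_by_key.get(key)
        if user is not None:
            # Associated: check that the enabled/disabled state agrees on both sides.
            ad_enabled = acct["enabled"].upper() == "TRUE"
            vault_enabled = user["logindisabled"].upper() != "TRUE"
            bucket = "matched" if ad_enabled == vault_enabled else "status_mismatch"
            report[bucket].append(acct["samaccountname"])
        elif acct["samaccountname"].lower() in vault_by_cn:
            # Not associated, but a Vault user with the same name exists: a matching-rule candidate.
            report["match_candidate"].append(acct["samaccountname"])
        else:
            # No association and no name match: an account IDM knows nothing about.
            report["rogue"].append(acct["samaccountname"])
    for key, user in vault_by_key.items():
        if key not in ad:
            # Vault says associated, but the account is gone from the connected system.
            report["orphan_association"].append(user["cn"])
    return report


def summarize(report):
    """Counts per bucket, i.e. the matched/unmatched numbers the original question asks for."""
    return {bucket: len(items) for bucket, items in report.items()}


if __name__ == "__main__":
    result = reconcile(AD_EXPORT, VAULT_EXPORT)
    for bucket, count in summarize(result).items():
        print(f"{bucket:20s} {count:3d}  {', '.join(result[bucket])}")
```

Each bucket maps onto an action from the comments above: `rogue` and `match_candidate` are the rows an administrator would approve, delete, or associate; `status_mismatch` (e.g. disabled in AD but still enabled in the Vault) and `orphan_association` are the audit findings an emailed anomaly report would carry. Matching by account name is only a candidate list, not proof of identity, so a reviewer must confirm it before an association is written.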

  6. By:bkynaston

    We currently run the TriVir Data Reconciliation Toolkit which reads and stores the data from IDM-connected systems and generates user-configurable JasperSoft reports of anomalies such as objects missing in a particular system, attributes out of sync, passwords out of sync, etc.

    More information may be requested at info@trivir.com.

  7. By:anja98

    Take a look at this “How to do reconciliation in IDM 3.5”:

    http://www.novell.com/communities/node/4713/how-do-reconciliation-idm-35

  8. By:coafark

    Have you tried using the 3rd-party application (http://www.wolfgangschreiber.de) to make the files that most of you are commenting about making?
