Reconciliation
Overviewβ
Reconciliation is a key feature and concept in Apporetum. It will give you the ability to control access management and take action on malicious users. The reconciliation can be either run manually or scheduled.
In this article, you can find the information and how-to guide on running reconciliation, including app reconciliation or particular app role reconciliation. You can also review alerts of the suspicious users that are not in both Apporetum and the associated directory. You can either authorise membership or remove membership of those users or choose ignore alert till the next reconciliation comes up. After reconciliation, you can view reconciliation log or download report for auditing purposes to identify cyber incidents. You also have the option to set up or update reconciliation period for each app role.
You can view and/or initiate app reconciliation or specific (app) role reconciliation tasks if you are an App Owner, SecOps Manager, System Admin or Global Admin.
What is Reconciliationβ
Reconciliation is an Identity Governance audit process, which compares user access, access rights, and privileged accounts, against Apporetum, the agreed-upon authoritative identity source of truth. This process is used to confirm what data is present in a directory, and sync that data with Apporetum to ensure the right access to systems for the right people.
Run Reconciliationβ
Reconcile Appβ
-
Click the Access main menu option
-
Click the vertical three dots icon next to the app
- Click Reconcile App
If you only want to reconcile specific role, you can read Reconcile Role.
- Choose Run now
- Check if the system notification status is successful
- Click the Alerts tab to check the reconciliation result
Reconcile Roleβ
- Click the Access main menu option
- Click the App Roles tab
- Search and click the role
- Click the vertical three dots icon next to the role
- Click Reconcile Role
-
Click Run now from the pop-up window
-
Check if the system notification status is successful
-
Click the Alerts tab to check the reconciliation result
Review Alerts, Authorise/Remove Membership, Ignore Alertβ
As Apporetum is the governance over your directories, we suggest that you do not use other tools to add and remove users from groups. This ensures that Apporetum can audit and track accounts access.
- Click the Access main menu option
- Select Alerts from the sub-menu
Alert Types are Mismatched and Unsanctioned. Status can tell you if those users have been actioned yet.
- Mismatched: user is in Apporetum, not in the directory
- Unsanctioned: user is in the directory, not in Apporetum
- Select one or more users
- Choose Authorise membership, or Remove membership, or Ignore alert for the time being
If you choose to ignore any alerts, those users will be hidden from the Alerts till the next reconciliation.
Choosing Authorise membership or Remove membership will allow you to make the user list match between Apporetum and the associated directory.
-
For a mismatched user, if you choose to Authorise membership, the user will be added into the associated directory so that the user is in both Apporetum and the directory. If you choose to Remove membership, the user will be removed from Apporetum so that the user will be in neither Apporetum nor the directory.
-
For an unsanctioned user, if you choose to Authorise membership, the user will be added into Apporetum while keeping access on the directory. If you choose to Remove membership, the user will be removed from the directory so that this user will be in neither Apporetum nor the directory.
- After actioning successfully, your actions will be recorded in Apporetum
You can view the reconciliation activity log and/or download a report of those reconciliation tasks. You can also read the Recon Log to see all actions that have been done in this app.
The following section is the how-to guide on viewing reconciliation log and download report.
View Recon Log, Download Reportβ
After running reconciliation on an app or a role under Alerts, you can download the report immediately on the page.
Quick Pathwayβ
- Click the Apps main menu option
- Click the vertical three dots icon next to an app or a role within an app
- Click Download
The report that you will download here is the recent reconciliation result.
Recommended Pathwayβ
- Click the Acess main menu option
- Click the Recon Log tab
The column is in chronological order starting with the most recent log.
- Click the download icon
to Download report
Update Reconciliation Periodβ
Reconciliation Period is the frequency in which Apporetum will reconcile the user access of the App Role. A longer period will reduce the number of notifications that Access Providers and App Owners will receive.
You can Navigate to App Role Configuration and then Modify/Remove Current Role Settings.