Reconciliation
Warning
This feature requires a Governance module license. For more information, see Governance.
Reconciliation is a critical process that ensures the state of rights and permissions is as intended. Users might change roles, leave the organization, or require adjustments to their access rights over time. Additionally, a target application may itself be updated or encounter errors that also affect access rights. As a result, there can be a misalignment between the entitlements granted by HelloID and the actual access rights within the target application. Reconciliation provides a safeguard by comparing the current state of the target application with the desired state defined by HelloID.
Reports
The reconciliation report shows which Active Directory accounts are not managed by HelloID and whether these accounts are enabled or disabled.
Important
Reconciliation reports are only available for the Active Directory target system(s) with correlation enabled. In addition, accounts and account access must be imported.
To configure reconciliation:
1. Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.
2. From the Provisioning dashboard, go to: Business > Reconciliation.
3. Click on the Configuration tab located at the top left corner of the page.
4. From the Choose a system... drop-down menu on the bottom left, select one (or more) Microsoft Active Directory systems.
5. Click on the + sign to add a single or multiple Microsoft Active Directory systems.
Per system reconciliation configuration:
Each system configured for reconciliation has some extra settings:
1. Automatically re-create accounts: Enable this option to automatically re-create an account when it is missing in the target system and HelloID states the account is granted (the desired state is an account in the target system).
2. Automatically re-enable accounts: Enable this option to automatically re-enable an account when it is disabled in the target system and HelloID states the account and account access are granted (the desired state is an enabled account in the target system).
3. Remove: Remove target system from reconciliation report.
Note
The configuration settings will be saved automatically.
Create a reconciliation report
Important
Before you can create a reconciliation report, you will need to ensure that accounts and account access are imported.
Reconciliation is not a one-time event but an ongoing process. Continuous reporting is essential to ensure that access rights remain aligned.
Reconciliation reports can either be scheduled every month or created manually. A report can be generated manually only once a month. If you also opt for the scheduled report feature, this results in two reports monthly: one scheduled and one manual.
To schedule a report:
Reports can be scheduled on a monthly basis. On the scheduled day of the report, you will see the time it is set to run.
1. Click on the Configuration tab located at the top left corner of the page.
2. Toggle the Schedule monthly report setting.
Important
If the scheduled report fails for any reason, it will automatically retry three times.
To manually create a report:
1. Click on the Create report button.
Report overview
System imports
The System Imports section displays the Active Directory systems from which entitlements are imported. For each system, the indicators will show:
The total number of imported accounts
The total number of imported accounts that are enabled
The total number of imported accounts that are disabled
Report
The report section displays the latest generated report that contains any found reconciliation issues, for example, unmanaged or missing accounts.
The report displays the following:
System name
Imported person associated with the system
Accounts found in the system
Resolved (is this issue resolved in the current report iteration)
Issue state
| State | Description | Action |
|---|---|---|
| | The account exists in Active Directory but no corresponding state can be found in HelloID. | Disable account (only available if account is enabled) |
| | An account entitlement exists but no corresponding accounts exist in Active Directory. | |
| Account incorrectly has access | The account enable entitlement has not been granted, however the account is enabled in Active Directory. | |
| Account incorrectly has no access | Either the account is enabled in Active Directory but no corresponding account access entitlement exists or, a corresponding account access entitlement is found but the account is disabled in Active Directory. | |
| Person relates to multiple accounts | Multiple accounts are correlated to this person. | |
| Account relates to multiple person | The correlation key is found on multiple accounts and persons | |
Filtering
The reconciliation report can be filtered based on the System or Issue state.
Note
By default, only unresolved issues are visible. To see the resolved issues, adjust the filters.
Note
Keep in mind that the applied filters will also filter the CSV export.
Exclusions
To manage accounts not governed by HelloID entitlement states (linked to a source person), we've implemented exclusions. This feature allows users to exclude specific accounts from review for a defined period, such as 3 months, 6 months, 1 year, or 3 years. This is particularly useful for supplier, service, and external accounts where there's no associated end date in the source system to determine when the account should be deactivated.
All current exclusions with their end dates are available on the 'Exclusions' tab.
After the excluded-until date, the unmanaged account should re-appear on the reconciliation report.
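The comparison behind the issue-state table and the exclusion rule can be sketched as follows. This is an added example, not HelloID code: the data model, the function name `reconcile`, the labels `unmanaged` and `missing` for the two unnamed states, and all sample records are assumptions constructed for illustration, and the "Account relates to multiple person" state is not modelled.

```python
from collections import Counter
from datetime import date

def reconcile(desired, ad_accounts, exclusions, today):
    """Compare desired state with imported AD accounts (assumed data model).

    desired:     {correlation_key: {"account": bool, "access": bool}}
    ad_accounts: [{"sam": str, "key": str or None, "enabled": bool}]
    exclusions:  {sam: excluded-until date}
    """
    issues = set()
    per_key = Counter(a["key"] for a in ad_accounts)
    for acct in ad_accounts:
        state = desired.get(acct["key"])
        if state is None or not state["account"]:
            # Exists in AD, no corresponding state: reported unless an
            # exclusion is still in force; it re-appears after that date.
            until = exclusions.get(acct["sam"])
            if until is None or today > until:
                issues.add(("unmanaged", acct["sam"]))
        elif per_key[acct["key"]] > 1:
            issues.add(("person relates to multiple accounts", acct["key"]))
        elif acct["enabled"] and not state["access"]:
            issues.add(("account incorrectly has access", acct["sam"]))
        elif not acct["enabled"] and state["access"]:
            issues.add(("account incorrectly has no access", acct["sam"]))
    for key, state in desired.items():
        # Account entitlement granted, but no account was imported from AD.
        if state["account"] and key not in per_key:
            issues.add(("missing", key))
    return sorted(issues)

# Constructed sample data, not taken from any real environment.
TODAY = date(2024, 6, 1)
DESIRED = {
    "E1001": {"account": True, "access": True},   # aligned
    "E1002": {"account": True, "access": False},  # access revoked
    "E1003": {"account": True, "access": True},   # account deleted in AD
    "E1004": {"account": True, "access": True},   # disabled by hand in AD
}
AD = [
    {"sam": "jdoe", "key": "E1001", "enabled": True},
    {"sam": "asmith", "key": "E1002", "enabled": True},
    {"sam": "bjones", "key": "E1004", "enabled": False},
    {"sam": "svc-backup", "key": None, "enabled": True},
    {"sam": "ext-vendor", "key": None, "enabled": True},
]
EXCLUSIONS = {"svc-backup": date(2024, 12, 31), "ext-vendor": date(2024, 3, 31)}

if __name__ == "__main__":
    for issue in reconcile(DESIRED, AD, EXCLUSIONS, TODAY):
        print(issue)
```

In the sample, `svc-backup` stays off the report because its exclusion is still in force, while `ext-vendor` is reported because its exclusion has lapsed.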