Reconciliation
Warning
This feature requires a Governance module license. For more information, see Governance.
Reconciliation is a critical process that ensures the state of rights and permissions in target systems is as intended. Users might change roles, leave the organization, or require adjustments to their access rights over time. Additionally, target applications will be updated, and errors may occur that also impact access rights. As a result, there can be a misalignment between the entitlements granted by HelloID and the actual access rights within the target application. Reconciliation provides a safeguard by comparing the current state of the target application with the state desired by HelloID.
Configure reconciliation
The reconciliation report shows which Active Directory accounts are not managed by HelloID and whether these accounts are enabled or disabled.
Important
Currently, reconciliation reports are only available for Active Directory target systems. Correlation must be enabled in the Active Directory target system.
Import target system data to be used as entitlement(s) prior to configuring reconciliation for a target system.
To configure reconciliation:
Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.
From the Provisioning dashboard, go to: Business > Reconciliation.
Click on the Configuration tab at the top left corner of the page.
From the Choose a system... drop-down menu on the bottom left, select one (or more) Microsoft Active Directory systems.
Click on the + sign to add one or more Microsoft Active Directory systems.
Reconciliation configuration options per system
The following settings can be configured for each system for which reconciliation has been configured.

Automatically re-create accounts again: Enable to automatically recreate missing accounts in the target system when HelloID expects them to exist.
Automatically re-enable accounts again: Enable to automatically re-enable disabled accounts in the target system when HelloID expects the account to exist and account access to be granted.
Automatically add permissions again: Enable to automatically add permissions that are not granted in the target system when HelloID expects them to be granted.
Click Remove to remove the target system from the reconciliation configuration.
Note
The configuration settings will be saved automatically.
Reconciliation reports
Important
Import target system data to be used as entitlement(s) before starting to create reconciliation reports.
Reconciliation is not a one-time event but an ongoing process. Continuous reporting is essential to ensure that access rights remain aligned.
Reconciliation reports can be scheduled monthly and generated manually, but only once per month. If both options are used, two reports will be available each month: one scheduled and one manual.
Schedule a report
Reports can be scheduled on a monthly basis. On the day the report is scheduled you will be able to see the time it is set to run.
Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.
From the Provisioning dashboard, go to: Business > Reconciliation.
Click on the Configuration tab at the top left corner of the page.
Toggle the Schedule monthly report setting.
Important
If generating the scheduled report fails for any reason, it will automatically be retried three times.
Manually generate a report
Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.
From the Provisioning dashboard, go to: Business > Reconciliation.
Click the Create report button at the top right.
Report overview
System imports
The System Imports section displays the Active Directory systems from which entitlements are imported. For each system, the indicators will show:

The total number of imported accounts
The total number of imported accounts that are enabled
The total number of imported accounts that are disabled
Report
The Report section displays the latest generated report that contains any found reconciliation issues, for example, unmanaged or missing accounts. It is ordered by person & account name.

The report displays the following:
System name
Imported person associated with the system
Accounts found in the system
Permission found in the system (only if this record is a permission issue)
Resolved (i.e. whether this issue has been marked as resolved in the current report iteration)
Resolve multiple issues (Bulk actions)
This report section lets you address multiple issues at once by selecting a single action and applying filters to refine your results.

This is explained in more detail in Resolution.
Issue state
| State | Description | Action |
|---|---|---|
| | The account exists in Active Directory but no corresponding state can be found in HelloID. | Disable account (only available if account is enabled) |
| | An account entitlement exists but no corresponding accounts exist in Active Directory. | |
| Account incorrectly has access | The account enable entitlement has not been granted, however the account is enabled in Active Directory. | |
| Account incorrectly has no access | Either the account is enabled in Active Directory but no corresponding account access entitlement exists, or a corresponding account access entitlement is found but the account is disabled in Active Directory. | |
| Person relates to multiple accounts | Multiple accounts are correlated to this person. | |
| Account relates to multiple persons | The correlation key is found on multiple accounts and persons. | |
| Permission unmanaged | A permission membership exists in Active Directory, but the entitlement is not granted by HelloID through the business rules. | |
| Permission missing | A permission entitlement for the account exists in HelloID but is not granted in Active Directory. | |
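The comparison behind the issue states in the table above, shown as an added Python example (not HelloID code): it diffs a constructed desired state against a constructed directory import and labels each mismatch. The `reconcile` function, the data layout, and the labels "Account unmanaged" and "Account missing" for the first two table rows are assumptions. The two multiple-correlation states are not covered, and "Account incorrectly has no access" is detected through the "entitlement found but account disabled" clause.

```python
# Added example, not HelloID code. All names and sample data are constructed.

# Desired state per account, as the identity system would hold it (constructed).
DESIRED = {
    "j.doe":   {"access": True,  "permissions": {"GG-Finance", "GG-VPN"}},
    "a.smith": {"access": False, "permissions": set()},
    "m.lee":   {"access": True,  "permissions": {"GG-HR"}},
    "n.new":   {"access": True,  "permissions": set()},
}

# Actual state imported from the directory (constructed).
ACTUAL = {
    "j.doe":      {"enabled": True,  "groups": {"GG-Finance", "GG-Admins"}},
    "a.smith":    {"enabled": True,  "groups": set()},
    "m.lee":      {"enabled": False, "groups": {"GG-HR"}},
    "svc-backup": {"enabled": True,  "groups": {"GG-Backup"}},
}


def reconcile(desired, actual):
    """Return a list of (account, issue, detail) tuples, ordered by account."""
    issues = []
    for name in sorted(set(desired) | set(actual)):
        want, have = desired.get(name), actual.get(name)
        if want is None:
            # Exists in the directory, but no corresponding desired state.
            action = "disable account" if have["enabled"] else ""
            issues.append((name, "Account unmanaged", action))
            continue
        if have is None:
            # Desired state expects an account that the directory lacks.
            issues.append((name, "Account missing", ""))
            continue
        if have["enabled"] and not want["access"]:
            issues.append((name, "Account incorrectly has access", ""))
        elif want["access"] and not have["enabled"]:
            issues.append((name, "Account incorrectly has no access", ""))
        # Set differences give the two permission states.
        for group in sorted(have["groups"] - want["permissions"]):
            issues.append((name, "Permission unmanaged", group))
        for group in sorted(want["permissions"] - have["groups"]):
            issues.append((name, "Permission missing", group))
    return issues


if __name__ == "__main__":
    for account, issue, detail in reconcile(DESIRED, ACTUAL):
        print(f"{account:12} {issue:35} {detail}")
```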
Filtering
You can filter and search within the reconciliation report. Filters are combined using an 'AND' condition, meaning that all selected filters must be met for issues to appear in the filtered results.
Condition options
Invert Condition makes the associated condition work as a NOT condition, so those previously in-scope become out-of-scope, and vice versa.
Multiselect value support allows more than one item to be selected as a filter condition. The multiselect value is limited to a maximum of 10 items and can only be used with the equals operator.

The following options are available for filtering:
Resolution (The type of resolution or unresolved)
System (All the systems with an issue in the report)
Issue (The issue state)
Linked account excluded (All permission issues when the account is already excluded from report)
Account display name
Account enabled (If the account is enabled in target system)
Permission display name
Permission description
Account attributes (All account attributes that are mapped in the target system)
Note
By default only unresolved issues are visible. To see the resolved issues you should adjust the filters.
Note
Keep in mind that the applied filters also apply to the CSV export, so the export contains only the filtered results.
Exclusions
To manage accounts not governed by HelloID entitlement states (linked to a source person), we've implemented exclusions. This feature lets you exclude specific accounts from review for a defined period, such as 3 months, 6 months, 1 year, or 3 years. This is particularly useful for supplier, service, and external accounts where there is no associated end date in the source system to determine when the account should be deactivated.
All current exclusions and the date they end are visible on the Exclusions tab.

After the 'Excluded until' date the unmanaged account should re-appear in the reconciliation report.