Reconciliation
Warning
This feature requires a Governance module license. For more information, see Governance.
Reconciliation is a critical process that ensures the state of rights and permissions is as intended. Users might change roles, leave the organization, or require adjustments to their access rights over time. Additionally, changes in a target application, or errors in applying them, might also impact access rights. As a result, there can be a misalignment between the entitlements granted by HelloID and the actual access rights within the target application. Reconciliation provides a safeguard by comparing the current state of the target application with the desired state defined by HelloID.
Reports
The reconciliation report shows which Active Directory accounts are not managed by HelloID and if these accounts are enabled or disabled.
Important
Reconciliation reports are only available for the Active Directory target system(s) with correlation enabled. In addition, accounts and account access must be imported.
To configure reconciliation:
1. Click on the Provisioning icon in the top menu bar of the HelloID admin dashboard.
2. From the Provisioning dashboard, go to: Business > Reconciliation.
3. Click on the Configuration tab located at the top left corner of the page.
4. From the Choose a system... drop-down menu on the bottom left, select one (or more) Microsoft Active Directory systems.
5. Click on the + sign to add a single or multiple Microsoft Active Directory systems.
Per-system reconciliation configuration:
Each system configured for reconciliation has some extra settings:
1. Automatically re-create accounts: Enable this option to automatically re-create accounts when the account is missing in the target system and HelloID states the account is granted (the desired state is an account in the target system).
2. Automatically re-enable accounts: Enable this option to automatically re-enable accounts when the account is disabled in the target system and HelloID states the account and account access are granted (the desired state is an enabled account in the target system).
3. Remove: Remove target system from reconciliation report.
Note
The configuration settings will be saved automatically.
Create a reconciliation report
Important
Before you can create a reconciliation report, you need to ensure that accounts and account access are imported.
Reconciliation is not a one-time event but an ongoing process. Continuous reporting is essential to ensure that access rights remain aligned.
Reconciliation reports can either be scheduled every month or created manually. Note that a report can be generated manually only once a month. If you also opt for the scheduled report feature, this results in two reports per month: one scheduled and one manual.
To schedule a report:
Reports can be scheduled on a monthly basis. On the scheduled day of the report, you will see the time it is set to run.
1. Click on the Configuration tab located at the top left corner of the page.
2. Toggle the Schedule monthly report setting.
Important
If the scheduled report fails for any reason, it will automatically retry three times.
To manually create a report:
1. Click on the Create report button.
Report overview
System imports
The System Imports section displays the Active Directory systems from which entitlements are imported. For each system, the indicators will show:
The total number of imported accounts
The total number of imported accounts that are enabled
The total number of imported accounts that are disabled
Report
The report section displays the latest generated report, which contains any reconciliation issues found (for example, unmanaged or missing accounts). It is ordered by person and account name for convenience.
The report displays the following:
System name
Imported person associated with the system
Accounts found in the system
Permission found in the system (only if this record is a permission issue)
Resolved (whether this issue is resolved in the current report iteration)
Resolve multiple issues (Bulk actions)
This report section lets you address multiple issues at once by selecting a single action and applying filters to refine your results.
More about this can be found here
Issue state
| State | Description | Action |
|---|---|---|
| | The account exists in Active Directory but no corresponding state can be found in HelloID. | Disable account (only available if account is enabled) |
| | An account entitlement exists but no corresponding accounts exist in Active Directory. | |
| Account incorrectly has access | The account enable entitlement has not been granted, however the account is enabled in Active Directory. | |
| Account incorrectly has no access | Either the account is enabled in Active Directory but no corresponding account access entitlement exists or, a corresponding account access entitlement is found but the account is disabled in Active Directory. | |
| Person relates to multiple accounts | Multiple accounts are correlated to this person. | |
| Account relates to multiple person | The correlation key is found on multiple accounts and persons. | |
| Permission unmanaged | A permission membership exists in Active Directory, but it is not granted or entitled by HelloID through the business rules. | |
| Permission missing | A permission entitlement for that account exists in HelloID but is not granted in Active Directory. | |
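
The comparison behind the issue states in the table above, as an added example that is not HelloID code: a simplified Python model that diffs a desired state against an imported Active Directory state. The class names, the sample accounts and groups, and the labels used for the two table rows that have no state name are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Desired:                 # HelloID side: an account entitlement is granted
    access_granted: bool       # account access (enable) entitlement
    permissions: set = field(default_factory=set)

@dataclass
class Actual:                  # state imported from Active Directory
    enabled: bool
    permissions: set = field(default_factory=set)

def reconcile(desired, actual):
    """Return (account, issue, detail) tuples for every mismatch."""
    issues = []
    for name in sorted(set(desired) | set(actual)):
        want, have = desired.get(name), actual.get(name)
        if want is None:       # table row 1; label is this example's wording
            action = "disable account" if have.enabled else ""
            issues.append((name, "AD account without HelloID state", action))
            continue
        if have is None:       # table row 2; label is this example's wording
            issues.append((name, "Entitlement without AD account", ""))
            continue
        if have.enabled and not want.access_granted:
            issues.append((name, "Account incorrectly has access", ""))
        elif want.access_granted and not have.enabled:
            issues.append((name, "Account incorrectly has no access", ""))
        for perm in sorted(have.permissions - want.permissions):
            issues.append((name, "Permission unmanaged", perm))
        for perm in sorted(want.permissions - have.permissions):
            issues.append((name, "Permission missing", perm))
    return issues

# Constructed sample data, not taken from any real directory.
DESIRED = {
    "j.doe": Desired(True, {"GRP-Finance"}),
    "a.lee": Desired(False),
    "m.kim": Desired(True),
    "p.roy": Desired(True, {"GRP-HR"}),
}
ACTUAL = {
    "j.doe": Actual(True, {"GRP-Finance", "GRP-Admins"}),
    "a.lee": Actual(True),
    "p.roy": Actual(False),
    "svc-backup": Actual(True),
}

if __name__ == "__main__":
    print(*reconcile(DESIRED, ACTUAL), sep="\n")
```

The two correlation states (one person with multiple accounts, one key on multiple accounts and persons) are not modelled here because they depend on the correlation key rather than on the entitlement diff.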
Filtering
You can filter and search within the reconciliation report. Filters are combined using an 'AND' condition, meaning that all selected filters must be met for issues to appear in the filtered results.
Condition options
Invert Condition: Makes the associated condition work as a NOT condition, so items that were previously in-scope become out-of-scope, and vice versa.
Multiselect value: Allows more than one item to be selected as a filter condition. The multiselect value is limited to a maximum of 10 items and can only be used with the equals operator.
The following options are available for filtering:
Resolution (The type of resolution or unresolved)
System (All the systems with an issue in the report)
Issue (The issue state)
Linked account excluded (All permission issues when the account is already excluded from report)
Account display name
Account enabled (If the account is enabled in target system)
Permission display name
Permission description
Account attributes (All account attributes which are mapped in the target system)
Note
By default, only Unresolved issues are visible. To see the resolved issues, adjust the filters.
Note
Keep in mind that the applied filters will also filter the CSV export.
Exclusions
To manage accounts not governed by HelloID entitlement states (linked to a source person), we've implemented exclusions. This feature allows users to exclude specific accounts from review for a defined period, such as 3 months, 6 months, 1 year, or 3 years. This is particularly useful for supplier, service, and external accounts where there's no associated end date in the source system to determine when the account should be deactivated.
All current exclusions, with their end dates, are available on the 'Exclusions' tab.
After the "excluded until" date, the unmanaged account should re-appear on the reconciliation report.