I have been fighting with this topic for a while. It always comes up in conversations with customers and fellow workers. Reconciliation can cause you headaches or it can be your friend. What I am going to attempt first is a basic blog about recons. Then I plan to go into detail, in another blog, on how an AD recon works by going through the gateway and then to AD. So here it goes.

1. What is a Recon?

It is a way of loading resource account information into IDM, taking a recon policy into account if one is configured. It compares the contents of the account index to what the resource currently contains.

A recon can detect new and deleted accounts and changes to account attributes, and it finds accounts that are not associated with IDM users.

To run a recon you need to have at least one resource adapter configured.

2. Types of Recons:

We have two types of recons, Full and Incremental. If a Full recon is running and you kick off an Incremental, the Incremental will be ignored. If an Incremental is running and you kick off a Full, the Incremental will stop and the Full will start.

Full Recon - recalculates the existence, ownership and situation for every account listed by the adapter. An IDM user can claim a resource by having a role that includes the resource, being assigned the resource directly, having a resource group, or referring to an account on that resource.

Incremental Recon - is like an incremental backup of your data. It is fast and assumes that the information in the account index is accurate. It skips the step of examining the IDM users that have the resource, and it calculates a situation only for accounts that have been added or deleted since the last recon ran. It basically compares the IDs in the account index to the list of users returned from the resource: new users are recorded as existing and deleted accounts as no longer existing.

3. Process of Full Recon:

    1. For each account, the recon confirms that any IDM owner recorded in the Account Index still exists and still claims the account.

    2. Any account that doesn't have an owner is correlated with IDM users, as long as the recon policy has a correlation rule.

    3. If the rule suggests one or more possible owners, each of them is double-checked against a confirmation rule, if one is configured.

    4. Once ownership has been cleared up, the recon performs whatever response is configured in the recon policy for the resource.

    5. If the recon policy specifies a workflow to be performed per-account, the full recon performs it for each account reconciled, after the situation response has been performed.

4. Status of Reconciler

We have multiple states. These are displayed on the Resources tab next to the resource itself, but they become stale after a while unless you hit the Reset View button. The best way to see the status is to click on the resource and choose "View Reconciler Status" from the Resource Actions drop-down menu. Some of the statuses you will see are:

    1. Pending - the first status you will see; it means the task was kicked off but is waiting for the Scheduler to pick it up.

    2. Account Indexing - IDM examines each IDM user that has the resource in question.

    3. Examining Resource - IDM queries the actual resource to get all the users the resource knows about.

After this third status you will not see a new one, but the recon goes into a "Reconciling" phase. This is where all the work occurs (edit, delete, modify).

After the "Reconciling" phase is done you will see one of several final statuses. Hopefully you will see Completed, but you may see Failed, Canceled or Completed with Errors. If you're on the View Reconciler Status page you will see the outcome.

5. Some general terms used with Recons

    1. Recon Policy: This lets you list a set of responses, by resource, for each recon task. In here you can set the server you want the recon to run on, and determine how often and when you want it to occur.

You can set a response for each situation you encounter.

For instance:
Say that you run a recon on a new resource. If you have nothing set in your situations, all of your users will show up as Unmatched. If you then set the response to "create resource account", it will create the account, and when you run the recon again the situation will move to Confirmed.

[Screenshot: Recon Policy]

What do the Situations mean:

    1. Confirmed - user says the account exists, resource adapter agrees.

    2. Unassigned - resource account matches exactly one user, but the user doesn't say anything about the account.

    3. Missing - the user says the account may exist, but the resource states it doesn't exist.

    4. Unmatched - resource account matches no user.

    5. Deleted - user states the account exists, but the resource states it doesn't exist.

    6. Collision - two or more users claim the same resource account.

    7. Found - user states the account may exist, and the resource states it does exist.

    8. Disputed - resource account matches more than one user.
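To make the situation table above and the Full/Incremental distinction from section 2 concrete, here is an added toy model written for this post (it is not Sun IDM code and does not use any IDM API). All users, accounts and attribute values are constructed; the correlation rule (match on email) and confirmation rule (reject disabled users) are hypothetical stand-ins for whatever rules a real recon policy would carry. `full_recon` walks every account the resource lists plus every account an IDM user claims and assigns one of the eight situations; `incremental_recon` trusts the account index and only records additions and deletions, as the incremental description says.

```python
"""Toy model of IDM reconciliation: full-recon situation detection and an
incremental pass.  Constructed example for illustration, not Sun IDM code."""
from enum import Enum


class Situation(Enum):
    CONFIRMED = "Confirmed"
    UNASSIGNED = "Unassigned"
    MISSING = "Missing"
    UNMATCHED = "Unmatched"
    DELETED = "Deleted"
    COLLISION = "Collision"
    FOUND = "Found"
    DISPUTED = "Disputed"


# Constructed IDM users (hypothetical names).  "claims" is what the user object
# says about an account on this resource: "exists" or "may exist".
USERS = {
    "jdoe":   {"claims": {"jdoe": "exists"}, "email": "jdoe@example.com", "disabled": False},
    "asmith": {"claims": {"asmith": "may exist"}, "email": "asmith@example.com", "disabled": False},
    "bjones": {"claims": {"bjones": "exists"}, "email": "bjones@example.com", "disabled": False},
    "hroy":   {"claims": {"hroy": "may exist"}, "email": "hroy@example.com", "disabled": False},
    "ckim":   {"claims": {}, "email": "ckim@example.com", "disabled": False},
    "dlee":   {"claims": {}, "email": "shared@example.com", "disabled": False},
    "elam":   {"claims": {}, "email": "shared@example.com", "disabled": False},
    "fwong":  {"claims": {"shared_acct": "exists"}, "email": "fwong@example.com", "disabled": False},
    "gpatel": {"claims": {"shared_acct": "exists"}, "email": "gpatel@example.com", "disabled": False},
    "xold":   {"claims": {}, "email": "backup@example.com", "disabled": True},
}

# Constructed list of accounts the resource adapter returned, with one attribute.
# "bjones" and "hroy" are deliberately absent: the resource no longer has them.
RESOURCE_ACCOUNTS = {
    "jdoe": {"email": "jdoe@example.com"},
    "asmith": {"email": "asmith@example.com"},
    "ckim": {"email": "ckim@example.com"},
    "dup": {"email": "shared@example.com"},
    "shared_acct": {"email": "shared@example.com"},
    "svc_backup": {"email": "backup@example.com"},
}


def correlation_rule(account, users):
    """Hypothetical correlation rule: candidate owners share the account's email."""
    return [u for u, d in users.items() if d["email"] == account["email"]]


def confirmation_rule(user_id, users):
    """Hypothetical confirmation rule: a disabled user may not be a candidate owner."""
    return not users[user_id]["disabled"]


def full_recon(users, resource_accounts):
    """Return {account_id: Situation} for every account the resource lists or a user claims."""
    situations = {}
    claimed = {a for d in users.values() for a in d["claims"]}
    for acct_id in sorted(claimed | set(resource_accounts)):
        # who claims this account, and what they say about it
        claimants = {u: d["claims"][acct_id] for u, d in users.items() if acct_id in d["claims"]}
        on_resource = acct_id in resource_accounts
        if on_resource and len(claimants) > 1:
            situations[acct_id] = Situation.COLLISION
        elif on_resource and len(claimants) == 1:
            (status,) = claimants.values()
            situations[acct_id] = Situation.CONFIRMED if status == "exists" else Situation.FOUND
        elif on_resource:
            # nobody claims it: correlate, then double-check each candidate
            candidates = [u for u in correlation_rule(resource_accounts[acct_id], users)
                          if confirmation_rule(u, users)]
            situations[acct_id] = {0: Situation.UNMATCHED, 1: Situation.UNASSIGNED}.get(
                len(candidates), Situation.DISPUTED)
        elif claimants:
            # gone from the resource: Deleted if a user said it existed, Missing if only "may exist"
            situations[acct_id] = (Situation.DELETED if "exists" in claimants.values()
                                   else Situation.MISSING)
    return situations


def incremental_recon(account_index, resource_account_ids):
    """Incremental pass: trust the index (account id -> exists flag) and only
    record accounts that appeared or disappeared since the last run."""
    new_index, changes = dict(account_index), {}
    for acct_id in resource_account_ids:
        if not account_index.get(acct_id, False):
            new_index[acct_id] = True
            changes[acct_id] = "added"
    for acct_id, exists in account_index.items():
        if exists and acct_id not in resource_account_ids:
            new_index[acct_id] = False
            changes[acct_id] = "deleted"
    return new_index, changes


if __name__ == "__main__":
    for acct, sit in full_recon(USERS, RESOURCE_ACCOUNTS).items():
        print(f"{acct:12s} {sit.value}")
    print(incremental_recon({"jdoe": True, "asmith": True, "bjones": True, "hroy": False},
                            set(RESOURCE_ACCOUNTS)))
```

Running it shows one account in each situation: `jdoe` Confirmed, `asmith` Found, `bjones` Deleted, `hroy` Missing, `ckim` Unassigned, `dup` Disputed, `shared_acct` Collision and `svc_backup` Unmatched (its only correlated candidate fails the confirmation rule). The incremental pass, by contrast, never correlates or examines users; it just flags `bjones` as deleted and the four accounts not yet in the index as added, which is why it is fast and why it depends on the index being accurate.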

Responses can be: Inherit the default policy, Do nothing, Unlink resource account, or Create the resource account.

Recon Workflows

You can extend the recon processing by adding a user defined workflow.
We have 3 listed on the recon policy, pre-resource workflow, per-account workflow and post-resource workflow.

A workflow is a list of actions or tasks that get followed. It is a logical, repeatable process during which documents, information, or tasks are passed from one person or machine to another for action, according to a set of procedural rules.

    1. Pre-resource is a workflow that is launched before the recon process even starts.

    2. Per-account is a workflow that is launched for each account processed by the recon, after the response (if any) is completed.

    3. Post-resource is a workflow that is launched after all other recon processing is complete.

2. Resource Scheduling:

Recon has two separate schedules for each resource, one for Incremental and one for Full. When you create a schedule in the recon policy, it configures a task called a "requester". This allows the recon to be controlled by the external task Scheduler.

Note: A recon daemon that isn't doing anything consumes very few resources.

To look at what the scheduler is doing you can trace the com.waveset.task.Scheduler class. This can be done from the debug page in either of two ways: click the Show Trace button and add the class above, or click the Trace Scheduler button on the debug page.

[Screenshot: debug page]

3. Reconcile Configuration - This contains several attributes that can't be changed by editing the Reconcile Policy. It can be edited through the debug page: click the List Object button, select Configuration, and then choose Reconcile Configuration in the drop-down box.

Now I know this just scratched the surface and next time I will go over the threads and also how to debug this. I will also go through how the Gateway comes into play for those resources that require one. I hope you find these posts useful and as always please feel free to ask questions.





I have been in support for about 10 years now and have been doing IDM support for 5 years now. I have been working for SUN for 9 years and have supported the whole JES Stack during that time.

