Account Reconciliation If the target system identities are accounts that get

Figure 4–5 Identity and Account Reconciliation

4.2.1.1.3 Reconciliation Process Flow

The reconciliation process flow is shown in Figure 4–6:

Figure 4–6 Reconciliation Process Flow

Note: When the value of the XL.UserProfileAuditDataCollection property is set to an audit data collection level, then the account reconciliation performs the matching in the database layer at a batch-level and performs the event action by using the provisioning APIs. This in turn triggers the audit event handlers for account reconciliation. By default, the value of this property is set to Resource Form. See "Administering System Properties" for information about system properties in Oracle Identity Manager in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Reconciliation process involves the following steps:

1. Changes in the target system:

The various activities that can happen in the target system are creation, modification, or deletion of user, account, role, role membership, or role hierarchy.

2. Providing reconciliation data:

When the creation, modification, or deletion event occurs, data about that event is sent to the reconciliation service by using reconciliation APIs.

3. Creation of reconciliation event record:

When the data for a reconciliation event is provided to the reconciliation service, a record of that event is stored in the Oracle Identity Manager repository.

4. Processing of the reconciliation event data:

The data received is then evaluated to determine the actual operation to be performed in Oracle Identity Manager based on the changes in the target system. The evaluation involves application of a specific set of rules that help in:

a. Identifying whether the data is for an account or for an identity that Oracle Identity Manager already has a record of

b. Identifying the owner of the account or identity that the data represents

c. Defining the context-sensitive action to be taken

d. Setting the status of the event at the end of evaluation and the action that the reconciliation engine must take

5. Taking action on the event:

Based on the evaluation result of processing the reconciliation event data, the intended action is taken. The various actions can be:

Note: If you create an entity on an external system and then modify it a short time later, reconciliation processes the create entity step, but the modify entity step fails with the Creation Failed event status. This is because reconciliation cannot process a create and a modify action for the same entity in the same batch process. However, the entity modification action can be resubmitted for reconciliation at a later time by one of the following built-in mechanisms:

■ The Automated Retry of Failed Async Task scheduled task will run to re-process the failed events without any manual intervention. See "Automated Retry Error Handling Mechanism" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for details.

■ The failed event will be re-processed if the Manual Retry Error Handling Mechanism is triggered. See "Manual Retry Error Handling Mechanism" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for details.

Reconciliation failure messages that are caused by processing conflicts within the same batch process should be regarded as transitory failures only.

Note: Reconciliation service refers to the collection of reconciliation engine, reconciliation APIs, and the associated metadata and schema.
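The same-batch create and modify conflict described in the note above, as a simplified model added here for illustration; it is not Oracle Identity Manager code. The class and function names, the status labels other than Creation Failed, and the assumption that matching uses the repository state from the start of the batch are all constructed for this example.

```python
from dataclasses import dataclass, field

TRANSITORY = "Creation Failed"  # event status named in the note above

@dataclass
class ReconEvent:
    entity: str                 # key of the account or identity in the target system
    op: str                     # "create" or "modify"
    data: dict = field(default_factory=dict)
    status: str = "pending"     # constructed label, except TRANSITORY

def process_batch(events, repo):
    """Apply one batch to repo (entity -> attributes); return events to retry.

    Assumption: every event in the batch is matched against the repository
    as it stood when the batch started, so a modify that follows a create of
    the same entity in the same batch cannot find its record yet.
    """
    known_at_start = set(repo)
    for ev in events:
        matched = ev.entity in known_at_start
        if ev.op == "create" and not matched:
            repo[ev.entity] = dict(ev.data)
            ev.status = "created"
        elif ev.op == "modify" and matched:
            repo[ev.entity].update(ev.data)
            ev.status = "updated"
        elif ev.op == "modify" and ev.entity in repo:
            ev.status = TRANSITORY      # created earlier in this same batch
        else:
            ev.status = "unmatched"     # needs an administrator's decision
    return [ev for ev in events if ev.status == TRANSITORY]

def retry(failed, repo):
    """Resubmit failed events as a later batch, as the retry mechanisms do."""
    for ev in failed:
        ev.status = "pending"
    return process_batch(failed, repo)

def demo():
    repo = {"jdoe": {"dept": "HR"}}     # constructed sample data
    batch = [ReconEvent("asmith", "create", {"dept": "IT"}),
             ReconEvent("asmith", "modify", {"dept": "Sec"}),
             ReconEvent("jdoe", "modify", {"dept": "Fin"})]
    failed = process_batch(batch, repo)
    first_pass = [(ev.entity, ev.status) for ev in batch]
    still_failed = retry(failed, repo)
    return first_pass, still_failed, repo
```

In this model the modify for `asmith` fails only in the batch that also created the account and succeeds on resubmission, which is why such failures are treated as transitory, while an `unmatched` event would not clear on retry.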