Skip to main content

IDHub Stale Check Feature

Overview

The core objective of Stale Check feature in IDHub, is to validate the existence of accounts and entitlements in target system, so that only valid and accurate accounts remain active within IDHub. As the name of the feature suggests, stale data which includes non-existent accounts and entitlements in target system are removed by this feature upon reconciliation of the application in IDHub. This ensures that the data is accurate and consistent across IDHub and your target system.

The Stale Check feature of IDHub meets the following goals:

  • It ensures that the IDHub always has up-to-date account and entitlement information across target systems.
  • It helps in identity governance requirements since it revokes accounts and entitlements that no longer exist in the target system.
  • It provides a mechanism to handle stale data across target systems according to configurable criteria.

Stale Check Functions

Stale Check has two configurable options, based on which this feature works. They are discussed as follows:

Stale Check Toggle

  • To enable the Stale Check feature, you need to toggle this switch to On.
  • If the Stale Check toggle button is Off, then in that case, non-existent accounts or entitlements in the target system will not be removed or revoked upon reconciliation of the application in IDHub.

Stale Check Days

You can set the Stale Check days as 0 Or you can set the Stale Check days to 1 or more.

  • Set the Stale Check days as 0
    • This means that upon reconciliation of the application, the non-existent accounts and entitlements of target system would be immediately revoked/removed from IDHub. In other words, stale data (non-existent) accounts / entitlements in the target system would be removed instantly when you execute the reconciliation of the application in IDHub.
  • Set the Stale Check days as 1 or more
    • This means that the stale data from the target system would not be removed immediately upon reconciliation, and IDHub would wait the “configured” stale days, before revoking or removing them in IDHub.
ConditionAccount Revocation in IDHubEntitlement Removal in IDHub
Stale Check Days = 0Instant revocation upon reconciliationInstant removal upon reconciliation
Stale Check Days ≥ 1Revocation after the defined stale day delay upon reconciliationRemoval after the defined stale day delay upon reconciliation
Stale Check Toggled OffNo revocation upon reconciliationNo removal upon reconciliation
info

Provisioning: Regular account and entitlement provisioning will continue unaffected.

How to Configure Stale Check?

To configure Stale Check function, there are two basic parameters or options that you have to take into consideration. Below, we have discussed the detailed steps for configuring Stale Check in IDHub:

Enable Stale Check function

The first step is to enable the Stale Check toggle function. Please refer to the following steps for the same:

  • Login to IDHub tenant as an admin.
  • Go to Manage Catalog (under IDHub admin app).
  • Click on the Edit icon for the application for which you want to enable the Stale Check.
  • In the Basic details section, at the bottom of the page, you will find the Stale Check toggle, which you need to click to make it On to activate the Stale Check feature for the application.

Entering the Number of Stale Days

The second step for configuring the Stale Check function is to decide the number of days, that you would like IDHub to wait, before IDHub removes or revokes stale data from your IDHub tenant. The various options are discussed below:

  1. Set the Stale Days to Zero

If you want to immediately revoke or remove accounts / entitlements not found in your target system in IDHub, upon reconciliation of the application, then you need to set the Stale Check number of days to zero. This ensures that when you run the full reconciliation of the application from IDHub, then IDHub would immediately revoke or remove stale accounts or entitlements not found in your target system.

  1. Setting the Stale Days to One or more

If you want IDHub to wait for few days, before revoking or removing stale accounts or entitlements in IDHub, upon full reconciliation of the application, then you need to set the Stale Check number of days to one or more. The process for the same is explained in details as follows:

  • IDHub would record the timestamp, when the Stale Check is enabled for the application.
    • When you run the full reconciliation of the application, IDHub would calculate the duration between Stale Check timestamp and reconciliation timestamp.
    • If the duration is less than the configured stale days, then IDHub would NOT remove the stale data (accounts and entitlements) in IDHub when the reconciliation is run.
    • If the duration is greater than the configured stale days, then IDHub would go ahead and remove the stale (accounts and entitlements) data in IDHub, upon full reconciliation of the application.
  • This feature ensures that you are allowing IDHub to wait for “configured” number of days, before IDHub removes and revokes accounts / entitlements not found in your target system upon full reconciliation of the application.
  • This is particularly useful in scenarios, where users or groups in your target system might have inadvertently removed or deleted, therefore, you would like IDHub to wait for configured number of days, before removing the stale accounts / entitlements in IDHub upon reconciliation.

How to Remove Account via Stale Check?

  • Ensure that you have logged into IDHub as a tenant Admin.
  • Onboard a Connected Application.
  • Navigate to Manage Catalog in the IDHub Admin App and then click on the Edit icon for the Application.

  • Toggle the Slate Check to ON. Let us say, you want instant revocation of accounts, therefore, you can set the Stale Check days to zero.

  • An approval task would be created, to approve the editing of the application.
    • If you have the Access Manager role, then you need to claim and approve the task by going to the Tasks section of the IDHub Admin app and then approving the Application Edit Task.
  • Once the task is completed, you can verify the Stale Check status by clicking on the application’s card in the manage catalog.

  • Now, the Stale Check is enabled and is set to zero days, which means any accounts would be revoked from IDHub, if it is not present in the target system upon reconciliation of the application.
  • Therefore if you delete a user from your target system, then that account will be revoked from IDHub as well, upon reconciliation of the application.
  • Assuming, that you have deleted a user from your target system. Go to IDHub admin app, then do the Application Reconciliation by following the below steps:
    • Go to Manage Catalog.
    • Click on the 3-dot menu in the application card.
    • Click on the Application Sync Menu.

  • Click on the Reconcile tab and click on the submit button.

  • Go back to Manage Catalog and then click on the application card and then click on the Reconciliation Logs tab.
    • Click on View to see the details of the reconciliation log.
  • You will see that the user which has been deleted from your target system, that user’s access has been revoked from IDHub as well.

How Remove Entitlement via Stale Check?

  • Follow the steps (as described above) to activate the Stale Check function.
  • Remove one of the entitlements from the target system, which is no longer required.
  • Go to IDHub Admin app, then do the following steps:
    • Go to Manage Catalog.
    • Click on the 3 dots menu in the application card.
    • Click on the Application Sync Menu.
    • In the Entity drop-down select Entitlement.
    • Click on the Submit button.

  • Go back to Manage Catalog and then click on the application card and then click on the Reconciliation Logs tab.
    • Click on View to see the details of the reconciliation log.
  • You will see that the group that you have removed from the target system, that entitlement has been removed from IDHub as well.

Entitlement Removal Areas in IDHub

In the below section, we discuss the different areas in IDHub from where the entitlement would be removed.

  • Search catalog
    • The entitlement would be removed from the search catalog and users cannot search or request for access to that entitlement.
  • Manage Catalog
    • The entitlement would be removed from the Manage Catalog.
  • Certification
    • If there is an existing certificate which had the deleted entitlement, IDHub removes the entitlement from the certificate definition.
    • Therefore, if the certificate definition had the removed entitlement in the resources to certify, then the entitlement would be removed from that section of the certificate.
info

There would be no change in the running certification tasks which had the deleted entitlement.

  • Request
    • If there is an request associated with the deleted entitlement, then IDHub would show “Deleted Entitlement” (instead of the entitlement name) for that request in the request card and request details page.
  • Role
    • If there is a role which had the deleted entitlement, the entitlement would be removed from the role
    • If a user got the role via birthright or request (before the deletion of the entitlement), then the deleted entitlement would not be shown in the user profile page for that role.
    • If the role was disabled and after that the entitlement got removed, then IDHub would still remove the deleted entitlement from the role.
  • Cart
    • If the deleted entitlement was added to the cart, then IDHub would remove the deleted entitlement from the cart.
  • Save and Share List
    • If the list contains other items apart from the deleted entitlement, then the deleted entitlement would be removed from the list.
    • If the list contains only the deleted entitlement item, then entire list would be removed by IDHub.