Relevant Reconciliation Database Tables and Queries
Table Of Contents
1. Introduction
2. Reconciliation table schema
   2.1 RECONCILIATION table
   2.2 RECONCILIATION_INFO table
3. Other tables relevant to reconciliation
   3.1 PROCESS table
   3.2 ACTIVITY table
   3.3 SERVICE table
4. Types of Reconciliation
   4.1 How to identify the type of service / reconciliation
5. Sample Queries
   5.1 How to identify last reconciliation for a given service DN?
   5.2 Account Reconciliation
       5.2.1 Getting Summary of Reconciliation
       5.2.2 Getting Count of entries from RECONCILIATION_INFO table
       5.2.3 Getting entries of a particular operation from RECONCILIATION_INFO table
   5.3 Person Reconciliation with workflow
       5.3.1 Identifying Reconciliation with workflow
       5.3.2 Getting Summary of Reconciliation
       5.3.3 Getting Count of entries from RECONCILIATION_INFO table
       5.3.4 Getting entries of a particular operation from RECONCILIATION_INFO table
   5.4 Person Reconciliation without workflow
       5.4.1 Getting Summary of Reconciliation
       5.4.2 Getting Count of entries from RECONCILIATION_INFO table
       5.4.3 Getting entries of a particular operation from RECONCILIATION_INFO table
6. Generating CSV Report from Query Result Set
Glossary of Important Terms
1. Introduction
This document describes the two reconciliation tables, RECONCILIATION and RECONCILIATION_INFO, and how they are used to query information about reconciliations. It also describes how other ITIM tables such as SERVICE, PROCESS and ACTIVITY are used to fetch data related to reconciliations, and documents the character codes stored in these tables together with their semantics. Finally, it provides SQL queries that can be used with any reporting tool to query reconciliation data.
The reader is assumed to know databases, SQL, the ITIM database schema, the reconciliation process, and ITIM processes and activities. Knowledge of a reporting tool and/or a programming language such as Java is helpful.
2. Reconciliation table schema
Two tables store the reconciliation data in the system: RECONCILIATION and RECONCILIATION_INFO. Both are populated by the remote services component as the last step of the reconciliation process. Data synchronization is not a prerequisite for populating these tables (unlike the SERVICE table, see section 3.3).
2.1 RECONCILIATION table
This table holds the summary information for reconciliations of the various service instances: one row for every completed reconciliation of every service instance.
Table 1: RECONCILIATION

Column Name       | Data Type | Description
RECONID (PK)      | varchar   | Identifier that uniquely identifies a reconciliation. The id is unique across every reconciliation of every service.
ServiceDN         | varchar   | The DN of the service for which this entry is recorded.
ProcessedAccounts | int       | Total number of accounts processed during the reconciliation.
LocalAccounts     | int       | Total number of new local accounts created.
TimUserAccounts   | int       | Number of processed accounts which belong to users in ITIM.
PolicyViolations  | int       | Number of policy violations of accounts for this service instance.
STARTED           | datetime  | Start time of the reconciliation.
COMPLETED         | datetime  | End time of the reconciliation.
ACTIVITY_ID       | bigint    | Activity ID of the reconciliation activity. Join it to ACTIVITY.ID to reach the status of the reconciliation (see Query 4).
2.2 RECONCILIATION_INFO table
This table holds the details of each reconciliation: for example, every account or person entry reconciled during the run. The table has no primary key constraint; join it to RECONCILIATION on RECONID and expect many rows per reconciliation.
Table 2: RECONCILIATION_INFO

Column Name            | Data Type | Description
RECONID                | varchar   | Identifier of the reconciliation; this column is joined to RECONCILIATION.RECONID.
AccountID              | varchar   | The ID of an entry (for example an account).
POLICYCOMPLIANCESTATUS | varchar   | Policy compliance status of this processed entry (see Table 5).
UserName               | varchar   | Name of the user associated with AccountID.
Operation              | varchar   | The operation performed for this entry for this service instance. Possible values for an account entry are NL, NO, SA, DA etc.; these codes stand for account operations such as "New Local", "New Orphan", "Suspended Account" and "Deprovisioned Account" (see Tables 3 and 4).
Remarks                | varchar   | The reason for the policy violation for accounts with policy violations, and the list of modified attributes for modified accounts.
HANDLE                 | int       | Workflow handle of this person entry when a workflow is associated with the reconciliation, -1 otherwise. The queries in section 5.3 join this column to ACTIVITY.PROCESS_ID and PROCESS.ID, that is, they treat it as the id of the workflow process.
The OPERATION column contains values corresponding to the reconciliation status of the reconciled entry.
The following table lists the distinct values of the OPERATION column and their semantics for Account reconciliation (described later).

Table 3: OPERATION values for Account reconciliation

Value | Meaning               | Description
NO    | New Orphan account    | A new orphan account was created for this entry.
NL    | New Local account     | A new local account was created for this entry.
MA    | Modified Account      | This account was modified during reconciliation.
RL    | Removed Local account | This account was removed from ITIM during reconciliation.
FP    | Failed Policy         | This account failed policy evaluation during reconciliation.
SA    | Suspended Account     | This account was suspended during reconciliation due to policy enforcement.
DA    | Deprovisioned Account | This account was deprovisioned during reconciliation due to policy enforcement.
The following table lists the distinct values of the OPERATION column and their semantics for Person reconciliation (described later).

Table 4: OPERATION values for Person reconciliation

Value | Meaning               | Description
AP    | Add Person            | This person was added during reconciliation.
MP    | Modify Person         | This person was modified during reconciliation.
FAP   | Failed Add Person     | This person entry failed addition during reconciliation.
FMP   | Failed Modify Person  | This person entry failed modification during reconciliation.
UP    | Unchanged Person      | This person entry was unchanged during reconciliation.
PAP   | Pending Add Person    | This person entry is pending addition due to a workflow activity.
PMP   | Pending Modify Person | This person entry is pending modification due to a workflow activity.
The following table lists the distinct values of the POLICYCOMPLIANCESTATUS column and their semantics. Table 2 declares the column as varchar, so compare it against quoted literals (for example '1') rather than integers.

Table 5: POLICYCOMPLIANCESTATUS values

Value | Meaning
0     | Account Compliance Unknown
1     | Account is Compliant
2     | Unauthorized
3     | Constraint Violation
3 Other tables relevant to reconciliation
Generating useful reports requires some other tables of the ITIM database that store information about reconciled entries and services: PROCESS, ACTIVITY and SERVICE. The following sections discuss these tables, limited to the columns that are relevant to reconciliation.
3.1 PROCESS table
The PROCESS table stores all pending, running and historical requests submitted to the Tivoli Identity Manager workflow; each request is represented as a process.
When a workflow is attached to the reconciliation process, PROCESS holds information about the reconciled entries. For example, an HR feed (person reconciliation) in ITIM Express 4.6 creates a Personal Password account for every reconciled person entry through a workflow. Some of these workflow activities may complete after the reconciliation itself has finished, so this table records their status at a given point in time.
The important columns of the PROCESS table with respect to reconciliation are listed below.
Table 6: PROCESS

Column Name    | Data Type | Description
ID             | numeric   | Process ID number.
RESULT_SUMMARY | character | Character code giving the result of the process, such as SS, SF, SW or PE (see Table 7 for their meanings).

3.2 ACTIVITY table
The ACTIVITY table contains records of each workflow process's execution flow.
Table 7: ACTIVITY

Column Name    | Data Type      | Description
ID             | numeric        | Activity ID number.
PROCESS_ID     | numeric        | ID of the process the activity belongs to.
DEFINITION_ID  | character      | Activity definition identifier (for example CREATEPERSON or MODIFYPERSON, used in section 5.3).
RESULT_SUMMARY | character      | Activity result summary code. Important values: RS (submitted), SS (success), SF (failed), SW (warning), PE (pending).
RESULT_DETAIL  | long character | Detailed result information for the activity.
3.3 SERVICE table
This table is dropped, recreated and populated as part of data synchronization. Data synchronization must therefore be run before any SQL query or report that uses this table; otherwise the table may be missing or stale. It contains the details of all services in the system, and its columns are configurable through the schema designer functionality of ITIM. Some important columns are:
Table 8: SERVICE

Column Name   | Data Type | Description
DN            | character | DN of the service.
TARGETCLASS   | character | Targetclass (object class) of the service.
ERSERVICENAME | character | Name of the service.
SERVICETYPE   | character | Type of the service.
This table is used to obtain the name of the service whose reconciliation data is being queried: join RECONCILIATION.SERVICEDN to SERVICE.DN and read ERSERVICENAME.
Query 1
SELECT SERVICE.ERSERVICENAME
FROM SERVICE, RECONCILIATION
WHERE SERVICE.DN = RECONCILIATION.SERVICEDN
AND RECONCILIATION.SERVICEDN = '?'
NOTE: '?' in the above query is a placeholder for a value to be provided by the user before executing the query (with a reporting tool or JDBC, bind it as a parameter rather than pasting the value into the SQL text). The same convention is used throughout this document.
4 Types of Reconciliation
There are two categories of reconciliation (and, correspondingly, of services) in ITIM.
1. Person Reconciliation: also called feed reconciliation; the services are referred to as feed services. Typical examples are CSV feed and DSML services.
2. Account Reconciliation: fetches account data from managed resources such as Windows local machines, databases such as Oracle, Windows Active Directory machines, etc.
4.1 How to identify the type of service / reconciliation
The following query returns the targetclass from which the category of a particular service is derived:
Query 2
SELECT TARGETCLASS
FROM SERVICE
WHERE SERVICE.DN = '?'
If the targetclass returned by the query is one of the following, the service is of the Person Reconciliation type; otherwise it is of the Account Reconciliation type. LDAP object class names are not case-sensitive, so compare them case-insensitively.
List of Person Reconciliation service targetclasses:
1. ercsvfeed
2. eradjndifeed
3. erjndifeed
4. erDSMLInfoService
5. erDSML2Service
5 Sample Queries
This section contains sample queries taken from the out-of-the-box Reconciliation Statistics report, which runs them against the database while the report is generated.
5.1 How to identify last reconciliation for a given service DN?
To identify the last reconciliation for a given service DN, the following query can be used.
Query 3
SELECT COMPLETED, RECONID, ACTIVITY_ID
FROM RECONCILIATION
WHERE SERVICEDN = '?'
AND COMPLETED = (SELECT MAX(COMPLETED) FROM RECONCILIATION WHERE SERVICEDN = '?')
Replace both '?' placeholders with the service DN.
The following query gives the status of that reconciliation.
Query 4
SELECT PROCESS.RESULT_SUMMARY
FROM PROCESS
WHERE PROCESS.ID = (SELECT ACTIVITY.PROCESS_ID FROM ACTIVITY WHERE ACTIVITY.ID = ?)
Replace ? with the ACTIVITY_ID obtained from Query 3. The returned code is decoded with Table 7.
5.2 Account Reconciliation
Several queries are needed to fetch the data related to an account reconciliation. This section describes them in detail.
5.2.1 Getting Summary of Reconciliation
The following query returns the summary of an account reconciliation: the number of accounts processed, the number of new local accounts, the number of accounts belonging to ITIM users and the number of accounts with policy violations.
Query 5
SELECT PROCESSEDACCOUNTS, TIMUSERACCOUNTS, POLICYVIOLATIONS, LOCALACCOUNTS
FROM RECONCILIATION
WHERE RECONID = '?'
5.2.2 Getting Count of entries from RECONCILIATION_INFO table
While generating a report it may be desirable to know how many entries are present, grouped by the account operation performed during reconciliation. For example, the number of New Local (NL) accounts created during a reconciliation is returned by the following query.
Query 6
SELECT COUNT(RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO
WHERE RECONCILIATION_INFO.RECONID = '?'
AND RECONCILIATION_INFO.OPERATION = 'NL'
Refer to Table 3 for the other OPERATION codes.
5.2.3 Getting entries of a particular operation from RECONCILIATION_INFO table
Once the number of entries of a particular operation type is known, the entries themselves can be fetched as follows:
Query 7
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO
WHERE RECONCILIATION_INFO.RECONID = '?'
AND RECONCILIATION_INFO.OPERATION = 'NL'
ORDER BY RECONCILIATION_INFO.ACCOUNTID
The same query with a different OPERATION value (refer to Table 3) returns the entries of the other operation types.
5.3 Person Reconciliation with workflow
There are two types of person reconciliation in ITIM. This section describes how to get the data of a person reconciliation that has a workflow associated with it.
5.3.1 Identifying Reconciliation with workflow
A reconciliation that has a workflow associated with it can be identified with the following query. In essence, if RECONCILIATION_INFO.HANDLE has a value other than -1 for any of its entries, the reconciliation uses a workflow.
Query 8
SELECT COUNT(HANDLE)
FROM RECONCILIATION_INFO
WHERE (RECONID = '?')
AND (HANDLE <> -1)
If the value returned is greater than 0, the reconciliation identified by the RECONID given at '?' uses a workflow; otherwise no workflow is associated with it.
5.3.2 Getting Summary of Reconciliation
To get the total number of person entries processed by a specific reconciliation, the following query can be used.
Query 9
SELECT PROCESSEDACCOUNTS
FROM RECONCILIATION
WHERE RECONID = '?'
5.3.3 Getting Count of entries from RECONCILIATION_INFO table
The following query returns the count of entries that are pending addition due to workflow.
Query 10
SELECT COUNT (ACCOUNTID)
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY='SS')
AND (RECONID = '?')
AND ((OPERATION='PAP') AND (ACTIVITY.DEFINITION_ID = 'CREATEPERSON'))
Similarly, the following query returns the count of entries that are pending modification due to workflow.
Query 11
SELECT COUNT (ACCOUNTID)
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY='SS')
AND (RECONID = '?')
AND ((OPERATION='PMP') AND (ACTIVITY.DEFINITION_ID = 'MODIFYPERSON'))
The following pair of queries returns the count of entries that failed during person addition; adding the two counts gives the total number of persons that failed addition. Query 12 counts entries whose CREATEPERSON activity did not succeed; Query 13 counts entries whose workflow process did not succeed and never reached a CREATEPERSON activity. Note that RESULT_SUMMARY <> 'SS' also matches the PE and RS codes of Table 7, so work that is still pending when the report runs is counted as failed.
Query 12
SELECT COUNT (RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY<>'SS')
AND (RECONID = '?')
AND ((OPERATION='PAP') AND (ACTIVITY.DEFINITION_ID = 'CREATEPERSON'))
Query 13
SELECT COUNT (RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO, PROCESS
WHERE (PROCESS.ID = RECONCILIATION_INFO.HANDLE)
AND (PROCESS.RESULT_SUMMARY<>'SS')
AND (RECONCILIATION_INFO.RECONID = '?')
AND PROCESS.ID NOT IN (SELECT ACTIVITY.PROCESS_ID FROM ACTIVITY WHERE
ACTIVITY.DEFINITION_ID = 'CREATEPERSON')
Similarly, the following pair of queries returns the count of entries that failed during person modification; adding the two counts gives the total number of persons that failed modification. Pending modifications carry the PMP code of Table 4.
Query 14
SELECT COUNT (RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY<>'SS')
AND (RECONID = '?')
AND ((OPERATION='PMP') AND (ACTIVITY.DEFINITION_ID = 'MODIFYPERSON'))
Query 15
SELECT COUNT (RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO, PROCESS
WHERE (PROCESS.ID = RECONCILIATION_INFO.HANDLE)
AND (PROCESS.RESULT_SUMMARY<>'SS')
AND (RECONCILIATION_INFO.RECONID = '?')
AND PROCESS.ID NOT IN (SELECT ACTIVITY.PROCESS_ID FROM ACTIVITY WHERE
ACTIVITY.DEFINITION_ID = 'MODIFYPERSON')
5.3.4 Getting entries of a particular operation from RECONCILIATION_INFO table
The following query returns the entries that are pending addition due to workflow.
Query 16
SELECT ACCOUNTID
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY='SS')
AND (RECONID = '?')
AND ((OPERATION='PAP') AND (ACTIVITY.DEFINITION_ID = 'CREATEPERSON'))
Similarly, the following query returns the entries that are pending modification due to workflow.
Query 17
SELECT ACCOUNTID
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY='SS')
AND (RECONID = '?')
AND ((OPERATION='PMP') AND (ACTIVITY.DEFINITION_ID = 'MODIFYPERSON'))
The following pair of queries returns the entries that failed during person addition; the union of the two result sets is the full list of persons that failed addition.
Query 18
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY<>'SS')
AND (RECONID = '?')
AND ((OPERATION='PAP') AND (ACTIVITY.DEFINITION_ID = 'CREATEPERSON'))
Query 19
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO, PROCESS
WHERE (PROCESS.ID = RECONCILIATION_INFO.HANDLE)
AND (PROCESS.RESULT_SUMMARY<>'SS')
AND (RECONCILIATION_INFO.RECONID = '?')
AND PROCESS.ID NOT IN (SELECT ACTIVITY.PROCESS_ID FROM ACTIVITY WHERE
ACTIVITY.DEFINITION_ID = 'CREATEPERSON')
Similarly, the following pair of queries returns the entries that failed during person modification; the union of the two result sets is the full list of persons that failed modification.
Query 20
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO, ACTIVITY
WHERE (ACTIVITY.PROCESS_ID = RECONCILIATION_INFO.HANDLE)
AND (ACTIVITY.RESULT_SUMMARY<>'SS')
AND (RECONID = '?')
AND ((OPERATION='PMP') AND (ACTIVITY.DEFINITION_ID = 'MODIFYPERSON'))
Query 21
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO, PROCESS
WHERE (PROCESS.ID = RECONCILIATION_INFO.HANDLE)
AND (PROCESS.RESULT_SUMMARY<>'SS')
AND (RECONCILIATION_INFO.RECONID = '?')
AND PROCESS.ID NOT IN (SELECT ACTIVITY.PROCESS_ID FROM ACTIVITY WHERE
ACTIVITY.DEFINITION_ID = 'MODIFYPERSON')
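The workflow queries of sections 5.3.1 to 5.3.4 run against a constructed copy of RECONCILIATION_INFO, PROCESS and ACTIVITY, again as an added example rather than the document's or ITIM's own code (the person ids, names and the workflow process ids 501 to 505 are hypothetical). workflow_pending folds Queries 10/11 and 16/17 into one statement, and workflow_failed folds each pair of Queries 12/13 and 14/15 (and 18 to 21) into a single LEFT JOIN that falls back to the PROCESS status only when the CREATEPERSON or MODIFYPERSON activity does not exist; by default it does not count PE/RS work that is merely unfinished, which the <> 'SS' test on the page does.

```python
import sqlite3

# Reduced copies of RECONCILIATION_INFO (section 2.2), PROCESS (3.1) and ACTIVITY (3.2).
SCHEMA = """
CREATE TABLE RECONCILIATION_INFO (RECONID TEXT, ACCOUNTID TEXT,
    POLICYCOMPLIANCESTATUS TEXT, USERNAME TEXT, OPERATION TEXT,
    REMARKS TEXT, HANDLE INTEGER);
CREATE TABLE PROCESS (ID INTEGER PRIMARY KEY, RESULT_SUMMARY TEXT);
CREATE TABLE ACTIVITY (ID INTEGER PRIMARY KEY, PROCESS_ID INTEGER,
    DEFINITION_ID TEXT, RESULT_SUMMARY TEXT, RESULT_DETAIL TEXT);
"""

# Table 7 codes that mean the workflow has not finished yet.
PENDING_CODES = ("PE", "RS")

# Constructed sample data; the person ids, names and workflow process ids
# (HANDLE values 501-505) are hypothetical.
INFO = [  # (RECONID, ACCOUNTID, POLICYCOMPLIANCESTATUS, USERNAME, OPERATION, REMARKS, HANDLE)
    ("recon-hr-00", "e100", "1", "Eve Adams", "AP", None, -1),   # reconciliation without workflow
    ("recon-hr-00", "e101", "1", "Tom Lee", "UP", None, -1),
    ("recon-hr-01", "e200", "1", "Ann Ruiz", "PAP", None, 501),  # CREATEPERSON succeeded
    ("recon-hr-01", "e201", "1", "Ben Cole", "PAP", None, 502),  # CREATEPERSON failed
    ("recon-hr-01", "e202", "1", "Cat Park", "PAP", None, 503),  # process failed before CREATEPERSON
    ("recon-hr-01", "e203", "1", "Dan Wu", "PMP", None, 504),    # MODIFYPERSON succeeded
    ("recon-hr-01", "e204", "1", "Fay Orr", "PMP", None, 505),   # MODIFYPERSON still pending
    ("recon-hr-01", "e205", "1", "Gus Hale", "UP", None, -1),    # no workflow for this entry
]
PROCESSES = [(501, "SS"), (502, "SF"), (503, "SF"), (504, "SS"), (505, "PE")]
ACTIVITIES = [  # (ID, PROCESS_ID, DEFINITION_ID, RESULT_SUMMARY, RESULT_DETAIL)
    (9001, 501, "CREATEPERSON", "SS", None),
    (9002, 502, "CREATEPERSON", "SF", "constraint violation on uid"),
    (9004, 504, "MODIFYPERSON", "SS", None),   # process 503 has no CREATEPERSON activity row
    (9005, 505, "MODIFYPERSON", "PE", None),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO RECONCILIATION_INFO VALUES (?,?,?,?,?,?,?)", INFO)
    conn.executemany("INSERT INTO PROCESS VALUES (?,?)", PROCESSES)
    conn.executemany("INSERT INTO ACTIVITY VALUES (?,?,?,?,?)", ACTIVITIES)
    return conn


def uses_workflow(conn, reconid):
    """Query 8. COUNT(HANDLE) skips NULLs, so a NULL handle never counts as a workflow."""
    (n,) = conn.execute("SELECT COUNT(HANDLE) FROM RECONCILIATION_INFO"
                        " WHERE RECONID = ? AND HANDLE <> -1", (reconid,)).fetchone()
    return n > 0


def workflow_pending(conn, reconid):
    """Queries 10/11 and 16/17 in one statement: entries whose add (PAP) or modify (PMP)
    was completed by the matching workflow activity, as (ACCOUNTID, OPERATION) tuples."""
    rows = conn.execute(
        "SELECT RI.ACCOUNTID, RI.OPERATION FROM RECONCILIATION_INFO RI"
        " JOIN ACTIVITY A ON A.PROCESS_ID = RI.HANDLE"
        " WHERE RI.RECONID = ? AND A.RESULT_SUMMARY = 'SS'"
        " AND ((RI.OPERATION = 'PAP' AND A.DEFINITION_ID = 'CREATEPERSON')"
        "   OR (RI.OPERATION = 'PMP' AND A.DEFINITION_ID = 'MODIFYPERSON'))"
        " ORDER BY RI.ACCOUNTID", (reconid,))
    return [tuple(r) for r in rows]


def workflow_failed(conn, reconid, include_pending=False):
    """Queries 12-15 and 18-21 folded into one LEFT JOIN. An entry counts as failed when
    its CREATEPERSON/MODIFYPERSON activity did not succeed or, if the process never
    reached that activity, when the process itself did not succeed. The page's queries
    test RESULT_SUMMARY <> 'SS', which also sweeps in PE/RS work that is merely
    unfinished; pass include_pending=True to reproduce that behaviour.
    Returns (ACCOUNTID, OPERATION, RESULT_SUMMARY) tuples ordered by ACCOUNTID."""
    not_failed = ("SS",) if include_pending else ("SS",) + PENDING_CODES
    placeholders = ", ".join("?" * len(not_failed))  # one bound '?' per status code
    rows = conn.execute(
        "SELECT RI.ACCOUNTID, RI.OPERATION, COALESCE(A.RESULT_SUMMARY, P.RESULT_SUMMARY)"
        " FROM RECONCILIATION_INFO RI"
        " JOIN PROCESS P ON P.ID = RI.HANDLE"
        " LEFT JOIN ACTIVITY A ON A.PROCESS_ID = P.ID AND A.DEFINITION_ID ="
        "   CASE RI.OPERATION WHEN 'PAP' THEN 'CREATEPERSON' ELSE 'MODIFYPERSON' END"
        " WHERE RI.RECONID = ? AND RI.OPERATION IN ('PAP', 'PMP')"
        " AND COALESCE(A.RESULT_SUMMARY, P.RESULT_SUMMARY) NOT IN (" + placeholders + ")"
        " ORDER BY RI.ACCOUNTID", (reconid,) + not_failed)
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for rid in ("recon-hr-00", "recon-hr-01"):
        print(rid, "uses workflow:", uses_workflow(db, rid))
    print("pending:", workflow_pending(db, "recon-hr-01"))
    print("failed:", workflow_failed(db, "recon-hr-01"))
    print("failed incl. pending:", workflow_failed(db, "recon-hr-01", include_pending=True))
```

The counts of sections 5.3.3 are len() of the returned lists, so one round trip serves both the count and the entry listing. Filtering on RI.OPERATION also keeps a failed modify process out of the add-failure total, which the unfiltered Query 13 / Query 19 does not guarantee.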
5.4 Person Reconciliation without workflow
There are two types of person reconciliation in ITIM. This section describes how to get the data of a person reconciliation that has no workflow associated with it.
5.4.1 Getting Summary of Reconciliation
To get the total number of person entries processed by a specific reconciliation, the following query can be used.
Query 22
SELECT PROCESSEDACCOUNTS
FROM RECONCILIATION
WHERE RECONID = '?'
5.4.2 Getting Count of entries from RECONCILIATION_INFO table
The following query returns the count of entries for one OPERATION code, here the persons that were added (AP); use MP for modified persons and FAP or FMP for failures.
Query 23
SELECT COUNT (RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO
WHERE RECONCILIATION_INFO.RECONID = '?'
AND RECONCILIATION_INFO.OPERATION = 'AP'
Refer to Table 4 for the other OPERATION codes.
More than one OPERATION code can be combined as follows:
Query 24
SELECT COUNT (RECONCILIATION_INFO.ACCOUNTID)
FROM RECONCILIATION_INFO
WHERE RECONCILIATION_INFO.RECONID = '?'
AND (RECONCILIATION_INFO.OPERATION = 'FAP'
OR RECONCILIATION_INFO.OPERATION = 'FMP')
The above query returns the count of all entries that failed during person addition or person modification in the reconciliation.
5.4.3 Getting entries of a particular operation from RECONCILIATION_INFO table
Once the number of entries of a particular operation type is known, the entries themselves can be fetched as follows:
Query 25
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO
WHERE RECONCILIATION_INFO.RECONID = '?'
AND RECONCILIATION_INFO.OPERATION = 'AP'
Refer to Table 4 for the other OPERATION codes.
More than one OPERATION code can be combined as follows:
Query 26
SELECT RECONCILIATION_INFO.ACCOUNTID
FROM RECONCILIATION_INFO
WHERE RECONCILIATION_INFO.RECONID = '?'
AND (RECONCILIATION_INFO.OPERATION = 'FAP'
OR RECONCILIATION_INFO.OPERATION = 'FMP')
The above query returns all entries that failed during person addition or person modification in the reconciliation.
6 Generating CSV Report from Query Result Set
The following Java code parses a JDBC result set and generates a comma-separated-value report from Query 5 above. Obtaining the connection to ITIMDB (DriverManager.getConnection with the database URL and credentials) and closing it afterwards are left to the caller.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class ReconciliationCsvReport {

    private static final String COMMA = ",";
    private static final String NEWLINE = "\n";

    // Query 5: summary of one reconciliation. The recon id is bound as a
    // parameter rather than spliced into the SQL text.
    private static final String SUMMARY_SQL =
        "SELECT PROCESSEDACCOUNTS, TIMUSERACCOUNTS, POLICYVIOLATIONS, LOCALACCOUNTS"
        + " FROM RECONCILIATION WHERE RECONID = ?";

    // connection: a JDBC connection to ITIMDB, for example from
    //             DriverManager.getConnection(url, user, password); the caller closes it
    // reconID:    RECONID obtained using the other queries in this document
    public static String summaryCsv(Connection connection, String reconID) throws SQLException {
        StringBuilder sb = new StringBuilder();
        // Add column headers to the CSV report
        sb.append("PROCESSEDACCOUNTS").append(COMMA)
          .append("TIMUSERACCOUNTS").append(COMMA)
          .append("POLICYVIOLATIONS").append(COMMA)
          .append("LOCALACCOUNTS").append(NEWLINE);

        // try-with-resources closes the statement and result set even if the query throws
        try (PreparedStatement statement = connection.prepareStatement(SUMMARY_SQL)) {
            statement.setString(1, reconID);
            try (ResultSet resultSet = statement.executeQuery()) {
                // Parse the ResultSet and append one CSV line per row
                while (resultSet.next()) {
                    int processedAccounts = resultSet.getInt(1);
                    int timuserAccounts = resultSet.getInt(2);
                    int policyViolations = resultSet.getInt(3);
                    int localAccounts = resultSet.getInt(4);
                    sb.append(processedAccounts).append(COMMA)
                      .append(timuserAccounts).append(COMMA)
                      .append(policyViolations).append(COMMA)
                      .append(localAccounts).append(NEWLINE);
                }
            }
        }
        return sb.toString();
    }
}
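A Python counterpart to the Java export above, added here and not part of the original document, that writes the per-entry listing of Query 7 / Query 25 (extended with USERNAME and REMARKS) with the standard csv module. The rows are constructed; the apostrophe prefix in defuse_cell is a general precaution for data that will be opened in a spreadsheet, not an ITIM requirement.

```python
import csv
import io
import sqlite3

# Reduced copy of RECONCILIATION_INFO (section 2.2).
SCHEMA = """
CREATE TABLE RECONCILIATION_INFO (RECONID TEXT, ACCOUNTID TEXT,
    POLICYCOMPLIANCESTATUS TEXT, USERNAME TEXT, OPERATION TEXT,
    REMARKS TEXT, HANDLE INTEGER);
"""

# Constructed sample rows (hypothetical accounts). REMARKS holds the attribute list that
# section 2.2 says is recorded for modified accounts, so it contains commas; one account
# name starts with '=' to show why cells are defused before they reach a spreadsheet.
INFO = [  # (RECONID, ACCOUNTID, POLICYCOMPLIANCESTATUS, USERNAME, OPERATION, REMARKS, HANDLE)
    ("recon-002", "jdoe", "1", "John Doe", "MA", "description, memberOf", -1),
    ("recon-002", "asmith", "1", 'Alice "Ali" Smith', "MA", "memberOf", -1),
    ("recon-002", "=SUM(1,1)", "0", None, "NO", None, -1),
    ("recon-001", "zz", "1", "Other Recon", "MA", "cn", -1),
]

COLUMNS = ("ACCOUNTID", "USERNAME", "OPERATION", "REMARKS")


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO RECONCILIATION_INFO VALUES (?,?,?,?,?,?,?)", INFO)
    return conn


def defuse_cell(value):
    """Render a database value as a CSV cell that spreadsheets treat as text.
    Account names and remarks originate on the managed resource, i.e. outside ITIM;
    a value starting with =, +, -, @, tab or CR is interpreted as a formula by common
    spreadsheet programs, so it is prefixed with an apostrophe. This is a general
    CSV-export precaution, not something the ITIM document prescribes."""
    if value is None:
        return ""
    text = str(value)
    if text[:1] in ("=", "+", "-", "@", "\t", "\r"):
        return "'" + text
    return text


def entries_csv(conn, reconid, operation=None):
    """Query 7 / Query 25 (extended with USERNAME and REMARKS) as CSV text.
    reconid and operation are bound parameters, never concatenated into the SQL."""
    sql = "SELECT " + ", ".join(COLUMNS) + " FROM RECONCILIATION_INFO WHERE RECONID = ?"
    params = [reconid]
    if operation is not None:
        sql += " AND OPERATION = ?"
        params.append(operation)
    sql += " ORDER BY ACCOUNTID"
    out = io.StringIO()
    # csv.writer quotes any field containing the delimiter, a double quote or a newline
    # and doubles embedded quotes, which a hand-built COMMA/NEWLINE join does not.
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    for row in conn.execute(sql, params):
        writer.writerow([defuse_cell(v) for v in row])
    return out.getvalue()


if __name__ == "__main__":
    print(entries_csv(open_sample_db(), "recon-002"), end="")
```

Write the returned text to a file opened with newline="" so the csv module's own line terminator is not translated twice on Windows.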
Glossary of Important Terms
- Reconciliation – The process of reconciling accounts or person information from resources or feed files into ITIM.
- Person Reconciliation – The process of reconciling person-related information into ITIM using a feed service.
- Account Reconciliation – The process of reconciling account-related information from resources like WinAD, WinLocal, etc. into ITIM.
- Targetclass – A column in the SERVICE table which stores the object class of a particular service.
- Workflow – With respect to the reconciliation process, a workflow performs additional activities during reconciliation which are outside the scope of the reconciliation process itself. For example, in ITIM 4.6 Express, during person reconciliation a Personal Password account is automatically created for each successfully reconciled entry.