tivoli-identity-manager

What is supporting data reconciliation in ITIM?


While studying Reconciliation I had one doubt related to 'supporting data reconciliation'.

-> I want to know what supporting data reconciliation is and how it is different from performing a normal reconciliation?

-> Why is it advised to perform supporting data reconciliation separately?

Also, in the manual it says "It includes group configuration information which contains key information about access privileges on the resource. Bringing back the group data ahead of time allows policies to be configured promptly before accounts are reconciled, so that the policies can be enforced."

-> What exactly do the above lines mean?


Solution

  • Supporting Data reconciliation does not bring back / evaluate accounts from the managed resource. It only brings back group information. Since most of the time your accesses will basically be group memberships, having this information will allow you to define accesses in ITIM. A normal reconciliation brings back both group information and accounts from the target system and possibly enforces policy evaluation for each account.

    The reason that it is advised to do the group reconciliation separately is that, since it can possibly affect the access definitions you have, you would want to have this in place before you actually reconcile the accounts and evaluate the policies that apply to them.

    To give you a solid example, you might have an LDAP service, where an LDAP server is your managed system. In this LDAP server you have configured two groups, GrpA and GrpB, and you want to control membership to these groups. First you will do a Supporting Data reconciliation for your LDAP service and those groups will become known to ISIM. You can now go to Manage Groups in the ITIM console and enable these groups as accesses in ITIM. (If you haven't done the reconciliation of supporting data before, then ISIM would not be aware of the groups in the target system.)

    Another example is when you want to have these group memberships as entitlements in Provisioning Policies. After you have reconciled supporting data, you can go and create a new Provisioning Policy with the group membership as an entitlement. Then, depending on whether the entitlement is automatic or manual, the users will get provisioned with this access.