A customer was receiving a 302 error when aggregating using a Web Services connector. I believe the root cause might be due to the lack of a sticky session, or not using a client credential grant type.
The result is that it returned zero results on the get opperation due to the 302 error and started deleting accounts. This was a few months ago, they turned off deletions and haven’t seen the problem.
Because a get request may fail and SailPoint ISC interprets this as the source deleting the account, is it safe to consider that your authoritative source should never allow deletion events?
As a possible solution have a second authoritative source that would aggregate all users based on criteria of those that would be for a delete event and process them?
How are you handling these use cases?
Anybody know if SailPoint has considered a parameter that prevents any deletions when 0 accounts are returned? Is there a way to intercept delete events or send them to an approval flow first?
No, it is only allowed to delete 10% worth of accounts or less. If it is told to delete more, it does not delete any and throws a warning for the aggregation.
So really, before going to production someone should know what an expected deletion ratio may look like for the given source. But they should also make sure that the error handling is right for the source. But in this case it was a 302 error, which is not a standard expected error as it is based on the authentication which didn’t arise during testing and has only happened one or two times.
The Web Services source returns the HTTP status code: 200, but the response payload contains an error. Without the manually entered HTTP error, the source won’t know that it must fail the request and retry the operation.
If it is required to understand all perceived issues that might cause a source to presume a delete operation, we should have a way to intercept those delete operations on the Identity side for further checks. If I was the customer, I wouldn’t ever want to have to go to an executive and have to explain why a given percentage of accounts couldn’t work because we missed an error condition. It seems way too aggressive for such a destructive operation.
My assumption at this point is to investigate a before provisioning rule to discard delete events on an Identity if the Identity is not in a given lifecycle state. Example: if the HR data changes have not moved someone from a separated LCM state to a separated plus 30 LCS state, the Identity is not ready for a deletion. If the LCS needs to be “separated plus 30” to be deleted and it isn’t, then we ignore all Identity Deletions…
