Cannot consistently add new Access Profiles to Application

epicwayne · October 29, 2024, 8:29pm

What problem are you observing?

Sporadically we’re seeing that new Access Profiles cannot be immediately be added to an Application. The request fails with HTTP 404 and a message of "The server did not find a current representation for the target resource." The behavior is the same whether using the API or UI to create the Access Profile and add to an Application.

What is the correct behavior?

If an Access Profile is successfully created, has an ID and can be viewed in the UI, you should be able to add it to an Application without error.

What product feature is this related to?

Specifically this is occurring when using the Beta or V2024 PATCH Apps API and adding a newly created Access Profile.

What are the steps to reproduce the issue?

This typically happens when these steps are run in code (i.e. very quickly, sequentially), however, this sometimes can take minutes or even longer for step 3 to succeed due to this bug.

Create an Application
Create and Access Profile
Add Access Profile to Application

Do you have any other information about your environment that may help?

It appears that the Apps API is relying on Search to validate Access Profiles to be added. When experiencing this error, the problem Access Profile cannot be found via Search, even though it be found using the Access Profiles API or viewed in the UI. This dependency on search indexing is likely causing the issue.

angelo_mekenkamp · November 7, 2024, 5:42pm

We notice similar issues as well caused by SailPoint modules relying on search:

If you create a role in enabled, requestable state, you can only request it through API, you cannot request it in the request center.
If you remove an entitlement from a role and then perform certification on that entitlement for those who have the role, the certification will be empty before you can start it to revoke the entitlements

I forgot the SLA of SailPoint Search with respect to being up to date in a timely manner. It is (in my opinion in general) completely fine to use search for things like monthly reports, extracting audit data or getting a general feeling of the data, but I don’t think it should be used when referring objects you expect realtime answers on.
To my opinion, for a security system like this, the moment the API gives a 200OK message for a crud operation, you should be able to refer to it elsewhere and get the updated version.

Topic		Replies	Views
Unable to add Access Profiles to newly created applications Bugs	11	65	November 8, 2024
Unable to add apps to newly created application ISC Discussion and Questions apis , identity-security-cloud , access-profiles , applications	4	44	November 18, 2024
Access Profile Not Found ISC Discussion and Questions apis , identity-security-cloud , provisioning , access-requests	16	159	October 29, 2024
API to create the application and add Access Profile ISC Discussion and Questions	9	2178	July 19, 2023
Feedback: v2024 undocumented endpoint POST /source-apps/:id/access-profiles General Feedback apis , identity-security-cloud , applications	2	10	October 21, 2024