Continuous Modification of Composite Role (Entitlement) Start Date in SAP HANA

Hi Everyone,

Is anyone experiencing continuous changes to the start date of a composite role (entitlement) in SAP HANA, even though it was provisioned via an access request?

Also, upon checking the events, there are multiple repetitions of the “Add Entitlement” event.

Any advice or solutions that could help?
Thank you!

Looks like IDN is unable to read the provisioned role from HANA at the account level and is trying to retry the provisioning. Can you ensure the configuration/permissions for the read part?

When the HANA account is aggregated, are you able to see the role assigned to the user?

Hi @shaileeM, based on our testing:

  1. Requested 1 composite role, triggered a manual aggregation in SAP HANA, then upon checking the events, there were no multiple modify account events.
    Role A - Added to user account

  2. Requested a 2nd composite role (Role B), no manual aggregation in SAP HANA, then upon checking, there were multiple modify account events.
    Role A - Added to user account
    Role B - NOT added to user account

  3. Requested a 3rd role (Role C), no manual aggregation run in SAP HANA, then upon checking, there were multiple modify account events.
    Role A - Added to user account
    Role B - Added to user account
    Role C - NOT added to user account

We observed that the last composite role requested is not being added to the user’s account. It will only be added if an additional composite role is requested.

Also, we asked the client to check the SAP logs, and it seems that our service account is deleting the role, so SailPoint is trying to add the role again, but only the previous role was added. After an identity refresh, Role C is now added but Role A and Role B were removed, and after another identity refresh, Role A and Role B are now added again, but Role C is removed. This is now the current behavior.

Hi @prashanthrns, as per checking on the SAP logs, our service account is deleting the role, therefore SailPoint is trying to add the deleted role again.

Hi @jinmartin ,
Good Day!

My suggestion is to achieve this use case by using a beforeProvisioning rule and adding a check there for each role.
Thank you!

Hi @jinmartin ,

The service account removing previously added roles is strange.

How are you requesting the composite roles? Is it via Request Centre/Access profiles?

Hi @shaileeM, we are using the request center.

Hi Jinky,

I think your problem is similar to the overwriting of existing roles.
Can you try this one?

Check if you have “Role Details” in the Account schema. If not, kindly try to add it to the account schema.

Troubleshooting (sailpoint.com)

Hope this helps. Thanks

Hi @Rpalos,

Thank you for this solution.
I added the Role Details and it is now working.

Thank you!
