I’m looking for help understanding what is the expected behavior on account requests for delimited file sources.
We have SNOW sdim configured to open tickets for delimited file source requests, which works great. but when ISC sees the task is complete, all I see on the source is an account with no entitlements and ??? in the list. I was under the impression that the create provisioning plan determined the attributes that were being set on the request and once complete it would populate the ??? with actual data. What am I missing?
As per my knowledge you have to have a solution wherein once the SDIM ticket is fulfilled an entry is expected in the next iteration of feed file which will be consumed for the delimited source. As the create provisioning would only generate the details for the ServiceDesk Integration.
I might be wrong but again I have seen this happen and was able to resolve it by asking the app team to provide the updated feed file before closing the SDIM ticket.
the ? means that IIQ was unable to confirm if the provisioning was successful on the source. until you run another aggregation it will remain with a “?”
I see, I was under the impression that confirmation from SNOW via the SDIM connection would tell sailpoint that the account was provisioned with the create provisioning plan entitlements, delimited file sources don’t necessarily have auto refreshing user lists, and sometimes require other data transforms to make.
As Aman mentioned, ServiceNow SDIM integration only creates a ticket and assign it to the assignment group (App team) with the details as per the provisioning plan. Respective team should provide the updated feed with the new entries then the process will be completed for SailPoint.
Since you have raised the request for a create account, SailPoint assumes that account is successfully created on the source and temporarily marks it with “?” and confirms the same in next aggregation task
when you say provide the new feed you mean they provide a new user list? I’m not sure I understand how that would be feasible for every newly provisioned account. Specifically where an admin may not be a sailpoint administrator to upload a new csv.
If that’s how it works thats fine. Just want to make sure i’m getting what you’re stating.
Whenever any request raised by SailPoint via SDIM connector, SailPoint will keeps on checking the status of the ticket periodically until the request is completed on the ticketing system.
Once the requested is completed, the account for the user identity with account id will be displayed as “???” because the user record is yet to be aggregated or imported back to SailPoint for that delimited source and only then “???” will be replaced with actual account id of the user for that source. This will actually complete the whole provisioning process.
The update delimited file which will contain all the latest user records should be provided by the application team and either a SailPoint admin can manually import the file or you can develop a script/code by leveraging the File Upload Utility - CoLab / Community Tools - SailPoint Developer Community for automatically uploading the file to SailPoint on a schedule basis.
Note: If the latest file doesn’t contain the updated user record, then a ticket will be created again by SailPoint for that user with new request number on the ticket system.
We are an FI (Financial Institution) and our situation sounds similar. We have a large number of SDIM configurations, which was a choice at the time to complete our IDN implementation, however we never discussed during implementation the aggregation on these sources other than the SDIM configuration, so we too were unaware that some separate aggregation was needed. Good luck!
Thanks Abbey, yes I’m an FI as well and the majority of our apps are going to need manual processing still so moving things into the system I was expecting for sailpoint to ‘know’ without an agg for the SDIM sources what was provisioned based on the create info passed over.
Answer does make sense but it is quite lacking, some of these old apps have horrible user lists and require data transforms outside of sailpoint before loading so fresh aggs are not always nice and pretty.
