We have a webservices connector for which account and entitlement aggregation is scheduled. We have access profiles created as well for each entitlement in the application.
The issue is that whenever entitlement aggregation fails with an error like the one below, all entitlements in the source get deleted and hence the access profile mapping gets wiped off. The next time the entitlement aggregation succeeds, the source is populated with entitlements but we lose the access profile - entitlement mapping.
The success status code is defined properly in the connector as well, but we are not sure why the runtime error isn't ignored and deletes all entitlements. For some reason, ISC considers this as a success and deletes all entitlements in the source. Appreciate any insights on how we can resolve the issue.
Exception during aggregation of Object Type group on Application SOURCE NAME [source-XXXX]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application SOURCE NAME [source-XXXX] An internal error occurred handling stream response from the server.
Side Note: We have an account deletion threshold; likewise, we should have an entitlement deletion threshold as well. I already see an idea for the same - hope to see it implemented soon to avoid such errors permanently. But for now, at least, I am looking for a workaround to avoid the entitlements getting deleted in such aggregation failure scenarios.
Thanks, Arjun, for the suggestion. Currently we are pulling entitlements via a separate call only. Is there any way to update any configs that will avoid deletion of all entitlements when a runtime error occurs?
Is the entitlement aggregation issue occurring intermittently?
If it is, please make sure to include success codes for the “get all groups” API, even when it fails with 4xx or 5xx errors during the “get entitlement” operation. This way, your entitlements won’t be removed even if the operation fails. I have highlighted in the screenshot below where to add 4** or 5** in your get entitlement operation.
Please try out the option that Suraj has given below.
In the long run, check if you can pull the entitlements using account aggregation. Similar to other connectors - ex: AD connector account aggregation creates all the entitlements.
Yes, the issue is intermittent, and we have defined the success codes for the operation to be 200 as well. So, ideally, the expectation is that when the API throws 4** / 5** errors, the system will not delete the existing entitlements, as we have defined 200 as the success code. In this case, if you notice the error, it seems to be more of an error on the SailPoint side rather than the API side.
Sample 1:
Exception during aggregation of Object Type group on Application SOURCE NAME [source-XXXX]. Reason: java.lang.RuntimeException: An error occurred while aggregating Application SOURCE NAME [source-XXXX] An internal error occurred handling stream response from the server.
Thanks for the suggestion, Arjun! I did validate other connectors too, which are facing a similar issue. They have a setup of pulling entitlements during account aggregation but also have entitlement aggregation scheduled to pull the entitlements that aren’t assigned to any users in the target system. This way, entitlements without users are also pulled.
Even for such systems we are facing a similar issue. We can’t stop entitlement aggregation, as we want to import newly created entitlements that aren’t assigned to any users into SailPoint as well.
Please review and let me know if you have questions.