Failed requests are being retried every time we do aggregation or a new request on the same user

This is for a web connector. I had a few requests failing. The problem has since been fixed and new requests were made for these users. However, it keeps retrying old requests when we do a new request on these users, even ones that have since been successful/modified on the source.
I wonder why that is?
It is quite odd as it happens also when we do aggregation.
I also noticed that because of this issue it doesn’t reflect the actual account on the target.

I tried restarting the VA, but it didn’t fix the problem.

The operations are add entitlement of different types.
We don’t have any retry configuration in place; is there an automatic/general one?

Can you clarify a bit? I’m assuming you have an “Access Request” which is then doing provisioning to a target Source? You had an initial Access Request that tried to provision some entitlement(s) and it failed for some reason. You then created another Access Request with different entitlement(s) that succeeded. The initial provisioning, that failed, is what’s retrying and continuing to fail.

If so, I believe the “easiest” workaround would be to create a certification for the identity and revoke the entitlement(s).

Thinking about it as “Actual State” vs. “Desired State”, IDN is trying to get the identity to desired state but it continually fails. Considering the Access Request is approved it’s going to try and get this provisioned until there’s a different desired state defined (i.e. revoke / shouldn’t have this).

Yes, something like that, although I believe that some requests were retried until they actually succeeded (they show as approved in the request pages).
I wonder if IdentityNow doesn’t identify it as a real success or real failure or something.
It started to have a wrong snapshot of the accounts too, like more entitlements than they actually have etc, because these requests do succeed now.

I’m going to try to revoke the entitlement indeed.
Could it be a case of SailPoint not verifying the account? Our source API doesn’t return any info on the user actually, just a success or failure code as well as the id of the user.

Entitlement and Role requests are constantly applied. So, if you request and provision an entitlement through IDN, then you remove the entitlement manually, IdentityNow will reprovision it. Even worse, if you delete the account, IdentityNow will re-create it. The documentation says that deleting the account will stop the requests, but that has not been my experience.

You need to actually revoke the entitlement or role within IdentityNow for it to stop. I don’t know why they differ from Access Profiles in this regard, but it’s the primary reason I tell all customers to only use Access Profile requests.
