How to handle an ObjectNotFoundException

Hi! I’ve seen a couple of posts on the topic but usually specific to AD.
I’m running into this issue with a JDBC connector source, specifically when we’re removing all entitlements from an account, causing the account to no longer show up during the single account aggregation.
The steps are as follows:

  1. ISC calls a stored procedure on the source to remove entitlements
    1. This is executed normally
  2. ISC calls another stored procedure to aggregate the single user account
    1. Nothing is returned and ObjectNotFoundException is thrown. Procedure does not error on the DB side.
    2. Nothing is returned because the stored procedure queries only accounts that have managed permissions so nothing returned is expected here.
  3. Overall the “Remove entitlement” op is marked as failed
  4. Later on, a native change is detected for entitlement removal + account deletion

What’s the expected way to treat these? We expect the account to no longer be returned if it has no more entitlements and we’d like the operation to be marked as successful if the account is no longer present.
Only functioning workaround I’ve found is removing the single account query completely and increasing the cadence on overall account aggregations.

Hi @M_rtenH

Do you intend to delete the account also when the last role is removed? To me it looks like once you remove the last role from the user, ISC cannot find the user in the back-end, so here you may need to call the delete account operation when the last role is removed so ISC knows that the user has been deleted and thus this call will not be made.
I have not tried this in a JDBC source, but I have seen a similar thing in web service based connections.

I hope this helps.
Regards
Vikas.

Consider looking at the Connector Rule: After Modify Rule found here: Connector executed Rules | SailPoint Developer Community

More specifically: Before and after operations on source account Rule | SailPoint Developer Community

This should be called after the modifications are called (Remove Entitlements in your case) and should include the request information and the Provisioning Result. You can then check the plan for the error you are looking for (ObjectNotFound), and if present and this is a remove entitlements, change the Provisioning Result from Error to Success and clean the error messages.

Just be aware that you need to handle the validation that this is a request of the type you are looking for, as that might be a valid error for other results.

Given that this is a Connector Rule, you should be able to write, upload and test it yourself.

To start, I recommend creating a blank rule and just adding logging code to print out the input arguments so you can get an example of what you’ll receive to work from. This will also verify that you can get the information you are looking for.
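The check described in the reply above, modelled in Python so the guard conditions can be tested outside a tenant. This is an added example, not part of the original thread and not SailPoint rule code: the `AttrRequest` and `Result` shapes, the status strings and the operation names are assumptions standing in for whatever the logged rule arguments actually contain.

```python
from dataclasses import dataclass, replace

# Constructed model of what an after-modify rule might receive. Field names,
# status strings and operation names are assumptions, not SailPoint's arguments.
@dataclass(frozen=True)
class AttrRequest:
    op: str      # "Add" | "Remove" | "Set"
    name: str
    value: str

@dataclass(frozen=True)
class Result:
    status: str              # "failed" | "committed"
    errors: tuple = ()
    warnings: tuple = ()

TARGET_ERROR = "ObjectNotFoundException"

def reclassify(account_op: str, attr_requests: list, result: Result) -> Result:
    """Flip failed -> committed only for the narrow case in this thread."""
    if result.status != "failed" or not result.errors:
        return result
    # Guard 1: the request must be a Modify made up purely of removals.
    if account_op != "Modify" or not attr_requests:
        return result
    if any(r.op != "Remove" for r in attr_requests):
        return result
    # Guard 2: every error must be the expected one; anything else
    # (SQL errors, timeouts, permission failures) stays a failure.
    if not all(TARGET_ERROR in e for e in result.errors):
        return result
    # Keep the original messages as warnings so the override stays auditable.
    notes = tuple(f"suppressed after entitlement removal: {e}" for e in result.errors)
    return replace(result, status="committed", errors=(),
                   warnings=result.warnings + notes)

# Constructed sample input.
ONF = "ObjectNotFoundException: account not returned by single-account query"
REMOVAL = [AttrRequest("Remove", "groups", "REPORT_VIEWER")]

if __name__ == "__main__":
    print(reclassify("Modify", REMOVAL, Result("failed", (ONF,))))
```

Both guards matter: without the first, a failed add or create whose account genuinely cannot be found would be reported as successful, and without the second, an unrelated database error during a removal would be hidden.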

Thanks both. I suspected this would need a rule but was hoping there’s a less involved established process.
@vguleria you’re correct in that we expect the account to be deleted.

I’ll try a few things with the stored procedure first.