Hi,
Can someone clarify if my understanding of identity refresh is correct?
1- Change occurs in source of truth
2- Scheduled aggregation
3- Changes in identity attributes that sync to AD
4- Identity refresh occurs
5- Any rules/roles get enacted
I’m asking because that is not occurring. The change that is happening is that the user is going from disabled to enabled. What should follow is:
1- Lifecycle change to active and AD enabled
2- OU move because of a beforeProvisioning rule
3- AD group membership updated from an afterModify rule.
Aggregation occurred at 10:19:08 AM
Lifecycle change occurred at 10:19:34
AD account has not been enabled
OU move hasn’t happened because the identity hasn’t been refreshed so activeParentOU has not been updated
Group Membership has occurred for some users but failed on others
If I try to manually enable the AD account, I get this message:
“There was an error trying to enable the account”
The first thing that I think I need to unpick is why the identity refresh is not happening when there has been a change as a result of the aggregation.
Thanks
As you mentioned, the lifecycle is being changed to active but it did not trigger AD account enablement. You will need to have the setting below and add your AD source.
Can you validate if you have configured your provisioning setting correctly?
You are correct in the understanding you listed: if there is a change in the identity during aggregation, then it should process the identity and calculate other things like roles, transforms, etc.
If there is no change in data during aggregation, your identity will not get processed.
Since your identity LCS is changing, you will see that the modified date and time is updated (it means it processed the identity).
Account aggregation doesn’t always trigger an identity refresh. I have experienced the same in our environment. But an LCS state change should definitely trigger an identity refresh and should process enable/disable accounts as configured in the LCS states.
Have you checked if there is anything in the queue on the Monitor page? The refresh process might be queued.
The enable account event was working last week (definitely on Friday as I was checking out PS scripts).
And this happens if I try to manually enable an AD account:
Hi @phil_awlings ,
I faced this error once (“There was an error trying to enable the account”). Could you please check if your rule is working correctly?
Detach the cloud/connector rule and try to enable the account to confirm the issue is not coming from the rule.
@phil_awlings When I look at your identity details, the “IDENTITY STATE” is still INACTIVE_LONG_TERM, and that is the reason your identity is not getting processed automatically.
@gourab
I disabled the beforeProvisioning cloud rule and the 2 afterModify connector rules, but I still can’t enable the AD account. I’ve checked the service account and it doesn’t look like it’s been changed.
@shekhardas1825 It looks like it was just very slow on updating that as:
Can you try a user with inactive short term? What I am thinking is that because you are using a long-term inactive state user, the identity processing is not happening at the very moment the LCS is changed to Active. (Just a thought)
I would suggest trying with different users.
Also, do you see any error in your Identity Events / Account Activity? If possible, check the IQService logs as to why account disable is not working.
Also, you may be receiving the error because of the DN. Can you check if the DN you see in IDN and in actual AD is correct?
Try running AD full aggregation and then try enabling / disabling the account manually.