IIQ - Azure Group creation - Error message - group Access Denied... but group reads back in during aggregation

Which IIQ version are you inquiring about?

8.3p4

Has anyone else come across this? Provisioning of the group actually does succeed in Azure, but within about 20 seconds of clicking approve, the provisioning transaction returns this message. On the next full group aggregation, the entitlement will be recreated (with the submitted IIQ meta-data missing of course).

Some things worth noting:
Veeery occasionally the entitlement succeeds correctly. In our pre-production Azure tenancy (which has a magnitude less users/groups) it succeeds more often, but not consistently.

Trial and error has revealed that it’s very likely related to our connector’s group filter:
(dirSyncEnabled NE true)
We have to filter out the on-prem groups from the connector without exploding out the size of our entitlement catalogue.

As this is an advanced filter, I need to remove the ‘owners’ attribute, and I suspect the connector is having trouble reading the new group back in due to it not being in the schema. I can see the provisioning transaction submits a null value for ‘sysOwner’ even though I do supply it in the provisioning form. I have no idea why it returns the access denied error, however.

Any ideas?

On further testing with a new application definition (near default schema/provisioning plan) the issue occurs with just the group filtering.
I also tried this filter: (groupTypes/any(c:c eq ‘Unified’))

Interesting. In my testing I managed to produce a more useful error on group creation when the connector group filter is not valid.

Error - Response Code - 400 Error - 400 Invalid filter clause: ‘)’ or operator expected at position 175 in ‘securityEnabled eq true and (( displayName eq ‘AZ-TestGroup’ )) and ( (NOT(groupTypes/any(x:x eq ‘DynamicMembership’) and (onPremisesSyncEnabled NE true)) )’.

Now that I can see the connector is trying to poll the group with its displayname, the group type and the connector’s group filter, I’ll try and reproduce my queries directly in Graph and report back.