I am currently using the SCIM 2.0 connector to connect with CyberArk and applying ServiceNow as the Access Request Portal for the CyberArk safe group request.
I tried to raise a ticket from ServiceNow (SNOW) and requested a safe group related entitlement for a user who doesn't have an account in CyberArk. What I am expecting is that SailPoint will provision an account and the respective entitlement to the user.
However, I completed the approval process in SNOW and returned to the identity. I realized that no account had been created and no entitlement provisioned. Also, the event log returned such errors:
After checking the event log, I went to the CyberArk source and did a manual account aggregation for the source. Then, I could find that the new account had been created successfully in CyberArk and the assignment of the safe group is also perfect. I can actually see the requested account shown in the account page.
May I know what the problem with the CyberArk connector is, or whether it is a common practice for the SCIM 2.0 connector, or whether something is wrong in SNOW?
Yes, please try what Mark has said above and study .
Does the source CREATE profile have "id" that corresponds to the ID of your CyberArk? It is needed for ISC to read back the data and correlate correctly.
Thanks for your reply, Rahul. From the source's Create Account configuration, I can't see that the id is manipulated. However, ISC can read back the data and correlate correctly after the aggregation.
I think the whole process for requesting the safe group and account creation is working properly. Only SailPoint will return such an error message that indicated the groups were already assigned (which I confirmed the user didn't have the group before I raised the ticket in ServiceNow).
I really can't understand why the whole process seems to be working perfectly from SNOW –> ISC –> CyberArk, but returns such an error that mentions the user is already in the groups for Create Account Failed and Add Entitlement Failed.