Issue when IdentityNow tries to remove ServiceNow access

Hello everyone,

I am having an issue when an identity is given a lifecycle of terminated. IdentityNow removes all access, but an error occurs when IdentityNow tries to remove access from ServiceNow.

Has anyone else had this issue?

Didn’t face this issue. I would suggest you check with your ServiceNow team; they can find the logs and check what the actual problem was.

There are chances of permission issues.

You are getting this error because the OOB ServiceNow connector doesn’t support access removal for groups and entitlements.

Provided you give the user on the ServiceNow side access to delete from the sys_user_grmember and sys_user_has_role tables, it most certainly does.

That’s interesting to know, as the connector documentation says it doesn’t support it. Did it actually work for you after giving the permissions?

We had similar issues and opened a support ticket, and were told that there is an agreement between SailPoint and ServiceNow on this and access revocation won’t be supported via the official governance connector.

The connector that’s installed on the ServiceNow side does not perform any deletion because you cannot write an app that deletes records outside its own scope and have it in the ServiceNow store.

However, there’s nothing stopping you from deleting from those tables using tools that aren’t installed on your ServiceNow instance using APIs, which is what your SailPoint connector does from the tenant.

So, group/role adds - these are facilitated via import set tables that are inserted into via the installed scripted REST API endpoints on the ServiceNow instance.

Removals - these are done directly from the SailPoint tenant by making a delete call to the ServiceNow table API on the sys_user_grmember or sys_user_has_role tables.
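
The removal path described in the last reply, sketched as an added example that is not part of the thread and is not SailPoint's connector code: it builds the Table API lookup and delete requests for the two tables and maps the response status to a likely cause, which is how a missing delete permission shows up. The `send` transport and the function names are hypothetical.

```python
from urllib.parse import urlencode

# Tables named in the thread, with the reference column each pairs with "user".
TABLES = {"group": ("sys_user_grmember", "group"),
          "role": ("sys_user_has_role", "role")}

# Table API status codes a removal can return, and the likely cause.
OUTCOMES = {
    204: "removed",
    401: "authentication failed for the integration account",
    403: "denied: account lacks delete rights (ACL) on the table",
    404: "row not found, or hidden from the account by an ACL",
}

def lookup_request(kind, user_id, target_id):
    """GET that finds the sys_id of the membership row to delete."""
    table, column = TABLES[kind]
    query = urlencode({
        "sysparm_query": f"user={user_id}^{column}={target_id}",
        "sysparm_fields": "sys_id",
        "sysparm_limit": "1",
    })
    return "GET", f"/api/now/table/{table}?{query}"

def delete_request(kind, row_id):
    """DELETE addressed to one row of the membership table."""
    return "DELETE", f"/api/now/table/{TABLES[kind][0]}/{row_id}"

def revoke(send, kind, user_id, target_id):
    """Remove one group or role assignment and report what happened.

    send(method, path) -> (status, parsed_json) is a hypothetical transport
    that adds the instance host and the integration account's credentials.
    """
    status, body = send(*lookup_request(kind, user_id, target_id))
    if status != 200:
        return "lookup failed: " + OUTCOMES.get(status, f"HTTP {status}")
    rows = body.get("result", [])
    if not rows:
        return "nothing to remove"
    status, _ = send(*delete_request(kind, rows[0]["sys_id"]))
    return OUTCOMES.get(status, f"unexpected HTTP {status}")
```

A 403 on the delete while the lookup succeeds points at the integration account's rights on that table rather than at the connector.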