JDBC Entitlements not showing in the Entitlement Catalog

We have a JDBC Application that has been configured with an Entitlement aggregation. It returns 73 Entitlements, which is correct. The Name and ID are set correctly to the same attribute.

We have the account schema set for Entitlement and Multi-valued for this source, and the type is set to “group” which is what we are using.

When we aggregate in the accounts, the account is getting set for the correlated users, and the Entitlements are showing up for the account at the bottom, and also when you look at the User’s Access → Entitlements tab. However, when we go to the Access Model → Entitlements section, none of the Entitlements are present. Filtering by the Source also returns 0 results. Searching for name of an entitlement without a filter also returns 0 results.

What are we missing here?

• This was working when I tested it in another environment.
• The Merge Columns and Index Columns are set correctly.

Do we need to wait for the nightly Refresh to occur? This source was just created today, so that refresh has not occurred.

Additional Validation done:

• Configuration is the same as another lower environment that is working.
• Entitlements are visible when using the Get List of Entitlements API From Postman.
• Entitlements visible in Postman appear to be the same config as ones that are working in another source.

Additional Testing:

• Reset the entitlements on the Source - No change

• Unoptimized Aggregations for Entitlements and Accounts after reset - No Change

• Total number of entitlements is <8000 in system. ~80 were added with this system.

• Found that the Source name had a space at the end of the name

  • Updated the name
  • Reset the Entitlements
  • Re-ran Unoptimized aggregations again
    Result: No Change

• Compared Entitlement config in working Sandbox to non-working sandbox and configured the same - No change

This is quite odd because:

• The API shows the entitlements are there.
• The Account on the Identity shows the entitlements.
• The Access page of the identity shows the entitlements.

But…

• The Entitlement Catalog does NOT show the entitlements
• The Search does NOT find the entitlements.

Hi @gmilunich,

It seems like you have done most of the validations. Could you please try following network captures when you trigger those actions:

1. Go to Source → start capturing the network traffic using browser settings and then refresh entitlements page and observe the api’s calls triggered
2. Start capturing the network traffic using browser settings and then trigger the entitlement aggregation and observe the api’s calls triggered
3. Go to search → start capturing the network traffic in browser-> search using this query: source.name.exact:“Replace source name”
4. Go to Access Model → Entitlements → start capturing network traffic → try searching for those entitlements

And now validate the traffic for any unusual behavior for each step, if there is some API call that is failing we might know.

Thanks,
Vijay

Hi @gmilunich,

can you share your configurations here to check further entitlement type configuration and group configuration.

Thank You.

Did some more testing and it appears that the entitlements are not being indexed in the “entitlements” index for the search. The Entitlements are there when I use the Get Entitlements API, which does not use the Index, however, when I try to use the Search or the Entitlements page, which both use the Index, they are not there.

Additional Testing:

Created a new JDBC Source in the Sandbox tenant that worked prior (Created 6/17), and used the exact configuration, but the Entitlements are not indexed either for the new system after successful Entitlement Aggregation.

• The entitlements show up on the source with the correct information
• The Entitlements do NOT show in the Entitlement catalog
• The Entitlements do not show up in a Search
• The Entitlements do not show up in a Certification
• They Do show up attached to the accounts of aggregated users.
• They do show up in the Access → Entitlements section of the Identity Page

So it seems like the Indexing is not happening correctly. Unsure if this is a JDBC only issue, or more wide spread for us. Unsure if this is affecting others.

Search can take up to 24 hours to index new objects. Have you waited long enough?

Additional Testing:

• Entitlements CAN be added to roles. The Search here pulls the entitlements using the Beta entitlements API, not the search.
  NOTE: This is calling the API twice, with the first one failing with missing headers and as “cancelled” while the second one succeeding. (missing headers when compared to the second one.)

@colin_mckibben thanks for that information. The configuration of this source was done yesterday, so it would be close to the 24 hr mark I believe. When I configured the other sources, the entitlement data was quick to appear in the Entitlement Catalog, and be usable for searches.

Could you point me to the documentation for the 24-hour wait period for Entitlements to show up in the Entitlement Catalog? I could not find anything in the Documentation, with the exception of this in the AI Section, which we are not using here.

If there is going to be a 24 hour waiting period after configuring an application and adding entitlements before we can work with the data, that is going to slow down our progress.

The 24 hours is for search, which the entitlements catalog may not be using. This sounds like a bug that would be better served with a support case. My troubleshooting skills would have a difficult time pinpointing the root cause.

@colin_mckibben From my testing, the following areas are using the Search to get the results:

• Entitlement Catalog
• Search
• Certifications

This means that those sections are not usable for the newly aggregated data for up to 24 hours, even though the data is in the system and visible on the Source.

I was just able to see that the entitlement indexes must have updated for us within the last hour (12:30-1:30 EST), so all of the entitlements are now available. Seems like it took almost 18-20 hours for us.

Does the global Entitlements page really use the Search API? I see both /v3/search and /beta/entitlements getting called upon page load. I feel like this page should NOT be using Search if there is a delay. If I’ve aggregated some entitlements, I’d expect to be able to find them immediately the way I can in the entitlements tab of a source page. This is needed to perform validation, etc. when setting up sources. The entitlements tab on the source page uses beta/entitlements. Why does the global Entitlements page not perform the same?

I haven’t really encountered this yet but I hope I do not lol

@patrickboston that is the case from my testing in Non-PROD environments that it uses the search to retrieve the Entitlements and to apply any Source filtering.

There is additional discussion on this topic HERE where one of the Product Managers chimed in and seems to be saying that faster processing may be an additional purchase option being considered, if I understand their comment correctly. You’ll have to read it for yourself to see if you draw the same conclusion. Or hopefully they will come back and clarify what they are trying to state.

I created an Idea for this related to the 24hr delay for entitlements which can be voted on here: https://ideas.sailpoint.com/ideas/GOV-I-3932

Adding my experience, I had a similar issue with a Web Services source as well as Delimited File source. After resetting entitlements, they werent re-created again after aggregation. (even unoptimized didnt fix it immediately)

I had to wait a few days then run unoptimized aggregation for the entitlements to show again.

This isnt a fix, more like a bad/unreliable workaround.