Manual task for account selection generated after request for an identity with no accounts in the source

OS111 · May 8, 2024, 8:35pm

Hi,

After an access request is generated for an identity without an account in the source, a “Select Accounts” manual task is generated with an empty form that cannot be completed. This behavior causes the access request to stay in PENDING status indefinitely.

Using alternative methods for role assignment, the account is created successfully, in contrast to the access request use case.

Account and entitlement aggregation have been performed in the source before executing the request.

What could be the cause of this issue?

Here are the details of the request obtained via the API:

{
“name”: “ACCESS PROFILE NAME”,
“type”: “ACCESS_PROFILE”,
“cancelledRequestDetails”: null,
“errorMessages”: null,
“state”: “EXECUTING”,
“approvalDetails”: ,
“manualWorkItemDetails”: null,
“accessRequestPhases”: null,
“accountActivityItemId”: “549cb6f8f43a47fba557b5871d08fba9”,
“requestType”: “GRANT_ACCESS”,
“modified”: “2024-05-08T19:39:15.896Z”,
“created”: “2024-05-08T19:39:15.896Z”,
“requester”: {
“type”: “IDENTITY”,
“id”: “3f4eb0b7b8c847528ec34ec7f2c6f893”,
“name”: “REQUESTER NAME”
},
“requestedFor”: {
“type”: “IDENTITY”,
“id”: “7c71acd4970347f090f0dfda6ab1420c”,
“name”: “RECIPIENT NAME”
},
“requesterComment”: null,
“sodViolationContext”: null,
“provisioningDetails”: null,
“preApprovalTriggerDetails”: null,
“description”: “TEST”,
“removeDate”: null,
“cancelable”: true,
“accessRequestId”: “eb392c861cd84ce585b59a9c4ad79ef7”,
“clientMetadata”: {
“requestedAppIcon”: “sprite:genapp-default”,
“requestedAppName”: “APP NAME”,
“requestedAppId”: “7ce75ee122ba403c80775d3356f45aa7”
}
}

vkashat · May 8, 2024, 8:52pm

Hi @OS111 !

So that doesn’t seem to be the default behavior, at least based on the documentation:
Access Request Overview - SailPoint Identity Services

When a user does not have an account on a source where an entitlement is requested, IdentityNow will automatically create the account. If multiple entitlements are requested on that source for the user at or around the same time, only the first entitlement is turned into an account creation request. Provisioning for other entitlements is paused until the account creation request completes so they can be added to the new account through update operations.

What source is this happening on? Do you have any customizations (rules, workflows, etc) that might be changing this behavior?

OS111 · May 8, 2024, 11:44pm

Hi @vkashat !

The source is implemented using the generic LDAP connector and does not have any rules attached or any workflows currently being executed.

This only happens when the recipient does not have an existing account in the source when the access request is made. If an account is previously correlated to the identity, then the entitlements are successfully provisioned as the documentation describes.

vguleria · May 9, 2024, 4:13am

Hi @OS111

Thank you for the question.
Can you please confirm if the in alternative approach used for role request, the same access profile is mapped to the role ?
Also can you please share the information about the features which are there on source used in the access profiles. If the provisioning features are not available that could lead to the manual task creation but ofcourse then it should not work with role assignment too but may be another entitlement or access profile is also mapped to the role which is doing the provisioning.

If you can provide the information then we can further check it and see if we can suggest a solution

Thank you

sushantkulkarni · May 9, 2024, 6:04am

Hey @OS111
For the access you’re requesting, is there by chance a configuration enabled for choosing between multiple accounts on the same source?

OS111 · May 10, 2024, 12:00am

Hi @vguleria

The requested access profile is mapped to the same role used in the test.
Here is the snippet of the JSON returned by the API:

“features”: [
“UNLOCK”,
“GROUP_PROVISIONING”,
“PROVISIONING”,
“SEARCH”,
“SYNC_PROVISIONING”,
“PASSWORD”,
“ENABLE”,
“MANAGER_LOOKUP”
]

I also tried creating a new access profile with different entitlements but the same issue occurs.

Thanks!

OS111 · May 10, 2024, 12:04am

Hi @sushantkulkarni

The requested access profile does not have any criteria configured for multiple account selection.

Thanks!

system · July 9, 2024, 12:04am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
New Capability: Multi-Account Support! Product News identity-security-cloud , provisioning , access-requests , new-capability	25	1750	July 25, 2025
About release for Multi-Account Access Requests ISC Discussion and Questions identity-security-cloud , access-requests , entitlements	3	62	June 8, 2025
A access request can be submitted through IDN's API without an account or source ISC Discussion and Questions identity-security-cloud , access-requests	5	59	June 18, 2025
Multiple Account Selection for Access Requests ISC Discussion and Questions identity-security-cloud , access-requests	3	453	January 11, 2025
Provisioning Criteria for Multiple Accounts (Request Access) ISC Discussion and Questions	2	1678	June 30, 2023

Manual task for account selection generated after request for an identity with no accounts in the source

Related topics