We are looking to set up monitoring for Provisioning activities in ISC.
Below are the 2 options we have considered:
1. Search query in a general policy for type:provisioning event: With this, we are able to get the events report; however, this is not scalable, as SailPoint has a limit of 2000 results per policy. In exceptional cases where there are more than 2000 failed provisioning events in a day due to a system error, the report and alert would be blank. Reducing the time interval in the search query could be an option, but it is not fully reliable.
2. Workflow using “Provisioning Completed” as the trigger: This is working, but it does not include all events, as I believe the trigger is designed to provide information about the final state of a completed provisioning action, including any warnings or non-critical errors that occurred during the process but didn’t prevent its completion. As a result, this won’t cover events/provisioning requests that failed and couldn’t complete at all.

Given the limitations of each option, is there an alternative or a workaround to trigger monitoring alerts for all provisioning failures?
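The point in option 1 about shrinking the time interval can be made robust by splitting windows adaptively instead of picking one fixed interval. The sketch below is an added example, not part of the original thread and not SailPoint code: `split_windows`, the `count` callable and the sample timestamps are hypothetical, and only the 2000-result limit comes from the post.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

LIMIT = 2000                        # per-policy result cap stated in the post
MIN_WINDOW = timedelta(seconds=1)   # assumed finest window worth querying

def split_windows(start, end, count, limit=LIMIT, min_window=MIN_WINDOW):
    """Cover [start, end) with windows holding at most `limit` events each.

    `count(start, end)` is a hypothetical callable returning how many failed
    provisioning events fall in the half-open window (for example, a count
    taken from a search over that time range).
    Returns a list of (start, end, n, truncated) tuples.
    """
    n = count(start, end)
    if n <= limit:
        return [(start, end, n, False)]
    if end - start <= min_window:
        # Cannot split further: flag the window so the alert reports
        # "over the cap" instead of silently coming back blank.
        return [(start, end, n, True)]
    mid = start + (end - start) / 2
    return (split_windows(start, mid, count, limit, min_window)
            + split_windows(mid, end, count, limit, min_window))

def make_counter(timestamps):
    """Offline stand-in for the count query, backed by a sorted list."""
    ts = sorted(timestamps)
    return lambda s, e: bisect_left(ts, e) - bisect_left(ts, s)

def sample_day():
    """Constructed data: 96 routine failures plus a 5000-event burst at 02:00."""
    day = datetime(2024, 1, 1)
    routine = [day + timedelta(minutes=15 * i) for i in range(96)]
    burst = [day + timedelta(hours=2, milliseconds=120 * i) for i in range(5000)]
    return day, routine + burst

def plan_sample_day():
    day, events = sample_day()
    return split_windows(day, day + timedelta(days=1), make_counter(events))

if __name__ == "__main__":
    for s, e, n, truncated in plan_sample_day():
        print(s.time(), "->", e.time(), n, "OVER CAP" if truncated else "")
```

Quiet periods stay as large windows, while the burst is bisected until every window fits under the cap; a window that still exceeds the cap at the minimum size is flagged rather than dropped.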
How about breaking the report into multiple reports, for example, one for failed access requests, another for failed provisioning activities, and a third for failed account creation requests, etc.?
I understand this means having multiple subscriptions and multiple reports to review, but it’s a manageable alternative you may prefer to having to write a custom script.
I am using this approach and don’t see any issue. I am able to cover the Access review failure, Access Request failure and birthright provisioning failure.
Could you give more details about the challenges you see with this approach?