When I look at the Provisioning Transactions, there are many failure transactions. When reviewing the failed transactions, I find the identities have multiple native identity Change Id Events. I have to manually remove them by using a custom task. However, I am having a problem identifying why this is happening. I am currently using SailPoint 8.3p2 with the Tomcat version of 9.0.78. Any direction on this would be helpful.
Hi @fcmendoza,
Can you please let us know if these provisioning transactions are for any specific application or for all applications? Also, check whether the application definition's Native Event option is checked for the application for which the provisioning transaction is getting created, and if so, for what event.
Generally, a native identity change is detected by SailPoint if there is any change in a Link attribute, possibly due to aggregation.
The provisioning is from AD. Also, when the Identity Refresh Task runs, some identities fail as well. I checked the AD application, and the "Native Change Detection" is not enabled. How should I prep to update the AD application for the Native Event Option?
Thanks,
Do you see any error message on those failed transactions? If you click on the information icon, you can find the error message. Start with that if you haven't already done that.
@fcmendoza
This is happening because of the feature checked under Global Settings: Native Identity Change Event detection.
You can uncheck this if processing of native identity change events is not required (Note: this is the native identity change event and not the native change event at the application level).
Also, 8.3 P1 has a known bug related to this; the thread below can provide more details:
Active Directory ObjectGUID, move/rename support FAQ - Compass
For now, you can uncheck the setting to unblock issues and clean all existing data in the spt_native_identity_change_event table. This can be done OOTB as well by adding the below; here are the details:
There is an OOTB configuration to prune the NativeIdentityChangeEvents, which should be configured to perform clean up on these objects, similar to pruning task results, or other objects. This would be a global option to delete all objects over a certain age.
In debug Configuration->SystemConfiguration
This value is the number of days to retain the objects. The default is "0", which would not delete any objects. If you were to set it to "7" and run the prune option below, it would prune all objects older than 7 days, as an example.
In the Perform Maintenance task, there is an option: "Prune Native Identity Change Events"
Delete Native Identity Change Events older than the age specified in the system configuration
In the xml, it would show as below if enabled.
It would be recommended that you add this to your regular execution of the PM task which performs pruning (if you have a separate task for pruning objects, set it in that one).
Do we have documentation on the Native Identity change events?
I could see docs or articles on Native Change detection but don't see anything specific to Native Identity Change events apart from the above link I provided. We faced this issue in our environment as well, and didn't get official docs or links from SailPoint apart from the patch read me doc.
Supporting Active Directory Native Move / Rename - I could find more information on the Native Identity change event