Problem Summary
We are integrating Coupa SaaS with SailPoint Identity Security Cloud (ISC). Account aggregation is working correctly, but we are unable to aggregate roles from Coupa. Every attempt to aggregate the role object type fails with HTTP 403 (Forbidden) errors, despite having the required scopes configured.
Current Status
Working Configuration:
- Account aggregation: Successful
- Scopes granted: core.data_tables.read,core.user.read,core.user_group.read
Failing Configuration:
- Role aggregation: Failing with HTTP 403 error
- Object Type: role
Troubleshooting Steps Completed
- Initial Setup - Started with scopes: core.data_tables.read,core.user.read
  - Result: Account aggregation worked, role aggregation failed
- First Attempt - Added core.common.read (as per documentation)
  - Result: Test connection failed with invalid scope error
  - Error: "invalid_scope" - "The requested scope is invalid, unknown, malformed, or exceeds the previously granted scope"
  - Hypothesis: core.common.read may be a custom role in their Coupa instance
- Second Attempt - Replaced with custom scopes provided by Coupa app owner: core.comment.read,core.data_tables.read,core.user.read,core.user_group.read
  - Result: Test connection failed with same invalid scope error
- Current Configuration - Removed problematic scopes, using only: core.data_tables.read,core.user.read,core.user_group.read
  - Result: Account aggregation works, but role aggregation still fails
Error Messages
Error 1 - Role Aggregation Failure:
Exception during aggregation of Object Type role on Application Coupa [source].
Reason: java.lang.RuntimeException: An error occurred while aggregating Application Coupa [source]
[ConnectorError] {ExceptionType=openconnector.ConnectorException,
LocalizedMessage=Aggregation failed with exception :: Failed to process the request for operation ::
ENTITLEMENT_AGGREGATION :: Aggregated Errors after total retries of :: 1 Current attempt to execute
request failed for operation :ENTITLEMENT_AGGREGATION:: HTTP Failure status code :: 403 ::
HTTP failure message :: for objectType :: role}
Error 2 - Invalid Scope (when attempting to add additional permissions):
Test configuration operation failed with exception Failed to process the request for operation ::
TESTCONNECTION :: Aggregated Errors after total retries of :: 1 Current attempt to execute request
failed for operation :TESTCONNECTION :: Error details :: Exception occurred while generating access token:
Unable to generate access token. Response returned: {"error":"invalid_scope",
"error_description":"The requested scope is invalid, unknown, malformed, or exceeds the previously granted scope."}
Questions
- Has anyone successfully aggregated roles from Coupa using the SaaS connector? If so, what scopes were required and how were they configured?
- Could the HTTP 403 error indicate a permission issue at the Coupa API level (e.g., the technical account doesn’t actually have permission to read roles) rather than a scope configuration issue in SailPoint?
- Are there known limitations or special configurations in Coupa that prevent role aggregation via the SaaS connector, even when the required scopes are granted?
- Has anyone encountered issues with Coupa rejecting scopes as “invalid” or “unknown” when they are supposedly granted to the technical account?
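
The two errors quoted in this post are refused at different points of the OAuth flow, which bears on the second question. The following Python is an added example, not part of the original post and not SailPoint or Coupa code; it parses the connector messages (abridged here from the post) and reports whether the refusal came from the token request or from the API call. The function name `classify` and the stage labels are assumptions made for illustration.

```python
import json
import re

# Error texts abridged from the two messages quoted in the post above.
ROLE_AGG_ERROR = (
    "Failed to process the request for operation :: ENTITLEMENT_AGGREGATION :: "
    "Aggregated Errors after total retries of :: 1 Current attempt to execute "
    "request failed for operation :ENTITLEMENT_AGGREGATION:: HTTP Failure status "
    "code :: 403 :: HTTP failure message :: for objectType :: role"
)
TEST_CONN_ERROR = (
    "Failed to process the request for operation :: TESTCONNECTION :: "
    "Exception occurred while generating access token: Unable to generate "
    'access token. Response returned: {"error":"invalid_scope",'
    '"error_description":"The requested scope is invalid, unknown, malformed, '
    'or exceeds the previously granted scope."}'
)

def classify(message):
    """Return where the request was refused: token endpoint or resource API."""
    op = re.search(r"for operation\s*::?\s*([A-Z_]+)", message)
    status = re.search(r"HTTP Failure status code\s*::\s*(\d{3})", message)
    obj = re.search(r"for objectType\s*::\s*(\w+)", message)
    result = {
        "operation": op.group(1) if op else None,
        "http_status": int(status.group(1)) if status else None,
        "object_type": obj.group(1) if obj else None,
        "oauth_error": None,
        "stage": "unknown",
    }
    body = re.search(r"Response returned:\s*(\{.*\})", message, re.S)
    if body:
        try:
            # Some renderings drop the underscore ("invalidscope"); normalise.
            err = json.loads(body.group(1)).get("error", "")
            result["oauth_error"] = err.replace("_", "")
        except ValueError:
            pass  # body was not valid JSON; leave oauth_error unset
    if result["oauth_error"] == "invalidscope":
        # No token was issued: the authorization server refused the scope list.
        result["stage"] = "token_request"
    elif result["http_status"] in (401, 403):
        # The refusal came from the API call for that object type.
        result["stage"] = "resource_request"
    return result
```

Run against the post's messages, the TESTCONNECTION error classifies as `token_request` and the role aggregation error as `resource_request`, so the 403 is returned by the role endpoint itself rather than by scope validation at token issuance.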