Provisioning Request stuck in Endless Loop

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

IIQ 8.3p1

We have noticed recently there appears to be intermittent issues when IIQ is communicating with AD for provisioning request (e.x. request having 85 retries).

The request are stuck in Pending status and the Request State is either “Approve and Provision Split” for AccessRequest or “Provision” for PasswordsRequest.

For Access Request, even when the requested entitlements get added to the directly from the backend target, aggregations ran, identity refreshed, perform maintenance tasks ran, Perform Identity Request Maintenance ran, the access request status does not update. It appears to still retry at the next refresh.

Anyone know a rule or console cmd I can run to force these request to close?

2

Hey Tyrone,

You can close the request in a few ways. The first being via the administrator console.

Click the gear icon → “Admin Console”

Then, on the left hand side, select provisioning and “All” or “Pending”.

3

Hey Dalton. Thanks for the reply. My Provisioning Transaction Log Settings is just for Failures in Prod.

Is there another way without enabling higher log settings?

4

Hi,

can you please use the below api/rule to mark all the pending Access request to completed. Please add more filter as per your requirement.

Please mark the post as solution, as it will help others if they have the same requirement. if this resolves your issue..

 import sailpoint.object.QueryOptions;
import sailpoint.object.IdentityRequest;
import java.util.Calendar;
import java.util.Date;
import sailpoint.object.Filter;
import sailpoint.tools.Util;
import sailpoint.tools.Message;

try {
	    

	    // Create QueryOptions to filter IdentityRequests
	    QueryOptions qo = new QueryOptions();
      //qo.addFilter(Filter.eq("type", "Attribute Synchronization"));
	    qo.addFilter(Filter.or(
	      Filter.eq("completionStatus","Pending"),
	    ));

	    // Search for matching IdentityRequests
	    Iterator iterator = context.search(IdentityRequest.class, qo);
  
	    if (null != iterator) {
	      while (iterator.hasNext()) {
	        IdentityRequest identityRequest = (IdentityRequest) iterator.next();
	        if (null != identityRequest) {
	          
	          // Update the IdentityRequest
	          identityRequest.setExecutionStatus(IdentityRequest.ExecutionStatus.Completed); // Updated
	          identityRequest.setCompletionStatus(IdentityRequest.CompletionStatus.Success); // Updated
	          Date date = new Date(); 
	          identityRequest.setVerified(date);
	          identityRequest.setEndDate(date);
	          identityRequest.setState("End");
            
	          
	          context.saveObject(identityRequest);
            
	        }
	      }
	      context.commitTransaction();
	      Util.flushIterator(iterator);
	    }
	  } catch (Exception e) {
	    // Block of code to handle errors
	    e.printStackTrace(); // Optional: print stack trace for debugging
	  }
	
  return "success";
5

Hello @talbright did you try performing the task ‘Perform Identity Request Maintenance’?

6

Hi Santhi. Yes. See my post details for all the steps already performed.

7

Did you try the code, which i shared, for completing the access request??

8

Hi Naveen. I will try that today and provide feedback.

9

This rule did work to change the status of the IdentityRequest. However, it did not progress the open TaskResult. The associated TaskResult is still pending. Even after running Perform Maintenance and Perform Identity Maintenance Tasks. Any Thoughts?

10

In perform maintenance job, did the checkbox “Prune task results” is selected or not?? can you ask check in system configuration, the number of days or age.

11

It is checked. We also have Days before task result deletion is set to 90