Refresh Identity task failures

Which IIQ version are you inquiring about?

IIQ8.4p2


Please share any inputs on this error. What I have observed is that there were some failures (400 error code) in the ENTRA After provisioning rule, but I am not sure how this will affect my refresh identity task.

Thank you,

Srikanth

@srinamala0069 Seems there are multiple threads trying to update the same Identity Entitlements. Are you running multiple tasks together? Like two identity refreshes?

No. It's a weekend task and there are no parallel tasks running during that window.

Are you running the refresh with partitioning enabled? Even if the partitions are exclusive at the identity level, the error is indicating that the error is happening at the identityEntitlement level, which is possible if you have multiple aggressive/heavy processing options enabled in the same refresh task, or have some custom code execution which is updating identityEntitlement as part of the refresh.

I have seen these types of errors and they are not easy to resolve, since IIQ doesn't provide much detail, like for which Identity it failed, or even the ID mentioned in the error doesn't exist (in fact that's what the error is indicating).

Again, it doesn't have to be another refresh running in parallel; any task that might work on identityEntitlement running in parallel with the refresh can cause this.

Hi @srinamala0069 ,

A quick fix to this issue would be to identify the affected identities/accounts, delete their identity entitlement objects, and refresh them.
Understanding the root cause is very difficult, since it could depend on history as well as any custom code that is running as part of the identity refresh (e.g. identity attribute rules, etc.).

Hi @srinamala0069, we faced a similar issue. One of them was the above error. We deleted the IdentityEntitlement from the debug page initially, and again, we got the same error with the other object. What we did for that was to create an identity refresh task which only refreshes the identity data. None of the provisioning and sync attribute options are enabled in that task. It is running successfully without any issues. Check which task is failing and add the identity refresh task before that task; it will address this issue.

Thanks,

PVR.

Hi @srinamala0069

  1. Remove the “Refresh Identity Entitlements for all links” option from your refresh task and see if the error is fixed.

  2. Check the account group aggregation task for the same application and verify the Detect Delete flag is enabled; if not, enable it and run the task, and re-running the refresh will fix your issue.

Thanks
D:)

@srinamala0069 Is this still happening, or is it a one-time failure?

Is this issue resolved?

Hi @sanjaysutarc ,

Thank you for your response. I understand that there could be several possible causes for these errors, and that tracing the root cause may be difficult. Is there any safe workaround or trial-and-error approach we can use to resolve this issue?

I have seen suggestions to delete IdentityEntitlement objects, but since this is a Production environment, we need to be absolutely certain that this is the correct approach before proceeding.

Thanks,

Srikanth

Yes, it's still happening.

@srinamala0069 Have you figured out a pattern yet? Like, is it happening for all users or a specific set of users?

IMO, this is a runtime issue and not really related to any user/entitlement. But you can get the affected users and try to run the same refresh (same options selected) and see if it occurs again.

If you can reproduce this consistently, then you have some chance to troubleshoot and find the root cause.

Just another tip, you may not be able to get the affected users from debug. I generally would query the spt_identity_entitlement table with the ID provided in error to get the affected users/entitlement.

See if you see the same user/entitlement getting repeated in the daily refresh when it fails. Or see if you are getting the same error again when you refresh these affected users. If you are, then maybe these rows are permanently locked (less likely though) and you can release the lock using IIQ console commands.

Oh, yes, I wouldn't recommend deleting any IdentityEntitlement records to resolve this issue.

Hi @sanjaysutarc, please check if you are running multiple tasks associated with the same identity session simultaneously. We recently faced this exact issue and resolved it by scheduling the Identity Refresh and Active Directory (AD) tasks to run at different times. When these two tasks run concurrently, they both attempt to modify the same identity cubes at the same time, which creates a collision in the Hibernate session.