Remove Source Accounts API: Can't remove if any Source Owner has an account

I have to change the Account ID for the Account Schema of a source in development that has already had accounts aggregated into it. Based on the warning, my plan was to use the Remove Source Accounts endpoint to remove all accounts, then modify the schema to be correct, then re-aggregate the accounts.

The documentation for the endpoint is here: delete-accounts-async | SailPoint Developer Community

When I run this, adding the ID of the source, I am getting the following error:

I checked, and the user is not the Source Owner for the source I am attempting to remove accounts on, nor is the source authoritative. When digging into it further, I found that one Identity that has an account on this source is a Source Owner of a completely separate source, which is not to be modified.

So it looks like we cannot use this endpoint unless all users with accounts are also NOT Source Owners of ANY source in the tenant. I feel like this might be a bug, but would like to get others’ experiences or feedback before moving forward with that.

What a coincidence, I did face this issue today. Finding ways to fix this.

Since mine was in lower environments, I changed the source owner of the 3 sources to another admin, ran it, then switched them back.

1 Like

This doesn’t make any sense, how being owner (Identity object) for a different source impacts account objects in another source. I don’t think we have bug reporting feature, but we can post an Idea I guess.

This is how it’s been since the beginning, but I haven’t come across the issue for a couple of years. I don’t see a reason for this feature.

The API couldn’t remove the account for the Identity who is an owner somewhere else, so I just removed that account manually, ran the remove accounts API, and it worked.

Based on your testing and mine, it looks like there are 2 workarounds for this:

  1. Remove the user as a source owner from any sources
  • Replace the user as the source owner with another user temporarily for all accounts owned by that user.
  • Run the “Reset All Accounts on Source” API
  • Reset the user as the Source Owner for all accounts that user should own.

This is better suited for when the user owns 3 or fewer accounts or where you don’t have privileges to manually remove accounts.

  2. Remove the Account from the source manually
  • From the source to reset, remove the account of the user manually
  • Run the “Reset All Accounts on Source” API

This is better suited for users who own greater than 3 sources, or if there are multiple users who are Source Owners.

I would say the 2nd is the best, because you don’t need to touch any other objects. You can remove the account on the source anyway, since you are doing a reset on it.

2 Likes

Giving it more thought, I would agree with you that the best work around would be to go into the user’s Identity and remove the accounts manually for the application that you are looking to reset accounts on.

So the process would look like this:

  • Run the “Reset Source Accounts” for Source G and determine that there are offending Source Owner Accounts.
  • Determine which Source Owners have accounts on Source G.
  • For each Identity above, go into the Accounts Page for the identity and select “Remove Account” from the (…) menu for those accounts on Source G.
  • Run the “Reset Source Accounts” for Source G again. Repeat until no offending accounts and process runs.
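As an added example, not code from the original thread or from SailPoint: a Python script that performs the “determine which Source Owners have accounts on Source G” step offline, against constructed sample data shaped like the v3 sources and accounts list responses. The field names used (`owner.type`, `owner.id`, `sourceId`, `identityId`) are assumptions based on the public API shape, and the three-source threshold for choosing a workaround is the rule of thumb from the posts above, not a product rule. It lists the accounts on the target source that belong to a Source Owner and suggests which of the two workarounds fits each, so the manual “Remove Account” step can be done in one pass instead of rerunning the reset until it stops failing.

```python
import json
from collections import defaultdict

# Constructed sample data (not real tenant data), trimmed to the fields the check needs.
# Field names follow the assumed v3 /sources and /accounts response shape.
SOURCES_JSON = """[
  {"id": "src-G", "name": "Source G", "owner": {"type": "IDENTITY", "id": "id-admin", "name": "admin"}},
  {"id": "src-H", "name": "Source H", "owner": {"type": "IDENTITY", "id": "id-alice", "name": "alice"}},
  {"id": "src-I", "name": "Source I", "owner": {"type": "IDENTITY", "id": "id-bob", "name": "bob"}},
  {"id": "src-J", "name": "Source J", "owner": {"type": "IDENTITY", "id": "id-bob", "name": "bob"}},
  {"id": "src-K", "name": "Source K", "owner": {"type": "IDENTITY", "id": "id-bob", "name": "bob"}},
  {"id": "src-L", "name": "Source L", "owner": {"type": "IDENTITY", "id": "id-bob", "name": "bob"}}
]"""

ACCOUNTS_JSON = """[
  {"id": "acct-1", "name": "alice", "sourceId": "src-G", "identityId": "id-alice"},
  {"id": "acct-2", "name": "bob",   "sourceId": "src-G", "identityId": "id-bob"},
  {"id": "acct-3", "name": "carol", "sourceId": "src-G", "identityId": "id-carol"},
  {"id": "acct-4", "name": "bob",   "sourceId": "src-H", "identityId": "id-bob"}
]"""


def load(text):
    """Parse a JSON list response body."""
    return json.loads(text)


def owned_sources_by_identity(sources):
    """Map each Source Owner's identity id to the ids of the sources they own."""
    owned = defaultdict(list)
    for src in sources:
        owner = src.get("owner") or {}
        if owner.get("type") == "IDENTITY" and owner.get("id"):
            owned[owner["id"]].append(src["id"])
    return dict(owned)


def offending_accounts(sources, accounts, target_source_id):
    """Accounts on the target source whose identity owns any source in the tenant.

    Per the thread, these are the accounts that make the remove-accounts call fail.
    """
    owned = owned_sources_by_identity(sources)
    hits = []
    for acct in accounts:
        if acct.get("sourceId") != target_source_id:
            continue  # ignore accounts on other sources
        ident = acct.get("identityId")
        if ident in owned:
            hits.append({
                "identity_id": ident,
                "account_id": acct["id"],
                "account_name": acct.get("name"),
                "owned_sources": sorted(owned[ident]),
            })
    return sorted(hits, key=lambda h: (h["identity_id"], h["account_id"]))


def recommend_workaround(hit, max_sources_to_reassign=3):
    """Thread's rule of thumb: reassign ownership temporarily when the identity owns
    few sources, otherwise remove its account on the target source manually."""
    if len(hit["owned_sources"]) <= max_sources_to_reassign:
        return "reassign-owner"
    return "remove-account"


def build_plan(sources_json, accounts_json, target_source_id):
    """Return the blocking accounts on the target source with a suggested workaround each."""
    hits = offending_accounts(load(sources_json), load(accounts_json), target_source_id)
    return [{**h, "workaround": recommend_workaround(h)} for h in hits]


if __name__ == "__main__":
    for step in build_plan(SOURCES_JSON, ACCOUNTS_JSON, "src-G"):
        print(f"{step['account_name']} ({step['account_id']}): identity {step['identity_id']} "
              f"owns {step['owned_sources']} -> {step['workaround']}")
```

Against real data you would feed `build_plan` the JSON bodies from the sources and accounts list calls (paginated, so concatenate the pages first); identities that only have an account on Source G and own nothing, like `carol` here, are correctly left alone.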

Thanks for this discussion. I faced this today:

I could delete the source accounts for each identity and get the job done.

But what if we have several of these users? Can we come up with a process to automate this? Or worse, how about in production? I mean, thinking about how we can explain this behavior to a client?

Also, why is this an issue? An app owner could be on another source, which should be available to reset.

As you mentioned, @gmilunich, was any bug reported? Or was any underlying reason discovered for this behavior?

Regards