Resolving Concurrency Issues with SAP Connector

jwshin · July 29, 2024, 7:30am

Hi Experts,

We are currently experiencing the following issue in our production-sandbox environment. We have attempted to resolve it through Expert Service and CSD, but have not received a satisfactory solution. If anyone has resolved similar issues, your assistance would be greatly appreciated.

Overview of the Configuration Environment:

I mapped 1 entitlement to 1 access profile. The purpose is categorize access profiles in the SailPoint Application based on SAP modules.
Users access the application through the request center and request multiple access profiles at once.

These requests work well with other connectors except for the SAP connector. With the SAP connector, when processing a request through the interface account, the account gets locked, and all subsequent requests fail after the first edit.

[ ConnectorException ]  [ Error details ] Exception occurred while modify operation, refer logs for more details. Exception executing function [BAPI_USER_CHANGE] Message [사용자 가(이) 사용자 을(를) 유지보수 중입니다]

We have not received a satisfactory solution from support tickets, expert service, or CSD. One method suggested by an expert service engineer was to set a Before Provisioning Rule to interval time out each request by 30 seconds. However, we have not found any reference on how to configure this interval within the SAP BAPI in the rule.

Has anyone experienced similar issues? Any suggestions that might help are welcome.

Regards,

tysremi · July 29, 2024, 7:53am

I have some more questions for this one…

On step 3, what account gets locked?
The user’s account or the service account with which you’re provisioning?

On step 4, how did they come to a timeout issue?

Can you share what’s being sent towards the connector after the access request? (In the event you show as picture 2, click the SAP connector part)

jwshin · July 29, 2024, 8:08am

Hi @tysremi

In Step 3:

1st request: The interface account (IF_SAILPOINT) locks the target account (권세진) while adding the entitlement.
2nd request: The interface account (IF_SAILPOINT) attempts to add the entitlement but cannot because of the interface lock.
This issue continues with subsequent requests.

In Step 4: There is no timeout issue. The problem occurs because the SAP BAPI calls are made in a very short time, leading to errors.

Anshu_Kunal · July 29, 2024, 8:08am

@jwshin

Please explore provisioning retry option on your source to capture this error and retry after sometime once object is unlocked.

jwshin · July 29, 2024, 8:11am

Hi @Anshu_Kunal

I already added that option in source configuration. but it doesn’t works.

Anshu_Kunal · July 29, 2024, 8:17am

We have added a delay in a connector rule for a web service connector as below which had similar concurrency issue

int numberOfSecondsToSleep = (int)(maxDelayInSeconds * (java.lang.Math.random()));
TimeUnit.SECONDS.sleep(numberOfSecondsToSleep);

Try above logic in before operation rule (connector rule) for SAP source.
Thanks

tysremi · July 29, 2024, 8:53am

Ok, I understand.
So the “user record” in SAP is in a locked state due to a previous operation and cannot be updated at that time.
Including a sleep period somewhere in the process might help, but is not a guarantee as the record might still be locked after your attempts run out.
Is this an out-of-the-box connector or something custom?

jwshin · July 29, 2024, 9:07am

@tysremi
I use SAP Direct Connector in this case.
Thanks,

tysremi · July 29, 2024, 9:43am

I think you can do a few things then.
1\ Raise an Idea with SailPoint to improve the connector to have record locking logic implemented out-of-the-box
2\ Try with a sleep time like mentioned above, which may work for 80% of the time… in addition with configuring the retryProvisioning methods like mentioned by @Anshu_Kunal
3\ Implement role grants via a custom connector (SaaS / VA Web Services / …) that keeps track of record locking and where you can implement more logic.

Anshu_Kunal · July 29, 2024, 10:04am

@tysremi I agree it should be combination of provisioning retry, delay script and some automated monitoring for any failure to source owner/admin

derb1 · August 21, 2024, 4:59pm

Are you connectioning to ECC. I would have your SAP security folks turn on trace and trace it… from the message it may be an authorization issue with the service account not the connector itself. We have found the SAP authorization on the service account to be quite tricky to configure… but once we got it, it was fine. The other thought is why are are you locking the account to make a change and then unlocking? we change live accounts all of the time in SAP without locking the user out. The person may even be logged in… they then get thier new access when the log out and log back into SAP. The security remains constant in the users current session.

jwshin · August 22, 2024, 2:33am

Hi @derb1,

The customer is currently using an S/4HANA database, not ECC.
I hadn’t considered whether the service account might have insufficient permissions. However, the account was granted authority equivalent to admin rights, and aside from the user lock issue, I didn’t feel that the service account was lacking for the entitlement provisioning tasks in ISC. And It’s very interesting that setting up the service account’s permissions correctly could potentially resolve the user lock issue.
Could you please provide more specific information regarding the configuration of the service account’s authorization?

Regards,

derb1 · September 6, 2024, 12:45am

Oh you are on S/4 hana so my comments are irrelevant. I will say SAP security can be very granular and that message looked like messages we had in our testing which resulted in our SAP team modifying the access on the service account. Sorry cannot help more with S/4 Hana security model.

Rpalos · September 26, 2024, 9:02am

Hi @jwshin ,

This works on my end but with additional configuration. Try to add also retryWaitTime on your source.

[
  {
    "op": "add",
    "path": "/connectorAttributes/retryWaitTime",
    "value": "10000"
}
 ]

I observed that SAP has a weird behavior where if there are consecutive transactions without a few seconds in between, the account gets locked.

Can use this reference as well How to Configure Retries for Connector Aggregations and Provisioning Actions - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community

hope this helps.

jwshin · September 27, 2024, 4:53am

Hi @Rpalos ,

The /connectorAttributes/retryWaitTime option seems to be related to setting up retries for aggregation. However, I will apply this setting in the sandbox tenant and let you know if it has any effect. Thank you for your response.

Regards,

Rpalos · October 1, 2024, 5:33am

Hi @jwshin based on my testing, this retryWaitTime also applies for access request. Sure, can try this on your sandbox tenant first.

Regards,
Rain

system · November 30, 2024, 5:33am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SAP Portal >sailpoint.connector.ConnectorException ISC Discussion and Questions aggregation , identity-security-cloud	2	656	November 29, 2023
sailpoint.connector.ConnectorException ISC Discussion and Questions identity-security-cloud , connectors	3	210	November 21, 2024
Issue with SaaS connector - ISC Cloud Governance Connector ISC Discussion and Questions saas-connector , aggregation , identity-security-cloud , provisioning	9	250	August 19, 2024
Existing entitlement access is not reflecting in SailPoint IdentityNow for Service Catalog ISC Discussion and Questions identity-security-cloud , entitlements	1	33	December 20, 2024
SAP GRC - Access Management : Error Connector is not Configured IIQ Discussion and Questions identityiq , provisioning	2	671	June 28, 2023

Resolving Concurrency Issues with SAP Connector

Related topics