SAP Direct connector Entitlements are not provisioned when User Account is created on SAP side first

Which IIQ version are you inquiring about?

IIQ 8.4 p1

Share all details about your problem, including any error messages you may have received.

- We have a SailPoint SAP integration with the SAP-Direct connector and the SAP GRC option enabled.

- In the SailPoint SAP integration, SailPoint manages SAP roles as entitlements and handles account creation for the provisioning part.

- Usually the request is initiated through the SailPoint access request route, and access is provisioned in SAP after the SailPoint-side approval of the access request and the SAP GRC check validation. This works fine as expected.

- However, there are users created directly on the SAP side initially without any entitlement (SAP role), as part of system go-live or migration at their end. When SAP is integrated with SailPoint, SailPoint reads these users' SAP accounts through the aggregation task without any entitlement data.

  - When the same user raises a new SAP entitlement access request in SailPoint, the access request completes with the approval and GRC approval steps.

  - SailPoint shows the request status as completed and finished, and there is NO error.

  - After this, SailPoint still shows the user's SAP account data without any entitlement assigned. The entitlement does NOT show up in the entitlements tab under the user's tab, nor does it show up in the identity XML under assignments. It logically looks like SailPoint never provisions the SAP entitlement even though the access request shows completed and finished successfully.

  - On every identity refresh SailPoint tries to add the entitlement again, and the provisioning transaction shows committed without any error.

- Has anyone come across the same scenario and knows the root cause? As part of the "SAP-Direct" connector configuration we have already added the "Role Details" multi-valued attribute on the user schema along with the "Role" attribute (which is the entitlement and multi-valued). This does not solve our problem, and the root cause does not seem to be around the "Role Details" attribute.

Hi Rahul,

When you say the user requests an entitlement from SailPoint IIQ and you can see that provisioning happened, do you see the provisioning engine created for the request? What is the operation: is it Create, Add or Modify? When SailPoint shows it is committed, did you confirm with the SAP team whether they can see the user as part of the role?

Also, if you can see there are pre-existing users from before the migration without any role and the SAP team is not cleaning them up, please write an aggregation rule (customization rule) and ignore those accounts.

Hello Naveen,

Thanks for response, appreciate your time checking on this!

However, we cannot ignore these accounts as we are in the migration phase. There will always be users existing on SAP or any other application (with or without any entitlements provisioned) before they are onboarded to SailPoint IIQ. This is part of the process, where we can work on cleanup. Having said that, the intriguing part is that this issue occurs only for the SAP-Direct type connector, for any existing user on the SAP side.

Do you see the provisioning engine created for the request? What is the operation: is it Create, Add or Modify?

  - Yes. It shows provisioning engine details with the operation as "Add" on the access request. On the provisioning transaction retry it shows the operation as "Modify".

When SailPoint shows it is committed, did you confirm with the SAP team whether they can see the user as part of the role?

  - The SAP team does not see any transaction/logs at their end. On the SAP side, the user profile is not updated with the entitlement provisioning.

Hi Rahul,

What I meant by clean-up is that every user needs to be part of a role if he is in an S/4HANA application or any other SAP application. What I meant was: pull all the accounts, and where you see users without a role, ignore them as part of aggregation. But that's okay if you can't do it.

The second part you mentioned, that SAP is not even receiving any transactions, seems a little weird. If your connection settings are correct and you are able to do test connections, it should be able to push/provision it.

And as you mentioned earlier, you are able to do pull requests, so connectivity looks okay. Can you please share the provisioning logs? I think only there can we see what the issue could be.

We had suspected this could be an issue with the SailPoint IIQ "SAP-Direct" connector integration. With an open support case, the SailPoint support and engineering teams looked through the issue and provided the obvious conclusion, as they had a fix addressed in the higher versions 8.4p2 and 8.5:

CONETN-4652:
The SAP Direct connector now supports adding roles to an account that does not have previously assigned SAP roles to it.

In summary, this is a connector-specific issue, and the code is probably handled in the SAP-Direct connector related jar. For initial users aggregated from the SAP side without any SAP entitlements (called roles on the SAP side), the SailPoint user/account schema-level attribute "RoleDetails" will always be null. On a new access request from SailPoint, it keeps this value as null, does not update it with the new entitlements, and sends null data in the SAP provisioning call. That is the reason we do not see any error or a different response from the SAP side, while SailPoint adds the entitlement to the identity.xml parameter "AttributeAssignment". Then SailPoint tries to provision the same thing on every identity refresh, because the snapshot from SAP aggregation always shows no entitlement/role assigned on the SAP side. The SailPoint SAP integration goes into a loop with the same process for this set of users.


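The loop described in the summary above has a recognisable signature in the data SailPoint holds: the identity carries an "AttributeAssignment" for a "Role" value, while the aggregated SAP link still shows an empty "Role" list and a null "RoleDetails" attribute. The following Python script, added here as an example and not code from the thread or from the SailPoint connector, runs that reconciliation over a constructed set of identities and links. The data classes, the sample account names and role values, and the classification labels are assumptions made for the example; only the attribute names "Role" and "RoleDetails" come from the thread.

```python
"""Reconcile SailPoint-side role assignments against aggregated SAP links.

Constructed sample data (not from any real system). Each SapLink models the
aggregated account with its multi-valued "Role" entitlement and the
"RoleDetails" attribute; each Identity models the AttributeAssignment entries
SailPoint believes it has provisioned for that account.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SapLink:
    native_identity: str
    roles: list[str] = field(default_factory=list)
    # None models an attribute that aggregation never populated (the
    # pre-existing-account case from the thread), as opposed to an empty list.
    role_details: Optional[list[str]] = None


@dataclass
class Identity:
    name: str
    link: SapLink
    # (attribute name, value) pairs, mirroring AttributeAssignment entries
    attribute_assignments: list[tuple[str, str]] = field(default_factory=list)


def stuck_assignments(identity: Identity) -> list[str]:
    """Role values SailPoint has assigned but the SAP link does not show.

    These are exactly the values that every identity refresh would try to
    provision again.
    """
    held = set(identity.link.roles)
    wanted = [v for attr, v in identity.attribute_assignments if attr == "Role"]
    return [r for r in wanted if r not in held]


def classify(identity: Identity) -> str:
    """Label an identity by how its assignments compare with the SAP link.

    Labels are this example's own:
      in-sync                    nothing assigned that SAP does not hold
      pre-existing-account-loop  assignments missing, link has no roles and a
                                 null RoleDetails: the symptom in the thread
      drift                      assignments missing for some other reason
    """
    missing = stuck_assignments(identity)
    if not missing:
        return "in-sync"
    link = identity.link
    if link.role_details is None and not link.roles:
        return "pre-existing-account-loop"
    return "drift"


def report(identities: list[Identity]) -> dict[str, str]:
    """Map each identity name to its classification."""
    return {ident.name: classify(ident) for ident in identities}


# Constructed sample: account and role names are invented for the example.
SAMPLE = [
    # Created through SailPoint; link and assignment agree.
    Identity("alice", SapLink("ALICE", ["Z_FI_DISPLAY"], ["Z_FI_DISPLAY|FI"]),
             [("Role", "Z_FI_DISPLAY")]),
    # Created on the SAP side before onboarding, then requested a role.
    Identity("bob", SapLink("BOB", [], None), [("Role", "Z_MM_BUYER")]),
    # Holds one role; a second assignment is missing for another reason.
    Identity("carol", SapLink("CAROL", ["Z_SD_VIEW"], ["Z_SD_VIEW|SD"]),
             [("Role", "Z_SD_VIEW"), ("Role", "Z_SD_EDIT")]),
    # Pre-existing account with nothing requested yet: nothing to reconcile.
    Identity("dave", SapLink("DAVE", [], None), []),
]


if __name__ == "__main__":
    for name, label in report(SAMPLE).items():
        print(f"{name:6} {label}")
```

Running the block prints one line per identity; the "pre-existing-account-loop" label is the one to chase against the 8.4p2/8.5 connector fix, while "drift" points at an ordinary reconciliation problem rather than this connector issue.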