SAP GRC Group Aggregation Time Out

Hello,

We are developing an SAP GRC connector and are currently able to successfully test the connection and run account aggregations, but we are getting the following timeout error after a minute when attempting to run group aggregations:

Exception during aggregation of Object Type Group on Application Test_SAP_GRC. 
Reason: sailpoint.connector.InvalidConfigurationException: [ InvalidConfigurationException ] [ Possible suggestions ] Provide correct configurations, Ensure user is active with correct set of permissions and credentials. [ Error details ] java.net.SocketTimeoutException: Read timed out

And in the logs we can see:

ERROR QuartzScheduler_Worker-5 http.client.impl.ApacheHttpClientWrapper:650 - Error while request handling: Read timed out
ERROR QuartzScheduler_Worker-5 connector.sdk.webservices.ExecutionMediator:624 - Exception while executing request for URL https://<removed>/sap/bc/srt/rfc/sap/grac_search_roles_ws/500/grac_search_roles_ws/grac_search_roles_ws
connector.common.http.exception.HttpException: java.net.SocketTimeoutException: Read timed out

Given the invalid configuration error, we double-checked that our service account has all the required permissions and even gave it additional access, to no avail. Has anyone encountered anything similar, or have any suggestions?

Thanks,
Alex

Try adding/setting the following timeout settings in the Application XML under <Attributes><Map>:

<entry key="apiTimeout" value="240"/>
<entry key="connectionTimeout" value="240"/>
<entry key="grc_connection_timeout" value="240"/>

I was able to further pinpoint the issue with our group aggregation by adding the attribute:

<entry key="roleTypeFilter" value=""/>

We are able to successfully aggregate roles of type COM, DRD, and SIN. There are no active roles for the other types except for BUS. When we attempt to use BUS as the role filter we get the following null pointer exception:

2022-02-10T22:10:39,095 ERROR QuartzScheduler_Worker-2 connector.sapgrc.service.SAPGRCConnectorService:73 - Exception in hasNext while initializing iterator
java.lang.NullPointerException: null
at sailpoint.connector.sapgrc.service.SAPGRCRFCServiceProvider.getBusinessRoleRelation(SAPGRCRFCServiceProvider.java:1497) ~[connector-bundle.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.connector.sapgrc.service.SAPGRCRFCServiceProvider.getBUSHierarchy(SAPGRCRFCServiceProvider.java:1287) ~[connector-bundle.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.connector.sapgrc.service.SAPGRCConnectorService.getTechnicalRolesHierarchy(SAPGRCConnectorService.java:665) ~[connector-bundle.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.connector.sapgrc.service.SAPGRCConnectorService.getRoleDetails(SAPGRCConnectorService.java:624) ~[connector-bundle.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.connector.sapgrc.SAPGRCConnectorRoleIterator.hasNext(SAPGRCConnectorRoleIterator.java:62) [connector-bundle.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.connector.ConnectorProxy$CustomizingIterator.peek(ConnectorProxy.java:1294) [connector-bundle-identityiq.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.connector.ConnectorProxy$CustomizingIterator.hasNext(ConnectorProxy.java:1321) [connector-bundle-identityiq.jar:8.1p3 Build 6d0f1c2bdb9e]
at sailpoint.api.Aggregator.aggregateGroups(Aggregator.java:5361) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.api.Aggregator.aggregateApplication(Aggregator.java:2629) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.api.Aggregator.phaseAggregate(Aggregator.java:2541) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.api.Aggregator.execute(Aggregator.java:2121) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.task.ResourceIdentityScan.doUnpartitioned(ResourceIdentityScan.java:238) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.task.ResourceIdentityScan.execute(ResourceIdentityScan.java:218) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.api.TaskManager.runSync(TaskManager.java:903) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.api.TaskManager.runSync(TaskManager.java:723) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.1 Build dfd55b86e66-20210421-132208]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.2.3.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.3.jar:?]
2022-02-10T22:10:39,211 ERROR QuartzScheduler_Worker-2 sailpoint.api.Aggregator:1835 - Exception during aggregation of Object Type Group on Application Test_SAP_GRC. Reason: java.lang.RuntimeException: java.lang.NullPointerException
java.lang.RuntimeException: java.lang.NullPointerException

I’ve had similar issues with the SAP GRC integrations (Access Management mode). Make sure that the SAP GRC administrators are running sync jobs. We’ve seen a number of issues with out-of-sync role and user role linking tables in SAP GRC because the SAP housekeeping processes weren’t followed. We’ve also seen role validity date issues once you start requesting roles, which were fixed on the SAP GRC side by the SAP team doing BRM uploads of all their roles with fixed role configs.

Also look out for CONETN3471 for account aggregations (fixed in v8.2p2, e-fixes available for other releases on request).

Figuring out which role(s) were giving issues was quite a tedious process. Put all SAP GRC connector classes into trace mode (refer to the class tree in the NPE stack trace), find the NPE in the logs and trace back in the logs to where the batch of SAP roles being processed is logged. Then write Beanshell rules to search for the SAP Role IDs and cross links in the SAP GRC tables… Before going down that rabbit hole though, get the SAP team to clean up SAP GRC.

We noticed a data discrepancy between the IIQ logs and what was actually in SAP GRC. With logs enabled we could see it failing on the same business role every time, which actually contains a double space when looking in SAP/Postman.

But in the IIQ connector logs this double space is not present. A null pointer occurs attempting to get RoleUUID.

2022-02-11T13:38:08,685 TRACE QuartzScheduler_Worker-2 connector.sapgrc.service.SAPGRCRFCServiceProvider:97 - Entering getRoleUUID: Arguments => {Role Desc=TEST - DM0 CUA -NO SOD, Role Type Desc=Business Role, Landscape=BUSINESS, Role Name=TEST - DM0 CUA -NO SOD, Role Type=BUS, Role Owner=null, System=null}, Destination Test_SAP_GRC with properties: {jco.destination.userid=<removed>, jco.client.lang=EN, jco.client.ashost=<removed>, jco.destination.auth_type=CONFIGURED_USER, jco.client.user=<removed>, jco.client.destination=Test_SAP_GRC, jco.client.snc_mode=false, propertiesProvider=sailpoint.connector.sap.SAPJCODestinationProvider, jco.client.sysnr=00, jco.client.passwd=<secret>, jco.client.trace=0, jco.client.client=500, jco.client.snc_qop=1}
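
The log back-tracing described two posts up and the whitespace discrepancy described in the post above can be scripted together. The following is an added example, not part of the original posts and not SailPoint code: it ties each NullPointerException to the last getRoleUUID trace entry on the same worker thread, then looks for SAP-side role names that differ from the logged name only in whitespace. The role names, `SAMPLE_LOG` and `SAP_EXPORT` are constructed, and it assumes the trace entry precedes the NPE on the same thread.

```python
import re

# Line layout of the IdentityIQ log excerpts quoted in this thread:
# <timestamp> <LEVEL> <thread> <logger>:<line> - <message>
LINE = re.compile(r"^(\S+) (TRACE|DEBUG|INFO|WARN|ERROR) (\S+) (\S+?):\d+ - (.*)$")
# Argument order as in the getRoleUUID trace entry quoted in the thread.
ROLE = re.compile(r"Entering getRoleUUID: Arguments => \{.*?Role Name=(.*?), Role Type=(\w+)")


def failing_roles(log_lines):
    """Return [(thread, role_name, role_type)] for each NPE, using the last
    getRoleUUID trace entry logged on the same worker thread."""
    last_role, error_thread, hits = {}, None, []
    for raw in log_lines:
        m = LINE.match(raw)
        if m:
            _, level, thread, _, msg = m.groups()
            error_thread = thread if level == "ERROR" else None
            r = ROLE.search(msg)
            if r:
                last_role[thread] = (r.group(1), r.group(2))
        elif raw.startswith("java.lang.NullPointerException") and error_thread:
            name, rtype = last_role.get(error_thread, (None, None))
            hits.append((error_thread, name, rtype))
            error_thread = None  # one hit per ERROR entry
    return hits


def whitespace_variants(logged_name, sap_role_names):
    """SAP-side names equal to the logged name only after collapsing whitespace."""
    squash = lambda s: " ".join(s.split())
    return [n for n in sap_role_names
            if n != logged_name and squash(n) == squash(logged_name)]


# Constructed sample input; role names are made up for illustration.
T = "connector.sapgrc.service.SAPGRCRFCServiceProvider:97 - Entering getRoleUUID: Arguments => "
SAMPLE_LOG = [
    "2022-02-11T13:38:08,100 TRACE QuartzScheduler_Worker-2 " + T + "{Role Desc=Finance, Role Name=ZBR EXAMPLE FINANCE, Role Type=BUS, System=null}",
    "2022-02-11T13:38:08,150 TRACE QuartzScheduler_Worker-3 " + T + "{Role Desc=HR, Role Name=ZBR EXAMPLE HR, Role Type=BUS, System=null}",
    "2022-02-11T13:38:08,200 ERROR QuartzScheduler_Worker-2 connector.sapgrc.service.SAPGRCConnectorService:73 - Exception in hasNext while initializing iterator",
    "java.lang.NullPointerException: null",
    "at sailpoint.connector.sapgrc.service.SAPGRCRFCServiceProvider.getBusinessRoleRelation(SAPGRCRFCServiceProvider.java:1497)",
]
SAP_EXPORT = ["ZBR  EXAMPLE FINANCE", "ZBR EXAMPLE HR"]  # first name has two spaces after ZBR

if __name__ == "__main__":
    for thread, name, rtype in failing_roles(SAMPLE_LOG):
        print(thread, rtype, repr(name), whitespace_variants(name, SAP_EXPORT))
```

Correlating by thread name matters when several Quartz workers write to the same log file, since the most recent trace entry in the file may belong to a different worker.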

Should the System attribute not have a value?
Can you find the entries for the role in the GRACROLE table?