SAP GRC Invalid Request No Error during Provisioning

Hello,

Currently we are getting the error ‘Invalid Request No’ when attempting to provision anything using the SAP GRC connector. Below are the stripped logs from an access request:

2022-03-08T19:40:19,603 DEBUG http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:2282 - Dumping Provisioning Plan details  : <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="AXH8IWQ" targetIntegration="Test_SAP_GRC" trackingId="447fb72f20c04ada8ffeb5d44263a49c">
  <AccountRequest application="Test_SAP_GRC" nativeIdentity="IIQ_UT_002" op="Modify">
    <Attributes>
      <Map>
        <entry key="attachmentConfigList"/>
        <entry key="attachments"/>
        <entry key="flow" value="AccessRequest"/>
        <entry key="id" value="0a2c2b147f6a1cad817f6a734c1307c0"/>
        <entry key="interface" value="LCM"/>
        <entry key="operation" value="EntitlementAdd"/>
      </Map>
    </Attributes>
    <AttributeRequest assignmentId="0b7ba0e8f92f4ba9a0614f420c48853f" displayValue="B42CLNT500/SAPI18N" name="Roles" op="Add" value="B42CLNT500/42010A2A20071EDC818B5C8049CEF168">
      <Attributes>
        <Map>
          <entry key="assignment" value="true"/>
          <entry key="comments" value="1"/>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="requester" value="AXH8IWQ"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

2022-03-08T19:40:20,870 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:469 - Time taken to fetch basic user details is : 154ms
2022-03-08T19:40:21,195 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:513 - Time taken to fetch user other details is : 155ms
2022-03-08T19:40:21,785 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:550 - Time taken to fetch user manager details is : 163ms
2022-03-08T19:40:22,181 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:591 - Time taken to fetch user roles details is : 165ms
2022-03-08T19:40:22,498 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:629 - Time taken to fetch user profile details is : 151ms
2022-03-08T19:40:22,830 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:1184 - Time taken to fetch account reference role ids is : 151ms
2022-03-08T19:40:23,245 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:1134 - Time taken to fetch role other details is : 159ms
2022-03-08T19:40:23,897 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:292 - Time taken to fetch and return user details of 1 resource object for chunk 1 is : 3382ms
2022-03-08T19:40:24,078 DEBUG http-nio-8080-exec-52 sailpoint.connector.sapgrc.SAPGRCConnectorProvisioner:176 - Attribute map which contains attribute request details = {[email protected], Lname=Tester, Userid=IIQ_UT_002, Roles=[B42CLNT500/42010A2A20071EDC818B5C8049CEF168], Fname=John, System=BK1CLNT500}
2022-03-08T19:40:25,027 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCConnectorService:464 - Time taken to fetch details of role B42CLNT500/42010A2A20071EDC818B5C8049CEF168 is : 587ms
2022-03-08T19:40:25,421 DEBUG http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCRFCServiceProvider:1684 - Time taken to fetch additional role details is: 226ms
2022-03-08T19:40:26,030 DEBUG http-nio-8080-exec-52 sailpoint.connector.sapgrc.SAPGRCConnectorProvisioner:182 - Modify User Access Input XML : <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style"><soapenv:Header/><soapenv:Body><urn:GracIdmUsrAccsReqServices><RequestHeaderData>  <Reqtype>002</Reqtype>  <Priority>006</Priority>  <ReqInitSystem>BK1CLNT500</ReqInitSystem>  <Requestorid>LMC01MM</Requestorid>  <Email>[email protected]</Email>  <RequestReason>Modify user request from identityIQ</RequestReason>  <Bproc>basis</Bproc> </RequestHeaderData><RequestedLineItem><item>   <ItemName>SAPI18N</ItemName>   <Connector>B42CLNT500</Connector>   <ProvItemType>ROL</ProvItemType>   <ValidFrom>20220308</ValidFrom>   <ValidTo>99991231</ValidTo>   <ProvAction>006</ProvAction>   <RoleType>SIN</RoleType>  </item></RequestedLineItem><UserInfo>  <item><Email>[email protected]</Email><Lname>Tester</Lname><Userid>IIQ_UT_002</Userid><Fname>John</Fname></item> </UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body> </soapenv:Envelope>
2022-03-08T19:40:28,527 DEBUG http-nio-8080-exec-52 sailpoint.connector.sapgrc.SAPGRCConnectorProvisioner:288 - Time taken to execute modify user request is : 2316ms
2022-03-08T19:40:28,722  INFO http-nio-8080-exec-52 sailpoint.connector.sapgrc.SAPGRCConnectorProvisioner:325 - Request ID 1390 is created and submitted successfully.
2022-03-08T19:40:28,798 DEBUG http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:2282 - Provisioning plan in return  : <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="AXH8IWQ" targetIntegration="Test_SAP_GRC" trackingId="447fb72f20c04ada8ffeb5d44263a49c">
  <AccountRequest application="Test_SAP_GRC" nativeIdentity="IIQ_UT_002" op="Modify">
    <Attributes>
      <Map>
        <entry key="attachmentConfigList"/>
        <entry key="attachments"/>
        <entry key="flow" value="AccessRequest"/>
        <entry key="id" value="0a2c2b147f6a1cad817f6a734c1307c0"/>
        <entry key="interface" value="LCM"/>
        <entry key="operation" value="EntitlementAdd"/>
      </Map>
    </Attributes>
    <AttributeRequest assignmentId="0b7ba0e8f92f4ba9a0614f420c48853f" displayValue="B42CLNT500/SAPI18N" name="Roles" op="Add" value="B42CLNT500/42010A2A20071EDC818B5C8049CEF168">
      <Attributes>
        <Map>
          <entry key="assignment" value="true"/>
          <entry key="comments" value="1"/>
        </Map>
      </Attributes>
      <ProvisioningResult requestID="{&quot;roleSystem&quot;:&quot;B42CLNT500&quot;,&quot;requestId&quot;:&quot;1390&quot;,&quot;roleName&quot;:&quot;SAPI18N&quot;}" status="queued"/>
    </AttributeRequest>
    <AttributeRequest assignmentId="0b7ba0e8f92f4ba9a0614f420c48853f" displayValue="B42CLNT500/SAPI18N" name="Roles" op="Add" value="B42CLNT500/42010A2A20071EDC818B5C8049CEF168">
      <Attributes>
        <Map>
          <entry key="assignment" value="true"/>
          <entry key="comments" value="1"/>
        </Map>
      </Attributes>
      <ProvisioningResult requestID="{&quot;roleSystem&quot;:&quot;B42CLNT500&quot;,&quot;requestId&quot;:&quot;1390&quot;,&quot;roleName&quot;:&quot;SAPI18N&quot;}" status="queued"/>
    </AttributeRequest>
    <ProvisioningResult requestID="1390" status="queued"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="requester" value="AXH8IWQ"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

2022-03-08T19:40:28,813 DEBUG http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:2282 - result after method exit : <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningResult PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningResult status="committed"/>

2022-03-08T19:40:29,459 DEBUG http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:2282 - Checking status for  : 1390
2022-03-08T19:40:29,478 TRACE http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:97 - Entering checkStatus: Arguments => 1390
2022-03-08T19:40:29,769 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCConnectorService:97 - Entering checkStatus: Arguments => 1390
2022-03-08T19:40:29,784 TRACE http-nio-8080-exec-52 sailpoint.connector.sapgrc.SAPGRCConnectorProvisioner:97 - Entering checkStatus: Arguments => 1390
2022-03-08T19:40:29,799 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCSDKService:97 - Entering createEndpointForRequestDetails: Arguments => <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style"><soapenv:Header/><soapenv:Body><urn:GracIdmReqDetailsServices><RequestNumber>1390</RequestNumber></urn:GracIdmReqDetailsServices></soapenv:Body> </soapenv:Envelope>
2022-03-08T19:40:29,874 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCSDKService:97 - Entering getAttribuetMappingForRequestDetails: Arguments => N/A
2022-03-08T19:40:29,889 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCSDKService:108 - Exiting getAttribuetMappingForRequestDetails: Arguments => N/A, Returns => {User ID=//RequestDetails/UserInfo/item[1]/Userid, msgType=//MsgReturn/MsgType, reqStatus=//RequestDetails/RequestStatus, msgNo=//MsgReturn/MsgNo, msgStatement=//MsgReturn/MsgStatement}
2022-03-08T19:40:29,905 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCSDKService:108 - Exiting createEndpointForRequestDetails: Arguments => <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style"><soapenv:Header/><soapenv:Body><urn:GracIdmReqDetailsServices><RequestNumber>1390</RequestNumber></urn:GracIdmReqDetailsServices></soapenv:Body> </soapenv:Envelope>, Returns => EndpointConfig [sequenceId=1, endpointIdentifier=SAPGRCCreate Account, operationType=Create Account, parent=null, requestConfig=RequestConfig [url=https://<removed>/sap/bc/srt/rfc/sap/grac_request_details_ws/500/grac_request_details_ws/grac_request_details_ws, httpMethod=POST, requestBuilder=null, headers=[Accept-language, Content-Type], body=*****, sslOptions=[http.socket.timeout, http.connection.timeout]], responseConfig=ResponseConfig [rootPath=null, attributeMapping={User ID=//RequestDetails/UserInfo/item[1]/Userid, msgType=//MsgReturn/MsgType, reqStatus=//RequestDetails/RequestStatus, msgNo=//MsgReturn/MsgNo, msgStatement=//MsgReturn/MsgStatement}, possibleHttpErrorCodes=null, possibleHttpErrorMessages=null, successCodes=null, responseParser=null], pagingProcessor=connector.sdk.webservices.paging.impl.GenericExpressionPagingProcessor@62c9cfd3, resourceResolutionStrategy=connector.sdk.webservices.resource.AppendResourceStrategy@107ad487, childEndpoints=null, authenticationProvider=BasicAuthentication [username=YSPIIQADM, password=*****], beforeRequestProcessor=connector.sdk.webservices.EndpointConfig$1@a684283, afterResponseProcessor=connector.sdk.webservices.EndpointConfig$2@699b068, endpointAttributes=null, rawResponse=null]
2022-03-08T19:40:29,920 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCSDKService:97 - Entering executeEndPoint: Arguments => EndpointConfig [sequenceId=1, endpointIdentifier=SAPGRCCreate Account, operationType=Create Account, parent=null, requestConfig=RequestConfig [url=https://<removed>/sap/bc/srt/rfc/sap/grac_request_details_ws/500/grac_request_details_ws/grac_request_details_ws, httpMethod=POST, requestBuilder=null, headers=[Accept-language, Content-Type], body=*****, sslOptions=[http.socket.timeout, http.connection.timeout]], responseConfig=ResponseConfig [rootPath=null, attributeMapping={User ID=//RequestDetails/UserInfo/item[1]/Userid, msgType=//MsgReturn/MsgType, reqStatus=//RequestDetails/RequestStatus, msgNo=//MsgReturn/MsgNo, msgStatement=//MsgReturn/MsgStatement}, possibleHttpErrorCodes=null, possibleHttpErrorMessages=null, successCodes=null, responseParser=null], pagingProcessor=connector.sdk.webservices.paging.impl.GenericExpressionPagingProcessor@62c9cfd3, resourceResolutionStrategy=connector.sdk.webservices.resource.AppendResourceStrategy@107ad487, childEndpoints=null, authenticationProvider=BasicAuthentication [username=YSPIIQADM, password=*****], beforeRequestProcessor=connector.sdk.webservices.EndpointConfig$1@a684283, afterResponseProcessor=connector.sdk.webservices.EndpointConfig$2@699b068, endpointAttributes=null, rawResponse=null]
2022-03-08T19:40:30,637 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCSDKService:108 - Exiting executeEndPoint: Arguments => EndpointConfig [sequenceId=1, endpointIdentifier=SAPGRCCreate Account, operationType=Create Account, parent=null, requestConfig=RequestConfig [url=https://<removed>/sap/bc/srt/rfc/sap/grac_request_details_ws/500/grac_request_details_ws/grac_request_details_ws, httpMethod=POST, requestBuilder=null, headers=[Authorization, Accept-language, Content-Type], body=*****, sslOptions=[http.socket.timeout, http.connection.timeout]], responseConfig=ResponseConfig [rootPath=null, attributeMapping={User ID=//RequestDetails/UserInfo/item[1]/Userid, msgType=//MsgReturn/MsgType, reqStatus=//RequestDetails/RequestStatus, msgNo=//MsgReturn/MsgNo, msgStatement=//MsgReturn/MsgStatement}, possibleHttpErrorCodes=null, possibleHttpErrorMessages=null, successCodes=null, responseParser=null], pagingProcessor=connector.sdk.webservices.paging.impl.GenericExpressionPagingProcessor@62c9cfd3, resourceResolutionStrategy=connector.sdk.webservices.resource.AppendResourceStrategy@107ad487, childEndpoints=null, authenticationProvider=BasicAuthentication [username=YSPIIQADM, password=*****], beforeRequestProcessor=connector.sdk.webservices.EndpointConfig$1@a684283, afterResponseProcessor=connector.sdk.webservices.EndpointConfig$2@699b068, endpointAttributes=null, rawResponse=HttpResponseWrapper [status=200, response=<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header/><soap-env:Body><n0:GracIdmReqDetailsServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style"><MsgReturn><MsgNo>4</MsgNo><MsgType>ERROR</MsgType><MsgStatement>Invalid Request 
No</MsgStatement></MsgReturn><RequestDetails><RequestId/><RequestType/><RequestTypeDesc/><RequestStatus/><RequestStatusDesc/><Priority/><PriorityDesc/><ApprovalDuedate/><RequestorId/><RequestorFirstname/><RequestorLastname/><RequestorEmail/><UserInfo/><RequestedItems/><RequestPaths/><RiskViolationData/><Parameter/><UserGroup/><RequestOrgAssgnItem/></RequestDetails></n0:GracIdmReqDetailsServicesResponse></soap-env:Body></soap-env:Envelope>, headers={set-cookie=sap-usercontext=sap-client=500; path=/, content-length=732, sap-srt_id=20220308/144030/v1.00_final_6.40/42010A2A20071EECA7E2F390E4D8A8C0, sap-server=true, sap-perf-fesrec=522215.000000, content-type=text/xml; charset=utf-8, sap-srt_server_info_ext=0, sap-srt_server_info=BQ0_500,512 ,urn:sap-com:document:sap:soap:functions:mc-style,GRAC_REQUEST_DETAILS_WS,GracIdmReqDetailsServices,471, accept=text/xml}]], Returns => [{User ID=null, msgType=ERROR, reqStatus=null, msgNo=4, msgStatement=Invalid Request No}]
2022-03-08T19:40:30,769 TRACE http-nio-8080-exec-52 connector.sapgrc.service.SAPGRCConnectorService:108 - Exiting checkStatus: Arguments => 1390, Returns => sailpoint.object.ProvisioningResult@5e5aba90
2022-03-08T19:40:30,784 TRACE http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:108 - Exiting checkStatus: Arguments => 1390, Returns => sailpoint.object.ProvisioningResult@5e5aba90
2022-03-08T19:40:30,799 DEBUG http-nio-8080-exec-52 sailpoint.connector.SAPGRCConnector:2282 - Returning object is : <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningResult PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningResult requestID="1390" status="failed">
  <Errors>
    <Message key="Invalid Request No" type="Error"/>
  </Errors>
</ProvisioningResult>

• Lines 1-41: Original provisioning plan and SAP fetching required values
• Line 42: The body of the request to add the new access
• Line 44: We see that request No. 1390 was made in SAP as a response
• Lines 46-88: The updated plan that has been marked as provisioned
• Line 94: The body of the request to validate the request object (1390) was created in SAP
• Line 99: The response claims that 1390 is ‘An Invalid Request No.’

So we can see the actual provisioning appears to take place, and then the error occurs during validation. We can see the access is actually being added in SAP, and when I run the same search from line 94 through Postman, I am able to see the access request that was created:

But if I attempt to search for one that has not been created I get the same ‘Invalid Request No’ error. This leads me to believe the issue is that the data is not being synced in time and possibly needs a delay before validation.

Has anyone else encountered this error before, or have any suggestions?

Best,
Alex

Hi @aharding -

You are correct in your assumption about sync time/delays. This is a known issue with the SAP GRC integration and there is currently a fix being developed. In the meantime, you can add a ‘wait’ step to your LCM Provisioning workflow to allow the check to complete.

  <Step name='Wait for GRC' wait='ref:retryInterval' posX="159" posY="17">
    <Description>
      This is a sleep step and just waits to execute the next step.
      Typically only called when we are retrying to give us some delay
      between calls down to the PE. 
    </Description>
    <Transition to="Your Next Step"/>
  </Step>

If you would like more information on the fix that is being worked on, please have your SailPoint CSM reach out to me.
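
The race discussed in this thread, as an added example (not SailPoint connector code and not written by either poster): a status check that treats `MsgNo` 4 / `Invalid Request No` as "not visible yet" and retries with a bounded backoff before reporting `failed`. The function names, the retry budget, and the success values (`0`, `SUCCESS`, `PENDING`) are assumptions, since the thread only shows the error response.

```python
import time
import xml.etree.ElementTree as ET

def envelope(msg_no, msg_type, statement, req_status):
    """Constructed GracIdmReqDetailsServicesResponse, trimmed to the mapped fields."""
    return (
        '<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap-env:Body><n0:GracIdmReqDetailsServicesResponse '
        'xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">'
        f'<MsgReturn><MsgNo>{msg_no}</MsgNo><MsgType>{msg_type}</MsgType>'
        f'<MsgStatement>{statement}</MsgStatement></MsgReturn>'
        f'<RequestDetails><RequestStatus>{req_status}</RequestStatus></RequestDetails>'
        '</n0:GracIdmReqDetailsServicesResponse></soap-env:Body></soap-env:Envelope>'
    )

# Same error as in the log, including the line break inside MsgStatement.
NOT_VISIBLE = envelope("4", "ERROR", "Invalid Request \nNo", "")
# Placeholder success values (assumed); the thread does not show a successful response.
VISIBLE = envelope("0", "SUCCESS", "", "PENDING")

def parse_details(xml_text):
    """Pull out the fields the connector maps (msgType, msgNo, msgStatement, reqStatus)."""
    root = ET.fromstring(xml_text)  # response comes from the configured GRC endpoint
    def text(path):
        node = root.find(path)
        return " ".join((node.text or "").split()) if node is not None else ""
    return {"msgType": text(".//MsgReturn/MsgType"),
            "msgNo": text(".//MsgReturn/MsgNo"),
            "msgStatement": text(".//MsgReturn/MsgStatement"),
            "reqStatus": text(".//RequestDetails/RequestStatus")}

def not_yet_visible(f):
    """True for the exact error seen in the log right after request creation."""
    return (f["msgType"], f["msgNo"], f["msgStatement"]) == ("ERROR", "4", "Invalid Request No")

def check_status(fetch, request_id, attempts=4, delay=2.0, sleep=time.sleep):
    """Retry while GRC answers 'Invalid Request No'; fail only once the budget is spent."""
    for attempt in range(1, attempts + 1):
        fields = parse_details(fetch(request_id))
        if not not_yet_visible(fields):
            status = "failed" if fields["msgType"] == "ERROR" else "queued"
            return {"requestID": request_id, "status": status, "attempts": attempt}
        if attempt < attempts:
            sleep(delay * 2 ** (attempt - 1))  # back off: 2s, 4s, 8s
    return {"requestID": request_id, "status": "failed", "attempts": attempts}
```

The error alone cannot distinguish a request number that does not exist from one that is not visible yet, which is why the retry budget is bounded rather than open-ended.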