SAP GRC - Max number of status checks occurred

mcheek · February 28, 2024, 8:24pm

We have noticed there are some requests that go to SAP GRC that will stop there because there is an SOD violation detected. That requires manual intervention on the SAP side to allow the provisioning request to complete. It appears that IdentityNow stops checking the status of the request between 24-25 hours after it’s been submitted, resulting in this error message

"errors": [
        "Max number of status checks occurred."
    ]

Does anyone know if the maximum number of status checks is configurable? There are times when a request might be submitted into GRC where an admin cannot look at it for a couple of days, and we’d like for the request to not time out when that happens

colin_mckibben · March 1, 2024, 8:31pm

Hi Mark. Have you tried increasing the provisioningTimeout value in the source configuration?

mcheek · March 4, 2024, 1:53pm

It doesn’t appear that attribute is defined on this connector

 get-sources -filters 'name eq "SAP GRC AC"' | select -expandproperty connectorAttributes | select provisioningTimeout

provisioningTimeout
-------------------

I might be reading the documentation you included incorrectly, but these timeout settings seem to apply to the communication between the cloud tenant and the VA doing the provisioning, and my issue is slightly different.

The provisioning request is successfully sent to the SAP system, but it’s not being completed for some time because it requires manual intervention on the GRC side by an admin, typically because it triggered a SOD violation (according to GRC’s rule set).

Eventually, an admin in GRC will approve the request, but often before this happens, the provisioning workflow on the IdN side has “given up” and throws this status check error.

NehaClare · March 27, 2024, 3:05pm

I believe, the issue stems from a combination of settings in the GRC Source application. Specifically, there is a provisioningStatusCheckIntervals and the maximum number of status checks…
You can update the source config using: PATCH https://sailpoint.api.identitynow.com/beta/sources/:id and update the connectorAttributes.
Below are examples of what you can set the attributes to:

5 days every 30 mins

provisioningMaxStatusChecks = 240 and provisioningStatusCheckInterval = 30

6 days every 30 mins

provisioningMaxStatusChecks = 288 and provisioningStatusCheckInterval = 30

7 days every 30 mins

provisioningMaxStatusChecks = 336 and provisioningStatusCheckInterval = 30

API Reference: update-source | SailPoint Developer Community

mcheek · March 27, 2024, 3:35pm

Thanks, I wasn’t aware that was an attribute that existed, because provisioningStatusCheckInterval is a property in connectorAttributes but provisioningMaxStatusChecks was not. I will try that

Topic		Replies	Views
OOTB - SAP Concur Connector - "Unspecified Connector Failure" ISC Discussion and Questions identity-security-cloud , provisioning , access-requests , ootb-connector	2	410	July 23, 2023
Request Center: Pending Approval? ISC Discussion and Questions identity-security-cloud , access-requests	3	258	July 24, 2023
Expiration date to target ISC Discussion and Questions	1	461	July 19, 2023
Is there a bug in the provisioning completed trigger? ISC Discussion and Questions workflows , identity-security-cloud , provisioning	12	424	August 10, 2023
Provision in Active Directory - Workflow Terminated Early for Request Based Provision ISC Discussion and Questions identity-security-cloud , provisioning , roles , access-requests	4	170	March 10, 2024

SAP GRC - Max number of status checks occurred

Related Topics