Could someone who deeply understands the business logic of the IDN CCG CACHE design explain, or point me to any IDN documents about, the cases when a cached identity record is missing (Warning message) in the CCG log? We sometimes observed thousands of warning records in the ccg log, where we could see at least four such attempts for each identity and a warning for each [unexpected] provisioning policy account [re-]creation process.
sample: "message":"CCG CACHE [Application] OBJECT NOT IN CACHE: nameOrId - null","pipeline":"1266","@timestamp":"2023-XX-YYT01:53:36.062Z","NativeIdentity":"AAAABBBB"
Does the observed problem with CCG CACHE mean that the VAs may not have enough space or VA performance to read/write the identity data to and from the cache? How critical is that problem if we see it in the ccg log?
We wish to develop a general rule / iqservice rule that could be triggered by this type of error/warning, but do not understand the source of a ccg cache identity presence problem.
Hi Dmitri,
Thank you for the post. I don’t think we have any document related to this. I would request you to open up a SailPoint ticket and get details from them.
Hi @RAKGDS
We opened a high-severity support ticket at the end of April 2023 for a major unexpected auto-provisioning incident, and during the ticket support period I asked three times the same questions you can see here. Nothing was answered in regard to the questions about CCG CACHE errors. It is disappointing to be missing knowledge of how IDN works inside and what standard errors mean.
I’m leaning towards thinking that it is not a bad idea to develop a bash shell script that will run at Linux boot initialization (maybe as an ‘init’ script) on the VA and monitor the CCG log tail, stopping the CCG service on the VAs to prevent such or similar auto-provisioning incidents in the future in the case where too many CCG_CACHE warning events happen in a measured time interval.
I’ve added that to my personal ToDo list to try in the future.
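The rate check described in the last post, as an added example that is not part of the thread and not SailPoint code: it counts "OBJECT NOT IN CACHE" warnings in a sliding time window and reports when a threshold is exceeded. The function names, `WINDOW_SECS`, `THRESHOLD` and the sample lines are assumptions; the thread gives no log path or service name, so the stop action is left as a placeholder.

```bash
# Added example: sliding-window rate check for the CCG CACHE warning.
# WINDOW_SECS and THRESHOLD are assumed tuning values, not SailPoint defaults.
WINDOW_SECS=${WINDOW_SECS:-60}
THRESHOLD=${THRESHOLD:-5}

# Convert YYYY-MM-DDTHH:MM:SS[.fff]Z (UTC) to epoch seconds without GNU date.
iso_to_epoch() (
  IFS='-T:.Z'; set -f; set -- $1
  [ $# -ge 6 ] || exit 1
  y=$1 m=${2#0} d=${3#0} H=${4#0} M=${5#0} S=${6#0}
  case "$y$m$d$H$M$S" in ''|*[!0-9]*) exit 1 ;; esac   # e.g. redacted XX/YY
  if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 12)); fi
  days=$((365*y + y/4 - y/100 + y/400 + (153*(m - 3) + 2)/5 + d - 719469))
  echo $((days*86400 + H*3600 + M*60 + S))
)

# Reads log lines on stdin. Prints "TRIP <timestamp> <count>" at the first point
# where more than THRESHOLD warnings fall within WINDOW_SECS, else "OK <total>".
ccg_cache_rate_check() (
  key='"@timestamp":"' window="" count=0 total=0
  while IFS= read -r line; do
    case $line in *"CCG CACHE"*"OBJECT NOT IN CACHE"*) ;; *) continue ;; esac
    case $line in *"$key"*) ;; *) continue ;; esac
    ts=${line#*"$key"}; ts=${ts%%\"*}
    epoch=$(iso_to_epoch "$ts") || continue   # skip unparsable timestamps
    total=$((total + 1)); window="$window $epoch"; count=$((count + 1))
    # Drop events that have aged out of the window.
    for old in $window; do
      [ "$old" -le $((epoch - WINDOW_SECS)) ] || break
      window=${window#" $old"}; count=$((count - 1))
    done
    if [ "$count" -gt "$THRESHOLD" ]; then
      echo "TRIP $ts $count"; exit 0
    fi
  done
  echo "OK $total"
)

# Constructed sample input (not real log data): $1 warnings, one second apart.
sample_ccg_lines() (
  i=0
  while [ "$i" -lt "$1" ]; do
    printf '{"message":"CCG CACHE [Application] OBJECT NOT IN CACHE: nameOrId - null","@timestamp":"2023-05-01T01:53:%02d.062Z"}\n' "$i"
    i=$((i + 1))
  done
)

# Usage sketch: tail -F <ccg-log-path> | ccg_cache_rate_check   # act on TRIP
```

Lines whose timestamp cannot be parsed, such as the redacted sample in the first post, are skipped rather than counted.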