AFX: Provisioning access to users sporadically fails yet CRs show100 percent fulfilled in RSA Identity Governance & Lifecycle

3 years ago

Originally Published: 2015-06-01

Article Number

000061823

Applies To

RSA Product Set: Identity Governance & Lifecycle
RSA Product/Service Type: All
RSA Version/Condition: All

Issue

When granting app-roles to users using an AFX connector, one or more entitlements sometimes do not get propagated to the data source yet the corresponding change requests (CR) show as 100% fulfilled.

.

Cause

The AFX fulfillment workflow that is being used by the change request has a "mark verified" node but no "wait for verification" node. As a result, all requests are marked as verified whether they succeed or fail. IMG may know about these failures but we ignore them because the workflow says to mark them as verified which in turn marks the CR as completed.

Resolution

Add the "wait for verification" node to the AFX fulfillment workflow so that we can confirm that what we asked the end point to do has actually happened. If a failure occurs, the CR will not be marked as verified and therefore not completed. As a result, failures will be revealed and may subsequently be trouble-shooted.

Notes

A "Mark Verified" node is useful if nothing needs to be done for an item in the workflow but you want it to show as completed in the change request. Otherwise, that item will have a status of "PA" (pending action) instead of completed.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles