Post Date: April 19, 2011
Posted By: Doug Bulkley
I have a certificate where I've revoked a few entitlements. These revocations created work items which have been completed and the entitlements removed from the appropriate application accounts.
Account aggregation and identity refresh have both been run and I can see that the entitlements are no longer present on the Identity.
I then ran the "Perform Maintenance" task, with the "Scan for completed revocations" option checked.
However, when I examine the revoked entitlement within the certification, or if I run a "Revocation Report", the Status for the revoked entitlements continues to show "Open" instead of "Finished".
There are two scenarios that come into play here:
1) You did not check the "Enable Revocation Period" checkbox when you created the certification. Currently, the scanner will only check and update the status of a revoked entitlement if a revocation period has been enabled. ETN 8291 has been opened with engineering to allow the scanner to examine revocations regardless of enabling a revocation period.
2) If you have enabled a revocation period for your certification, the following describes how this process should function:
Note: During this remediation scan, the Remediation Manager performs a targeted reaggregation on the identity's link(s) affected by the certification revocation and checks to see if the desired action has occurred on the native application. For this targeted reaggregation to run properly, applications either need to support random access (Active Directory, for example), or, if they have the NO_RANDOM_ACCESS feature (JDBC applications, for example), they need the correct getObject methods implemented. This targeted reaggregation functionality can be tested with the following "iiq console" command:
connectorDebug [application name] get account [native application identity]
connectorDebug "Active Directory" get account cn=jdoe1,cn=Users,dc=example,dc=com
Lyndsay,
In version 5.2, did the remediationScanInterval option exist in the Perform Maintenance task? In 5.2 the Revocation Period option on the certification did not yet exist, so as long as revoked entitlements were removed properly the "revoke completed" column in the certification report would be set to "YES". In 6.1 (where our implementation is now), it seems that the revoke completed column only gets flagged to "TRUE" if we are in the revocation period. The downside to this (unless there is a rule we can implement) is that we will not see revoke completed = TRUE until the certification is complete and we are in the revocation period (for us that would be 5 weeks after the certification kicked off, vs. near real time in version 5.2, since we aggregate nightly).
Is there an option / configuration to allow the revocations to be scanned immediately while the certification is ongoing (the behavior we saw in 5.2)?
Thanks
Hi Victor DiMare,
I would post this question in the Forums. I moved this article from the old site, but I don't have any insight into your question, so the experts in the forums should be able to assist. :smileyhappy:
-Lyndsay
will do.. Thx
Hello
We have a before provisioning plan that we are using to change the delete request for an account request to disable for an AD Read/Write Connector, and when we create the "Revocation Live Report" the status is still Open. I have checked, and all the criteria that you have mentioned are there in the Perform Maintenance Task, and I have waited for 24 hours based on the remediationScanInterval value in the System Configuration object, but the Status is still Open. I am not sure what to do, as I have run the aggregation task again and the Cube Refresh Task again, and even the attributes in the Identity are updated. Kindly suggest something, as your feedback will be helpful, and if any additional details are required do let me know.
Thanks
Sumit Gupta
Hi Sumit,
Did you get any response to your question? What did you observe after your remediation phase completed? Did the status change to "finished", or is it still "open"? We have another situation along with yours: the Revocation report which we pulled from OOTB displays Type as "send provisioning request" but the Status is Finished. What does the Type mean, and what should it change to when finished?
Hello kapil,
Please refer to this link
Revocation Live Report Showing Incorrect Status
Thanks
Sumit Gupta
Thanks Sumit ! Appreciate your Help !
Np! Happy learning! Have fun.