- Products & services Products & services
- Resources ResourcesLearning
- Learning
- Identity University Get technical training to ensure a successful implementation
- SailPoint professional certifications & credentials Advance your career or validate your identity security knowledge
- SailPoint recertification program Get recertified by demonstrating ongoing learning
- Training onboarding guide Make of the most of training with our step-by-step guide
- Training FAQs Find answers to common training questions
- Community Community
- Compass
- :
- Discuss
- :
- Community Wiki
- :
- IdentityIQ Wiki
- :
- Fixing "Refresh Identity Cube" task failures
- Article History
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Content to Moderator
Fixing "Refresh Identity Cube" task failures
Fixing "Refresh Identity Cube" task failures
If refresh task execution stops due to failures (such as null pointer exception), then IdentityIQ's "Prune Identity Cubes" task could find/correct the issue:
16:34:48,760 DEBUG sailpoint.task.IdentityRefreshExecutor:1017
- Queueing id b8f4096252d74e16859ba0f8bb7e4e70
...
16:34:48,870 DEBUG sailpoint.task.IdentityRefreshExecutor:770
- RefreshWorker 1 dequeued id b8f4096252d74e16859ba0f8bb7e4e70
...
16:34:48,870 INFO sailpoint.task.IdentityRefreshExecutor:882
- Refreshing 2711 John.Doe
16:34:49,495 ERROR sailpoint.task.IdentityRefreshExecutor:876
- RefreshWorker 1 exception: java.lang.NullPointerException
16:34:49,495 DEBUG sailpoint.task.IdentityRefreshExecutor:770
- RefreshWorker 1 dequeued id b92747af4ed54ba3a83325a3564b9f55
The task reports/purges identities missing ALL of these conditions:
- marked protected
- is a manager (managerStatus flag true)
- has capabilities
- Bundle, Application, Workitem, or TaskResult owners
- work item requestor
- Application secondary owner
- Application remediator
- creator of a MitigationExpiration
Besides an option to filter the identities to scan, the task offers an option to scan, yet not delete, identities (to report what could happen) and another "protectIfCertifying" option to protect identities in an active (non-continuous) certification.
Alternatively, these steps could aid in resolution. There exists an "Refresh Identity Cube" task setting to continue processing identities even after failures. Disabling the failure-limit lets the task process all identities. While the default value of 1 stops processing after 1 failure, yet the value of 0 continues processing with no limit:
<TaskDefinition ... name="Refresh Identity Cube" ... type="Identity">
<Attributes>
<Map>
<entry key="maxExceptions" value=0 />- Either increase/disable the exception limit during identity refresh execution. The IIQ "debug" page offers a XML editor to access the "hidden" object attributes.
- Check either task result or system logs for (failed) identities.
- Re-configure the refresh task's filter to exclude "failed" identities. This allows the scan to complete the (good) identities, yet keeps the "failed" identities for study/resolution.
- If "Prune Identity Cubes" task does not remove failures, then delete the (failed) identities from IIQ (via "iiq console"). Before deleting, copy the identity for backup/review purposes. Note that "iiq console" offers a SQL cmd option for examining RDBMS tables directly.
C:> set SPHOME=<IIQ DIR>
C:> cd %SPHOME%/WEB-INF/bin
C:> iiq console
> sql "select id,name from spt_identity where id = 'b8f4096252d74e16859ba0f8bb7e4e70' "
> get Identity b8f4096252d74e16859ba0f8bb7e4e70
...
(copy and paste XML to file as backup)
...
> delete Identity b8f4096252d74e16859ba0f8bb7e4e70
> quit
