Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What does Identity Request Execution Status "Verifying" mean?

What does Identity Request Execution Status "Verifying" mean?

IdentityIQ utilizes Identity Requests (also known as Access Requests) to encapsulate attribute requests and report provisioning results. The Identity Request status is updated at various times and to various values depending on the request type. This article is meant to help illuminate how the Identity Request provisioning verification works, and what the various statuses mean.

 

Let’s assume that we have a provisioning plan that sets a specific attribute value in Active Directory. At the end of the LCM workflow, the attribute request is left in a “Committed” state. Despite the fact that the account has been updated in AD, we notice that the Identity Request status is still “Verifying.”

 

This is the typical result we would expect to see at the conclusion of a successful provisioning workflow.

 

So what does it mean that the Identity Request is still “Verifying” and that my attribute request is “Committed”?

 

Let’s first approach this problem using a human analogy.  You can kick / throw a ball, and your nerves can sense when the muscles are no longer interacting with the ball. But your brain might not actually believe it unless you see the ball being thrown or kicked.

real_world_verification.png

Now let's look at this from an IdentityIQ perspective:

 

iiq_verification.png

We see that the same process seen in the real world holds true for provisioning in IdentityIQ.  In this case, however, governance is the brain, aggregations are the senses, and provisioning connectors are the muscles.  The provisioning connectors can tell that something has been completed or not.  But this could mean that a ticket has been closed, or a transaction has been completed. Aggregations can verify that the state is where we want it.

 

In IdentityIQ, “Committed” can mean different things depending on the implementation, but in general “Committed” means the changes have been written to the external system.  Because some systems use ticketing systems to request changes and others can not immediately read back the changes, IdentityIQ shows “Committed” for provisioning operations that for all intents and purposes should be complete.  This just means that the product has told the external system to make a change. That change may be instantaneous, as in the case of the direct connector, or the change may take a long time to be executed, as in the case of a message external ticketing system.  Really the product has to facilitate the lowest common denominator of functionality across all connectors at this point because the LCM code is generic and connector agnostic.

 

Changes have been written or committed, but… they haven’t been verified.  “Verifying” is what we call "closing the loop" and independently verifying the changes have been carried out through what we see during aggregation processes. And then a task runs that compares what the Identity Request expected to see in the provisioning versus what comes in the aggregation.

 

Two things need to happen for verification to take place and for a request to move to status of an Identity Request to “Completed”:

  1. The account aggregation needs to read in the new link record for the account that was provisioned to.  This happens through the regular account aggregation mechanisms.  Delimited files are reread, direct connectors are re-aggregated -- whatever the connector does for aggregation.  This updates the link record in IdentityIQ with the latest State of entitlements on the account.
  2. The task called the “Perform Identity Request Maintenance” runs.  This is an out-of-the-box task that ships with IdentityIQ.  By default this task is scheduled to run once a day at approximately 1 AM.   This task looks at open identity requests that are in state “Committed" or in a state attempting to retry a provisioning operation.  For the ones in a committed state the task compares the requests for entitlements to be added or removed the current state of the link.  If the desired state matches the state read in by the most recent aggregation then the request is moved to state “Finished”.

You can turn on tracing for the identity request maintenance task and see what is happening under the hood.

 

After the task has completed, the Identity Request in the above example has the following changes: the Verification Date is now set along with the Active Directory Attribute Request being set to “Finished” and the request’s Execution Status now set to “Completed”.

 

You may notice that certain Identity Requests never get set to "Completed." This can happen for multiple reasons, but one of the main reasons would be if you added and then removed role (or likewise set and then reset an attribute value). In cases where you have toggled an account setting, you will have two access requests - one to update the account, and other to undo the update. In this case, the first access request cannot be verified since the account is no longer in the expected state needed for verification.

 

Comments
aminhas
‎Aug 01, 2018 01:00 PM
‎Aug 01, 2018 01:00 PM

Hey Jennifer/Chris,

Thanks for giving detailed explanation. It was very helpful in our project.

I just had one small question. Can we somehow auto verify account requests of particular application with 'autoVerifyIdentityRequest' option. Basically if a single Access Request was submitted for 10 applications and my requirement is that IIQ should auto verify only 1 application (ABC application) and continue to check for verification status for all other 9 applications and give us status in access request. Is our requirement feasible.

I initialized 'autoVerifyIdentityRequest' as true in Identity Request Finalize workflow and now SailPoint is auto approving all access requests and returning incorrect status. Please let me know in case you need any additional information from me.

Thanks,

Akhil Minhas qusro.syed

jennifer_mitchell
‎Aug 01, 2018 01:18 PM
‎Aug 01, 2018 01:18 PM

Your comment here doesn't quite follow the logic of what the system does.  An Identity Request is an object that tracks the status of the whole request.  The Verifying status is an all-or-nothing thing.  If you "auto verify", it is inherently for the whole request - you can't auto-verify individual components because we don't track that status at the line-item level.  However, that has nothing to do with auto-approval.  That is a completely different variable/process, so it seems to me you must have set some other variable as well that is driving you to that behavior.

aminhas
‎Aug 01, 2018 02:13 PM
‎Aug 01, 2018 02:13 PM

Hey Jennifer,

I think I wrote my question in wrong way. What I meant by auto approve was 'autoVerifyIdentityRequest' is auto verifying the complete Identity Request. I am experiencing the same IIQ behavior as you mentioned that the 'autoVerifyIdentityRequest' is tracking complete Identity Request and not individual sub items of the request.

Thanks for looking into my concern.

qusro.syed

chris_hajdu
‎Sep 04, 2018 09:39 AM
‎Sep 04, 2018 09:39 AM

You may want to run the same code the runs in the PIRM (Perform Identity Request Maintenance) task instead of setting the autoverify flag.

This code snippet will take a specific IdentityRequest and verify those items that are completed, leaving the uncompleted ones alone:

import sailpoint.api.IdentityRequestProvisioningScanner;

import sailpoint.object.IdentityRequest;

import sailpoint.object.Attributes;

import sailpoint.object.QueryOptions;

import sailpoint.object.Filter;

 

  Attributes args = new Attributes();

  String strIdentityRequest = new String("0000000052");  /// <---- replace this with the identity request that you want to scan for verification status

  IdentityRequestProvisioningScanner scanner = new IdentityRequestProvisioningScanner(context,args);          

  QueryOptions ops = new QueryOptions();

  ops.add(Filter.eq("name",strIdentityRequest));

  int requestTotal = context.countObjects(IdentityRequest.class, ops);

  List ids = new ArrayList();

                 

  IdentityRequest ir = null;

  if ( requestTotal == 1 ) {

        ir =  context.getObjectByName(IdentityRequest.class,strIdentityRequest);

        if (null != ir) {

            System.out.println("IdentityRequest = " + ir.toXml());

            scanner.scan(ir);

        }

  }

aminhas
‎Sep 04, 2018 10:03 AM
‎Sep 04, 2018 10:03 AM

Thanks Chris. I will give it a try.

Best,

Akhil Minhas

ymail145
‎May 02, 2020 04:47 PM
‎May 02, 2020 04:47 PM

Hi Jennifer,

I provisioning to JDBC Application ,record got inserted into targeted apps but provisioning status moved to failed from committed after running PIRM task.

 

May i know which task I need to run first?

Aggregation or  PIRM or refresh Identity Cube? 

 

shikida
‎Jul 08, 2020 06:41 PM
‎Jul 08, 2020 06:41 PM

I have the same problem/question as @ymail145 .

I have the getObjectSQL properly configured, the account is created with the right entitlement, then the access request goes to the verifying state.

After I run an aggregation and PIRM, the access request is marked as failed.

My expectation was to have it verified, since getObjectSQL is properly implemented.

"auto verify" is not an option here, since it will actually skip the verification.

Thanks in advance

Version history
Revision #:
3 of 3
Last update:
‎Sep 22, 2023 02:21 PM
Updated by:
SailPoint Employee
 
View Article History