cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What does Identity Request Execution Status "Verifying" mean?

What does Identity Request Execution Status "Verifying" mean?

IdentityIQ utilizes Identity Requests (also known as Access Requests) to encapsulate attribute requests and report provisioning results. The Identity Request status is updated at various times and to various values depending on the request type. This article is meant to help illuminate how the Identity Request provisioning verification works, and what the various statuses mean.

 

Let’s assume that we have a provisioning plan that sets a specific attribute value in Active Directory. At the end of the LCM workflow, the attribute request is left in a “Committed” state. Despite the fact that the account has been updated in AD, we notice that the Identity Request status is still “Verifying.”

 

This is the typical result we would expect to see at the conclusion of a successful provisioning workflow.

 

So what does it mean that the Identity Request is still “Verifying” and that my attribute request is “Committed”?

 

Let’s first approach this problem using a human analogy.  You can kick / throw a ball, and your nerves can sense when the muscles are no longer interacting with the ball. But your brain might not actually believe it unless you see the ball being thrown or kicked.

real_world_verification.png

Now let's look at this from an IdentityIQ perspective:

 

iiq_verification.png

We see that the same process seen in the real world holds true for provisioning in IdentityIQ.  In this case, however, governance is the brain, aggregations are the senses, and provisioning connectors are the muscles.  The provisioning connectors can tell that something has been completed or not.  But this could mean that a ticket has been closed, or a transaction has been completed. Aggregations can verify that the state is where we want it.

 

In IdentityIQ, “Committed” can mean different things depending on the implementation, but in general “Committed” means the changes have been written to the external system.  Because some systems use ticketing systems to request changes and others can not immediately read back the changes, IdentityIQ shows “Committed” for provisioning operations that for all intents and purposes should be complete.  This just means that the product has told the external system to make a change. That change may be instantaneous, as in the case of the direct connector, or the change may take a long time to be executed, as in the case of a message external ticketing system.  Really the product has to facilitate the lowest common denominator of functionality across all connectors at this point because the LCM code is generic and connector agnostic.

 

Changes have been written or committed, but… they haven’t been verified.  “Verifying” is what we call "closing the loop" and independently verifying the changes have been carried out through what we see during aggregation processes. And then a task runs that compares what the Identity Request expected to see in the provisioning versus what comes in the aggregation.

 

Two things need to happen for verification to take place and for a request to move to status of an Identity Request to “Completed”:

  1. The account aggregation needs to read in the new link record for the account that was provisioned to.  This happens through the regular account aggregation mechanisms.  Delimited files are reread, direct connectors are re-aggregated -- whatever the connector does for aggregation.  This updates the link record in IdentityIQ with the latest State of entitlements on the account.
  2. The task called the “Perform Identity Request Maintenance” runs.  This is an out-of-the-box task that ships with IdentityIQ.  By default this task is scheduled to run once a day at approximately 1 AM.   This task looks at open identity requests that are in state “Committed" or in a state attempting to retry a provisioning operation.  For the ones in a committed state the task compares the requests for entitlements to be added or removed the current state of the link.  If the desired state matches the state read in by the most recent aggregation then the request is moved to state “Finished”.

You can turn on tracing for the identity request maintenance task and see what is happening under the hood.

 

After the task has completed, the Identity Request in the above example has the following changes: the Verification Date is now set along with the Active Directory Attribute Request being set to “Finished” and the request’s Execution Status now set to “Completed”.

 

You may notice that certain Identity Requests never get set to "Completed." This can happen for multiple reasons, but one of the main reasons would be if you added and then removed role (or likewise set and then reset an attribute value). In cases where you have toggled an account setting, you will have two access requests - one to update the account, and other to undo the update. In this case, the first access request cannot be verified since the account is no longer in the expected state needed for verification.

 

Comments

I'm new to IdentityIQ and LCM.  Can you elaborate on:


  • You can turn on tracing for the identity request maintenance task and see what is happening under the hood."

How do you turn on tracing for a task?

Hi andrew.bowman!

You also might receive some help from the IdentityIQ Forums with your questions.

I would recommend posting your question in there so other folks who might have the same question can see the answer when it arrives.

-Emily

We use log4j to perform logging for IdentityIQ. In order to turn on logging for a task, you can look at the XML task definition for the task in question and once you know the name of the class that implements the task, you can turn on the logging for that task by editing your log4j.properties file (usually found in your /WEB-INF/classes directory) like so:

From the XML snippet for the Identity Request Maintenance Task:

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<TaskDefinition created="1403119950811" executor="sailpoint.task.IdentityRequestMaintenance" id="ff80808146b077340146b0775bdb0158" modified="1403119977711" name="Identity Request Maintenance" progressMode="String" resultAction="Delete" subType="task_item_type_system" template="true" type="System">

  <Description>Prune and Verify Identity Request objects.

        </Description>

  <Signature>

    <Inputs>

Notice that the executor for the task is: sailpoint.task.IdentityRequestMaintenance.

In your log4j.properties files, turn on logging for this specific Java class.

log4j.logger.sailpoint.task.IdentityRequestMaintenance=debug

You can choose from the following list of log levels for a given class name: trace, debug, info, warn, error

Once you've changed the logging levels in the log4j.properties file, you can restart the app server or reload the logging settings vie the debug page (Debug --> Logging --> Reload Logging Configuration.)

For more on logging, see Rolling log4j Configuration Example and How to Setup Rolling Logs with Log4J  and How to Find Log4j.properties and IIQ Logs.

Thank you Chris!  I'm looking at the task named "Perform Identity Request Maintenance".  It does not have an executor attribute on the TaskDefinition element, but it does have a reference:

<Reference class="sailpoint.object.TaskDefinition" id="ff80808138962c3c0138962cc6d0012a" name="Identity Request Maintenance"/>

I'm going to assume I should look to the XML object definition for Identity Request Maintenance to find the class name I need.  And fortunately that happens to be the task you listed as your example! 

My end goal is to figure out why certain tasks stay in a Verified state even after Perform Identity Request Maintenance has been executed multiple times. 


I set it to:

     log4j.logger.sailpoint.task.IdentityRequestMaintenance=trace

Sadly the trace logs don't show me anything useful.  When set to trace t shows sailpoint.task.IdentityRequestMaintenance iterating over the 37 IDs that are stuck "Verifying" but no details on what's happening.  Are there other items we can enable to show more information?

Verifying moves to Completed when we verify that the data that has been requested is marked and set on the Identity Cube. For one of these requests, can you verify that the requested items are shown and visible on the Identity Cube?

Turns out we had a conflict between a profile role that was requestable and a profile role that used a filter for assignment.  Users matching the filter role could never be removed from the filter role.  We moved all of the users to the requestable profile role and deleted the filter profile role and now the provisioning requests have moved from verifying to complete.

Obvious in retrospect, but we had to learn it.

Hi,

I ran aggregation and Perform Identity Request Maintenance task but Execution Status is not changing to Success.

Can you please help me on this issue.

Regards,

Swati Mutgekar

This indicates that the provisioning did not actually occur as expected.  Can you manually verify that the requested access does now exist on that identity cube?  Because the Perform Identity Request Maintenance task should be comparing the requested access with the identity and if they match, it should move the item from Verifying to Completed.  If, on the other hand, some conflicting request has come in and reversed that provisioning action, the request will NEVER be able to move from Verifying to Completed.

Hi Jennifer,

If this happens often, you could build up a mass of Verifying items, which I understand can cause performance issues. Is there any way to manually force a request to be Completed, even if the system doesn't believe this to be so?

Regards,

Jason

Version history
Revision #:
3 of 3
Last update:
‎Sep 22, 2023 02:21 PM
Updated by: