IdentityIQ utilizes Identity Requests (also known as Access Requests) to encapsulate attribute requests and report provisioning results. The Identity Request status is updated at various times and to various values depending on the request type. This article is meant to help illuminate how the Identity Request provisioning verification works, and what the various statuses mean.
Let’s assume that we have a provisioning plan that sets a specific attribute value in Active Directory. At the end of the LCM workflow, the attribute request is left in a “Committed” state. Despite the fact that the account has been updated in AD, we notice that the Identity Request status is still “Verifying.”
This is the typical result we would expect to see at the conclusion of a successful provisioning workflow.
So what does it mean that the Identity Request is still “Verifying” and that my attribute request is “Committed”?
Let’s first approach this problem using a human analogy. You can kick / throw a ball, and your nerves can sense when the muscles are no longer interacting with the ball. But your brain might not actually believe it unless you see the ball being thrown or kicked.
Now let's look at this from an IdentityIQ perspective:
We see that the same process seen in the real world holds true for provisioning in IdentityIQ. In this case, however, governance is the brain, aggregations are the senses, and provisioning connectors are the muscles. The provisioning connectors can tell that something has been completed or not. But this could mean that a ticket has been closed, or a transaction has been completed. Aggregations can verify that the state is where we want it.
In IdentityIQ, “Committed” can mean different things depending on the implementation, but in general “Committed” means the changes have been written to the external system. Because some systems use ticketing systems to request changes and others can not immediately read back the changes, IdentityIQ shows “Committed” for provisioning operations that for all intents and purposes should be complete. This just means that the product has told the external system to make a change. That change may be instantaneous, as in the case of the direct connector, or the change may take a long time to be executed, as in the case of a message external ticketing system. Really the product has to facilitate the lowest common denominator of functionality across all connectors at this point because the LCM code is generic and connector agnostic.
Changes have been written or committed, but… they haven’t been verified. “Verifying” is what we call "closing the loop" and independently verifying the changes have been carried out through what we see during aggregation processes. And then a task runs that compares what the Identity Request expected to see in the provisioning versus what comes in the aggregation.
Two things need to happen for verification to take place and for a request to move to status of an Identity Request to “Completed”:
You can turn on tracing for the identity request maintenance task and see what is happening under the hood.
After the task has completed, the Identity Request in the above example has the following changes: the Verification Date is now set along with the Active Directory Attribute Request being set to “Finished” and the request’s Execution Status now set to “Completed”.
You may notice that certain Identity Requests never get set to "Completed." This can happen for multiple reasons, but one of the main reasons would be if you added and then removed role (or likewise set and then reset an attribute value). In cases where you have toggled an account setting, you will have two access requests - one to update the account, and other to undo the update. In this case, the first access request cannot be verified since the account is no longer in the expected state needed for verification.
Hey Jennifer/Chris,
Thanks for giving detailed explanation. It was very helpful in our project.
I just had one small question. Can we somehow auto verify account requests of particular application with 'autoVerifyIdentityRequest' option. Basically if a single Access Request was submitted for 10 applications and my requirement is that IIQ should auto verify only 1 application (ABC application) and continue to check for verification status for all other 9 applications and give us status in access request. Is our requirement feasible.
I initialized 'autoVerifyIdentityRequest' as true in Identity Request Finalize workflow and now SailPoint is auto approving all access requests and returning incorrect status. Please let me know in case you need any additional information from me.
Thanks,
Akhil Minhas qusro.syed
Your comment here doesn't quite follow the logic of what the system does. An Identity Request is an object that tracks the status of the whole request. The Verifying status is an all-or-nothing thing. If you "auto verify", it is inherently for the whole request - you can't auto-verify individual components because we don't track that status at the line-item level. However, that has nothing to do with auto-approval. That is a completely different variable/process, so it seems to me you must have set some other variable as well that is driving you to that behavior.
Hey Jennifer,
I think I wrote my question in wrong way. What I meant by auto approve was 'autoVerifyIdentityRequest' is auto verifying the complete Identity Request. I am experiencing the same IIQ behavior as you mentioned that the 'autoVerifyIdentityRequest' is tracking complete Identity Request and not individual sub items of the request.
Thanks for looking into my concern.
qusro.syed
You may want to run the same code the runs in the PIRM (Perform Identity Request Maintenance) task instead of setting the autoverify flag.
This code snippet will take a specific IdentityRequest and verify those items that are completed, leaving the uncompleted ones alone:
import sailpoint.api.IdentityRequestProvisioningScanner;
import sailpoint.object.IdentityRequest;
import sailpoint.object.Attributes;
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
Attributes args = new Attributes();
String strIdentityRequest = new String("0000000052"); /// <---- replace this with the identity request that you want to scan for verification status
IdentityRequestProvisioningScanner scanner = new IdentityRequestProvisioningScanner(context,args);
QueryOptions ops = new QueryOptions();
ops.add(Filter.eq("name",strIdentityRequest));
int requestTotal = context.countObjects(IdentityRequest.class, ops);
List ids = new ArrayList();
IdentityRequest ir = null;
if ( requestTotal == 1 ) {
ir = context.getObjectByName(IdentityRequest.class,strIdentityRequest);
if (null != ir) {
System.out.println("IdentityRequest = " + ir.toXml());
scanner.scan(ir);
}
}
Thanks Chris. I will give it a try.
Best,
Akhil Minhas
Hi Jennifer,
I provisioning to JDBC Application ,record got inserted into targeted apps but provisioning status moved to failed from committed after running PIRM task.
May i know which task I need to run first?
Aggregation or PIRM or refresh Identity Cube?
I have the same problem/question as @ymail145 .
I have the getObjectSQL properly configured, the account is created with the right entitlement, then the access request goes to the verifying state.
After I run an aggregation and PIRM, the access request is marked as failed.
My expectation was to have it verified, since getObjectSQL is properly implemented.
"auto verify" is not an option here, since it will actually skip the verification.
Thanks in advance