This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to properly implement the proccess to make a Identity Manager automated (system) Fulfillment through Access Request

Hi, community.

The scenario I'm facing is, when a Access Request is made and the manager and owners approved, the access requested must be granted to the Initiator without manual intervention. 

I followed the course instructions from Identity Governance and Administration (IGA) Academy and configured the Fulfillment Target of the application to Identity Manager automated (system). However, nothing occurs after the collection + publish, neither the access is granted in the IDM side and neither is show on the Current Access of the user. Also, I could not find any logs towards these changes in the IDM side, not in the driver of this application and neither in catalina.out from UserApp logs.

The requested access keep showing in Fullfillment -> Requests of the Fullfillment Administration User after the collection + publish.

Is there another configuration necessary? Where can i see the logs of these?

  • 0 in reply to   

      

    Yes, all targets are checked :( .

    I'll try to create a role in IDM and run a collection as you mentioned.

    I'll let you know once it's finished.

    Thank for the help. 

  • 0 in reply to 

       

    It did not work.

    The fullfilment did not happen and it came to the new role owner for manual fulfilment.

    Is there any log that I can see if there is a connectivity error during the soap calls?

  • 0   in reply to 

    Hmm, I'm not sure. You have a few logging options under "Configuration/Logging Levels" which are outputed to the catalina.<date>.log

    You can try to set every logging package in the "DaaS WAR" Module to 'TRACE' and maybe under the "Server WAR" the packages "com.netiq.iac", "com.novell.soa", "com.netiq.persist".

    I'm not sure if those are helping, but I usually turn those on and hope for the best

  • 0   in reply to   

    In addition: 

    If there is a connection error, then the fulfillment would also be an error - at least from what I could observe in the past.
    Under "Fulfillment configuration/application setup" you also have the option to edit the settings. If you click on edit, is this view the same as in the fulfillment configuration/setup?

  • 0 in reply to   

    There is no error on Application Setup. 

    I tried to add more logs as debug, but could not find any error as well :( 

  • 0   in reply to 

    I would suggest to open an SR. 
    In theory there isn't much to do for this setup to work and for further debugging I also would need to click through it myself.

  • 0 in reply to 

    One thing to check if there are any traces in the request history on the IDM side for the particular user? If not it might be that a request object has been created but with illegal content. We had an issue of that kind and that resolved by configuring the tomcat instance running IDApps to launch with the encoding set to UTF8. If I remember it correctly you can see in the catalina log on the IDApps server that in fact a request object is created but when searching for that particular object none is found.

  • 0   in reply to   

     If your fallback for the IDM Automated is IDM Workflow, then yes you are correct that the information in Configuration -> Identity Manager Settings is needed.  However, if the fallback is manual it is not.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hello,  . Can you please share the API URLs that are called?
    We have opened a ticket for this case but it's taking some time to support analyze it.
    Thanks

  • 0

    To actually see the document sent the logging level com.netiq.iac.server.dtp on the DTP.WAR should be set to DEBUG inside the app. This log level sends at lot of log posts to the catalina file but when searching for "remove-values" or "add-values" one should get to the actual document sent by the fulfillment process.