Troubleshooting

SAP has introduced significant modifications in its SAP GRC version AC 12.0 SP19 and above in inactive users and sync job processes, which has affected our SAP GRC connector functionality adversely.

Details about the issues and fixes

Disable Operation

• Issue: With the upgrade of GRC from AC12 SP19 and above, you may see System attribute on account schema as INACTIVE_USER for the aggregated accounts which are disabled only on the highest priority system on SAP GRC

• Resolution: This issue is observed due to the Repository sync job changes introduced by SAP for updating their table values. For resolution, ensure the changes on GRC and the source configuration are as follows:

  1. Ensure that the Repository sync job is scheduled on your SAP GRC instance.

  2. The option for Disable only Master system has been removed from the source config UI without impacting existing customers configuration. SailPoint highly recommends, however, that you revisit your source configuration for Disable operations. The changes have been documented in the Additional Information

  3. Provide additional permissions required on the SAP tables for GRC 12 SP19 and above for aggregation and disable operations. For more information, refer to the Configuration Table for SAP GRC

Modify Operations

• Issue: SAP has introduced a new process where any modifications in the user profile reflect in GRC tables only after completing the repository sync job. This has adversely affected our connector operations.

• Resolution: The following steps must be performed sequentially for a successful modify operation:

  1. Configure the Attribute Sync request on the user in Identity Security Cloud for the GRC source. To configure the attribute sync request, refer to Synchronizing Attributes - SailPoint Identity Services.

  2. Run the Repository Object Sync job on your GRC system

  3. Execute the Identity Request Maintenance task.

For SAP GRC - AC12 SP19 and above, the connector column in the GRACUSER table shows ‘<#INACTIVE_USER#>’ for accounts that are disabled on the highest priority data source.

With GRC12 SP19 and above, SAP has introduced changes in the GRACUSER table and sync job. Users will now see <#Inactive_User> as the connector value for the disable operation in the following cases if the full sync job has not completed:

1. If an account is disabled only on a GRC-connected master system (highest priority system).

2. If an account is disabled on all the GRC-connected systems including the master system.

For more details, refer to SAP KBA 3251717. Due to the above, the SailPoint platform will show ‘INACTIVE_USER’ in the System attribute until the full sync job is completed successfully before aggregation.

Resolution: Ensure the request type is configured correctly. Follow the steps in Verify the Request Type and Configuration, and confirm the BRF + MSMP workflow is configured correctly for the request type.

If it isn't, provide the correct permissions for the service account created for authorization object GRAC_REQ, by providing a correct value for GRAC_RQTYP.

When the usertype attribute is passed in the provisioning plan for an account, the changes are reflected on all the systems connected to that account.

Resolution: The following flag needs to set to true, so that when the userType attribute is passed in the provisioning plan, only the system passed in the plan will be sent in the GRC API.

<entry key="supportSystemUpdate">
 <value>
  <Boolean>true</Boolean>
 </value>
</entry>

If there is a mismatch in the count of entitlements aggregation between your target system and IdentityIQ, use the following checkpoints for quick troubleshooting:

• Ensure the same role can be searched from the access request of the SAP GRC portal.

• Ensure the role sync job has successfully completed if the role is available in the GRACRLCONN table and GRACROLE table.

• Ensure all the roles are available and the statuses are ‘complete’ under the Role Maintenance tab in the role management under the current phase.

• Go to the Provisioning tab and ensure the role is set for production status. Role Exists should set to "Yes" and Provisioning Allowed should be “Yes”.

"sailpoint.connector.ConnectionFailedException: Server is DOWN or Connection parameters are incorrect.

OR

ERROR hostname 'sailpoint-va' unknown\nTIME

OR

JCO_ERROR_COMMUNICATION: Connect to SAP gateway failed

Resolution: There are three possible options to solve this error.

Option 1: One of the reasons for the issue to occur is the IP address of the VA is not recognized by the connector. To resolve this, you must make an entry in hosts.yaml with the IP address of the VA as well as the managed source (SAP server).

For example:

hosts:

10.200.80.60: -SAPSER4

10.22.131.14: -sailpoint-va

Where 10.200.80.60 is the IP and SAPSER4 is the hostname of the SAP server, and 10.22.131.14 is the IP of the VA and sailpoint-va is the default name of the VA. Ensure that SAP is installed with JCO enabled.

Similarly, add the IP and hostname of the VA being used in the file. Restart CCG/ Reboot VA after the update.

Option 2: Add Route entry in static.network file to persist routing table entry of the VA hostname. To do so, perform the following steps:

1. In your VA, go to ../etc/systemd/network/static.network

2. Add the following entry:

   [Route]

   Gateway=<10.0.0.1>

   Destination=<public_ip>/<netmask>

3. Run sudo systemctl restart systemd-networkd to apply the configuration.

4. Run route -n to show routes.

5. Restart CCG/ Reboot VA and check if the entry still persisted.

Option 3: Update DNS entries for VAs on your network so that FQDN resolves for each VA. To do so, perform the following steps:

1. Run sudo hostnamectl set-hostname <hostname of your choice> to set the VA hostname.

2. Run the hostname command to validate.

3. Run sudo reboot to reboot the VA.

The VA should reflect the new hostname.

Could not initialize class com.sap.conn.jco.rt.JCoRuntimeFactory

Resolution: The host value must be updated on the VA with the FQDN of the SAP server. Re-upload the sapjco and libsapjco jars on the UI.

The following error message is displayed when using Function Module /SAILPOIN/SAIL_READ_TABLE and /SAILPOIN /SAIL_READ_TABLE_LEG:

Exception during aggregation. Reason: java.lang.RuntimeException: ASSIGN_TYPE_CONFLICT while querying table *Table_Name*. One of the fields queried (field1,field2,field3… ) may have incorrect COLUMN_LENGTH set in /SAILPOIN/CONF table. Please refer ASSIGN_TYPE_CONFLICT in troubleshooting section of documentation for more details.

Resolution: Ensure COLUMN_LENGTH is correctly configured for the fields of *Table_Name* in /SAILPOIN/CONF table. This can be validated through the t-code "SE11" while viewing the table details, under "Fields" tab.

connector.sapgrc.service.SAPGRCConnectorService:302 - Exception while getting system info from CVERS and PRDVERS tables

sailpoint.connector.ConnectorException: Caused by class com.sap.conn.jco.AbapException: (126) TABLE_ACCESS_NOT_ALLOWED: Message 000 of class null type : . SAP_QUERY_TABLE_NAME:CVERS

Resolution: Provide the correct permissions to service account user on CVERS and PRDVERS tables and ensure you have both of the following:

• CVERS/PRDVERS is added S_TABU_NAME authorization object.

• CVERS/PRDVERS added in SAILPOIN/CONF table.

Resolution: Ensure that the following SAP Note is implemented in the SAP GRC Server:

2698051 - AC12 - GET_REQUEST_DETAILS is returning empty line items

The access requests fails with the following message:

Invalid Request No.

Resolution: Add the numberOfRetries and retryWaitTime parameters to configure polling requests retries.

Add the following entry keys to the SAP GRC connector:

<entry key="numberOfRetries" value="3"/>
<entry key="retryWaitTime" value="5"/>

When attempting a test connection it fails with the following error:

HttpException errorCode=307

The 307 error is for URL redirects. This error is observed when the SAP GRC managed system is configured for HTTPS URLs and the application XML is configured with HTTP URLs.

Resolution: Update the application XML with the HTTPS URLs and the correct HTTPS port number.

Resolution: Ensure that the Repository Object Synchronization task is executed in GRC.

Resolution: If GRC users that have the slash (/) character in their user ID are not getting aggregated during account aggregation, perform the following:

1. From the Application debug page, add the following entry:

   <entry key="grc_delimiter" value="~"/>

   You can replace the value with other special characters (for example, #, $, @, etc.) that are not part of any of the user data fields like FirstName, LastName, UserId, Department, Email, etc.

2. Execute an Account aggregation.

   Note
   This configuration is only application in cases where you're using the SAILPOIN/SAIL_READ_TABLE function module.

SAP profiles are aggregated as entitlements during account aggregation if the Promote managed attributes checkbox is selected in the aggregation task and some accounts have standard profiles assigned to them (like SAP_ALL or A_ALL). The following error was present in the logs when assigning or removing these profiles.

sailpoint.connector.ConnectorException: Object not found

Resolution: Import the SAP profiles into the GRC BRM module using the following procedure:

1. In the GRC Portal, go to Role Mass Maintenance > Role Import.

2. In Role Selection, select Technical Role.

3. In Import Source, select Role Attribute Source as File on Desktop and Role Authorization as Skip.

4. In Role Selection Criteria, in the Role From field, enter profile name and set Methodology Status to Complete.

5. Download the attribute file template.

6. Enter the profile details in the file template.

7. Import the file template.

8. Once you have successfully imported the file then you can provision the profiles.

Resolution: Add the following attribute in the application debug page, and then try modifying the system to date of a user.

<entry key="updateValidFrom"> 
 <value>
  <Boolean>true</Boolean>
 </value>
</entry>

When this flag is true, the already existing From date (for the system in which the To date has passed) will be fetched for the account and set in the API. If there is no existing FromDate then today’s date will be used as the From date.

The IdentityIQ Rule displays the following error message when ‘&’ is used as a separator in.csv file:

java.lang.RuntimeException

Resolution: Add the separator in the sapGrcRuleParameters.xml file in the following format:

<Map>    
    <entry key='path' value='<path of .csv file>’/>
    <entry key='separator' value='&amp'/>
</Map>

The following error message is displayed when performing the provisioning operation after upgrading IdentityIQ to version 8.2, 8.1 Patch 4, or 8.0 Patch 5:

An unexpected error occurred: Execution of the Access Request Web service resulted in error. Message Type: ERROR, Message Reason: Role Type is mandatory

Resolution: Perform Account-Group Aggregation task.

While requesting an access for an identity from IdentityIQ, the following error message appears:

RABAX in SAP GRC Integration

Resolution: Roles which are requested, must have provisioning status set as Production on SAP GRC Server.

To set the status of role as Production, the Role maintenance quick link from the section Role Management can be used in NWBC user interface.

Request gets provisioned even if there is a risk in the request which may occur due to the following reasons:

1. GRAC_RISK_ANALYSIS_WOUT_NO_WS web service was not returning an error message if correct permissions were not given to the service account.

   Resolution: To resolve this issue implement the following SAP Note in the SAP GRC Server:

   2187803 - GRAC_RISK_ANALYSIS_WOUT_NO_WS does not return correct error message

2. GRAC_RISK_ANALYSIS_WOUT_NO_WS web service not returning risk as the report format value input is different as per different SP level of SAP GRC.

   Resolution:

   • For user on SAP GRC 10.1 SP level SP-Level 0010 or lower: initialize the value of REPORT_FORMAT to DETAILED in the SAP GRC DATA generator workflow under ‘Initialize Detail Map’ step as follows:

     private static final String REPORT_FORMAT = "DETAILED";

   • For user on SAP GRC 10.1 SP level SP-Level 0011 or above: initialize the value of REPORT_FORMAT to 2 in the SAP GRC DATA generator workflow under ‘Initialize Detail Map’ step as follows:

     private static final String REPORT_FORMAT = "2";

     Add requestLineDataMap.put ("ReportFormat", REPORT_FORMAT); statement for the location specified below:

     • Search for

       requestLineDataMap.put("ProvItemType", PROVISIONING_ITEM_TYPE_ROL);

       and add the following line:

       requestLineDataMap.put("ReportFormat",REPORT_FORMAT);

       Perform the above for all occurrences of requestLineDataMap.put("ProvItemType", PROVISIONING_ITEM_TYPE_ROL); line.
       The final code view would be as follows:

       requestLineDataMap.put("ProvItemType", PROVISIONING_ITEM_TYPE_ROL);
       requestLineDataMap.put("ReportFormat",REPORT_FORMAT);

     • Search for

       requestLineDataMap.put("ProvItemType", PROVISIONING_ITEM_TYPE_PRF);

       and add the following line:

       requestLineDataMap.put("ReportFormat",REPORT_FORMAT);
       

       Perform the above for all occurrences of requestLineDataMap.put("ProvItemType", PROVISIONING_ITEM_TYPE_PRF); line.
       The final code view would be as follows:

       requestLineDataMap.put("ProvItemType", PROVISIONING_ITEM_TYPE_PRF);
       requestLineDataMap.put("ReportFormat",REPORT_FORMAT);

3. GRAC_RISK_ANALYSIS_WOUT_NO_WS web service not returning risk for the Critical roles /profiles

   Resolution: Implement the following SAP Note in the SAP GRC Server:

   2409002 - Critical role/profile shows no result for GRAC_RISK_ANALYSIS_WOUT_NO_WS

When the Account name for the identity is in lower case, mitigation comments are not displayed in Access Request Status report.

Resolution: Account Name (User Name) should always be in upper-case letters.

While requesting the profile, the following error message is displayed:

An unexpected error occurred: Undefined argument: startDate: at Line: 166

Resolution: Implement the following SAP Note in the SAP GRC server:

2194063 - UAM: Request status IDM service doesn't return reqstatus and reqstatus_txt and request detail service doesn't return comment, approvers and correct

If incorrect SAP GRC Connector name is provided, request gets provisioned even if there is a risk in the request.

Resolution: Implement the following SAP Note in the SAP GRC Server:

2399698 - Validation changes in GRAC_RISK_ANALYSIS_WOUT_NO_WS webservice

If Critical role/profile gets provisioned even if there is a risk in the request.

Resolution: Implement the following SAP Note in the SAP GRC Server:

2409002 - Critical role/profile shows no result for GRAC_RISK_ANALYSIS_WOUT_NO_WS

Resolution: Implement the following SAP Note in the SAP GRC Server:

2698051 - AC12 - GET_REQUEST_DETAILS is returning empty line items

Request for create account fails with the following error message:

Risk Analysis failed with error

One of the reasons for the above error message could be due to the value of the enable user ID validation in access request against search data sources parameter not being set properly for SAP GRC.

Resolution: Perform the following to set the correct value for the enable user ID validation in access request against search data sources parameter:

1. Go to SPRO > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings.

2. Set the value of the parameter 2051 (enable user ID validation in access request against search data sources) to No.

While requesting business roles with common entitlement with different dates, the following error message appears:

An unexpected error occurred: Business Roles [] with Common Entitlement [] have Different Sunrise and Sunset Dates

Resolution: SailPoint recommends requesting business roles with common entitlements with same dates as part of same request.

When IdentityIQ is running on JBOSS application server, the following error message appears:

"org.apache.axis2.deployment.DeploymentException: The system is attempting to engage a module that is not available: addressing"

Resolution: Perform the following:

1. Edit the WEB-INF\lib-connectors\axis2-config\sp-axis2.xml file.

2. Find <module ref="addressing"/> and comment out the line and save the file. For example:

   <!-- module ref="addressing"/> -->

When SailPoint tries to call Access Request Web Service, the request fails with the following error message:

ERROR, Message Reason : Field Company ID is mandatory

Resolution: Attributes which are mandatory on the SAP GRC managed system must be added in populateUserDetailMap method of SAP GRC Data Generator.

For example, if Company ID is a mandatory attribute on SAP GRC managed system, then the populateUserDetailMap method must be modified to add the attribute as follows:

userDetailMap.put("Company ID", "company id in the SAP GRC system");

While requesting an access for an identity from IdentityIQ, the Create Account Provisioning Form is displayed twice.

Resolution: Perform the following:

1. Change SAP GRC Data Generator Workflow as mentioned below:

   1. Go to Process Designer and right-click Compile Project to get Partitioned Plans, and then select Edit Step.

   2. In the Argument Section add the project name and enter the value project for reference field.

   3. Go to the Details tab and change the Result Variable as: partitionedProject

   4. Save the Form.

2. Change Initialize Detail Map Workflow as mentioned below:

   1. Go to Process Designer and right-click Initialize Detail Map and select Edit Step.

   2. In Argument Section add name project and enter the value project for reference field.

   3. Save Form.

3. Go to Process Designer and right-click Compile Project to Remove Partitioned Plansand select Remove Step.

   • Save the changes.

4. Right-click Initialize Detail Map to perform the following:

   1. Start the transition and end that transition on Stop step.

   2. Save the changes.

5. Right-click Invoke SAP GRC Request Executor to perform the following:

   1. Start the transition and end that transition on Stop step.

   2. Save the changes.

6. Right-click Initialize Detail Mapto perform the following:

   1. Start the transition and end that transition on Invoke SAP GRC Request Executor step.

   2. Save the changes.

7. Right-click Edit Transition and perform the following steps:

   1. For transition to stop : Select value as Source

   2. Select Open Editor and add the following script in the editor:
      

      Copy

      import sailpoint.tools.Util;
      List lineItemList = new ArrayList();
      boolean flag =  false;
      lineItemList = completeDetailMap.get("requestLineItemMap");
      if (Util.isEmpty(lineItemList)) {
          flag = true;
          }
          else if (Util.isEmpty(accountRequestSAPGRC)) {
          flag = true;
          }
      return flag;

   3. Save the Form.

   4. Save the changes.

Test connection fails with the following error even when all the required jars are there in the required path:

_JCo initialization failed with java.lang.UnsatisfiedLinkC:\apache-tomcat-9.0.35\webapps\identityiq\WEB-INF\lib\sapjco3.dll: Can't find dependent libraries

Resolution:To resolve the issue implement the following setup:

Microsoft Visual Studio 2005 C/C++ runtime libraries (version 8.0.50727.6195)

The VC++ 2013 can be downloaded from https://support.microsoft.com/en-us/help/4032938/update-for-visual-c-2013-redistributable-package.

Resolution: Apply the following SAP Note in the GRC System:

https://launchpad.support.sap.com/#/notes/3043243: WS: GRC Role owner is not getting fetched in Search roles web service

Resolution: Apply the following SAP Notes:

• 2970855 :IDM GRC Request creation date: https://launchpad.support.sap.com/#/notes/2970855

• 2958851:2958851 - User Valid from date is not updating correctly: https://launchpad.support.sap.com/#/notes/2958851

When running the group aggregation task to aggregate SAP GRC Roles the following error appears:

25 Mar 2021 17:33:50,628 196554352 [QuartzScheduler_Worker-2] ERROR ExecutionMediator [] - Exception while executing request for URL https://urldefense.com/v3/__https://dggdb.absa.co.za:8201/sap/bc/srt/rfc/sap/grac_search_roles_ws/200/grac_search_roles_ws/grac_search_roles_ws__;!!MsNKLpFGsw!b_c3uRmriMN5_S9zF7rZyUtSDGHENCJNtKK_yyuonrPxT_gU5F9qMcQ2_ubmdEQQ$ connector.common.http.exception.HttpException: java.net.SocketTimeoutException: Read timed out

Resolution: To increase the timeout values, add the apiTimeout attribute to the application debug page as follows:

<entry key="apiTimeout" value="240"/>

Resolution: GRAC_SYS auth object is missing in the permissions assigned to the service account created.

This happens when request is generated in SAP GRC but the SAP GRC connector executes the API before the request id is recognized.

Resolution: Wait step needs to be added on Identity Request Finalize workflow before the transition to end step. This is to add a delay after the request is executed and before checking the request status. Wait time is in minutes.

Issue: Misc authentication exceptions.

Resolution: Ensure that a correct username and password is provided.

Issue: Misc configuration exceptions.

Resolution: Ensure that Risk Analysis API is provided correctly. The format of the URL must be as follows:

http://<SAP GRC Host Name>/sap/bc/srt/rfc/sap/grac_risk_analysis_wout_no_ws<WebService Binding URL>

Issue: The critical role/profile gets provisioned even if there is a risk in the request.

Resolution:

1. Ensure that the correct name and value is provided in the Identity Request Violation Review workflow.

2. Ensure that the name of the SAP GRC connector provided in the SAP Direct Application is correct.

3. If you are expecting the violation at the requester level, ensure that the option for Present Failures to Requester is selected in the LCM Provisioning workflow.

4. Implement the following SAP Notes in the SAP GRC Server:

   • 2409002 - Critical role/profile shows no result for GRAC_RISK_ANALYSIS_WOUT_NO_WS

   • 3429303 - Risk Analysis Webservice does not work for Critical Role/Profile Report Type

5. There can be a situation where risk is not detected while working with profiles. In this case a profile schema workaround is required. Perform the following steps to change the profile schema:

   1. In the SAP Direct application, go to Configuration > Schema.

   2. Under Object type: profile, change the Identity Attribute value to Name, and Save the changes.

   Screenshot

   

6. Ensure that the role/profile is marked as critical and belongs to the rule set ID that is configured in the application.

7. Ensure that the critical role/profile belongs to report type configured.

Issue: If the incorrect SAP GRC connector name is provided, the request gets provisioned even if there is a risk in the assignment.

Resolution: Ensure the correct SAP GRC connector name is provided.

1. Sign in to SAP NetWeaver, and go to Rule Setup > Critical Roles > Create.

2. Select the System drop down and you will see all the connected system names, which are the respective connector names.

3. Implement the following SAP Note in the SAP GRC Server:

   • 2399698 - Validation changes in GRAC_RISK_ANALYSIS_WOUT_NO_WS webservice

Issue: The risk analysis finished with the following error; Check logs for detail.

Resolution: Ensure that the service account used while configuring the SAP GRC application has sufficient permissions. Refer to Risk Management to create a service account with minimum permissions.