Frequently Asked Questions

Does this connector support IAG in bridge mode?

Answer: No, this connector is designed specifically for the standard IAG edition. For bridge scenarios, the SAP GRC connector should be used.

Can account validity dates be set for SAP cloud applications connected via IAG?

Answer: No, according to SAP KBA 3357215, SAP cloud applications connected through IAG do not support validity dates.

How can I view the associated child roles of an IAG business role?

Answer: Currently, due to limitations in the SAP IAG API, the connector cannot display child roles within a given business role.

Is it possible to show the risk score when raising an access request?

Answer: No, the connector cannot fetch the risk score before raising an access request due to limitations in the SAP IAG APIs.

Can this connector be used in both auto-approval and non-auto-approval business workflow configurations?

Answer: Yes, the connector supports both auto-approval and non-auto-approval workflow setups. In the case of non-auto-approval workflows, the connector only supports CIS as its user source system. Maintain the SAP CIS URL in the Provisioning Settings section so that the manager ID from CIS can be fetched, and access requests can be raised on a user by including the fetched manager ID in the payload. If the workflow is tied to a request reason, then at a time, the application can only support one mode because only one request reason can be configured in an application.

How does the connector support operations on application users?

Answer: The connector is primarily designed to support operations on business users brought into IAG via repository sync jobs. For application users who are also business users, the same applies. However, for application users who are not business users and are synced via the SCI user group sync job, the connector does not support operations on them.

How are custom fields supported?

Answer: IAG systems can be configured with additional custom fields, and systems like SAP Concur have mandatory custom fields out of the box. To provision these fields, use a BeforeProvisioning Rule. For more information, refer to Managing Custom Fields for Provisioning.

Why does the request status remain in the Pending state even though the IAG workflow is configured for auto-approval?

Answer: Ensure that the ‘Provisioning job’ has run and picked up the concerned request.

How do I get implementation details regarding sample attribute requests for custom attributes?

Use the following reference code as an example for your before provisioning rule:

Copy

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Add_Cust_Attrs" type="BeforeProvisioning">
  <Description>BP rule for IAG</Description>
  <Source><![CDATA[
  try {
       import sailpoint.object.ProvisioningPlan;
       import sailpoint.object.Identity;
       import sailpoint.object.Link;
       import sailpoint.api.IdentityService;
    import sailpoint.object.ProvisioningPlan.Operation;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    
    

    if (plan != null){
      
      AccountRequest accountRequest = plan.getAccountRequests().get(0);

      List attributeRequests = accountRequest.getAttributeRequests();
      if (attributeRequests == null) {
              attributeRequests = new ArrayList();    
      }

      // Create new attribute request for custom attributes
      AttributeRequest attrRequest = new ProvisioningPlan.AttributeRequest();
      attrRequest.setName("CustomAttributes");
      attrRequest.setOperation(ProvisioningPlan.Operation.Set);

      Map customAttributeValues = new HashMap();
      customAttributeValues.put("COUNTRY", "US");
      customAttributeValues.put("REIMBURSEMENT_CURRENCY", "USD");
      customAttributeValues.put("LOCALE", "en-US");
      customAttributeValues.put("REIMBURSEMENT_TYPE", "CONCUR_PAY");
      attrRequest.setValue(customAttributeValues);
      attributeRequests.add(attrRequest);

      // add attribute request to account request
      accountRequest.setAttributeRequests(attributeRequests);

    }} catch (Exception e) {}
    
      
  ]]></Source>
</Rule>

How do I get implementation details regarding sample attribute requests for Access Priority, Request Reason Code, and Validity dates for user access?

Use the following reference code for the before provisioning rule as an example:

Copy

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Set_req_priority_roleValidity" type="BeforeProvisioning">
  <Description>BP rule for IAG</Description>
  <Source><![CDATA[
  try {
       import sailpoint.object.ProvisioningPlan;
       import sailpoint.object.Identity;
       import sailpoint.object.Link;
       import sailpoint.api.IdentityService;
    import sailpoint.object.ProvisioningPlan.Operation;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.Attributes;
    
    

    if (plan != null){
      log.warn("In IAG BP rule to set req priority, reasonCode & validity dates for roles");
      AccountRequest accountRequest = plan.getAccountRequests().get(0);

      List attributeRequests = accountRequest.getAttributeRequests();
      if (attributeRequests == null) {
              attributeRequests = new ArrayList();    
      }
      
      // Set validity dates for all attribute requests
      Attributes attributes = new Attributes();
      attributes.put("startDate","2025-04-10");
      attributes.put("endDate","2027-03-10");
      
      for (AttributeRequest attributeRequest : attributeRequests) {
          attributeRequest.setArguments(attributes);
      }
      

      // Create attr req for access Req priority
      AttributeRequest attrRequestAccPriority = new ProvisioningPlan.AttributeRequest();
      attrRequestAccPriority.setName("accessRequestPriority");
      attrRequestAccPriority.setOperation(ProvisioningPlan.Operation.Set);
      attrRequestAccPriority.setValue("5");
      attributeRequests.add(attrRequestAccPriority);

      // Create attr req for Req reason code
      AttributeRequest attrReqReasonCode = new ProvisioningPlan.AttributeRequest();
      attrReqReasonCode.setName("accessRequestReasonCode");
      attrReqReasonCode.setOperation(ProvisioningPlan.Operation.Set);
      attrReqReasonCode.setValue("CustomRequestReason");
      attributeRequests.add(attrReqReasonCode);
      

      // add attribute request to account request
      accountRequest.setAttributeRequests(attributeRequests);

    }} catch (Exception e) {}
    
      
  ]]></Source>
</Rule>

What should be considered while removing an entitlement from a user with a Start Date and End Date?

When removing an entitlement from a user with a defined Start Date and End Date, ensure that the same dates are passed. If the dates do not match, the IAG provisioning job may or may not fail.


	You are here:

Frequently Asked Questions

Documentation Feedback