Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
The account aggregation may fail due to insufficient permissions or if required services are not turned on.
Resolution – To test a GET user (read) using an Admin SDK Directory API from a browser, use the following URL, but replace the <userEmail> and <accessToken> values:
https://www.googleapis.com/admin/directory/v1/users/<userEmail>?access_token=<accessToken>
The
Resolution – To test a GET group (read) using an Admin SDK Directory API from a browser, use the following URL, but replace the <groupEmail> and <accessToken> values:
https://www.googleapis.com/admin/directory/v1/groups/<groupEmail>?access_token=<accessToken>
To test a GET group (read) using the Google Groups Settings API (Read Group Details – Y) from a browser, use the following URL, but replace the <groupEmail> and <accessToken> values:
https://www.googleapis.com/groups/v1/groups/<groupEmail>?access_token=<accessToken>
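The same three read tests can be run from a shell with the token sent in an Authorization header instead of the URL query string, which keeps it out of browser history and request logs. This is an added example, not SailPoint's or Google's code; the GW_* environment variables and the function names are assumptions, and the status texts are the usual reading of those HTTP codes.

```shell
#!/bin/sh
# Added example (not from the original page). GW_ACCESS_TOKEN, GW_USER_EMAIL,
# GW_GROUP_EMAIL and the function names are assumptions of this sketch.
# Usage: GW_ACCESS_TOKEN=<accessToken> GW_USER_EMAIL=<userEmail> \
#        GW_GROUP_EMAIL=<groupEmail> sh probe.sh

# Map a probe kind and an email address to one of the three URLs listed above.
probe_url() {
    case "$2" in
        ''|*[!A-Za-z0-9@._+-]*) echo "invalid email: $2" >&2; return 2 ;;
    esac
    case "$1" in
        user)           echo "https://www.googleapis.com/admin/directory/v1/users/$2" ;;
        group)          echo "https://www.googleapis.com/admin/directory/v1/groups/$2" ;;
        group-settings) echo "https://www.googleapis.com/groups/v1/groups/$2" ;;
        *) echo "unknown probe: $1" >&2; return 2 ;;
    esac
}

# Usual meaning of the HTTP status returned by a read test.
classify_status() {
    case "$1" in
        200) echo "ok: read permitted" ;;
        401) echo "token rejected: expired, revoked or malformed" ;;
        403) echo "forbidden: insufficient permissions or required API not enabled" ;;
        404) echo "not found: check the user or group email" ;;
        5??) echo "server error: retry later" ;;
        000) echo "no HTTP response: network or TLS failure" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# Run one read test. The header goes to curl on stdin (-K -), so the token
# appears neither in the URL nor in the process argument list.
probe() {
    url=$(probe_url "$1" "$2") || return 2
    status=$(printf 'header = "Authorization: Bearer %s"\n' "$GW_ACCESS_TOKEN" |
        curl -sS -K - -o /dev/null -w '%{http_code}' "$url") || status=000
    echo "$1 $2: $(classify_status "$status")"
}

# Network calls happen only when all three variables are set.
if [ -n "${GW_ACCESS_TOKEN:-}" ] && [ -n "${GW_USER_EMAIL:-}" ] && [ -n "${GW_GROUP_EMAIL:-}" ]; then
    probe user "$GW_USER_EMAIL"
    probe group "$GW_GROUP_EMAIL"
    probe group-settings "$GW_GROUP_EMAIL"
fi
```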
The Internal Server and Service Unavailable error messages are sent by the Google Server.
Resolution – To retry the request, use the maxReadRetryCount attribute. The retry count is set to 5 by default. Retry is performed using the standard Exponential Backoff strategy. Increase the retry count by adding the maxReadRetryCount attribute with the REST API:
- key – connector_maxReadRetryCount
- value – enter the number of retries, for example, 10
Resolution – For the Google Workspace source, the performance of account aggregation and entitlement aggregation can be improved by deleting the following schema attributes:
- delegatedAdmins
- MANAGERS
- OWNERS
The MANAGERS and OWNERS attributes must be deleted in combination. Deleting only the MANAGERS attribute or only the OWNERS attribute does not improve performance.
During the initial account aggregation, any entitlements associated with the accounts are aggregated as unique identifiers.
Resolution – Configure and perform an entitlement aggregation to bring in the friendly entitlement names.
The following errors are encountered:
error code 412 "User creation is not complete"
error code 404 "Object not found"
Resolution – Add the createAccountTimelag attribute in the connector. This attribute introduces a delay (default 0 seconds) after the Account Create operation so that the subsequent operations such as assigning groups, aliases, and GET Object will not encounter errors.
Add the createAccountTimelag attribute with a value of 20 seconds.
Resolution – Ensure that the domain name of the primary email of the user being created contains the correct domain name across which a set of credentials is created. Also ensure the domain name is configured the same as the domain in the application XML configuration.
Account aggregation fails with the following error message:
ObjectNotFoundException ] [ Error details ] Service Account iteration failed. Error: 404 null : Requested entity was not found.
Resolution – Add the serviceAccountAggWithAssetInventory attribute in the source so that API calls to aggregate service accounts are executed through the Asset Inventory API instead of the service account List API, which is the default behaviour and which also tries to fetch the service accounts from deleted projects/folders. The downside is that the Asset Inventory API does not provide the service account description and disabled attributes.
Add the following to the
curl --location --request PATCH 'https://<orgName>.api.cloud.sailpoint.com/v3/sources/{source ID}' \
--header 'Content-Type: application/json-patch+json' \
--header 'Authorization: Bearer tokenValue' \
--data-raw '[
{
"op": "add",
"path": "/connectorAttributes/serviceAccountAggWithAssetInventory",
"value": true
}
]'
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.