Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

SAP has introduced significant changes to inactive-user handling and sync job processes in SAP GRC version AC 12.0 SP19 and above, which have adversely affected our SAP GRC connector functionality.
Details about the issues and fixes
Disable Operation
- Issue: With the upgrade of GRC to AC12 SP19 and above, you may see the System attribute on the account schema as INACTIVE_USER for aggregated accounts that are disabled only on the highest priority system on SAP GRC.
- Resolution: This issue is caused by the Repository sync job changes that SAP introduced for updating its table values. To resolve it, ensure the changes on GRC and the source configuration are as follows:
  - Ensure that the Repository sync job is scheduled on your SAP GRC instance.
  - The option for Disable only Master system has been removed from the source config UI without impacting existing customers' configuration. SailPoint highly recommends, however, that you revisit your source configuration for Disable operations. The changes have been documented in the Additional Information.
  - Provide the additional permissions required on the SAP tables for GRC 12 SP19 and above for aggregation and disable operations. For more information, refer to the Configuration Table for SAP GRC.
Modify Operations
- Issue: SAP has introduced a new process where any modifications in the user profile reflect in GRC tables only after completing the repository sync job. This has adversely affected our connector operations.
- Resolution: The following steps must be performed sequentially for a successful modify operation:
  - Configure the Attribute Sync request on the user in Identity Security Cloud for the GRC source. To configure the attribute sync request, refer to Synchronizing Attributes - SailPoint Identity Services.
  - Run the Repository Object Sync job on your GRC system.
  - Execute the User Aggregation on your GRC source to get the updated values of the user attributes.

For SAP GRC - AC12 SP19 and above, the connector column in the GRACUSER table shows ‘<#INACTIVE_USER#>’ for accounts that are disabled on the highest priority data source.
With GRC12 SP19 and above, SAP has introduced changes in the GRACUSER table and sync job. Users will now see <#Inactive_User> as the connector value for the disable operation in the following cases if the full sync job has not completed:
- If an account is disabled only on a GRC-connected master system (highest priority system).
- If an account is disabled on all the GRC-connected systems including the master system.
For more details, refer to SAP KBA 3251717. Due to the above, the SailPoint platform will show ‘INACTIVE_USER’ in the System attribute until the full sync job is completed successfully before aggregation.

Resolution: Ensure the request type is configured correctly. Follow the steps in Verify the Request Type and Configuration, and confirm the BRF + MSMP workflow is configured correctly for the request type.
If it isn't, provide the correct permissions for the service account created for authorization object GRAC_REQ, by providing a correct value for GRAC_RQTYP.

When the usertype attribute is passed in the provisioning plan for an account, the changes are reflected on all the systems connected to that account.
Resolution: Add the following attribute using the REST API for updating a source in Identity Security Cloud.
- Key=supportSystemUpdate
  Value=true
- supportSystemUpdate is a boolean attribute.
The flag must be set to true so that, when the userType attribute is passed in the provisioning plan, only the system passed in the plan is sent in the GRC API.

If there is a mismatch in the count of entitlements aggregation between your target system and
- Ensure the same role can be searched from the access request of the SAP GRC portal.
- Ensure the role sync job has successfully completed if the role is available in the GRACRLCONN table and GRACROLE table.
- Ensure all the roles are available and the statuses are ‘complete’ under the Role Maintenance tab in the role management under the current phase.
- Go to the Provisioning tab and ensure the role is set for production status. Role Exists should be set to "Yes" and Provisioning Allowed should be "Yes".

"sailpoint.connector.ConnectionFailedException: Server is DOWN or Connection parameters are incorrect.
OR
ERROR hostname 'sailpoint-va' unknown\nTIME
OR
JCO_ERROR_COMMUNICATION: Connect to SAP gateway failed
Resolution: There are three possible options to solve this error.
Option 1: One possible cause is that the IP address of the VA is not recognized by the connector. To resolve this, add an entry to hosts.yaml with the IP address of the VA as well as the managed source (SAP server).
Note
For information on creating a hosts.yaml file, refer to Configuring a Hosts.yaml File.
For example:
hosts:
  10.200.80.60:
    - SAPSER4
  10.22.131.14:
    - sailpoint-va
Where 10.200.80.60 is the IP and SAPSER4 is the hostname of the SAP server, and 10.22.131.14 is the IP of the VA and sailpoint-va is the default name of the VA. Ensure that SAP is installed with JCO enabled.
Similarly, add the IP and hostname of the VA being used in the file. Restart CCG or reboot the VA after the update.
Option 2: Add a Route entry in the static.network file to persist the routing table entry of the VA hostname. To do so, perform the following steps:
- In your VA, go to ../etc/systemd/network/static.network
- Add the following entry:
  [Route]
  Gateway=<10.0.0.1>
  Destination=<public_ip>/<netmask>
- Run sudo systemctl restart systemd-networkd to apply the configuration.
- Run route -n to show routes.
- Restart CCG or reboot the VA and check whether the entry still persists.
Option 3: Update DNS entries for VAs on your network so that the FQDN resolves for each VA. To do so, perform the following steps:
- Run sudo hostnamectl set-hostname <hostname of your choice> to set the VA hostname.
- Run the hostname command to validate.
- Run sudo reboot to reboot the VA.
The VA should reflect the new hostname.

Could not initialize class com.sap.conn.jco.rt.JCoRuntimeFactory
Resolution: sapjco and libsapjco jars on the UI.

The following error message is displayed when using Function Module /SAILPOIN/SAIL_READ_TABLE and /SAILPOIN/SAIL_READ_TABLE_LEG:
Exception during aggregation. Reason: java.lang.RuntimeException: ASSIGN_TYPE_CONFLICT while querying table *Table_Name*. One of the fields queried (field1,field2,field3… ) may have incorrect COLUMN_LENGTH set in /SAILPOIN/CONF table. Please refer ASSIGN_TYPE_CONFLICT in troubleshooting section of documentation for more details.
Resolution: Ensure COLUMN_LENGTH is correctly configured for the fields of *Table_Name* in /SAILPOIN/CONF table. This can be validated through the t-code "SE11" while viewing the table details, under "Fields" tab.

connector.sapgrc.service.SAPGRCConnectorService:302 - Exception while getting system info from CVERS and PRDVERS tables
sailpoint.connector.ConnectorException: Caused by class com.sap.conn.jco.AbapException: (126) TABLE_ACCESS_NOT_ALLOWED: Message 000 of class null type : . SAP_QUERY_TABLE_NAME:CVERS
Resolution: Provide the correct permissions to the service account user on the CVERS and PRDVERS tables and ensure you have both of the following:
- CVERS/PRDVERS is added to the S_TABU_NAME authorization object.
- CVERS/PRDVERS is added in the SAILPOIN/CONF table.

Resolution: Ensure that the following SAP Note is implemented in the SAP GRC Server:
2698051 - AC12 - GET_REQUEST_DETAILS is returning empty line items

The access request fails with the following message:
Invalid Request No.
Resolution: Add the numberOfRetries and retryWaitTime parameters to configure polling request retries.
Add the following entry keys to the SAP GRC connector:
<entry key="numberOfRetries" value="3"/>
<entry key="retryWaitTime" value="5"/>
Note
The following are the default values for the parameters:
- numberOfRetries is 3 retries.
- retryWaitTime is 5 seconds.
You can update these values as required.

When attempting a test connection it fails with the following error:
HttpException errorCode=307
The 307 error is for URL redirects. This error is observed when the SAP GRC managed system is configured for HTTPS URLs and the application XML is configured with HTTP URLs.
Resolution: Update the application XML with the HTTPS URLs and the correct HTTPS port number.

Resolution: Ensure that the Repository Object Synchronization task is executed in GRC.

Resolution: Refer to and apply the following SAP note in the SAP GRC managed system:
https://launchpad.support.sap.com/#/notes/3043243 - WS: GRC Role owner is not getting fetched in Search roles web service.

Valid From and Valid To dates are not configured during provisioning operation
Resolution: Refer to and apply the following SAP notes in the SAP GRC managed system:
2970855 - IDM GRC Request creation date: https://launchpad.support.sap.com/#/notes/2970855
2958851 - User Valid from date is not updating correctly: https://launchpad.support.sap.com/#/notes/2958851

Resolution: Follow the steps to add the requester and email to the source config as documented in Configuring Provisioning Settings.

Resolution: If GRC users that have the slash (/) character in their user ID are not getting aggregated during account aggregation, perform the following:
- Modify the source XML using the following REST API:
  POST https://{orgName}.api.identitynow.com/cc/api/source/update/{source ID}
  In the body of the POST, use the form-data as follows:
  - Key: grc_delimiter
  - Value: ~
  You can replace the value with other special characters (for example, #, $, @, etc.) that are not part of any of the user data fields like FirstName, LastName, UserId, Department, Email, etc.
  Note
  For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
- Execute an Account aggregation.
Note
This configuration is only applicable in cases where you're using the SAILPOIN/SAIL_READ_TABLE function module.
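The rule above, that the grc_delimiter value must not occur in any user data field, can be checked against an export of your users before the source is updated. The following is an added example, not SailPoint code; the sample records are constructed, and the round-trip check assumes a row is the field values joined by the delimiter.

```python
# Field names are the ones listed on this page; the records are constructed.
FIELDS = ["UserId", "FirstName", "LastName", "Department", "Email"]

SAMPLE_USERS = [
    {"UserId": "JDOE", "FirstName": "John", "LastName": "Doe",
     "Department": "Finance", "Email": "jdoe@example.com"},
    {"UserId": "EXT/ASMITH", "FirstName": "Anna", "LastName": "Smith",
     "Department": "R&D #2", "Email": "asmith@example.com"},
]


def find_collisions(users, candidates):
    """Map each candidate delimiter to the (UserId, field) pairs that contain it."""
    hits = {c: [] for c in candidates}
    for user in users:
        for field in FIELDS:
            value = user.get(field, "")
            for c in candidates:
                if c in value:
                    hits[c].append((user["UserId"], field))
    return hits


def safe_delimiters(users, candidates):
    """Candidates that occur in no field of any user, in the order given."""
    hits = find_collisions(users, candidates)
    return [c for c in candidates if not hits[c]]


def round_trips(user, delimiter):
    """True if joining the fields and splitting again yields the same values.

    Assumption for illustration: a row is the field values joined by the delimiter.
    """
    values = [user.get(f, "") for f in FIELDS]
    return delimiter.join(values).split(delimiter) == values


if __name__ == "__main__":
    candidates = ["/", "~", "#", "$", "@"]
    for c, where in find_collisions(SAMPLE_USERS, candidates).items():
        print(repr(c), "collides with", where if where else "nothing")
    print("safe:", safe_delimiters(SAMPLE_USERS, candidates))
```

Run it over the full user population rather than a sample, because a single record containing the chosen character is enough to break that record.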

SAP profiles are aggregated as entitlements during account aggregation if some accounts have standard profiles assigned to them (like SAP_ALL or A_ALL).
sailpoint.connector.ConnectorException: Object not found
Resolution: Import the SAP profiles into the GRC BRM module using the following procedure:
- In the GRC Portal, go to Role Mass Maintenance > Role Import.
- In Role Selection, select Technical Role.
- In Import Source, select Role Attribute Source as File on Desktop and Role Authorization as Skip.
- In Role Selection Criteria, in the Role From field, enter the profile name and set Methodology Status to Complete.
- Download the attribute file template.
- Enter the profile details in the file template.
- Import the file template.
- Once you have successfully imported the file, you can provision the profiles.

Resolution: Add the following attribute using the REST API for updating a source, and then try modifying the system To date of a user.
Key=updateValidFrom
Value=true
updateValidFrom is a boolean attribute.
When this flag is true, the already existing From date (for the system in which the To date has passed) will be fetched for the account and set in the API. If there is no existing From date, then today's date will be used as the From date.

Resolution: Apply the following SAP Notes:
- 2970855 - IDM GRC Request creation date: https://launchpad.support.sap.com/#/notes/2970855
- 2958851 - User Valid from date is not updating correctly: https://launchpad.support.sap.com/#/notes/2958851

When running the group aggregation task to aggregate SAP GRC Roles the following error appears:
25 Mar 2021 17:33:50,628 196554352 [QuartzScheduler_Worker-2] ERROR ExecutionMediator [] - Exception while executing request for URL https://urldefense.com/v3/__https://dggdb.absa.co.za:8201/sap/bc/srt/rfc/sap/grac_search_roles_ws/200/grac_search_roles_ws/grac_search_roles_ws__;!!MsNKLpFGsw!b_c3uRmriMN5_S9zF7rZyUtSDGHENCJNtKK_yyuonrPxT_gU5F9qMcQ2_ubmdEQQ$ connector.common.http.exception.HttpException: java.net.SocketTimeoutException: Read timed out
Resolution: To increase the timeout values, add the apiTimeout attribute to the application debug page as follows:
<entry key="apiTimeout" value="240"/>
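Several resolutions on this page come down to entries in the application XML: HTTP URLs that produce HttpException errorCode=307, and the numberOfRetries, retryWaitTime and apiTimeout values. The following added example (not SailPoint code) lints an exported set of entry elements for both problems; the Map wrapper, the URL key names and the hostname are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. The <Map> wrapper, the URL key names and the host are
# placeholders; only the three numeric keys are taken from this page.
SAMPLE_XML = """
<Map>
  <entry key="exampleRoleSearchUrl"
         value="http://grc.example.com:8000/sap/bc/srt/rfc/sap/grac_search_roles_ws"/>
  <entry key="exampleRequestUrl"
         value="https://grc.example.com:8443/sap/bc/srt/rfc/sap/example_ws"/>
  <entry key="numberOfRetries" value="3"/>
  <entry key="retryWaitTime" value="five"/>
  <entry key="apiTimeout" value="240"/>
</Map>
"""

NUMERIC_KEYS = ("numberOfRetries", "retryWaitTime", "apiTimeout")


def lint_entries(xml_text):
    """Return sorted (key, problem) findings for the <entry> elements."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        key, value = entry.get("key", ""), entry.get("value", "")
        if key in NUMERIC_KEYS:
            try:
                valid = int(value) > 0
            except ValueError:
                valid = False
            if not valid:
                findings.append((key, "expected a positive integer, got %r" % value))
        elif urlsplit(value).scheme == "http":
            # The case this page ties to HttpException errorCode=307.
            findings.append((key, "HTTP URL; use the HTTPS URL and HTTPS port"))
    return sorted(findings)


if __name__ == "__main__":
    for key, problem in lint_entries(SAMPLE_XML):
        print("%s: %s" % (key, problem))
```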