000030371 - IMG: AFX: Provisioning app-roles to users sporadically fails yet CRs show 100 percent fulfilled

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030371
Applies ToRSA Product Set: Identity Management and Governance
RSA Product/Service Type: All
RSA Version/Condition: All
IssueWhen granting app-roles to users using an AFX connector, one or more entitlements sometimes do not get propagated to the data source yet the corresponding change requests (CR) show as 100% fulfilled. 

CauseThe AFX fulfillment workflow that is being used by the change request has a "mark verified" node but no "wait for verification" node. As a result, all requests are marked as verified whether they succeed or fail. IMG may know about these failures but we ignore them because the workflow says to mark them as verified which in turn marks the CR as completed.
ResolutionAdd the "wait for verification" node to the  AFX fulfillment workflow so that we can confirm that what we asked the end point to do has actually happened. If a failure occurs, the CR will not be marked as verified and therefore not completed. As a result, failures will be revealed and may subsequently be trouble-shooted.