
Introduction: In this blog, we'll explore a few selected issues and their resolutions from a recent SAP Cloud Identity Access Governance (IAG) implementation project. This post aims to provide actionable insights to overcome similar challenges in your own IAG endeavors.
1. Provisioning of a PAM ID results in the following error:
"Privileged Access XXX_FF assignment to XYZ Failed with Invalid connector: XYY"
Resolution: Please make sure that the system which is configured in the tile “Applications” in IAG and used by PAM is created in the target system in SM59 with the same Destination name. For instance, if the application name in IAG is “S4HANA123”, then in the target system in SM59, an RFC destination of type 3 with the same name “S4HANA123” needs to be configured.
2. Error during PAM ID provisioning (java.lang.NullPointerException: cannot invoke “com.sap.conn.jco.JCoFunction.getImportParameterList()” because “funcIAGTools” is null)
Resolution: Implement S-Note 3207285 in the backend S/4 HANA system as mentioned in the KBA “3238751 - IAG - PAM ID stuck in Status 'in Process'”.
3. User cannot create Access Requests & PAM Requests in IAG. Error: "Sorry, a technical error occurred. Please try again later.{ "message": "HTTP request failed", "headers": { "DataServiceVersion": "1.0", "Content-Type": "application/json", "Content-Length": "180" }, "statusCode": "403", "statusText": "Forbidden", "responseText": "{\"error\": {\"code\":\"authCheckFailed\",\"message\":{\"lang\":\"en\",\"value\":\"Logged in user and created by User are different. Therefore request content is invalid and cannot be created\"}}}" }"
Resolution: The attributes configured in IAS for the IAG application should be only those mentioned in the SAP Help documentation below.
4. Approvers not receiving requests in the My Inbox application
Resolution: Change the subject identifier to "User ID" in IAS for IAG application. Reference: 2929135 - IAG - Access Request is not visible in approver's Inbox
5. Email notifications are not getting triggered in IAG
Resolution: To enable notifications, you need to have your own SMTP server. The following two destinations need to be created in the IAG subaccount of BTP as per the instructions in KBA 3148288:
a) Destination name: bpmworkflowruntime_mail
b) Destination name: parameters_destination
6. URL links to Access Request inbox in IAG email notifications do not work.
Resolution: Please update the URL maintained in SAP BTP Cockpit, for the connector Parameters_Destination. The IAG launchpad URL format should be 'https://...hana.ondemand.com'.
Note: Do not include a trailing slash ('/') at the end of the URL.
7. Access Request Submission results in 500 Internal Server Error
Resolution: This issue is caused by the user ID mapping in IAG. When submitting an access request, ensure that the user ID matches the one in the target application system.
8. The My Information tile does not show user details or throws the error message "No Information available"
Resolution: Please make sure that the standard user group (IAG_USER) is created in IAS tenant and it has been assigned to users. Run the SCI user group sync in IAG once the assignment has been completed for all users in IAS. You can refer to the KBA 2790280 for more details.
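For triaging errors like the one in issue 3: the backend's actual error code is nested inside `responseText` as an escaped JSON string, so it has to be decoded twice. The following is an added example, not SAP code and not part of the original post; the function name `parse_iag_error` and the sample string (constructed from the error text shown in issue 3) are assumptions for illustration.

```python
import json

# Constructed sample: the UI error text from issue 3 on this page.
SAMPLE = (
    'Sorry, a technical error occurred. Please try again later.'
    '{ "message": "HTTP request failed", "headers": { "DataServiceVersion": "1.0", '
    '"Content-Type": "application/json", "Content-Length": "180" }, '
    '"statusCode": "403", "statusText": "Forbidden", '
    '"responseText": "{\\"error\\": {\\"code\\":\\"authCheckFailed\\",'
    '\\"message\\":{\\"lang\\":\\"en\\",\\"value\\":\\"Logged in user and created by '
    'User are different. Therefore request content is invalid and cannot be '
    'created\\"}}}" }'
)


def parse_iag_error(text):
    """Return (status_code, error_code, error_message) from an IAG UI error string.

    Hypothetical helper. Fields that cannot be recovered are returned as None.
    """
    start = text.find("{")
    if start == -1:
        return (None, None, None)
    try:
        # raw_decode parses the first JSON object and ignores any trailing text.
        outer, _ = json.JSONDecoder().raw_decode(text[start:])
    except ValueError:
        return (None, None, None)
    status = outer.get("statusCode")
    try:
        # responseText is itself a JSON document carried as an escaped string.
        inner = json.loads(outer.get("responseText") or "")
        err = inner["error"]
        message = err.get("message")
        value = message.get("value") if isinstance(message, dict) else message
        return (status, err.get("code"), value)
    except (ValueError, KeyError, AttributeError, TypeError):
        # Outer envelope parsed, but no usable inner error document.
        return (status, None, None)


if __name__ == "__main__":
    print(parse_iag_error(SAMPLE))
```
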
Stay tuned for upcoming posts.