
CreateADSUser Fails But Still Considered a Success in Job Log

brandonbollin
Active Participant

Hello SAP IDM Experts! After spending 1⅔ years working in the SailPoint IdentityIQ space, I'm back in the wonderful world of SAP IDM. Did you all miss me? 🙂

Anyway, I'm running into an issue that I don't think I've ever seen before. I have a process that's set up to create secondary AD accounts for users, admin level accounts specifically. Right now, the process is faulty and it's erring every time. We have the fix for this in the works but in the meantime, we'd like to set up a notification to go out whenever CreateADSUser fails. However, my issue is... CreateADSUser is showing an error in the job log that the account isn't being created due to an LDAP 19 error and the account doesn't exist in AD *BUT* at the bottom in the Provisioned Entries section, it's still calling the operation a success; see the screenshot below.

Huh? Why is this still considered a success when the account wasn't created and clearly ended in error when putNextEntry failed? Trying to kick off a notification task on failure won't work if the system doesn't think it failed. Am I missing something?

Accepted Solutions (0)

Answers (2)


Chenyang
Contributor

Hi Brandon,

Hope you are well. It is great to see you back. I am also joining a SailPoint IdentityIQ team to deliver something. I wonder if you can write something comparing IIQ to SAP IdM: which features you like in IIQ, which ones you like in SAP IdM, etc.?

Thanks,

Chenyang

brandonbollin
Active Participant

I would love to do something like that. I wonder if a blog entry would be an appropriate place to do something like that. I also wonder how SAP would feel about having something like that on the SCN that compares their offering to a competitor. There are things SAP does better and there are things SailPoint does better.

normann
Product and Topic Expert

Hi Brandon,

Can you check in the properties of the task -> tab Logging whether you have a script linked as "Call Script in Case of Error"? This is sometimes useful, especially for the LDAP connector, e.g. if you want to assign a user to a group and the user is already assigned in AD, you get an error back and you could catch this error message and consider it to be OK with uSkip(1,1); inside that script - maybe that is what happens here.

Regards

Norman

brandonbollin
Active Participant

So even though there's an error in the log, and the task itself considers this a success as shown in the red boxed section in my screenshot, the Call Script in Case of Error will execute? Good to know. I'll give that a try. Many thanks!

normann
Product and Topic Expert

If the script called in case of error ends with uSkip(1,1), the task will end in OK state. If the script ends with uSkip(1,2), it's ending in failed state.

brandonbollin
Active Participant

Thanks. Going to try this out today and see what I get. Much appreciated.
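
Added example, not part of the thread and not SAP's code: decision logic for a "Call Script in Case of Error" handler that ends in OK state only for explicitly allowed LDAP result codes and ends in failed state for everything else, so an LDAP 19 on account creation is reported as a failure. Assumptions: the error text reaches the script as a string in the JNDI form "[LDAP: error code N - ...]", the operation labels and function names are hypothetical, and skipFn stands in for uSkip so the block runs outside SAP IDM.

```javascript
// Added example: fail-closed decision logic for an on-error script.
// Status values follow the thread: uSkip(1,1) ends OK, uSkip(1,2) ends failed.
var SKIP_OK = 1;
var SKIP_FAILED = 2;

// LDAP result codes (RFC 4511) that may be ignored, per operation.
// Operation names are hypothetical labels for this example.
var BENIGN_CODES = {
  addGroupMember: [20, 68], // attributeOrValueExists, entryAlreadyExists
  createUser: []            // no error on account creation is benign
};

// Extract the numeric code from JNDI-style text "[LDAP: error code N - ...]".
// Assumption: the connector's error text has this form.
function parseLdapCode(errorText) {
  var m = /LDAP: error code (\d+)/.exec(String(errorText || ""));
  return m ? parseInt(m[1], 10) : null;
}

// Return SKIP_OK only for an explicitly allowed code; anything else,
// including unparseable text or an unknown operation, is SKIP_FAILED.
function decideSkipStatus(operation, errorText) {
  var allowed = Object.prototype.hasOwnProperty.call(BENIGN_CODES, operation)
    ? BENIGN_CODES[operation] : [];
  var code = parseLdapCode(errorText);
  return (code !== null && allowed.indexOf(code) !== -1) ? SKIP_OK : SKIP_FAILED;
}

// skipFn stands in for the runtime's uSkip (injected so this runs outside SAP IDM).
function handleError(operation, errorText, skipFn) {
  var status = decideSkipStatus(operation, errorText);
  skipFn(1, status);
  return status;
}

// Constructed sample messages, not taken from a real job log.
var SAMPLE_CREATE_19 = "putNextEntry failed: [LDAP: error code 19 - constraint violation]";
var SAMPLE_MEMBER_68 = "modify failed: [LDAP: error code 68 - entry already exists]";
```
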