Synchronization Project Configuration
1. Ensure the target system connection has read and write access.
2. Does manual provisioning via the Target System browser work?
3. Are the Provisioning workflow steps enabled?
4. Do the provisioning operations include the steps (insert, update, delete)?
5. Does Direct assignment via Manager work?
6. Run a sync with Active Directory (AD) to be sure 1IM is aligned with the Target System.
7. Go to Manager | Active Directory | Target system synchronization: Active Directory and resolve the objects flagged as outstanding for ADSAccount, ADSGroup or ADSAccountInADSGroup.
DBQueue and Job Server state
1. Ensure DBQueue processing is started: Job Queue Info | Help | Emergency Stop.
2. Ensure One Identity Manager Service processing in general is started: Job Queue Info | Help | Emergency Stop.
3. Ensure One Identity Manager Service processing is enabled for each individual Job Server Queue: Job Queue Info | Job Server State Window | Processing stopped tab.
4. Is SQL Server Agent running in the SQL DB?
5. In Job Queue Info, are there any related outstanding frozen jobs? Refer to KB Article 123342 - How to troubleshoot “Frozen” jobs in the job queue (JobQueueInfo.net).
6. Is the DB flagged for recompile?
7. Ensure that the DBQueue Jobs and Service Broker are all created and enabled. If needed, recreate and enable the Jobs and Service Broker by following the steps in KB Article 189214 - Identity Manager Upgrade Error: "50000: Cannot enable broker because of other users are active." Note that after a restore of the 1IM database, SQL Server deactivates the Service Broker for that database; follow those steps to reactivate it.
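The read-only T-SQL below is an added example, not part of the original article or One Identity's own tooling. It covers checks 4 and 7 above using SQL Server system views; the database name OneIM is a placeholder assumption, and the account running it needs VIEW SERVER STATE and read access to msdb.

```sql
-- Added example: read-only checks for items 4 and 7 of the
-- "DBQueue and Job Server state" list. Nothing here changes state.
-- Assumption: N'OneIM' is a placeholder; replace with your 1IM database name.
DECLARE @db sysname = N'OneIM';

-- Item 4: is the SQL Server Agent service running?
-- Expect status_desc = 'Running' and an automatic startup type.
SELECT servicename,
       status_desc,
       startup_type_desc,
       service_account
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server Agent%';

-- Item 7: is Service Broker enabled for the database?
-- The article notes it is deactivated after a database restore,
-- in which case is_broker_enabled is 0.
SELECT name,
       is_broker_enabled,
       state_desc
FROM sys.databases
WHERE name = @db;

-- Item 7: SQL Agent jobs that have at least one step targeting the
-- database, with their enabled flag and last outcome.
-- last_run_outcome: 0 = failed, 1 = succeeded, 3 = canceled, 5 = unknown.
SELECT DISTINCT
       j.name    AS job_name,
       j.enabled AS job_enabled,
       js.last_run_outcome,
       js.last_run_date,
       js.last_run_time
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
     ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysjobservers AS js
     ON js.job_id = j.job_id
WHERE s.database_name = @db
ORDER BY j.name;
```

An empty result from the last query, or rows with job_enabled = 0, points back to the recreate-and-enable steps in KB Article 189214.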
State of the Employee and Active Directory user account: is the Employee active in 1IM?
1. In 1IM and Active Directory, are the accounts active?
2. Does the Employee (Person record) have a Central user account set? (Central user account is needed for initial ADSAccount creation.)
Active Directory user account and linking configuration
1. In Manager, is the linked Active Directory user account in Full Managed mode to the Employee?
2. Does the Active Directory user account have the "Groups can be inherited" flag set?
For Role based provisioning, check the Role configuration
1. Go to Manager | Business Roles | Role Class | Task: "Configure Role assignments": check if the role's class allows provisioning of AD groups through "Assignments" and "Direct assignment" mode.
2. Ensure the QER\Structures\Inherit configuration parameter is enabled.
3. Ensure inheritance is not blocked for the Roles structure. Refer to Discontinuing Inheritance.
4. "Do not inherit" settings in the Roles structure (Refer to Using Business Roles to Limit Inheritance):
- Employees do not inherit
- Devices do not inherit
- Workdesks do not inherit