16.7 Troubleshooting Policy Mapping Issues

Use the information in the following sections to troubleshoot policy mapping issues.

16.7.1 No Connectors Appear on the Policy Mapping Page

If the Policy Mapping page does not display the connectors for the SaaS applications, there are two possible solutions:

  • Verify that the connectors are configured properly and enabled. For more information, see the appropriate sections for configuring connectors in the CloudAccess Connectors Guide.

  • Click the Refresh List icon in the upper-right corner of the Policy Mapping page.

16.7.2 CloudAccess Does Not Reconcile Pending Approvals with Changes to Policy Mappings

Issue: CloudAccess does not reconcile pending approvals with changes to policy mappings. Users with pending approvals are granted the pending requests even if the mappings were removed after the requests were launched.

Workaround: If a policy mapping for a resource occurs by mistake, decline all the requests for that resource. If a policy mapping for a resource occurs correctly, but then the mapping is removed, simply decline all outstanding approval requests. You can often avoid this issue by verifying that the user is a member of the group before you grant approval, and by ensuring that requests are approved or denied in a timely manner.

16.7.3 Using Multiple Browsers or Browser Windows Can Result in Duplicate Mappings

Issue: If you simultaneously use more than one browser or browser window to map authorizations, CloudAccess does not warn you if you inadvertently do the same mapping in two different browsers. Clicking Refresh displays two identical mappings on the Approvals page, but only one of them is a valid mapping. If you remove one of the mappings, CloudAccess might not actually deprovision the user until you remove the authorization that is mapped to the group.

Workaround: You can avoid this issue by using only one browser when you create policy mappings. To work around this issue, on the CloudAccess Policy page, manually remove all duplicate authorization mappings from the role, then map the desired authorizations back to the role.