24.4 Troubleshooting Permission Collection and Reconciliation Service Issues

The following known limitations and workarounds can help you troubleshoot issues that you might encounter while using the Permission Collection and Reconciliation service:

The driver ignores permission assignments

Explanation: If you make permission assignments with the same user (User Application Administrator account) that the driver uses to communicate with the User Application, the driver ignores these changes and treats them as loopback events.
Action:
1. Use a different User Application administrator account for the driver.

2. Check the JBoss server.log file in the User Application to determine whether the User Application encountered any errors when the PermissionOnboarding job made SOAP calls.

3. Set the PermissionOnboarding job trace level to 5 to verify that the job ran successfully and was able to perform a codemap refresh, create a resource, and update the PermissionEntMapping table with the resource DN.

4. Set the driver trace level to 5 if you want to view the policy processing sequence.

The Subscriber Channel ignores permission reconciliation

Explanation: For any Subscriber changes, permissions are reconciled only after an event is successfully processed. The driver might not reconcile permissions if it contains policies that ignore operation-data containing permissions when these policies create or transform the status document.
Action: Restore operation-data.

For example:

<xsl:template match="operation-data">
  <operation-data>
    <xsl:message>operation-data</xsl:message>
    <!-- keep this element and process all of its attributes and children -->
    <xsl:apply-templates select="node()|@*"/>
  </operation-data>
</xsl:template>
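
To find the policy that drops operation-data, the driver's XSLT policies can be checked statically. The following Python script is an added example, not part of the product or its documentation: it lists every template that matches operation-data and reports whether the template re-emits the element. Both stylesheets are constructed samples, the function names are hypothetical, and the match-pattern parsing is a heuristic.

```python
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"

# Constructed sample: an empty template silently drops operation-data.
STRIPPING = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="status/operation-data"/>
</xsl:stylesheet>"""

# Constructed sample: the restoring template shown in this section.
PRESERVING = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="operation-data">
    <operation-data>
      <xsl:apply-templates select="node()|@*"/>
    </operation-data>
  </xsl:template>
</xsl:stylesheet>"""

def targets_operation_data(match):
    """True if any alternative of the match pattern ends at operation-data."""
    last_steps = (alt.strip().split("/")[-1].split("[")[0] for alt in match.split("|"))
    return "operation-data" in last_steps

def emits_operation_data(template):
    """Heuristic: the template body re-creates or copies the matched element."""
    for node in template.iter():
        if node is template:
            continue
        if node.tag == "operation-data" or node.tag == XSL + "copy":
            return True
        if node.tag == XSL + "copy-of" and node.get("select") == ".":
            return True
        if node.tag == XSL + "element" and node.get("name") == "operation-data":
            return True
    return False

def audit_stylesheet(xslt_text):
    """Return (match, verdict) for each template that handles operation-data."""
    root = ET.fromstring(xslt_text)
    return [(t.get("match"), "preserves" if emits_operation_data(t) else "strips")
            for t in root.iter(XSL + "template")
            if targets_operation_data(t.get("match", ""))]

if __name__ == "__main__":
    for name, text in (("stripping", STRIPPING), ("preserving", PRESERVING)):
        print(name, audit_stylesheet(text))
```

A template reported as "strips" is a candidate for the restoring template above; confirm the result in the driver trace at level 5.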

Deleting an entitlement value in a connected application is not reflected in the mapped resource

Explanation: This occurs when the Optimize-Modify value is set to yes.
Action: Set the filter attribute value to Notify.

Resources are not created in RBPM

Explanation: This occurs when the resource DN value is already populated in the PermissionEntMapping table.
Action: Delete the resource DN value and restart the driver. Otherwise, run the PermissionOnboarding job.

Changes to mapped attributes in the Identity Vault are not reflected as assignments in RBPM

Explanation: The NOVLCOMPCRS-itp-DoPermissionAssignment policy reconciles permissions when an attribute is successfully updated in the connected application. When the status document passes through this policy, the policy acts upon operation-data. If you added a new transformation policy to the policy set, ensure that operation-data remains unchanged in the status document.
Action: Verify that the NOVLCOMPCRS-itp-DoPermissionAssignment policy is placed correctly in the policy hierarchy, so that changes made to the attributes in the Identity Vault are reconciled to assignment attributes in RBPM.