Fixing "Refresh Identity Cube" task failures

  • 7011087
  • 25-May-2011
  • 19-Oct-2012

Resolution

If execution of the refresh task stops because of failures (such as
the null pointer exception in the log excerpt below), then Access Governance
Suite's "Prune Identity Cubes" task may be able to find and correct the issue:

16:34:48,760 DEBUG sailpoint.task.IdentityRefreshExecutor:1017 - Queueing id b8f4096252d74e16859ba0f8bb7e4e70
...
16:34:48,870 DEBUG sailpoint.task.IdentityRefreshExecutor:770 - RefreshWorker 1 dequeued id b8f4096252d74e16859ba0f8bb7e4e70
...
16:34:48,870 INFO sailpoint.task.IdentityRefreshExecutor:882 - Refreshing 2711 John.Doe
16:34:49,495 ERROR sailpoint.task.IdentityRefreshExecutor:876 - RefreshWorker 1 exception: java.lang.NullPointerException
16:34:49,495 DEBUG sailpoint.task.IdentityRefreshExecutor:770 - RefreshWorker 1 dequeued id b92747af4ed54ba3a83325a3564b9f55

The task reports or purges identities that meet none of these conditions:

- is marked protected
- is a manager (managerStatus flag true)
- has capabilities
- owns a Bundle, Application, Workitem, or TaskResult
- is a work item requestor
- is an Application secondary owner
- is an Application remediator
- created a MitigationExpiration

Besides an option to filter which identities are scanned,
the task offers an option to scan identities without deleting
them (to report what could happen) and a
"protectIfCertifying" option to protect identities
that are in an active (non-continuous) certification.

Alternatively, the steps below could aid in resolution.
The "Refresh Identity Cube" task has a setting that lets it
continue processing identities even after failures.
Disabling the failure limit lets the task process all identities.
The default value of 1 stops processing after 1 failure,
while a value of 0 continues processing with no limit:

<TaskDefinition ... name="Refresh Identity Cube" ... type="Identity">
  <Attributes>
    <Map>
      <entry key="maxExceptions" value="0"/>
      ...
    </Map>
  </Attributes>
</TaskDefinition>

1) Either increase or disable the exception limit
used during identity refresh execution. The Access Governance Suite "debug" page
offers an XML editor for accessing the "hidden" object attributes.

2) Check either the task result or the system logs for the failed identities.

3) Reconfigure the refresh task's filter to exclude the "failed" identities.
This allows the scan to complete for the (good) identities,
yet keeps the "failed" identities for study and resolution.

4) If the "Prune Identity Cubes" task does not remove the failures,
then delete the failed identities from Access Governance Suite (via "iiq console").
Before deleting, copy the identity for backup and review purposes.
Note that "iiq console" offers a sql command for
examining RDBMS tables directly.

C:> set SPHOME=<IIQ DIR>
C:> cd %SPHOME%/WEB-INF/bin
C:> iiq console
> sql "select id,name from spt_identity where id = 'b8f4096252d74e16859ba0f8bb7e4e70' "
> get Identity b8f4096252d74e16859ba0f8bb7e4e70
...
(copy and paste XML to file as backup)
...
> delete Identity b8f4096252d74e16859ba0f8bb7e4e70
> quit
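
For step 2, the failed identities can be pulled from the system log by pairing each RefreshWorker exception with the id that worker last dequeued. The Python script below is an added example, not part of the original article or the product; the second worker's lines in the sample log are constructed, and matching a "Refreshing" line to a worker is an assumed heuristic because that line names no worker.

```python
import re

# One event: "HH:MM:SS,mmm LEVEL class:line - message". The "- message" part may
# be wrapped onto the following line, as in the excerpt in this article.
EVENT = re.compile(
    r"^(\d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+\S+:\d+\s*-\s+(.*)$", re.MULTILINE)
DEQUEUED = re.compile(r"RefreshWorker (\d+) dequeued id (\w+)")
REFRESHING = re.compile(r"Refreshing \d+ (.+)")
FAILED = re.compile(r"RefreshWorker (\d+) exception: (\S+)")

def failed_identities(log_text):
    """Return one record per worker exception, tied to the id that worker held."""
    current = {}   # worker number -> identity it dequeued last
    awaiting = []  # workers that dequeued an id and have no name line yet
    failures = []
    for ts, level, msg in EVENT.findall(log_text):
        if d := DEQUEUED.search(msg):
            worker, ident_id = d.groups()
            current[worker] = {"id": ident_id, "name": None}
            if worker in awaiting:
                awaiting.remove(worker)
            awaiting.append(worker)
        elif (r := REFRESHING.search(msg)) and awaiting:
            # Assumption: pair the name with the oldest dequeue still waiting
            # for one, since the "Refreshing" line carries no worker number.
            current[awaiting.pop(0)]["name"] = r.group(1).strip()
        elif level == "ERROR" and (f := FAILED.search(msg)):
            held = current.get(f.group(1), {"id": None, "name": None})
            failures.append({"time": ts, "worker": f.group(1),
                             "exception": f.group(2), **held})
    return failures

# Sample input: the article's excerpt plus constructed lines for a second worker.
SAMPLE_LOG = """\
16:34:48,870 DEBUG sailpoint.task.IdentityRefreshExecutor:770
- RefreshWorker 1 dequeued id b8f4096252d74e16859ba0f8bb7e4e70
16:34:48,870 DEBUG sailpoint.task.IdentityRefreshExecutor:770 - RefreshWorker 2 dequeued id 0000000000000000000000000000c0de
16:34:48,870 INFO sailpoint.task.IdentityRefreshExecutor:882
- Refreshing 2711 John.Doe
16:34:48,871 INFO sailpoint.task.IdentityRefreshExecutor:882 - Refreshing 2712 Constructed.User
16:34:49,495 ERROR sailpoint.task.IdentityRefreshExecutor:876
- RefreshWorker 1 exception: java.lang.NullPointerException
16:34:49,495 DEBUG sailpoint.task.IdentityRefreshExecutor:770
- RefreshWorker 1 dequeued id b92747af4ed54ba3a83325a3564b9f55
"""

if __name__ == "__main__":
    for rec in failed_identities(SAMPLE_LOG):
        print(rec["time"], rec["id"], rec["name"], rec["exception"])
```

The ids it reports are the ones to exclude in step 3 and to back up with "get Identity" before any delete in step 4.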