Identity Broker Forum


Fixed

Locker entity not deprovisioned when adapter entity join field values change

When a link has incoming deprovisioning configured and there is a change to fields of an existing adapter entity which are part of the join criteria, the existing locker entity is not deprovisioned, and a new entity for the new join field values is either provisioned or joined (if there is already a locker with matching join field values).

This differs from the behaviour when an adapter entity is deleted, which correctly triggers locker deprovisioning.

This is something I've mentioned previously in https://voice.unifysolutions.net/en/communities/6/topics/4204-changing-the-value-of-a-links-join-criteria-field-causes-existing-locker-entity-to-become-unjoined because Matt asked me to note it in passing, but now it's actually causing a problem with a UNIFYConnect customer implementation so it needs to be escalated as a bug to fix more urgently.

Not a bug

Adapter values not mapping to Locker (reason unknown)

I updated a multivalue string field in an Adapter (adding two different values to two already present) and the change did not map to the Locker using a Link configured only for Change Polling.

When I ran a Baseline Sync on the Link, the change went through.

I will try to reproduce this.

Not a bug

Locker values not mapping to Adapter (reason unknown)

During his SIT recently Adam updated a multivalue string field in a Locker (removing two values, adding two different values) and the change did not map to the Adapter using a Link configured only for Change Polling.

When I ran a Baseline Sync on the Link, the change went through.

I will try to reproduce this.

Completed

Changing the value of a link's join criteria field causes existing locker entity to become unjoined and a new locker entity to be provisioned

When the value of a field that is used in a Link's join criteria changes, that Join is lost and a new one is created (either via provisioning a new locker entity, or - presumably as I have never attempted it - by joining to a different locker entity if one exists that matches the new field value).

While this might appear to be reasonable behaviour at first, the outcome of this is that when the Join criteria field value of an adapter entity changes it ends up leaving an old entity with the previous value behind, and creating a brand new one with all the same values other than the join criteria field, rather than simply updating the previously-joined locker entity based on the mappings.

Consider:

Image 5951

If I changed the Access Package Name in my adapter from "Admins" to "Sysadmins" I might reasonably expect that change to be mapped through to update my existing locker entity.  Instead, I end up with the old, now-unjoined "Admins" locker entity, as well as a newly provisioned "Sysadmins" entity.  This seems somewhat counter-intuitive: it feels like Joins should have more permanence than that.

Setting Incoming Deprovision to True on the link might appear to be a solution to this, but I may well want to retain locker entities normally (i.e. if the adapter entity was genuinely deleted).  And the deletion/recreation of the locker entity is unnecessary anyway.

Fixed

Entity not updating after Join relationship connector entity change

Adapter "DWH Employee" has a Join to connector "SPOL Suspended Employee".  When an existing entity in that connector updated (to change the value of a boolean attribute) the Join did not re-evaluate on the adapter. Running an Import All on SPOL Suspended Employee did not update the DWH Employee adapter entity, and neither did running an Import All on the DWH Employee adapter's base connector. The join field was only updated when I ran Generate Changes on the DWH Employee adapter directly.

Note: this has the same appearance as ticket #4200 but is happening for a Join transform rather than a Foreign Multivalue Group transform, so it is possible that the same problem may be present across all join-type transforms.

Won't fix

Updated adapter field value didn't map to locker after joined connector field value change

This morning I moved users from one AD org unit to another, which resulted in their "dn" attribute changing.  One of those users is a manager for other subordinate users, and that user's dn value is retrieved by an adapter Join transform on the subordinate users, and mapped into their "manager" field in AD via their locker records.

After the change was made, the manager's connector and adapter record updated with the new dn field value, but the updated value did not flow through to the subordinate users' "manager" field in the locker.  The link which should be responsible for this is only configured for Change Polling.  When I ran a Baseline Sync, however, the subordinate users' manager fields did update in the locker.

I haven't tried to replicate this problem, but I do not believe it to be typical behaviour.

Fixed

ContextNonUnique for synchronised entity returns entity with no duplicate context

When calling CheckFieldUniqueness in a synchronisation task the ContextNonUnique function returns an entity for which no duplicate context exists other than the synchronised entity itself.  I suspect it is failing to exclude itself from the check, and that no-one has noticed this before because most of the time CheckFieldUniqueness is called in a provisioning task and so the entity doesn't yet exist in the target entity space.

Fixed

"Changes register item process on failed / failed with reason Value cannot be null." error after

Adrian Corston 3 years ago in UNIFYBroker/Plus updated by Matthew Davis (Technical Product Manager) 1 year ago 1

UNIFYBroker/Plus importing AD Users into a locker.  The 'member' field is locker-to-adapter mapped.  When I change the member field value in AD and run an Import All on the AD users connector, the following error is logged:

20210118,04:24:11,UNIFYBroker,Change detection engine,Error,"Changes register item processing on failed.
Parameter name: collection. Duration: 00:00:00.0139980
Error details:
Parameter name: collection. Duration: 00:00:00.0139980
Error details:
System.ArgumentNullException: Value cannot be null.
Parameter name: collection
at System.Collections.Generic.HashSet`1..ctor(IEnumerable`1 collection, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.MultiRelationalTransformationContribution.GetChangedMultiValues(IEntityPair entityPair, Boolean relevantFieldsChanged)
at System.Linq.Enumerable.d__23`3.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.EntityPartitionPostgreSqlContextBase`3.GetEntitiesByFieldValues(TEntityKey field, IEnumerable`1 values)
at Unify.Product.IdentityBroker.MultiRelationalTransformationContribution.d__25.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.d__64`1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.ChainedTransformationChangeProcessor.PublishChange(IEntityPair[] changedEntityPairs, DateTime changeProcessTime, ICollection`1 changeRecords)
at Unify.Product.IdentityBroker.ChainedTransformationChangeProcessor.ProcessChangeReport(IDictionaryTwoPassDifferenceReport`4 changesReport, DateTime changeProcessTime)
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.ChangeReportProcessor.ProcessCurrentReport(IEnumerable`1 adapterTransformationProcessors, IDictionaryTwoPassDifferenceReport`4 differenceReport, DateTime changeTime)
at Unify.Product.IdentityBroker.ChangeReportProcessor.CreateAndProcessReport[T](ITransformationChangeProcessor[] adapterTransformationProcessors, ICollection`1 sourceEnumerable, DateTime changeTime, HashSet`1 invalidEntities, Action`2 addAction, Func`3 addCheck)
at Unify.Product.IdentityBroker.ChangeReportProcessor.ProcessReport(IChangeReportProcessingRequest request)",Normal

This is not urgent, just noting it here for completeness.  I don't believe it will impact the solution I'm currently working on.

See also: https://voice.unifysolutions.net/en/communities/6/topics/57-import-all-entitiesfrom-connector-workday-employee-failed-with-reason-value-cannot-be-null for the same error message - ticket closed but it may be that the underlying issue was not identified or fixed.

Answer

The fix for this has been included in the latest UNIFYBroker 5.3 release.

Not a bug

"The following entities are missing field used for the join criteria" warning for non-existent entity

After a locker object was deprovisioned, the following warning started appearing when Baseline Sync was run:

20210118,02:44:56,UNIFYBroker,ProvisioningExecutor,Warning,The following entities [Count:1] for the link Entitlement Groups > Azure Cloud Groups (fa3bdd0f-5e3c-4fea-83c0-f7560800340c) are missing the field used for the join criteria: 723878ee-5950-4949-a5a0-3546820373a1: [ Cloud Group Name ],Normal

There is no entity with ID 723878ee-5950-4949-a5a0-3546820373a1 in the Broker/Plus UI.  I suspect this is a locker entity that didn't get properly deleted, and this warning is appearing because the locker no longer has a value for 'Cloud Group Name'.  But I am unsure if this is the only contributing cause.

Customer environment details are in the first comment.  I am currently seeing if I can reproduce the issue.

Answered

Could not complete synchronization on link due to a converging join error

Adrian Corston 3 years ago in UNIFYBroker/Plus updated by Matthew Davis (Technical Product Manager) 3 years ago 3

The following error is appearing in my UNIFYBroker/Plus log.  Could you tell me more about what it means?

Request to sync changes on link failed.
Request to sync changes on link Employees > AD Users (6410cee2-8159-4cc3-89d6-0a3cc3d46fdb) in direction outgoing failed with message Could not complete synchronization on link '6410cee2-8159-4cc3-89d6-0a3cc3d46fdb' due to a converging join error.
First source entity id: cb04dfa0-66e9-46fd-862d-54512e11f2c3
Second source entity id: fb3ee77f-5370-44e7-b1ce-0b01c39c0f88
Offending target entity id: 4ffd33d1-ec16-464d-90cc-ab0fe7d7b93a [Count:6492]. Duration: 00:00:02.2246402
Error details:
System.Exception: Could not complete synchronization on link '6410cee2-8159-4cc3-89d6-0a3cc3d46fdb' due to a converging join error.
First source entity id: cb04dfa0-66e9-46fd-862d-54512e11f2c3
Second source entity id: fb3ee77f-5370-44e7-b1ce-0b01c39c0f88
Offending target entity id: 4ffd33d1-ec16-464d-90cc-ab0fe7d7b93a
at Unify.Product.Plus.LinkSynchronizer`2.JoinAndMap(IEnumerable`1 filterResult, IDictionary`2 changesDict)
at Unify.Product.Plus.Link.SynchronizeChanges[TSourceEntity,TTargetEntity](IEnumerable`1 changes, IEnumerable`1 syncTasks, Func`1 getTargetContextAccessor, IConnectionsContext connectionContext, ISynchronizationHelper`2 helper, IProvisioner`2 provisioner)
at Unify.Product.Plus.Link.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LinkNotifierDecorator.<>c__DisplayClass42_0.<SynchronizeAdapterChanges>b__0()
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult](ITaskNotificationFactory notificationFactory, Func`1 function)
at Unify.Product.Plus.LinkNotifierDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LinkAuditingDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.AdapterToLockerSynchronizationJob.RunBase()
at Unify.Product.Plus.SynchronizationJobExecutor.<ThreadAction>d__8.MoveNext()

Answer

I found the duplicate adapter record - this is indeed a data error so this ticket can be closed.

Thank you!