10/17/2023 10:41 AM - edited 10/17/2023 11:15 AM
Hello,
I need some clarifications on the functions of the NEWACCOUNT Provisioning limit task type. In the documentation it mentions that NewAccount Allows you to specify the provisioning limit for New Account task. The New Account task is generated from: Access Requests, Rules, and Roles.
Does that include the Add Access task generated at birthright as part of Role provisioning? We have technical rules that assign roles (and the entitlements attached to them) when a new user is created. Also, if we set the provisioning limit to 100, is it for the total number of tasks in the pending list or the users the tasks are getting generated for?
We had set a threshold limit for new account, however, even though the new account tasks were less than the threshold, it failed to provision with this error message: Account Entitlement Task as part of Role Request ROLENAME from ZeroDay Provisioning [08-26-2023-total task count (2223) is greater than defined limit (200)].
Thanks
10/17/2023 02:11 PM - edited 10/17/2023 03:08 PM
@GOE : What is the limit set for Task Type ADD? I think in your case the ADD threshold is limiting the provisioning. Because if I understand correctly, you are assigning the roles upon user creation, which will try to assign entitlements along with creation of the account if the respective user didn't have an account.
In that case it creates an Add Access task and internally it makes a new account creation upon no account found. Since the task is Add Access, maybe the respective provisioning limit is getting applied.
10/17/2023 02:25 PM
In our case there was no ADD threshold set.
10/17/2023 03:07 PM - edited 10/17/2023 03:10 PM
@GOE : Then I believe it might be coming from the userImport.zeroDayLimit configuration in externalconfig.properties. Can you validate the same? This setting will limit the birthright provisioning.
By default I think this value will be 100. But as per the logs you shared, it looks like it is set to 200 in your environment.
10/18/2023 03:48 AM - edited 10/18/2023 04:08 AM
The value was actually set to 1000, which is why it's a bit confusing to me. The only number that 200 matches with is the value we had set in the New Account threshold. Also, my understanding is that for zero day limits, the task would not be created at all upon import.
10/17/2023 08:58 PM
It does not consider tasks created through rules, only considered as Access Requests.