Troubleshooting Provisioning

Below are common Provisioning issues, their solutions, and links to other helpful resources.

Tip

A number of frequently asked questions are answered in FAQ: Provisioning.

Incidents

The following are Provisioning Incidents which are reported on the Admin dashboard.

1.	Provisioning Agent is down
	Restart the Agent services. Make sure the necessary domains are whitelisted, the agent is the latest version, and the agent is running with a service account that has enough permissions (see Agent requirements).
2.	Person(s) skipped for processing
	Resolve merge suggestions for persons who are skipped for processing.
3.	Entitlement actions blocked
	Review Blocked actions and Resolve blocked actions.
4.	Snapshot blocked
	Review Blocked persons and, if necessary, add missing data to the source system.
5.	Import failed
	Resolve a blocked import.
6.	Entitlement action failed
	To resolve and retry failed entitlement actions, follow the steps in: Troubleshoot entitlement actions.

Account and permission issues

Account and permission issues can arise from various causes. Below are common issues along with their possible causes and solutions. For a general approach to investigating and resolving these issues, refer to Troubleshoot entitlement actions.

1.	Missing account or permission
	When a person has no account in a target system or is missing a permission (account access, group membership, shared folder, access to building, etc.): The person may not be in scope of a business rule that grants the account or permission. View a person's business rules and correct the person's data in the source system, if necessary. New persons may be skipped for processing when there is a merge suggestion for them. Resolve merge suggestions. The person may be excluded from the business rules; see Exclusions. If necessary, Re-include a person. If the account was manually deleted from the target system, Re-create a manually deleted account.Re-create a manually deleted account If the permission was manually removed, Re-enforce an entitlement. Make sure the person is in scope of a business rule that grants the permission. Alternatively, Unmanage an entitlement (the permission) in HelloID; Run an evaluation and make sure that the permission will be granted to the person; then Run an enforcement. If the grant action fails, Troubleshoot entitlement actions. Tip If your organization has the Governance module you can use Reconciliation to detect and resolve missing accounts and permissions.
2.	Duplicate accounts
	When one person has two accounts in the target system, the most likely reason is that an account could not be correlated with the person, causing a new account to be created alongside the existing one. To correct this, Fix a wrongly correlated account. Another possible reason is that there are two entries for this person in the source system, and they have been imported into HelloID as separate individuals rather than being merged into a single person. To solve this: Manually merge the persons in HelloID. The person with the account that needs to be retained should become the main person first. If the non-main person's personal data must be leading, Manually replace the main person after the initial merge. During the merge, the entitlements of any non-main persons become unmanaged, i.e. they are forgotten in HelloID, but not removed from the target system. Manually remove the unmanaged target account, if necessary.
3.	Account not automatically linked
	When an existing account was not automatically linked to a person, Manually correlate an account to a person.
4.	Account linked to wrong person
	When an account was linked to the wrong person in HelloID, Fix a wrongly correlated account.
5.	Account updates fail
	When account updates fail with an error, indicating that the account was probably deleted, this usually occurs because the account has been manually deleted from the target system. To resolve this, Re-create a manually deleted account.Re-create a manually deleted account If account updates fail for another reason, Troubleshoot entitlement actions.
6.	Entitlement action waiting infinitely
	An indefinitely waiting entitlement action can have various causes. Check them using the step-by-step plan in Troubleshoot entitlement actions.
7.	Account has incorrect data:
	When a person's personal information in an account in a target system is wrong, e.g. the job title, employee number, or manager, this can have various reasons. The data in the source system may be incorrect. If necessary, correct the person's personal or contract data in the respective source system. If the data in the source system was changed recently, the account may not have been updated yet. If an account update has failed, Troubleshoot entitlement actions and Update an account to retry. The issue may also be caused by Person aggregation. Duplicates can be merged - automatically or manually, depending on how person aggregation is set up - into a single person in HelloID. One person is designated as the 'main' person, while the others become 'non-main' persons. All contracts are associated with the main person. Whenever necessary (for example, when evaluating person conditions in business rules), the main person's personal data is used. If one of the contracts changes after the merge, it may affect target account attributes like job title or manager. However, it doesn't change who the main person is, so personal data, such as an employee number, stays the same. (See Aggregation basics.) If possible, remove duplicate entries from the source system(s). Manually replace the main person with the non-main person whose personal data should be used. Tip When merging separate persons, set the person with the desired entitlements (such as target accounts) as the main person. This way, their accounts and other entitlements remain managed in HelloID. You can Manually replace a main person in a merge set later if you want the personal data, such as an employee ID, of the other person to be used. For more information, see Aggregation basics.
8.	Account is missing data
	When accounts are missing data, for example, when the signature under an email is missing a job title, there are a number of possible causes. Data is missing for the person in the source system. Add the missing data into the source system. Optionally, Make a field required in the source mapping. If data is available in the source system, but not sent to HelloID, Map an additional field, and/or Make a field required. The data is available in HelloID, but not included in the target mapping. Update the target mapping for the Active Directory, Azure AD or PowerShell v2 system. The account update action failed for this system, or for a system it depends on. Try running Update accounts for the affected system(s). To find the root cause, Troubleshoot entitlement actions.
9.	Permission not managed by HelloID
	When a permission has been added manually in a target system, it is not automatically managed by HelloID and will not automatically be removed by HelloID. If you want it to be managed by HelloID, make sure the person is in scope of a business rule that grants the permission. Import target system entitlements to immediately mark the permission as granted (without an Enforcement).
10.	Account or permission not disabled or removed
	When an account or permission was not disabled or removed, the person may still be in scope of a business rule that grants the account or permission. View a person's business rules and correct the person's data in the source system, if necessary. If the disable or remove action failed for another reason, Troubleshoot entitlement actions. Note: HelloID can only disable an account or remove an account or permission that is managed by HelloID. If the entitlement was not granted to the person by HelloID, or if correlation failed, or if the entitlement has been previously unmanaged, HelloID will not remove or disable it.

Person aggregation issues

Duplicate persons in one or more source systems can be merged into a single person in HelloID, either automatically or manually, depending on how Person aggregation is set up. One person is designated as the 'main' person, while the others become 'non-main' persons. All contracts are associated with the main person. Whenever necessary, the main person's personal data is used.

Duplicate accounts, a missing account, and incorrect employee data in an account could all potentially be traced back to a person aggregation issue. Note that it may not be immediately apparent whether a problem is caused by a person aggregation issue. To find the root cause, Troubleshoot entitlement actions.

1.	Person labeled 'Skip Processing'
	HelloID skips a new person for processing when there is a merge suggestion for them. Resolve merge suggestions for the person.
2.	Person in HelloID has incorrect personal data
	If one of the contracts of a non-main person becomes the primary contract after the initial merge, this may affect target account attributes like job title or manager. However, it doesn't change who the main person is in the merged set, so personal data, such as an employee number, stays the same. (For more information, see Aggregation basics.) This will lead to issues if person conditions are used in the business rules. To resolve them, Manually replace a main person in a merge set (Source > Aggregation > Manual > Select person > Transfer main person).
3.	Persons have not been merged
	Manually merge persons (go to Source > Aggregation > Manual > Select person > Add person). For guidance on whom to select as main person, see Aggregation basics.
4.	Persons have been merged incorrectly
	Manually unmerge persons (go to Source > Aggregation > Manual > Select merged person > Remove person).

Other issues

1.	Target system error
	When an error in a target system has led to failed entitlement actions, Run an enforcement or retry failed entitlement actions one by one: go to Business > Entitlements > History > Retry action.
2.	Source system error
	When an error has occurred in a source system, any related provisioning issues should be resolved automatically during the next scheduled import and enforcement after the source system error is fixed and (in on-premise systems) the Agent is running. If necessary, Run a manual import to make sure the error has been resolved (Source > Systems > Start import) and Run an enforcement (Business > Evaluation > Enforce button).
3.	Action failed
	When an action that is not an entitlement action has failed, for example, an onboarding email was not sent, this can have various causes. An error in the connected system (for example: the email system). A broken connection with another system, either physically, or programmatically. In the latter case, the script needs to be updated; it is recommended to engage a HelloID consultant. Data is missing from the source. For example, when a contract has not started yet, an onboarding email cannot be sent if a private email address is not included in the source data. The solution may be to Map an additional field or Make a field required.

In this section: