Once HelloID Provisioning has run an enforcement of the business rules, you can see which entitlements have been granted, and their current state, on the Entitlements page. You can also see which, if any, entitlements were blocked due to thresholds set on the target system.
Navigate to Business Rules > Entitlements to get started.
The first tab on the Entitlements page is the Overview. This displays all currently enforced entitlements.
Export a report
Select the Export button to download a CSV report.
For various reasons, an entitlement may not be granted successfully. Perhaps there was a drop in communication, or the generated account's username was too long, or some other reason. When an entitlement process encounters an error, this will be reflected in the Status column of the list.
In the event of a failed entitlement, select the blue retry button to the right of the status, to retry the enforcement process.
To view a log, select the white details button to the right of the status. Note that it may take a few minutes for logs to populate after entitlements are enforced.
A dialog box appears, which contains error messages from the target system:
For PowerShell target systems, this dialog box displays all log messages. For Active Directory and Azure ID target systems, it displays only recent, high priority messages.
For a complete, unfiltered log, you will need to check your Agent logs.
View dynamic permission entitlements
If a dynamic permission has been enforced, select its grid button to view the specific entitlements which have been granted to the corresponding Person:
View blocked entitlements
If the number of modified entitlements exceeds a target system's thresholds, pending entitlement actions are blocked. A red warning triangle is displayed on the navigation bar.
Select the Blocked actions tab to see which operations were blocked for each target system, and why. In the screenshot below, we can see that there are 4 blocked account entitlements, due to that number exceeding the default setting of 1.
Select a system's details button to see a detailed list of blocked entitlement actions for that system:
Resolve blocked entitlements
There are multiple strategies you can use to remediate blocked actions. The method that you choose depends entirely on your current configuration and data.
- If you believe the operations that HelloID is attempting to take are due to an error in the data, then you will need to look at the source data and discern what may be the cause of the problem. For example, if there are too many pending revokes, your data may have too many missing records.
- If you believe the pending operations are due to a misconfiguration of the business rules, you will need to revise those rules. Perhaps your business rule filters are too lax or too stringent.
- If the pending activity is legitimate, then your target system thresholds may be too low. You may need to increase them.
- If the pending activity is legitimate, but outside of the daily norm (e.g., end of year departure of temporary workers or students), you may choose to manually approve the activity. To do so, select the system's blue resume button.
Select the Yes button to confirm.