Once HelloID provisioning has run an enforcement of the business rules, you can see which entitlements have been given out, and their current state, on the Entitlements page. You can also see which, if any, entitlements were blocked due to thresholds set on the target system.
Navigate to Business Rules > Entitlements to get started.
The first tab on the Entitlements page is the Overview. This lets you see every entitlement that has been enforced, and its result. You can search and filter this list with the text box and filter controls just above it.
For various reasons, an entitlement may not be granted successfully. Perhaps there was a drop in communication, or the generated account's username was too long, or there was some other cause. When an entitlement process encounters an error, this is reflected in the Status column of the list.
In the event of a failed entitlement, select the blue retry button to the right of the status to retry the enforcement process.
To view a log, select the white details button to the right of the status. Note that it may take a few minutes for logs to populate after entitlements are enforced.
A dialog box appears, which contains error messages from the target system.
For PowerShell target systems, this dialog box displays all log messages. For Active Directory and Azure AD target systems, it displays only recent, high-priority messages.
For a complete, unfiltered log, you will need to check your Agent logs.
View blocked entitlements
If the number of entitlements being granted or revoked for a target system exceeds that system's thresholds, activity for those entitlements will be blocked. This will cause a red warning triangle to be displayed on the navigation bar. You will also see a blocked status in the entitlements overview, as seen in the screenshot below.
On the Blocked summary tab, you can see a summary of which entitlements and operations were blocked for each system, and why. In the screenshot below, we can see that there are 400 blocked account entitlements, because that number exceeds either 100 or 50% of the total population.
Handle blocked entitlements
There are multiple ways that you can handle or remediate blocked entitlements in HelloID provisioning. The method that you choose is entirely situational and dependent on your current configuration and data.
- If you believe the operations that HelloID is attempting to take are due to an error in the data, then you will need to look at the source data and discern what may be the cause of the problem. For example, if there are too many pending revokes, your data may have too many missing records.
- If you believe the pending operations are due to a misconfiguration of the business rules, you will need to revise those rules. Perhaps your business rule filters are too lax or too stringent.
- If the pending activity is legitimate, then it may be that your target system thresholds are too low. You may choose to increase the thresholds in this case.
- If the pending activity is legitimate, but outside of the daily norm (e.g., an end-of-year exodus of temporary workers or students), you may choose to manually approve the activity. This may be done from the Blocked summary tab by clicking the resume button for the entry in the summary table.