Can someone help with sporadic ACL errors when creating/updating accounts via Okta/AD sync?

Denton
Tera Contributor

‎01-11-2019 05:03 AM

I am seeing this error on Okta when *some* new users are being imported or updated.

For example a new user attempted to log in yesterday and could not sign in. Okta is configured to automatically set up a new ServiceNow login on first login. The Okta logs are showing:

An error occurred while assigning this app.

Automatic provisioning of user Firstname Lastname to app ServiceNow UD failed: Error while creating user FirstnameLas: Errors during execution: Error executing createNewUser: 403. Operation Failed. ACL Exception Insert Failed due to security constraints. Error Code: null

Unfortunately, I'm not too sure where to look with this one. Most new end-users can log in without issues. 

If anybody can help I'd greatly appreciate it. I know it's not a lot to go on, but I can provide any information needed.

Thanks!

 

0 Helpfuls
  • 1,831 Views
1 REPLY 1

Darren_Cantrill
Kilo Contributor

‎03-28-2019 05:53 PM

1. Check your user roles for OKTA "userid" with ServiceNow (quick fix add admin role and then make check the box for "web service access only"). The error:

Push user reactivation in external application
failure : Errors during execution: Error executing reactivateUser: 403. Operation Failed. ACL Exception Update Failed due to security constraints. Error Code: null

2. OKTA uses a field called "External ID" under the "Edit User Assignment" settings that has to match the sysid of the user you are sync'ing to. If these fields don't match then you'll get the following error:

Push user's profile to external application
failure : Errors during execution: Error executing pushUserProfile: 404. No Record found. Record doesn't exist or ACL restricts the record retrieval. Error Code: null
 

For example, looking at my info in OKTA SSO / OKTA TEST / SYSID PROD / SYSID TEST:

PROD OKTA: b7ce74eddb3d9340965f4b8b0b96192a

TEST OKTA: b7ce74eddb3d9340965f4b8b0b96192a

sn PROD sysid: b7ce74eddb3d9340965f4b8b0b96192a

sn TESTsysid: b7ce74eddb3d9340965f4b8b0b96192a

 

When OKTA kicks back an error (item #2 above):

PROD OKTA:271feec3dbfb2f44fb362ab74b9619e3

TEST OKTA: eb0f6643dbf363c4b09ce3a84b9619c5

sn PROD sysid: 271feec3dbfb2f44fb362ab74b9619e3

sn TEST sysid: 271feec3dbfb2f44fb362ab74b9619e3

 

Hopefully this helps.