Configuration incomplete for user provisioning, please check the App Engine Admin group or the XXXX
02-20-2025 06:58 PM
I requested a new instance and am using the default catalog item to request something.
The error below always shows and I can't get through the whole process.
Does anyone know the solution?
Configuration incomplete for user provisioning, please check the App Engine Admin group or the system property sn_app_intake.instance_can_provision_users
02-21-2025 06:55 AM
Hi @cristine_ye
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0960297
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
03-19-2025 02:08 PM
I don't know if KB0960297 is relevant or if it solves the issue, but I found a workaround that didn't involve App Engine Studio configuration at all. Point is, we've never touched it and didn't have any intent to.
Instead, we found the error @cristine_ye mentioned in our system logs after the submission of a Catalog Item running a Workflow (not a Flow or Execution Plan) that had a Run Script activity.
Specifically, there are two List Collector reference variables on this item, one for sys_user and the other for sys_user_group. The Run Script activity iterates through these after transforming them into arrays and inserts records in the sys_user_grmember table:
// List Collector variables hold comma-separated sys_ids; split them into arrays
var usersArray = current.variables.please_select_the_users.toString().split(',');
var groupsArray = current.variables.please_select_the_groups_for_this_request.toString().split(',');
// Create one sys_user_grmember record for every user/group pair
for (var i = 0; i < usersArray.length; i++) {
    for (var j = 0; j < groupsArray.length; j++) {
        var gr = new GlideRecord("sys_user_grmember");
        gr.initialize(); // was "gr.initialize;" which never called the method
        gr.group = groupsArray[j];
        gr.user = usersArray[i];
        gr.insert();
    }
}
(Before you ask WHY this request exists, just know that we disallow the itil_admin role from directly manipulating group membership due to some... historical mistakes. This request also serves as a bonus audit trail.)
Now, oddly, this thing has been working just fine for a couple years, but the other day someone tried to use it (appropriately) to add a new member to a group that has a bunch of GRC/IRM roles. And it didn't do anything -- silent failure. The only indication that anything went awry was the message in the logs, exactly as @cristine_ye described.
In testing, we found that the catalog item works just fine when submitted by a system admin for that group, but not by someone who only has the ITIL or ITIL Admin role. We reproduced the issue and system log entry in a subprod instance by submitting the request while impersonating the user who originally submitted it in our production instance.
The workaround -- we inserted a 5-second timer in the workflow immediately prior to the Run Script activity. This recontextualizes the workflow execution as a background task and executes the script under the system account instead of the submitter's. The issue is no longer occurring, and all we had to change was the workflow itself, nothing else -- and certainly nothing with App Engine Studio.
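Added example, not part of the posts above and not ServiceNow's own code: the script in the last post discards the return value of `insert()`, which is the new record's sys_id or null when no record was created, so a rejected membership insert leaves no trace in the request itself. The sketch below collects rejected user/group pairs so the workflow can report them; `splitIds`, `addMemberships` and `makeFakeTable` are hypothetical names, and the fake record class is a constructed stand-in for GlideRecord so the logic runs outside an instance.

```javascript
// Added example. On an instance, pass this factory instead of the fake one:
//   function () { return new GlideRecord('sys_user_grmember'); }
function splitIds(csv) {
    // ''.split(',') yields [''], so drop blanks instead of inserting empty references
    return String(csv || '').split(',').map(function (s) { return s.trim(); })
        .filter(function (s) { return s.length > 0; });
}

function addMemberships(userCsv, groupCsv, newRecord) {
    var result = { inserted: [], failed: [] };
    splitIds(userCsv).forEach(function (user) {
        splitIds(groupCsv).forEach(function (group) {
            var gr = newRecord();
            gr.initialize();
            gr.setValue('user', user);
            gr.setValue('group', group);
            // insert() returns the new sys_id, or null when the record was not created
            var sysId = gr.insert();
            (sysId ? result.inserted : result.failed).push(user + '>' + group);
        });
    });
    return result;
}

// Constructed stand-in for GlideRecord: inserts into any group listed in
// blockedGroups return null, the way a rejected insert does.
function makeFakeTable(blockedGroups) {
    var rows = [];
    function FakeRecord() { this.v = {}; }
    FakeRecord.prototype.initialize = function () { this.v = {}; };
    FakeRecord.prototype.setValue = function (k, val) { this.v[k] = val; };
    FakeRecord.prototype.insert = function () {
        if (blockedGroups.indexOf(this.v.group) !== -1) { return null; }
        rows.push(this.v);
        return 'fake_sys_id_' + rows.length;
    };
    return { rows: rows, newRecord: function () { return new FakeRecord(); } };
}

// Constructed sample: two users, one ordinary group and one the submitter cannot modify.
var table = makeFakeTable(['grp_irm']);
var outcome = addMemberships('usr_a,usr_b', 'grp_help,grp_irm', table.newRecord);
if (outcome.failed.length > 0) {
    // In a workflow Run Script, report this with gs.error(...) and fail the request
    console.log('Membership inserts rejected: ' + outcome.failed.join(', '));
}
```

In a Run Script activity the `console.log` call would be replaced with `gs.error(...)` plus whatever the workflow uses to mark the request as failed, so the requester and the audit trail both show that the membership was not granted.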