PingOne

Group provisioning FAQ

The following section contains common questions and answers about group provisioning.

How do I debug when group synchronization failed on the target?

To debug the group sync failure, on the sync summary, click the Audit Logs link to go to the Audit page. On the Audit page, you can view the audit report for any detailed error messages in the audit logs.

Review the Provisioning Group Sync Failure and Provisioning Group Membership Failure audit events to check which group or membership failed and the reason why it failed.

For additional debugging, use the correlationId in Splunk to find any ERROR or WARN logs. You can also check the status of the group on the Group Provisioning tab.

How do I know if there is a membership sync failure on a group that is part of a provisioning rule configuration?

If there is a membership sync failure, the sync summary shows the failure.

In the sync summary, click the Audit Logs link to go to the Audit page. On the Audit page, you can view the audit report for any detailed error messages in the audit logs.

Review the Provisioning Group Sync Failure and Provisioning Group Membership Failure audit events to check which group or membership failed and the reason why it failed.

You can also go to Directory → Users → Sync Status to check the membership sync status.

How do I debug when the Groups section of the sync summary reports failures?

To debug the group sync failure, click Audit Logs to go to the Audit page. On the Audit page, you can view the audit report for any detailed error messages in the audit logs.

Review the Provisioning, Group Sync Failure, and Provisioning Group Membership Failure audit events to check which group or membership failed and the reason why it failed.

For additional debugging, use the correlationId in Splunk to find any ERROR or WARN logs. You can also check the status of the group on the Group Provisioning tab.

How do I filter for group provisioning sync events in the audit events?

To filter audit events for group provisioning sync events, in the Filter field, enter provisioning.

The available audit events for group provisioning are:

  • Provisioning Group Membership Sync Failure

  • Provisioning Group Sync Failure

  • Provisioning Sync Failure

  • Provisioning Sync Started

Screen capture of event type for provisioning.

Is there a membership status in Directory → User ?

Yes. Learn more about membership status in Using user identity details to identify sync issues.

Can I see the status of a group in Directory → Groups ?

Yes. Learn more about group status in Using group identity details to identify sync issues.

Can I sync nested groups as part of a group provisioning?

Yes. However, you must select the child groups that you want to sync over.

Selecting a parent group does not automatically provision its children. The provisioning service doesn’t automatically provision all subgroups within a group (nested groups) unless selected explicitly.

What does the message the target doesn’t support group provisioning mean?

At present, target systems Service Now, Zoom, LDAP Outbound, Salesforce Contacts, and Leads, do not support group provisioning. Only user provisioning is supported for these target systems.

What does the message the target user id is unknown mean?

The user has not been created in the target and could not be added to group memberships. Retry the sync after creating the user.

Are external groups that are synced using JIT supported for outbound group provisioning?

No. Syncing of JIT groups is not currently supported.

How many groups can I configure as part of a provisioning rule?

Provisioning supports 1000 groups to be synced to the target system.