Symptom
Sync job error "You don’t have permission to view the user.","status":403"
“Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.”
Environment
- SAP SuccessFactors HXM Suite
- SAP Cloud Identity Services – Identity Authentication IAS
- SAP Cloud Identity Services – Identity Provisioning IPS
Reproducing the Issue
- In the Identity Provisioning Administration Console, select Source.
- From your Source Settings, select Jobs.
- Choose a sync job.
- Then go to Job logs and check the error in the job:
"You don’t have permission to view the user.","status":403"
Cause
- The certificate under "Security Center" has a login name associated to it and the user does not have employee export/import permission over all users:
- From Admin Center, access "Security Center"
- Clicked on "X.509 Certificates" > X.509 Public Certificate Mapping
- See "Login Name" field has user value
- The Integration Name of the certificate under "Security Center" is Identity Authentication Service (IAS).
Resolution
Adding a username in the "Login Name" field is not mandatory, but if you choose to do so, please ensure that the user has all the required permissions. Otherwise the IPS job will fail.
Make sure that the Integration Name for the certificate is Identity Provisioning Service (IPS):
In case you need to make this correction, the current certificate in Security Center must be deleted since the system does not allow duplicate certificate. To download the active certificate - that should be uploaded in the Security Center - go to Source System > Outbound Certificates > Download the Active certificate.
See Also
Keywords
ias, x.509, error, failing, security center, certificate, admin, authorization error, IPS, 403, permission , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , How To