You might find that the results returned from the UMUser/UMGroup SmartObjects show identities and group memberships that should not be there. Identities that you deleted, or removed from groups, in an Identity Provider (IdP) may still show in the SmartObject results. This article describes this issue, which may occur when switching to the Identity Sync Service described in KB002707, Identity Synchronization and Caching.

Cause

Enabling the Identity Sync Service changes the way that K2 populates the identity cache. If you edit or delete an identity or its group membership in an IdP, and then enable the Identity Sync Service before the identity cache synchronizes those changes, you will find incorrect identity information in the identity cache. Here is an example scenario that may cause this issue:

  1. You have user identities and group-memberships in the Identity Store.
  2. You make changes to an IdP, such as editing group membership or deleting a user.
  3. You don't wait for, or check that, the legacy identity resolver has propagated the IdP changes to your K2 identity cache (the default wait time for this is 8 hours).
  4. You enable the Identity Sync Service, run the initial sync, and the ETL process finishes.
  5. Stale identity information is stored in the K2 Identity Cache.

Resolution

To resolve this issue, you will need to run a SQL script on the affected K2 environment.

Contact K2 support before using either of the scripts mentioned in this article and only apply the resolution described in this article if K2 support confirms the issue of stale identity data in your environment.

Two SQL Stored Procedures (SP) are available to help resolve the issue of stale identity information:

  • [SyncEngine].[GetETLStatus]: Checks if the ETL process of the Sync Service is complete.
  • [SyncEngine].[CleanIdentityStaleData]: Cleans stale identity information out of the K2 database.

When to run the scripts

Executing the stale identity clean-up SP the first time corrects the issue in the database. Subsequent executions of the SP make no changes to the database or cached data. Use the script as a one-time task to address the stale identities issue.

Use the scripts only if both of the following conditions are true (contact K2 support before using the scripts):

  • You have enabled the Identity Sync Service and completed a successful initial/full sync
  • You notice user information in the Identity Schema that should not be there. The most likely way to notice this is when URM SmartObjects return user identity or group membership information that was removed in the IdP

Running the script

K2 support will guide you through the following steps:

  1. Backup your K2 database
  2. Schedule some downtime, since the execution time of the script depends on the number of identities in your environment
  3. Stop the K2 server
  4. Execute the [SyncEngine].[CleanIdentityStaleData] script
  5. Start the K2 server
  6. Wait for the ETL process to complete (the ETL process starts every 60 seconds). The ETL process might take some time depending on the number of identities in your environment. You can use the ETL status script to check when the ETL process is finished.
Group membership information takes longer to sync than identity information so your users may be able to log in before their group membership is resolved.
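The following PowerShell script is an added example (not part of this article and not a K2 support script) that runs the six steps above end to end: back up the database, stop the K2 server, execute the clean-up procedure, restart the server, then poll the status procedure every 60 seconds. It assumes the SqlServer module is installed; the SQL instance, database name, service name and backup path are placeholders, and the column name and value that [SyncEngine].[GetETLStatus] returns for a finished run are assumptions you must confirm against the procedure's actual result set before relying on the loop.

```powershell
# Added example, not from the K2 article. Placeholders and assumptions:
#   - SqlServer PowerShell module (Invoke-Sqlcmd) is installed
#   - $ServiceName is the Windows service name of your K2 server (placeholder)
#   - [SyncEngine].[GetETLStatus] is assumed to return a row whose column
#     $StatusColumn equals $CompleteValue once the ETL run has finished;
#     verify the real result set and adjust both values before use.
param(
    [string]$SqlInstance   = 'SQLSERVER\K2',                 # placeholder
    [string]$Database      = 'K2',                           # placeholder
    [string]$ServiceName   = 'K2 Server Service',            # placeholder
    [string]$BackupPath    = 'D:\Backups\K2-pre-clean.bak',  # placeholder
    [string]$StatusColumn  = 'Status',                       # assumed column
    [string]$CompleteValue = 'Completed'                     # assumed value
)
$ErrorActionPreference = 'Stop'

# 1. Backup first (COPY_ONLY so the regular backup chain is not disturbed)
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database 'master' -Query @"
BACKUP DATABASE [$Database] TO DISK = N'$BackupPath' WITH COPY_ONLY, CHECKSUM, INIT
"@

# 2./3. Downtime: stop the K2 server and confirm it is stopped before touching data
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# 4. One-time clean-up; no -QueryTimeout so a long run is not cut short
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
    -Query 'EXEC [SyncEngine].[CleanIdentityStaleData]'

# 5. Start the K2 server again
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))

# 6. Poll the ETL status; the ETL process starts every 60 seconds
do {
    Start-Sleep -Seconds 60
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
        -Query 'EXEC [SyncEngine].[GetETLStatus]' | Select-Object -First 1
    Write-Host "$(Get-Date -Format s) ETL status: $($row.$StatusColumn)"
} until ($row.$StatusColumn -eq $CompleteValue)
Write-Host 'ETL finished. Group membership may take longer than identities to sync.'
```

Run it from an elevated session on the K2 server with an account that can back up the database and execute the SyncEngine procedures.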