Application Access
Identity
Last synthesized: 2026-02-13 00:55 | Model: gpt-5-mini
Table of Contents
1. Okta SSO: 'user is not assigned to this application' blocking app access
2. Missing product licenses, approvals or invitations preventing access
3. Care / Care Stage: account creation, permissions and environment access issues
4. External / contingent-worker accounts for guest access and collaboration
5. Local network/router issues preventing Okta/SSO, VPN and email access
6. Self Service+ visibility for long-term macOS admin access
7. Azure Portal VM visibility missing due to VM access group membership
8. Microsoft Dataverse table ownership and Dynamics security-role mapping blocking Power App access
9. Third‑party meeting notetaker (Fireflies.ai) auto-joining Teams and persistent Enterprise App assignment
10. Managed Identity missing Microsoft Graph appRole permissions, blocking Sentinel automation
11. Okta OIDC application registration and client credentials provisioning (redirect URI mismatch)
12. Okta dashboard tile linking to wrong portal
13. Jira board/project admin permissions missing after owner departure blocking edits
14. Azure AD / MS Graph application client secret expiring and requiring renewal
15. Azure AD consent policy gap allowing user-consent to high‑privilege Enterprise Apps
16. PebblePad course content and submission permissions controlled by examination office
17. Cost-center approver/owner entries in Workday causing incorrect tool access-request routing
18. Applicant unable to submit 'Anerkennung von Vorleistungen' online form in Bewerbungsportal
19. SSO access blocked by duplicate/conflicting Atlassian accounts
20. Approval routing stuck due to stale Workday cost-center approver mapping
21. No vendor invitation received after corporate SaaS provisioning request (OpenAI/ChatGPT)
22. Shared SaaS subscription provisioning requiring requester-supplied credentials (Midjourney)
23. Internal service portal and sandbox access provisioning and agent role activation
24. Application license requests via self-service requiring correct approver assignment
25. SaaS access blocked by outdated superadmin ownership or missing superadmin contact
26. Vague report/dashboard access request that had no reproducible access failure
27. Third‑party SaaS access stuck because app wasn't in company catalog or approver was unresponsive
28. Access provisioning for internal transfers blocked by incorrect cost‑center selection and per‑app request requirements
29. On‑prem application inaccessible due to unresponsive host blocking data access
30. Copilot for M365 access gated by IT Service Portal automated request/approval workflow
31. Okta application provisioning propagation delay causing Miro login failures
32. Workday tile in Okta returned error where user had multiple IU addresses and Okta account flagged 'PW Reset' (no resolution recorded)
33. Monday.com board-level edit access blocked despite valid licenses
34. Atlassian sign-in failure due to username/character mismatch resolved via Okta SSO dashboard
35. Corporate ChatGPT access blocked by approval workflow and pending invitation acceptance
36. Legacy AcademyFive account and username-based login blocking access
37. Existing Salesforce account with Okta SSO but missing Salesforce profile/roles prevented access
38. Specialist-delivered credentials or invites for third‑party SaaS access
39. Missing role/group membership in internal apps (PowerApps/Custom apps) blocking user tasks
40. Role‑based onboarding automation requiring event sequencing (SalesTechDev)
41. Jira/Atlassian access gated by Automation for Jira approval then admin provisioning
42. External attendees blocked from Teams training by conditional access
43. Application access blocked by missing assignment, pending approval or vendor invitation
44. Power BI Self-Service Portal report access blocked by missing Power BI entitlement and owner-controlled report permissions
45. Access request for unsupported SaaS (Metabase) routed to owning service desk
46. Okta application not present in dashboard blocking GitLab access
47. SSO-linked third‑party SaaS embedded in Salesforce required active Salesforce session for access
48. Salesforce account provisioning and Okta dashboard tile addition using a reference user
49. Confluence space admin access requests, accidental submissions and license guidance
50. myCampus area access blocked by missing area-specific roles requiring escalation and synchronization
51. Access requests for analytics/dev platforms requiring platform‑owner provisioning
52. Confluence account creation and basic access provisioning
53. Jira access missing due to absent Jira product license; project permissions remained separate
54. Access request auto-closed after approval workflow timeout
55. Policy‑gated SaaS provisioning requiring training enrollment (ChatGPT/GPT‑4)
56. Application access owned by a non‑IT team requiring request redirection
57. Jira board access blocked by missing product license and pending approval
58. Adobe Sign SSO access pending invitations and service-mailbox restrictions
59. Miro team membership, license and admin-rights blocking board creation and internal-board access
60. Enterprise SaaS access provisioning after approver approval and license assignment (Miro)
61. Access requests blocked by product being in pilot/internal test (Copilot)
62. Provisioning blocked by vendor license shortage; re-triggered by toggling Okta group membership after license procurement
63. SAML/SSO workspace‑booking app access requests (Deskbird) for campus presence
64. Dataverse / Power Apps: inability to create Dataverse tables due to missing environment permissions/licenses
65. Miro access failures caused by Okta SSO sessions, locked app state or license-seat mismatches
66. Approval workflow links in Automation for Jira were unclickable, causing pending provisioning
67. External lecturer Okta password/authentication blocking Atlassian access
68. Power Apps 'Präferenzabfrage' entry locked or inactive requiring app-team reset
69. SSO login succeeded but missing product license or feature permission blocked full app functionality
70. Jira project invitation redirected to service portal due to missing project assignment or project-level release
71. Requests for licenses or access where Enterprise SSO / Okta already provided the app
72. Applications requiring Self‑Service assignment before content or Okta tile becomes available
73. Access requests stalled by approval/invitation workflows and Automation for Jira closures
74. Permission alignment for internal systems by replicating a reference user's roles
75. Application login errors for services owned by another internal team — routing to the owning service
76. Office add-in blocked by required administrator approval (Zebra BI for Office)
77. Power Platform environment access blocked by missing environment security-group membership
78. SaaS team seats/tokens consumed or deactivated causing lost team access (Claude team seats)
79. Miro Enterprise access missing from Okta dashboard due to license/assignment and approval workflow
80. Corporate ChatGPT/OpenAI access requests stuck in approval or invitation workflow
81. AI SaaS account creation blocked by organization-level restriction (Claude)
82. SSO access loss due to missing Okta app assignment or group membership and short propagation delays
83. Vonage desktop app access and account provisioning for Windows 11 users
84. Approval workflow mis‑handled (accidental approver action causing state confusion)
85. ChatGPT Team account migration and chat-history preservation concerns
86. Automation-for-Jira auto-declined Software Catalog requests when approver was missing or unavailable
87. Time-limited SaaS account provisioning via approval automation (Storyblok)
88. Staging environment access separate from production (EPOS Stage assignment required)
89. User moved teams but app permissions already present — Okta dashboard visibility confusion
90. SaaS access requests resolved by approver approval and invitation/provisioning (ProductFruits, ChatGPT, Calendly)
91. Access requests stalled by missing or unassigned approver in Automation-for-Jira workflows
92. Playground Assistant capacity and instruction-size limits causing imprecise responses
93. LMS365 course creation/editing blocked by missing LMS group membership
94. Trello board admin requests owned by application team — redirect and owner provisioning
95. Service account provisioning stalled by missing Workday cost‑centre approver
96. No existing accounts for multiple internal portals (myCampus, EPOS, CARE) — manual account creation and credential provisioning
97. 1Password access issues: separate master-password/Emergency Key model and account recovery
98. Okta application assignment / user entitlement missing (SaaS provisioning)
99. Okta app access blocked by cost-center / group assignment mismatch (USU)
100. Internal test environment access blocked by pending approval and request channel
101. Post-device-change access and application-specific 403 error (EPOS / d.velop)
102. Corrupted browser profile causing loss of saved credentials and blocked web app access
103. myCampus staff/backend access missing due to absent staff account or permissions
104. SaaS dashboard or workspace access blocked by missing license/entitlement
105. Salesforce new-user provisioning and credential activation for employee onboarding
106. Service account provisioning for Power Automate / Power Apps automation
107. Access requests resolved by sending invitation or direct admin assignment
108. Temporary admin-elevation option not visible in portals — Self Service app required
109. Okta account state or credential reset required after unexplained SSO login failure
110. Access requests for SharePoint‑managed resource ('Index') pending approval outside IT
111. Access blocked by missing group membership, Okta app enablement or reference-user permission mapping
112. Stage environment access to third‑party testing tool required vendor invitations
113. Application access blocked by missing assignment or unapproved provisioning request
114. SSO login failure caused by account deactivation after prolonged inactivity
115. GitLab repository access requested via Atlassian service portal
116. Broad myCampus authentication outage caused by faulty deployment
117. EPOS access failures due to account profile or missing EPOS-specific permissions
118. Power BI / Power App dashboard sharing for academic users using IT groups and RLS
119. Atlassian site access denied despite Okta SSO and asset assignment
120. User/employee visibility missing in Academy Five due to location-specific permission
121. Developer access provisioning in vendor DB portal (MongoDB Atlas) for collection-level use
122. GitLab access activated by enabling the Okta GitLab application for new user
123. SSO group assigned but no provisioned user account in target SaaS (SSO authentication without app user mapping)
124. SaaS access tied to legacy email after legal name/email change
125. Application edit/repository permissions missing (Confluence, GitLab)
126. Account invitation email delivered to junk/spam preventing onboarding (1Password)
127. Lost Confluence spaces and Jira boards after extended absence (SSO/assignment propagation)
128. Access requests for non‑IT‑managed systems (Workday) redirected to product support
129. Scheduled/integration service inactive blocking Twilio Power Outbound calls
130. Missing Jira project permissions blocking basic ticket operations
131. SSO provisioning mismatch causing 'Unknown User' error in DataDog
132. Missing Okta app assignment or account linking preventing dashboard access (Lucid, GitLab)
133. Jira Service Management access redirected to Service Portal due to missing product entitlement
134. Existing account regained access after password reset or invite delivery
135. App access restored by assigning app roles/groups or enabling SSO entitlement
136. SaaS access contingent on formal Software‑Request approval
137. Sandbox / Playground account provisioned by manual invitation
138. LMS course content and progress not visible due to missing LMS permission group
139. Onboarding bulk SaaS access requests with Salesforce provisioning needing a reference user
140. Existing SaaS account but user unable to sign in due to credentials (password reset resolved)
141. Access blocked until both Okta SSO entitlement and application-owner group membership were provisioned
142. Department‑managed course app (Charly) linked from MyCampus but access controlled by Exams Office
143. SaaS access requiring vendor/portal provisioning or separate SelfService request
144. Invitation-based SaaS access blocked by undelivered invite (resend resolved)
145. Jira board/project access controlled by board/project owner rather than central IT
146. External/guest myCampus account access restored via password‑reset for temporary lecturers
147. GitLab repository access granted by group membership
148. Viva Goals blank/white page in browser resolved by private mode or Teams app
149. Onboarding access gaps when specific applications or reference users were omitted from the request
150. Login failures caused by local SaaS password changes instead of using Okta SSO
151. OpenAI / ChatGPT access provisioned via vendor invitation email
152. Care: granting cross‑location access for centralized B2B Customer Service team
153. Access requests blocked by user confusion and duplicate tickets when some entitlements already existed
154. Access to corporate ChatGPT/OpenAI blocked by missing invitation or pending approval
155. Internal developer tool and documentation access blocked by missing Okta tiles or group assignment
156. Conduktor (Kafka topics) access required platform‑owner permission assignment
157. Installed client but no provisioned account or license (VPN / workspace apps)
158. Platform license granted but board/workspace permissions still owner‑controlled (Miro)
159. SharePoint site access denied despite 'Contribute' permission
160. Private SaaS instance access required vendor invitation link
161. Shared mailbox visibility in Outlook required admin grant plus user-side mailbox addition
162. External instructor using private/non‑corporate email unable to sign in to Okta, Office and myCampus
163. macOS local admin privilege required for installing Teams/npm fulfilled via temporary SelfService elevation
164. Expired or invalid SaaS activation link preventing Datadog access despite Okta tile visibility
165. Salesforce onboarding: permission mapping via comparison/reference user
166. Missing Okta application assignment blocking SSO access to SaaS apps
167. Application access controlled by separate product owner (non‑IT) requiring requester redirection
168. New hire unable to sign into Okta/Microsoft 365 due to initial account/authentication state
169. Product-level account provisioned but content/site access remained owner-controlled
170. Okta application assignment, external‑user provisioning and SSO login loops
171. Access blocked by missing invitation or site‑owner controlled invite links
172. SharePoint booking portal and embedded PowerApp access requiring site/App-owner permissions or AAD security-group membership
173. SharePoint thesis-submission workflow with directory-based supervisor/student access
174. Microsoft Bookings access lost after account converted from cloud-only to AD-backed (license propagation issue)
175. Microsoft Loop access requiring admin enablement/whitelisting
176. Cloudya phone features missing after department transfer (function keys unassigned)
177. Salesforce login failed when password-reset link was broken — Okta SSO tile used to regain access
178. Salesforce Case field visibility missing due to mismatched user permissions and manager‑approved change
179. Atlassian Jira board access blocked by board-level lock requiring owner grant
180. Learning Hub (LMS) course access controlled by HR provisioning
181. Expired 1Password activation link prevented account setup; recovery link restored access
182. PDF editing access requests resolved by internal PDF Creator alternative
183. Automated test-account email contained blank credentials; account not found in CARE or Salesforce
184. Calendly invites and group membership caused invisible users; individual developer accounts requested
185. Approval‑routing error in Automation-for‑Jira blocked SaaS provisioning
186. Missing Okta-assigned SaaS access (account not provisioned or tile not launched)
187. Internal wiki edit permissions were owner‑controlled and required owner grant
188. Datadog access stalled by pending approval and incomplete account verification
189. Salesforce access failures: missing Okta tile, password reset and UAT account provisioning
190. M365 Copilot access blocked by automated license provisioning and missing service‑portal request
191. Vendor document system access granted by account provisioning (d.velop)
192. Team membership blocked by missing Team owner and broken approval workflow
193. Access and permission alignment when multiple reference users or duplicate accounts exist (ePost / Epos)
194. SSO login succeeded but workspace/space access remained owner‑controlled (Storyblok)
195. GitLab account provisioning and Okta-backed GitLab Pages authorization
196. Adding SaaS Enterprise apps to a user’s Okta dashboard during onboarding
197. Confluence access request failed because user lacked a product license at time of request
198. Access request where the user already had an account
199. GitLab access restored by assigning application entitlements
200. Automated provisioning blocked by incorrect or missing approver in entitlement workflow
201. Corporate ChatGPT setup failures resolved by reissuing invitation
202. Onboarding and staging/dev environment access provisioning for multiple tools
203. Requested access for an unsupported/alternate vendor (Cloudya) closed after confirming team uses different telephony
204. Stalled Automation-for-Jira application requests resolved by manual app assignment
205. Existing Salesforce account access restored via password reset and Okta/portal sign‑in guidance
206. EPOS role/permission discrepancy resolved by backend role propagation
207. Vendor‑managed delayed account creation for Egencia (onboarding latency)
208. Immediate access granted by manual app assignment or admin unlock (Atlassian API / Okta)
209. Atlassian account and content-permission gaps for users and contractors
210. Expired one-time access links for bot/service accounts
211. Salesforce in‑app feature permission (Callout Builder) granted by admin
212. Okta-linked GitLab account locked — admin unlock restored group access
213. Okta SaaS application provisioning requests: assignments applied or deemed unnecessary
214. Developer tool not configured for corporate SSO (invitation-only access)
215. Missing Okta application entitlement or provisioning causing login failures
216. SSO login succeeds but specific in-app features require product-owner role assignment
217. GitLab SSO access denied due to missing Okta app assignment or OAuth email-visibility
218. Internal tool access provisioned by platform owners with environment scope and reference-user permission mapping
219. Application visibility restricted to a specific corporate account/tenant
220. Invitation-based SaaS account provisioning for vendor-hosted services (no existing account/invite)
221. Software provisioning via application Self‑Service / Service Desk portal
222. Access owned by People Projects / HR or non‑IT teams requiring request redirection
223. Internal portal or project visibility missing due to entitlement mismatch with reference users
224. Confluence environment access vs. page‑level restrictions
225. Salesforce direct-login blocked by missing Salesforce-specific security answer
226. Product-level entitlements and account upgrades applied by specialist teams (Figma, Adobe Creative Cloud)
227. GitLab SSO access denied due to missing Okta app assignment or non‑public GitLab email
228. M365 Copilot license/access request pending enterprise rollout
229. Okta dashboard tile missing despite existing service account (SSO app not assigned)
230. 1Password account unrecognized after long inactivity or email/name change
231. Miro access blocked by deactivated account or missing team invitation
232. Figma Developer Mode access gated by product expert enablement
233. Access requests closed when required approver was missing in Automation-for-Jira workflow
234. Missing SSO tile, vendor invitation or product license blocking SaaS sign‑in
235. Intermittent redirect to IT Service Center when opening Jira Service Management link
236. Automating Azure AD security‑group membership from LMS365 course completion (Power Automate)
237. Miro access problems: Okta app assignment vs board‑level permissions
238. GitHub access provisioned via DevOps Service Desk (Jira Service Management)
239. Vendor/brand‑platform managed shop access and cost‑center billing permissions
240. Miro access blocked by private account or missing enterprise provisioning / Okta link
241. Jira board and service-account access requiring product entitlement or area-owner approvals
242. Confluence space access restored by space/admin permission grant
243. Turnitin iPad app blocked by institutional Apple ID domain restriction
244. Azure AD group membership missing or slow propagation blocking Microsoft Teams login
245. New SaaS account requests and approver routing requiring Self‑Service or approver reassignment
246. Login or in‑app permission gaps resolved by credential reset or explicit permission assignment
247. Confluence product access granted; space-level permissions remain owner-controlled
248. EPOS: missing 'recognitions' role prevented entering recognitions
249. Workday inaccessible via direct link; Okta app launch required for SSO
250. Cross‑system access changes after position change (Care, Vonage, Salesforce)
251. Replicating AD group memberships and assigning Office license to match a reference user
252. Request for PMS access redirected to product owner service portal (non‑IT managed)
253. Okta OIDC client registration for backend web app (Authorization Code + client secret)
254. Jira access redirected to home due to missing extended product license/permission
255. Turnitin account inaccessible after email migration and persistent password-change loop
256. Missing SaaS Admin Center profile — vendor re-invite restored Calendly access and calendar sync
257. Okta application assignment missing prevented Lucidchart access
258. myCampus course access granted by matching Care reference-user permissions
259. CARE / myCampus access blocked by missing CARE Community membership or account-name mismatch
260. Calendly account activation and invitation re‑send for team admins
261. Salesforce access when invitation email not delivered but Okta SSO available
262. IU Shop access audit: verifying Okta/Extra‑Account provisioning for suspected users
263. Applicant portal access blocked by incorrect registration email address
264. Approval workflow approver reassignment during approver absence
265. Onboarding gaps when apps omitted from employee initial-equipment form
266. Freshdesk access provisioned via Workday-controlled group membership
267. Data Warehouse (DWH) access for shared mailboxes required platform-owner provisioning
268. Claude API CLI access blocked by insufficient Claude role assignment
269. Claude team membership/approval stuck on pending invitation
270. Service/system account requests for non‑Okta-managed apps and databases
271. Okta user profile update requested to match upstream Salesforce role
272. Perceived revoked SaaS access when user had an active account but hadn’t used Okta SSO
273. Mixed SSO application assignment and separate environment/role requests (jfrog + multi‑environment AWS roles)
274. Missing Case access in Salesforce despite shown group membership
275. Blank/white page after SAML login due to vendor-side redirect issue
276. Corporate ChatGPT account forced daily password resets resolved by platform update
277. Subscription/procurement stalled by incorrect cost center and missing approvers
278. Request for Atlassian Jira admin rights granted for board and team management
279. Missing 1Password invitation prevented account setup
280. CMS domain/team permissions blocked content creation in Storyblok
281. Missing Okta dashboard tile due to absent application assignment (user could not SSO)
282. Access pending approver/specialist invite for vendor-hosted cloud apps (invite required outside Okta)
283. Vendor account not recognized by organization due to username/email mismatch (Figma, 1Password)
284. Datadog access blocked by missing Okta app assignment or pending approver workflow
285. OpenAI / ChatGPT access issues caused by invitation flow and SSO confusion
286. SaaS workspace ownership transfer when owner is a service mailbox or departed user
287. Metabase account provisioning handled by DevOps Service Desk
288. Cloudinary access limited by account identity (IU vs external partner)
289. Access controlled by application/product owners or vendor teams (owner‑managed access)
290. Access requests auto-declined by Automation for Jira due to missing/incorrect approver
291. OpenAI/ChatGPT account limited‑access flag removed by admin
292. Broad Azure/Intune access requests required scope clarification and constrained approval
293. Application and software access requests pending Automation-for-Jira approval
294. Miro access lost after corporate email change or account-email mismatch
295. Application-specific SSO/login failure reported as 'user not found' with vendor-side bug
296. Okta tile visible but in‑app access blocked by application owner / license or account provisioning
297. CARE (academy5) SSO login failures due to account state or Okta-side configuration
298. Internal invoicing app access blocked by missing user-profile permission
299. Application approval workflow auto-declined AI license requests when approver was missing
300. ChatGPT SSO sign-in loop with Microsoft/Okta resolved by direct company‑email sign-in
301. External contractor onboarding with staged/activation-timed Atlassian account and unclear downstream access
302. Ambiguous Claude (Anthropic) access requests lacking chat vs API scope and distribution-rights clarity
303. Provisioning social‑media editor access via third‑party management (Agorapulse)
304. Salesforce queue visibility blocked by preset list-view filters
305. CampusManagement Service Portal access missing due to absent role assignment
306. Confluence access denied due to identity-provider / account mismatch
307. Salesforce mobile app sign‑in failed when Okta SSO did not complete and no native password was available
308. Internalized vs external account mapping causing permission denial in IT Service Portal
309. No Okta and MyCampus access resolved by account resets
310. SAML response status 'not Success' (Responder/Unauthorized) blocking LinkedIn Learning SSO
311. Third‑party SharePoint destination requiring tenant‑level app grant and security approval (Hightouch)
312. n8n webhook creation prevented by insufficient permissions in connected Jira instance
313. Jira Advanced Roadmaps/plan access still denied unless the plan/page owner granted explicit permission
314. Application Self Service: vendor‑specific pre‑request required before Okta assignment (Salesforce Marketing Cloud)
315. Oasis / Special Considerations: screen‑level permissions and targeted access controls
316. VPN access request via Microsoft My Access Access Package and Company Portal installation
317. Application Self‑Service and Automation-for-Jira approval/routing delays
318. SSO access blocked by missing Okta dynamic/group membership for account type
319. Vendor app login failure resolved by applying application update
320. Zoom–HubSpot integration blocked by requiring Zoom admin install/organization-wide consent
321. CharlyApp showing empty student lists resolved by application-team fix
322. Metabase inaccessible when Okta app and AWS ClientVPN group membership or VPN config were missing
323. Storyblok access required Okta authentication and explicit space assignment
324. External vendor (Simovative) CARE database read access requiring specialist provisioning
325. Deskbird provisioning failed with SCIM error in Okta; reactivating SCIM fixed assignment
326. EPOS 'Buchung beenden' (End booking) permission missing for IT Student Support and then granted
327. Jira permission requests stalled by insufficient requester detail and approval timeout
328. OpenAI / Corporate ChatGPT onboarding: approval and invite inconsistencies
329. Site‑managed digital‑signage (Vineow/ViewNeo) account access held by local site owner
330. HQ intranet (SharePoint) access requests for Walbrook/LIBF area
331. myLIBF login failure via OASIS showing 'Missing Data' for student accounts
332. MyCampus course participant list mismatch blocking grade publication
333. OpenAI / ChatGPT account showing 'Limited Access' and missing Playground after invite
334. Anthropic / Claude invite failed with 'email is already in use' due to duplicate/deleted account
335. Okta dynamic group created from Workday roles (Spendmanager_DYN_Group)
336. Adobe Lightroom mobile/browser SSO failure for single user despite desktop working
337. Company portal missing student record due to Salesforce non-assignment
338. Personal vendor subscription inaccessible when signing in via corporate SSO (identity mapping mismatch)
339. Temporary external contractors needing multi-system developer access and secrets for data migration
340. SSO login broken after account rename/surname change (identity mapping correction fixed access)
341. Manual provisioning and shared‑group/vault assignment requests for small SaaS tools and demo/test accounts
342. Salesforce user provisioning, profile changes and permission-set assignment gaps
343. Service‑Portal and provisioning workflow gaps for SaaS access (Google Analytics, Miro)
344. Team-admin role missing prevented 1Password team invitations
345. Missing vendor Org‑Admin identity blocked Adobe Support ticket access
346. Miro board sharing blocked by instructor account permission state
347. Cross-department collaboration blocked by missing Confluence licenses and cost‑centre charge approval request
348. Content and accounts bound to a personal Adobe ID preventing Enterprise migration
349. Workspace or content access blocked by single-owner/service-account model despite license allocation
350. Limited-test-seat SaaS access for data‑platform tools (DBT Cloud)
351. 1Password vault ownership model prevents removing built-in owners group
352. Okta-managed dynamic groups lacked assignable Owner attribute, breaking PowerApp owner-dependent access
353. Access to apps via a company‑managed/shared account (company-managed assignment)
354. Programmatic SharePoint access blocked for Azure AD client_id (service principal permissions and broken approver workflow)
355. Okta provisioning conflict when user already has vendor account in another instance (SSO account collision)
356. SaaS provisioning blocked by missing workspace or group (Juro onboarding)
357. Marketing Cloud Child Business Unit changes require SalesTech/SalesOps team action
358. EPOS exam-area UI visibility vs assigned roles (exam centers, slots, student data)
359. Metabase access requests owned by DevOps (ticket handoff and routing)
360. Salesforce product-permission requests owned by SalesTech and approval workflow auto-decline
361. Microsoft Clarity / cloud-analytics provisioning requiring security/privacy review and packaging
362. LCC‑managed Power BI Deputatsplaner access issues
363. Mentimeter access blocked by SSO/whitelisting restrictions
364. GitHub Enterprise access requiring group membership and approval
365. Vonage telephony account provisioning and Salesforce record entry
366. ChatGPT / OpenAI: corporate group account not visible after SSO sign‑in
367. SaaS admin role assignment: Monday.com admin privileges granted to requester
368. Access request approvals stuck in Automation for Jira (CC‑Approver) workflow
369. Access requests closed when requester failed to provide required details or respond
370. HTTP 400 when opening internal IT Service Portal from intranet after Okta/portal launch
371. Access requests must be submitted via product‑specific self‑service portals
372. Access requests stalled by missing/incorrect approver, cost‑center or wrong ticket type
373. Requested Okta dashboard tile missing because sandbox has no Okta integration
374. Jira/Atlassian project links redirected to IT Service Portal due to missing project membership or approver workflow
375. SSO launches the main SaaS site but embedded/linkable subcomponents require separate authentication or different owner
376. SonarCloud access blocked by portal/approval workflow (DevOps Portal) rather than immediate entitlement
377. Metabase: Okta SSO sign-in failures and missing in‑app export permissions after migration
378. Provisioning SaaS licenses for shared-mailbox addresses (Mentimeter shared accounts)
379. Automated approval failures and missing SaaS ownership/inventory blocking requests
380. Access provisioning requests submitted with wrong ticket type for new-hire onboarding
381. Expiring SCIM access token for AWS IAM Identity Center interrupted provisioning
382. Twilio ↔ Salesforce call-integration failing with Twilio API 400 'pending Conference Instruction'
383. Travel bookings lost after user name-change in Egencia (account recreation vs. merge)
384. Specialist tool (Guided Conversation Designer) access requires service-portal request
385. Exam / e-assessment platform access lost after platform update (owner-managed by Prüfungsamt)
386. Account provisioning / SSO propagation delays: target-app account creation required
387. Access blocked by missing 2FA (TOTP) on long‑dormant account preventing password reset and app transactions
388. SSO access lost after corporate email change when target SaaS account is managed by HR
389. Shibboleth/SAML school‑login failures with academic vendors (ProQuest / PebblePad)
390. IU Learning Hub (LMS) course resources failing to open due to browser caching or SharePoint permissions
391. Viva Goals (goals.cloud.microsoft.com) access entitlement missing
392. Owner‑ or creator‑managed SaaS resources where IT cannot reassign access
393. Automated provisioning or SSO failures resolved by manual vendor/admin actions or vendor support
394. PMS account and permission requests require vendor/product account‑management forms
395. Salesforce account provisioning by copying a reference user and related SSO permission verification
396. SharePoint file access missing when opening links from a student Salesforce account
397. GitLab access provisioned by account creation and Okta group assignment
398. Legacy ticketing system account absent (OTRS migration)
399. SaaS activation expired verification email with vendor/admin-managed account creation (Salesforce Marketing Cloud)
400. PowerApps invoicing app allowed invoice creation but not viewing previously submitted invoices
401. Service Portal access failed in a single preferred browser after Fastlane setup
402. Automation-for-Jira approval workflows completed by Atlassian Api User assignment
403. Requests routed to IT Service Portal Self‑Service and auto-closed after no requester follow-up
404. Invitation-based SaaS provisioning completed by admin invite and user acceptance
405. Vendor workspace-membership conflict preventing SCIM/Okta provisioning (Mentimeter)
406. Cost‑centre approval workflow routing only to single approver
407. Application Self Service: automated assignment completed via Atlassian API after pending approval
408. CARE application: site-restricted access and missing 'All sites' flag after assignment
409. Azure access granted by replicating another user's subscription roles
410. Application Self‑Service requests stuck in approval or prerequisite workflows
411. Discrepancy between Care/myCampus reporting and Azure AD provisioning preventing AAD group membership
412. Confluence licensing requests cannot be bulk-issued via distribution lists
413. Project/component admin and edit permissions missing in Jira/onCampus resolved by direct grants
414. Confluence sharing blocked for Walbrook/UFred users due to tenant-specific Atlassian group mappings
415. Salesforce profile change required corresponding Okta/Group update
416. Atlassian/Confluence external user blocked from password reset due to missing 2FA and provisioning group
417. Application Self‑Service requests resolved by explicit app entitlement or role assignment
418. Third‑party AI services (OpenAI/ChatGPT/CoPilot) account ownership and IU‑Playground invitations
419. Incorrect product selection in self‑service requests (Marketing Cloud vs Sales Cloud) and integration requests declined
420. Application Self‑Service role approval routing gaps (Ardoq reader/writer vs contributor)
421. Figma license/seat loss resolved by SSO-triggered SCIM provisioning then admin seat allocation
422. RDP/desktop shortcut for on‑prem server appears only when connected to corporate network or VPN (SFIRM server)
423. Granting ChatGPT via Okta group assignment when regular approver unavailable; documentation mismatch
424. Application Self Service requests stalled awaiting approver action then completed via Atlassian API assignment
425. SSO tenant/account mismatch caused JotForm sign-in to use wrong Microsoft identity
426. Application assignment plus user cost‑centre attribute update via Application Self Service
427. Bot/service account Confluence space membership provisioning
428. Assigned Jira issues inaccessible due to missing project membership/role
429. Bulk Okta group membership changes to enable M365 Copilot access
430. Vendor‑managed SaaS SSO failure due to missing vendor account (Egencia)
431. Application Self‑Service approvals processed by Automation‑for‑Jira and Atlassian API assignment
432. Service/bot account access requiring role mapping in production and staging (EPOS automation bot)
433. Application Self‑Service: Atlassian API assignment restored missing app access after Okta changeover or pending approval
434. Vendor account provisioning for JotForm SSO: vendor-side user creation fulfilled SSO request
435. Access request stalled by missing/changed approver and auto‑decline of approval workflow
436. Local client hardware/permission issue (webcam privacy slider) coincident with SSO/login and meeting host errors
437. Onboarding: mixed application entitlement confusion and Salesforce password activation
438. Application integration action blocked by missing role (Oasis 'Push to Workday')
439. Provisioning error created missing project permissions for Jira/Confluence access
440. Procurement‑owned SaaS access requests (Viva Goals) routed outside IT
441. Okta app assignment or app-state (locked) blocking SSO launch to a known account
442. Application feature access denied until role/permission mapping matched a reference user
443. On-site Viewneo digital‑signage access blocked by missing site‑specific credentials and documentation
444. Billing application access lost and escalated to Local Contact Center without technical troubleshooting
445. Browser Google account sign‑in prompt blocked Salesforce click‑to‑dial setup
446. Care provisioning: 'Community' access not selectable for external worker accounts
447. OpenAI Playground access request forwarded to specialist team with no immediate feedback
448. Trello board invite / membership not granting access (invite link or vendor-side board permission issue)
449. Case-management (FS English Thesis) limited-record view due to approver/visibility role mapping
450. GrowthBook access provisioning for service account and requester resolved by product owner
451. Twilio access via Salesforce SSO failed despite password reset and SSO group membership
452. Project-board read-only access: write/visibility controlled by Project Admins (support cannot assign)
453. Access requests stalled when manual provisioning relied on a named product specialist/owner
454. Service mailbox cannot authenticate to vendor app because mailbox is not an Okta user
455. Power Apps blocked when user lacks HR/role attributes (professor) required by the app
456. License‑assignment blocked by UI warning about additional fees when changing agent/dashboard licenses
457. Requests for personal Jira instances or service/API accounts stalled by missing context and approval
458. Viva Goals access lost when dynamic Azure AD license group was missing due to empty Workday-derived attribute
459. Okta admin role lacked permission to edit group memberships
460. Workday Sandbox login fails despite production credentials
461. Viva Engage moderator assignment blocked by role/licensing or community membership
462. SSO works for some vendor shops but a specific shop fails due to vendor-side account state
463. Vendor-side SSO/license visibility mismatch causing lost admin privileges
464. Vendor account provisioning stalled due to missing reference-user information
465. Access requests for non‑IT‑supported apps or missing approver/cost‑center auto‑closed by automation
466. Service accounts, app registrations and tenant‑level governance blocking automation integrations
467. Missing dynamic Azure/AD group membership after account-internalization blocked Service Portal and intranet access
468. Okta-backed shared/service mailbox requested for vendor SSO but self-service and policy prevented immediate provisioning
469. Okta tile visible but launching Jira/Confluence redirected to service portal or denied due to missing product permissions
470. HTTP 404 when launching GitLab via Okta/Jira — workspace or instance-level access routed to DevOps
471. Miro account exists but password‑reset emails not received; Okta Dashboard SSO used as fallback
472. Manual product-owner provisioning for Lucid and Atlassian access
473. GitLab access requests routed to DevOps Service Portal for specialist provisioning
474. Vendor invitation/credential email not received for Twilio access
475. Corporate webshop product missing or broken ordering link (IU Shop business cards)
1. Okta SSO: 'user is not assigned to this application' blocking app access
Solution
Incidents were resolved by restoring the IdP→application assignments and ensuring vendors received the identity, group, license, and attribute data their mappings required. Observed resolutions included:
2. Missing product licenses, approvals or invitations preventing access
Solution
Access incidents were resolved by restoring consistent entitlement, invitation and provisioning state across the identity provider/directory and vendor systems and by coordinating among IdP administrators, licence owners/cost centres, approvers/workspace owners, application owners and vendor support. Observed remediations and outcomes included:
Remediations consistently required tracking until directory and vendor systems fully propagated the corrected entitlement, invitation or provisioning state; the most common final step was ensuring the vendor licence (correct SKU/tier), workspace approval and the IdP‑authenticated account all matched for the user.
3. Care / Care Stage: account creation, permissions and environment access issues
Solution
Access incidents were resolved by reconciling authoritative identity records, restoring or creating downstream accounts and entitlements, completing and validating approval workflows, repairing provisioning integrations, and reassigning applications in the IdP so users and service accounts regained expected capabilities. Key resolution actions included:
Incidents that arose from process failures (for example managers instructed to implement permissions but unfamiliar with the process, absence of a reference user, or approvals that were auto‑closed) were resolved by clarifying the responsible party, supplying or creating a reference permission bundle, re‑opening and applying approved requests, and coordinating follow‑up with product owners so approvals resulted in implemented access.
4. External / contingent-worker accounts for guest access and collaboration
Solution
Recoveries established a single authoritative external‑identity source and end‑to‑end attribute consistency across Workday → Okta → Entra/Azure AD → on‑prem AD. Duplicate, cloud‑only, and misattributed accounts were identified and consolidated, re‑provisioned into the central identity source, merged, or recreated; expired activations and consumed one‑time credentials were confirmed via audit logs and replaced or vaulted with owner/expiration controls. Workday→Okta API mappings and attribute flows were corrected — including contingent‑worker handling, termination‑date propagation, manager sync, and username/UPN/email alignment — and erroneous termination/inactivity values that caused premature deprovisioning were fixed or escalated. Okta writeback behavior and required Workday business‑process permissions were clarified so contact fields behaved consistently for external users; onboarding flows used managed or placeholder addresses or vendor invitations where Workday records lacked emails. Service and bot accounts were represented as contingent‑worker identities or explicitly exempted from automated deprovisioning and their credentials/mailbox access were placed in the enterprise vault (for example 1Password).
When identities spanned tenants or were treated as guests, recoveries either provisioned a corresponding identity in the target tenant or authorized the service principal/guest and then granted the required Teams/SharePoint/group memberships and tenant role entitlements. Cross‑tenant group‑membership failures caused by guests authenticating with a different address were resolved by removing and re‑adding the guest using the invited identity or by provisioning a corresponding local identity so membership and permission checks matched the recorded account. Where apps required Workday employeeID as the mapping key (for example Dataverse/Competency App dashboards), recoveries either populated the missing WorkdayID in HR records, created a reconciled mapping record in Dataverse/Power Apps to associate the guest with the authoritative Workday identity, or provisioned a corresponding internal account so application preferences and competency records appeared in dashboards. Power Platform recoveries also re‑established stale Power Apps connections, cleared client sessions, ensured correct license classes (including premium/license entitlements for external users), synchronized AAD group membership into environment security groups, and reran Power Automate helper flows when group‑membership sync gaps occurred.
Cloud and vendor access recoveries created or synchronized directory/IAM groups and granted project/IAM roles for AWS/GCP to restore console and project access. Okta AccessPacks/PowerPacks and approval flows were verified and reconfigured where required; one‑time or short‑lived credentials that produced “doesn't exist anymore” errors were reissued or replaced with vaulted credentials and the sharing trail was clarified. Mailbox and shared‑mailbox ownership, permissions, and forwarding rules were adjusted so activation and verification emails could be received. Atlassian‑ and SaaS‑specific recoveries consolidated duplicate/self‑registered accounts, corrected vendor emails and product approvals, reassigned seats to the sign‑in account, re‑added users to Confluence spaces and Jira projects, and verified product owner responsibilities. Where access requests were intentionally blocked by corporate data‑protection or intranet policies, recoveries documented the required use case and routed requests for legal and technical approval; in some cases access was denied in accordance with policy.
5. Local network/router issues preventing Okta/SSO, VPN and email access
Solution
Investigations repeatedly found two broad categories of root cause and the support actions that restored access. For network- or ISP-related outages, router restarts or restoration of the user’s Internet service returned connectivity to okta.iu.org, Auth0/MyCampus, and dependent services; support confirmed wider private outages by contacting users through alternate channels (phone or Teams) and provided password-reset instructions and next steps to users’ private email when needed. Remote-session tools were used when possible to reproduce failures and validate restoration. Several incidents involved CDN/routing or ISP changes: logs and user tests showed requests blocked or stalled on the client side and, in multiple cases, access succeeded only when the user connected through a VPN endpoint in Germany, indicating geo/routing/Cloudflare-related delivery issues. Other incidents traced to client-side DNS and filtering (local DNS resolution, pi-hole, adblockers, browser settings including third-party cookie blocking, firewall/antivirus) that prevented app requests after successful SSO; resolving or bypassing those filters restored MyCampus/Auth0 behavior. macOS Jamf Connect OpenID discovery/hostname-resolution failures (for example, errors fetching /.well-known/openid-configuration) were resolved by repairing the JAMF–Okta integration on the backend, which restored Jamf Connect authentication and access to SSO-protected apps. VPN-related access failures were resolved by restoring or re-provisioning VPN profiles: providing the IU_ResetVPN_1.2 VPN/profile package via the Company Portal and having the user install it reinstated VPN tunnels in several cases. Where workstation or PC changes removed VPN profiles or credentials, support verified whether the user had an active VPN profile, reissued access credentials when appropriate, and escalated to Core DevOps when the service-side configuration appeared correct. 
Triage recorded whether failures were network-wide, VPN-profile-related, Jamf/macOS-specific, or caused by client-side DNS/filters to route remediation to ISP/router, VPN provisioning, JAMF–Okta backend repair, client DNS/filter remediation, or DevOps-side investigation.
6. Self Service+ visibility for long-term macOS admin access
Solution
Investigations identified multiple root causes; incidents were resolved by the specific corrective actions summarized below.
After the applicable corrective actions above (group membership fixes, locating/activating minion catalog entries or republishing the catalog and refreshing inventory, reprovisioning elevation components, renewing config profiles and approvals, UI relocation, MFA re‑enrollment, or fixing approver assignments) affected users regained the ability to request admin access and complete installations or updates.
7. Azure Portal VM visibility missing due to VM access group membership
Solution
Access and management-plane visibility were restored by adding affected users, service accounts, or devices to the appropriate Azure AD groups (examples: UIPath VM access group, IUG‑Sec‑Azure‑SynteaB2B, and Windows “Win11” device groups). After Azure AD group membership propagation (typically ~1 hour) the team’s resources became visible in the Azure Portal and users acquired the group-associated permissions, including the ability to create resources and to sign in to Microsoft 365 from new Windows 11 machines. For cases where portal or RBAC changes did not immediately allow host access, VPN access was provisioned for users and VPN connection details were delivered so they could reach VMs for SSH or maintenance. Host-level remediation included granting administrative access on the VM, removing obsolete or unauthorized keys from the VM’s authorized_keys, and onboarding the VM to Microsoft Defender. Stakeholders were notified and access restoration was confirmed.
8. Microsoft Dataverse table ownership and Dynamics security-role mapping blocking Power App access
Solution
Access and visibility incidents were resolved by ensuring callers (users, guest/external accounts, service principals, and application users) had an active Dataverse systemuser record, valid credentials, required privileges, and any needed Power Apps licensing. Specific remediations that were observed to resolve incidents included:
Troubleshooting traces and calls that were used during remediation included PowerShell, Dataverse Web API traces, Graph API queries, Exchange Online PowerShell (for example Get‑DynamicDistributionGroup), and Power Automate traces. Each incident was resolved by restoring the specific missing identity/entity (systemuser, application user, environment group membership), granting the effective Dataverse/Power Platform roles or metadata privileges, fixing licensing or client credentials, or clearing the approval path in the service‑desk/workflow system.
9. Third‑party meeting notetaker (Fireflies.ai) auto-joining Teams and persistent Enterprise App assignment
Solution
The problem was resolved by deleting the automatically created Fireflies account using Fireflies' account deletion procedure and by removing/unassigning the 'fireflies' Enterprise Application from the user's Azure AD applications in myapps.microsoft.com (locating the fireflies tile, opening the tile menu and removing the assignment). After the Fireflies account deletion and app unassignment, the AI no longer appeared as a meeting participant.
10. Managed Identity missing Microsoft Graph appRole permissions blocked Sentinel automation
Solution
Incidents were resolved by matching the integration’s credential type to the API surface (app‑only service principal/managed identity versus delegated user consent) and by granting the exact Microsoft Graph permission type required plus any Azure RBAC roles required by the target resource. For app‑only scenarios, service principals or managed identities received Microsoft Graph application permissions (examples encountered: Policy.ReadWrite.ConditionalAccess, Policy.Read.All, TI.ReadWrite, ChannelMessage.Read.All) and tenant‑level admin consent was applied; Azure RBAC role assignments (for example Microsoft Sentinel Responder or Reader) were added at the resource group/subscription scope. SharePoint backends that previously relied on delegated credentials were converted to Entra ID app registrations using client‑credentials (client secret) and granted appropriate application permissions (Sites.Selected scoped to the site URL when site‑limited access was required, or Sites.Read.All for tenant‑wide); a site‑level Sites.Selected grant was applied in the SharePoint admin center or via Graph so app‑only uploads, listings, and deletes succeeded. Third‑party connectors that used delegated OAuth flows were resolved after the connector’s delegated Graph permissions and OAuth settings (redirect URI, client secret) existed and tenant/admin consent had been granted; when an integration could not be consented by a regular user, tenant administrators either performed admin consent or a service account with the required role was provided to complete the integration (example: n8n → Teams). For non‑Microsoft SaaS connectors, owning teams produced or retrieved provider‑specific API tokens or OAuth credentials and delivered them via the organization’s secret store (SAFE) for connector configuration. 
For Graph surfaces that exposed only one auth type (delegated or application), teams used the supported auth type where acceptable or selected alternate export/compliance APIs; operational mitigations such as pagination, incremental/filtered pulls (for example by lastModifiedDate), and export/aggregation pipelines were applied to reduce throttling and scope exposure.
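A quick way to tell which of the two failure modes above an integration is in (wrong auth type versus missing permission) is to look at the claims of the access token it actually obtained. This is an added example, not code from the original page; it relies on Microsoft identity platform access tokens carrying delegated scopes in `scp` and application permissions in `roles`, and the tokens and the helper `make_constructed_token` are constructed sample data.

```python
import base64
import json


def decode_claims(token):
    """Decode a JWT payload for troubleshooting. The signature is NOT verified,
    so use this only on tokens your own integration has just obtained."""
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a decodable JWT") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def diagnose(token, required, surface):
    """Compare a token with what an API call needs.

    required: permission names the call needs.
    surface:  "application" or "delegated", the auth type the API accepts.
    """
    claims = decode_claims(token)
    # Delegated tokens list scopes in the space-separated "scp" claim;
    # app-only tokens list application permissions in the "roles" array.
    token_type = "delegated" if "scp" in claims else "application"
    if token_type == "delegated":
        granted = set(claims["scp"].split())
    else:
        granted = set(claims.get("roles") or [])
    missing = sorted(set(required) - granted)
    problems = []
    if token_type != surface:
        problems.append("wrong-auth-type")
    if missing:
        problems.append("missing-permission")
    return {
        "token_type": token_type,
        "granted": sorted(granted),
        "missing": missing,
        "problems": problems,
    }


def make_constructed_token(claims):
    """Build an unsigned sample token (constructed test data, not a credential)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "constructed"])


# Constructed samples using permission names mentioned in the section above.
MANAGED_IDENTITY_TOKEN = make_constructed_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Policy.Read.All"]}
)
USER_TOKEN = make_constructed_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read ChannelMessage.Read.All"}
)
UNGRANTED_TOKEN = make_constructed_token({"aud": "https://graph.microsoft.com"})

if __name__ == "__main__":
    needed = ["Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"]
    print(diagnose(MANAGED_IDENTITY_TOKEN, needed, "application"))
    print(diagnose(USER_TOKEN, ["ChannelMessage.Read.All"], "application"))
```

An app-only token with no `roles` claim at all means no application permission has been granted and consented yet, which matches the managed-identity symptom in this section's title.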
11. Okta OIDC application registration and client credentials provisioning (redirect URI mismatch)
Solution
Okta OIDC and SAML registrations, credential provisioning, and targeted troubleshooting were completed across multiple integrations. Applications were created with exact provided names and redirect/callback URIs (including production, non-production/test, and localhost endpoints such as http://localhost:8501 for Streamlit). Confidential clients were provisioned with ClientId/ClientSecret pairs while public clients were created as client-id-only entries with corresponding openid-configuration metadata. Mis-typed or missing redirect/callback URIs and host entries were corrected and successful authentication responses (id, email, email_verified, name, first_name, last_name, id_token) were confirmed during testing, including reproductions on localhost. One OIDC error — “The redirect URI parameter must be an absolute URI” — was resolved by aligning the application's OAuth redirect URI to the Okta Sign‑in redirect URI and redeploying; successful logins followed.
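The redirect URI failures described above (a non-absolute value, or a value that differs from the registered sign-in redirect URI) can be caught before deployment with a small pre-flight check. This is an added example, not code from the original page or from Okta; it assumes the IdP compares redirect URIs as exact strings, and `app.example.test` is a constructed host, while `http://localhost:8501` is the Streamlit endpoint mentioned above.

```python
from urllib.parse import urlsplit


def uri_parts(uri):
    """Split a URI into the components compared below."""
    p = urlsplit(uri)
    # p.port raises ValueError for a non-numeric or out-of-range port.
    return {"scheme": p.scheme.lower(), "host": (p.hostname or "").lower(),
            "port": p.port, "path": p.path, "query": p.query}


def check_redirect_uri(configured, registered):
    """Classify the redirect_uri an app will send against the registered list.

    Returns a dict with "status", the "closest" registered URI and the
    "differences" that explain a mismatch.
    """
    def result(status, closest=None, differences=()):
        return {"status": status, "closest": closest,
                "differences": list(differences)}

    try:
        split = urlsplit(configured)
        want = uri_parts(configured)
    except ValueError:
        return result("unparseable")
    # An absolute web redirect URI needs both a scheme and an authority.
    if not split.scheme or not split.netloc:
        return result("not-absolute")
    # OAuth 2.0 redirect URIs must not carry a fragment.
    if split.fragment:
        return result("has-fragment")
    if configured in registered:
        return result("ok", configured)

    best = None
    for candidate in registered:
        have = uri_parts(candidate)
        diffs = [key for key in want if want[key] != have[key]]
        if "path" in diffs and want["path"].rstrip("/") == have["path"].rstrip("/"):
            diffs[diffs.index("path")] = "trailing-slash"
        if not diffs:
            # Same components, different spelling (letter case of the host
            # or scheme, an empty query marker, and so on).
            diffs = ["literal-form"]
        if best is None or len(diffs) < len(best[1]):
            best = (candidate, diffs)
    return result("mismatch", *best) if best else result("mismatch")


# Constructed registration list for the example.
REGISTERED = ["https://app.example.test/oauth/callback", "http://localhost:8501"]

if __name__ == "__main__":
    for uri in ["/oauth/callback", "http://localhost:8501/",
                "http://app.example.test/oauth/callback"]:
        print(uri, "->", check_redirect_uri(uri, REGISTERED))
```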
Service and connector credentials were created with least-privileged scopes where requested and stored in the organization secret store (safe.app). A connector to Wiz was configured to grant Wiz read-only scanning access to Okta; the required connector credentials/secrets were supplied via the safe.app secret store and the integration was validated per Wiz documentation. Other integrations received similar handling: one API credential was limited to read-only User permissions and verified in the Okta Admin Console. Vendor-specific expectations and quirks were recorded: the Netbird client required a client‑secret‑less flow plus an Okta API token (NETBIRD_IDP_MGMT_EXTRA_API_TOKEN) and returned errors when that token was missing; Storyblok required changing its expected SAML Entity ID from “IU Group N.V.” to “IUGroupNV” and Okta metadata.xml was provided to the vendor.
An external-developer AWS federation case that produced errors including “Issuer not present in specified provider”, AuthSamlInvalidSamlResponseException, and “InvalidIdentityToken” was resolved by correcting application assignments and federation metadata; downstream access (for example GitLab) was restored after the applications were assigned to the user. Access controls were applied by assigning only specified users where whitelists were requested and by excluding particular groups when required (for example IU - UFRED and LIBF were omitted from a SynIO app assignment). An OIDC application for Marketing Intelligence AI Agents was created for production and development; redirect endpoints and ClientId/ClientSecret pairs were stored in the organization secret store and the application was integrated with Jira Self Service for approver-managed access. For a Twilio issue routed through Salesforce SSO that produced a persistent page error, screenshots and client-side troubleshooting were captured while awaiting user confirmation. For Metabase (Pro license), SAML SSO and SCIM provisioning metadata (SAML Single sign‑on URL and Entity ID, SCIM endpoint and token) were obtained from the Metabase Admin panel, SSO and SCIM provisioning were completed, and Metabase was added to the application self‑service dropdown so users could request access.
12. Okta dashboard tile linking to wrong portal
Solution
Tile and downstream access problems were resolved by correcting tile configurations and target URLs, adding missing tiles created during provisioning, and separating distinct portals into individual tiles so each tile pointed to the intended endpoint. Third‑party apps that returned HTTP errors or failed to launch (for example LinkedIn Learning) were resolved by enabling and validating SSO so tiles opened the correct destinations. In cases where users reached non‑production endpoints despite successful Okta SSO, directing users to the production endpoint removed the authentication symptom after Okta logs showed no SSO errors. Browser‑specific rendering issues (notably Viva Goals in Firefox) were avoided by using alternate browsers; a Jira launch error was cleared after removing stale Okta/Atlassian cookies and browser cache so subsequent launches used Okta SSO. Role and group mapping questions were clarified where applicable (for example a USU user’s access was granted through the configured 'USU KnowledgeCenter' app rather than a separate 'USU HelpCenter'). Duplicate or ambiguous display names were disambiguated by renaming Okta app tiles (for example relabeling two Qualtrics tiles to “Qualtrics Customer Experience” and “Qualtrics Employee Experience”); the relabeling was applied by the specialist team and confirmed by the requester. A UI expectation issue was also resolved when a user could access the Okta dashboard from the Okta mobile app but could not find an equivalent quick‑launch button on a laptop; access was achieved by signing into the Okta web portal (https://okta.iu.org/) from a browser so the dashboard was available in the desktop environment.
13. Jira board/project admin permissions missing after owner departure blocking edits
Solution
Access and permission failures were resolved after identities, product entitlements, tenant/site privileges, and project/board roles were restored or corrected and IdP/group mappings and account provisioning were fixed so entitlements applied to the intended identities. Service Portal access had been granted in cases where users could view requests but not edit them; editing, changing assignees, or moving issues between boards was restored only after the board owner granted board edit permissions or added the user to the required project/board role or group. JSM-specific failures (unable to be selected as assignee or to post customer-visible comments) were resolved by assigning the appropriate JSM project role or granting the agent product entitlement. Orphaned projects, hidden boards, and blank Confluence space pages regained visibility after project-role reassignments, owner transfers, or broadening board filters to include referenced issues. Visibility blocked by Issue Security Levels was restored by adding users to the relevant issue-security-scheme memberships. Pending automation approvals and approver-blocking workflows were cleared either by executing the pending approvals or by granting the required approver/project role. Service accounts, automation agents, and API integrations were placed into correct IdP groups, reprovisioned/resynced, and stale or duplicate accounts were consolidated; when global admin rights were inappropriate, integrations used shared service-account API tokens held in the organization’s secret store or specialist teams completed tenant-scoped changes. Routine elevated operations were performed by project admins or specialist teams and, in a few cases, temporary Jira admin rights were granted when no other path existed. 
Permission and provisioning changes typically propagated within minutes; several incidents were closed after administrators granted the missing project/issue permissions that had caused redirection from issue URLs to the Jira start page.
14. Azure AD / MS Graph application client secret expiring and requiring renewal
Solution
Expired or invalid application credentials for Azure AD app registrations and third-party integrations were replaced. For an MS Graph application (client ID adb86181-f837-4230-aa2d-ea400b2e77b8) a specialist created a new client secret and delivered it via a single-use retrieval link; the requester retrieved and validated the secret. A Microsoft Teams integration between IU and LIBF tenants (app coursefeedanalytics_libfdevapp) was restored after the required TENANT_ID, CLIENT_ID, and CLIENT_SECRET were provided for the app registration. An Okta→JFrog integration was fixed when the DevOps team supplied a new JFrog API token and the token was updated in Okta; Okta authentication then succeeded and JFrog was accessible via https://okta.iu.org/. Tickets were closed after confirmation that authentication and service access were restored.
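Outages like these can be anticipated by scanning an export of app registrations for client secrets that are expired or close to expiry. This is an added example, not code from the original page; it assumes the export contains Microsoft Graph `application` objects with their `passwordCredentials` (`keyId`, `endDateTime`), and every app name, id and date below is constructed.

```python
from datetime import datetime, timedelta, timezone


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, e.g. 2026-03-01T00:00:00Z, with or
    without fractional seconds (Graph may return up to 7 digits)."""
    main, _, frac = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)


def secret_report(applications, now, warn_days=30):
    """List client secrets that are expired or expire within warn_days."""
    horizon = now + timedelta(days=warn_days)
    rows = []
    for app in applications:
        creds = [(c, parse_graph_time(c["endDateTime"]))
                 for c in app.get("passwordCredentials") or []]
        for cred, end in creds:
            if end > horizon:
                continue  # still valid beyond the warning window
            # A replacement secret may already exist on the registration.
            # The consuming integration must still be switched over to it.
            covered = any(other_end > horizon
                          for other, other_end in creds if other is not cred)
            rows.append({
                "app_id": app["appId"],
                "app_name": app["displayName"],
                "key_id": cred["keyId"],
                "status": "expired" if end <= now else "expiring",
                "days_left": (end - now).days,
                "covered_by_newer_secret": covered,
            })
    # Secrets with no replacement come first, most urgent at the top.
    rows.sort(key=lambda r: (r["covered_by_newer_secret"], r["days_left"]))
    return rows


# Constructed sample export (not real tenant data).
NOW = datetime(2026, 2, 13, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-00000000000a",
     "displayName": "constructed-graph-reader",
     "passwordCredentials": [
         {"keyId": "k-a1", "endDateTime": "2026-02-20T00:00:00Z"}]},
    {"appId": "00000000-0000-0000-0000-00000000000b",
     "displayName": "constructed-teams-feed",
     "passwordCredentials": [
         {"keyId": "k-b-old", "endDateTime": "2026-01-14T00:00:00Z"},
         {"keyId": "k-b-new", "endDateTime": "2027-01-14T00:00:00.0000000Z"}]},
    {"appId": "00000000-0000-0000-0000-00000000000c",
     "displayName": "constructed-no-secrets",
     "passwordCredentials": []},
    {"appId": "00000000-0000-0000-0000-00000000000d",
     "displayName": "constructed-healthy",
     "passwordCredentials": [
         {"keyId": "k-d1", "endDateTime": "2026-09-01T00:00:00Z"}]},
]

if __name__ == "__main__":
    for row in secret_report(SAMPLE_APPS, NOW):
        print(row)
```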
15. Azure AD consent policy gap allowing user-consent to high‑privilege Enterprise Apps
Solution
The issue was resolved by restricting broad user consent and routing high‑privilege consent through Azure AD's admin consent workflow. The tenant's Enterprise applications 'User consent for applications' setting was changed to block user consent for apps that requested offline_access, Microsoft Graph *.All scopes, or collaboration write scopes. The built‑in Admin consent requests feature was enabled and integration with Automation for Jira was configured so consent requests generated approval tickets. A retrospective audit was performed by exporting oauth2PermissionGrants and appRoleAssignments via Microsoft Graph queries and AzureAD PowerShell; inappropriate grants were revoked, and future consent requests for the targeted scopes were required to obtain an approved admin consent ticket.
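The retrospective audit step, as an added example (not the organization's own tooling): it triages an exported oauth2PermissionGrants collection against the three targeted scope classes. The collaboration-write list, the revoke/verify triage, the function names and every id in the sample export are assumptions made for illustration.

```python
import json

# Assumption: what counts as a "collaboration write scope". The page does not
# enumerate them; adjust both sets to the tenant's own policy.
COLLAB_RESOURCES = {"files", "sites", "mail", "calendars", "chat",
                    "channelmessage", "team", "notes"}
WRITE_ACTIONS = {"readwrite", "write", "send"}

# Constructed sample in the shape of GET /v1.0/oauth2PermissionGrants.
# The Graph service principal object id differs per tenant, so it is a parameter.
GRAPH_SP_ID = "sp-graph"
SAMPLE_EXPORT = json.dumps({"value": [
    {"id": "g-001", "clientId": "sp-notetaker", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "sp-graph",
     "scope": " openid profile offline_access Calendars.ReadWrite"},
    {"id": "g-002", "clientId": "sp-notetaker", "consentType": "Principal",
     "principalId": "user-b", "resourceId": "sp-graph",
     "scope": "User.Read OnlineMeetings.Read"},
    {"id": "g-003", "clientId": "sp-reporting", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "Directory.Read.All Sites.ReadWrite.All"},
    {"id": "g-004", "clientId": "sp-lob", "consentType": "Principal",
     "principalId": "user-c", "resourceId": "sp-internal-api",
     "scope": "Reports.Read.All"},
    {"id": "g-005", "clientId": "sp-notetaker", "consentType": "Principal",
     "principalId": "user-c", "resourceId": "sp-graph", "scope": "Mail.Send"},
]})


def scope_reasons(scope, is_graph):
    """Return the policy rules that a single delegated scope name trips."""
    name = scope.lower()
    parts = name.split(".")
    reasons = []
    if name == "offline_access":
        reasons.append("offline_access")
    # The *.All rule is limited to grants on the Microsoft Graph resource.
    if is_graph and len(parts) > 1 and parts[-1] == "all":
        reasons.append("graph_all")
    if len(parts) >= 2 and parts[0] in COLLAB_RESOURCES and parts[1] in WRITE_ACTIONS:
        reasons.append("collab_write")
    return reasons


def audit_grants(export_json, graph_sp_id):
    """Return one finding per grant that holds at least one targeted scope."""
    findings = []
    for grant in json.loads(export_json).get("value", []):
        is_graph = grant.get("resourceId") == graph_sp_id
        flagged = {}
        # 'scope' is a single space-separated string, often with a leading space.
        for scope in (grant.get("scope") or "").split():
            reasons = scope_reasons(scope, is_graph)
            if reasons:
                flagged[scope] = reasons
        if not flagged:
            continue
        user_consented = grant.get("consentType") == "Principal"
        findings.append({
            "grant_id": grant["id"],
            "client_sp": grant["clientId"],
            "principal": grant.get("principalId") if user_consented else None,
            # Assumed triage: a per-user grant was never reviewed by an admin,
            # so it is a revocation candidate; a tenant-wide grant needs a
            # matching approved admin consent ticket.
            "action": "revoke_candidate" if user_consented else "verify_ticket",
            "flagged": flagged,
        })
    findings.sort(key=lambda f: (f["action"] != "revoke_candidate", f["grant_id"]))
    return findings


def users_per_app(findings):
    """Map each client service principal to the users who self-consented."""
    apps = {}
    for finding in findings:
        if finding["action"] == "revoke_candidate":
            apps.setdefault(finding["client_sp"], set()).add(finding["principal"])
    return apps


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_EXPORT, GRAPH_SP_ID):
        print(finding["action"], finding["grant_id"], finding["client_sp"],
              sorted(finding["flagged"]))
```

Grant g-004 is deliberately left unflagged: its `.All` scope belongs to a non-Graph resource, which is why the Graph service principal id has to be resolved for the tenant before the export is triaged.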
16. PebblePad course content and submission permissions controlled by examination office
Solution
Support verified they did not hold administrative rights to change course- or application-level permissions and routed affected users to the non‑IT teams owning the learning, exam and assessment applications. Support provided contact addresses and knowledge‑base references and, in individual cases, forwarded tickets to Fachteam/specialist teams for an access check. Key owning teams and contacts used in resolutions included: akad-pruefungsamt@iu.org for Online‑Examen/iubh-onlineexams account and permission issues; pruefungsamt-fernstudium@iu.org and assessment-tool-operation@iu.org for central examination and assessment‑tool operations; the Zentrales Prüfungsamt service board (Jira Service Management) for additional central exam contacts; zpa-dualesstudium@iu.org and lehrende-pruefungsmanagement-dualesstudium@iu.org for dual‑study exam administration and Charly; the Lecturer & Course Coordination (LCC) Service Portal (example: BUGR01) for course booking and lecturer requests to grant student access to IU Learn materials; and people-project@iu.org for IU Learning Hub and IU Upskilling matters. In some cases tickets recorded Automation for Jira approval-workflow entries or other pending approval states; resolutions involved the examination office re-checking approval/authorization status and correcting course/application permissions. Tickets were closed after users acknowledged the guidance or after no response within the ticketing SLA when applicable.
17. Cost-center approver/owner entries in Workday causing incorrect tool access-request routing
Solution
Support traced misrouted approvals to approver/owner entries authored in Workday and to application-specific routing records that propagated downstream; the IT service portal’s approver field was not editable so selected cost centers or application routing entries determined the approver. Observed symptoms included departed or irrelevant approvers receiving requests, approvers receiving requests they could not open (portal error: "No access / You do not have permission to view this request"), approvers cancelling requests, and approvers receiving frequent unrelated approval notifications. Remediations were grouped into permanent fixes and immediate/workaround actions.
Permanent fixes: Workday/HR cost-center ownership entries were corrected so the intended approver propagated downstream; employment status and entitlement were verified when a nominated approver could not be reached or lacked permissions; requesters who had selected the wrong cost center were asked to recreate requests with the correct Workday cost-center reference; where application-level routing was incorrect (for example a module tutor in Syntea/Synthea), the application routing record was updated so requests were delivered to the current owner.
Immediate/workaround actions: incorrect approver assignments were removed directly from affected Jira tickets to stop recurring notifications; Okta assignments or app-specific admin-group membership were adjusted so application approvals and provisioning could proceed without changing Workday records; affected requests were reassigned inside the application when applicable (for example reassigning a Syntea module to the new tutor). Where applicable, users were advised to contact Workday support or HR (for example: wd-support@careerpartner.eu) or their manager/HR to remove erroneous approver assignments.
18. Applicant unable to submit 'Anerkennung von Vorleistungen' online form in Bewerbungsportal
Solution
Requesters who could not submit the 'Anerkennung von Vorleistungen' online form were referred to the Bewerbungsportal support team (careerpartner servicedesk) and given the servicedesk URL so they could create a support request in the Bewerbungsportal queue; the IT ops ticket was closed after that referral. For applicants who reported login failures — including reports that contained the error code STUDY_INFO_CANT_REACH and the message “no booking info available” (often accompanied by JSON fields and browser details) — IT confirmed the applicant portal was not supported by the IT Service Portal and instructed reporters to open a support request via the IU Meldeportal (Jira Service Management). In all cases IT ops recorded the relevant context (browser, timestamps, Salesforce opportunity when present) and concluded by redirecting the requester to the appropriate Bewerbungsportal or IU Meldeportal support channel before closing the IT ops ticket.
19. SSO access blocked by duplicate/conflicting Atlassian accounts
Solution
Investigations identified two common root causes: duplicate or conflicting identities (multiple Jira/Atlassian profiles or legacy external .ext accounts) and provisioning/mapping errors during renames or app assignments. Resolutions included aligning users to the SSO‑managed identity and removing or disabling duplicate accounts where feasible; when legacy accounts remained for migration, support provisioned equivalent permissions on the SSO account or provisioned the legacy account as required. Teams corrected SCIM/Entra/Azure/Okta provisioning so username and email attributes matched the SSO identity, eliminating cases that forced users to sign in with a .ext address. For workflow approvals, setting the correct Jira profile as the approver and reproducing the session/profile selection during escalations revealed underlying duplicate‑identity or username mismatches. In non‑Atlassian cases (GitLab), access was restored by reassigning the correct Okta account to the GitLab app when an email typo had linked the wrong account and by deactivating the incorrect account.
20. Approval routing stuck due to stale Workday cost-center approver mapping
Solution
Investigations found routing failures caused by stale, missing, or incorrect approver/manager data across identity and approval sources (Workday cost-center mappings, Microsoft MyAccess approver lists, and Jira project/location assignment fields). Resolutions included removing departed or incorrect approvers and reassigning correct approvers so approval workflows resumed routing: Workday cost-center approver entries were corrected so Jira imports and Automation for Jira resumed approvals; Microsoft MyAccess approver lists were cleaned (departed approvers removed from AWS Access Groups and groups reassigned to current approvers); and Jira project/location fields (Real Estate Manager / Key‑User, location assignments) were updated to stop tickets being routed to former owners. When approvals were blocking provisioning, administrators completed access manually (direct Okta application assignment or invitation) and recorded manager approvals in the IT Service Portal after approver mappings were corrected. In some cases users had been granted Workday approval permissions they should not have had (for example trainees receiving invoice-approval tasks); those permission removals were handled by Workday support rather than IT (contact address used: wd-support@iu.org), and some Automation for Jira tickets were auto-closed without confirmation of the change. Affected systems referenced in these resolutions included Workday, Microsoft MyAccess, Jira Service Management and Automation for Jira, AWS Access Groups, Okta provisioning, Confluence, and the IT Service Portal (SDesk).
21. No vendor invitation received after corporate SaaS provisioning request (OpenAI/ChatGPT)
Solution
Issues were resolved by restoring the vendor-side invitation and identity state so the vendor recognized the institutional account and assigned tenant/project membership or licenses. Support removed stale or expired invites, reissued or resent invitation links (including sending invites directly when provisioning web forms were blocked with “Your response has already been submitted”), and confirmed invite acceptance when vendor UIs still showed users as unaccepted. Administrators added users to the workspace/default project or assigned required licenses so tenant-level features and the model-selection UI returned (covering ChatGPT product vs OpenAI API/Playground and GPT‑4 access). When existing vendor accounts prevented corporate membership, vendor password resets, replacement invites, or vendor‑side account merges resolved conflicts caused by personal Google‑linked free accounts; support also clarified when accounts were not federated so users signed in with vendor credentials rather than SSO. Support corrected incorrect email or display-name mappings, cleared or completed blocked approval workflows, remediated related authorization errors (for example SharePoint access‑denied on provisioning links), and had users sign out and sign back in so vendor permissions refreshed. Support also advised checking spam folders, provided product-specific links (Chat Playground vs OpenAI API/Playground), and supplied internal request or admission links when available.
22. Shared SaaS subscription provisioning requiring requester-supplied credentials (Midjourney)
Solution
Support observed a small set of recurring outcomes determined by whether usable shared credentials existed, whether the vendor supported team/shared seats, whether identity provider/SSO mapping prevented non‑owner logins, and whether Procurement owned/stored credentials. Resolutions recorded which of those constraints applied and followed one of these outcomes:
Additional observed nuance from Calendly: an invitation sent to a credentialless/functional shared mailbox produced a password prompt that could not be completed because the mailbox had no password, but the invitation email enabled a named user to accept and manage the service by signing in via Okta SSO with their own account when the vendor supported that flow. Support therefore noted that some vendors (for example, Calendly) were effectively incompatible with passwordless functional/shared mailboxes for direct mailbox sign‑in, but invitations landing in those mailboxes could sometimes be accepted by a human who authenticated with org SSO.
Where IT did not manage vendor budgets or accounts (for example, Lieferando), support declined to provide access and advised using a personal account and submitting an expense claim via Workday. Each ticket recorded whether shared credentials existed, whether vendor supported team/shared seats, whether SSO mapping blocked non‑owner logins, whether Procurement owned or stored credentials, and whether a budget needed to be assigned; the chosen resolution reflected those constraints.
23. Internal service portal and sandbox access provisioning and agent role activation
Solution
Access was restored through a combination of automated and manual provisioning actions. In some cases Application Self Service/Automation for Jira triggered an Atlassian Api User system action that assigned the requested non‑production application to the user. Other incidents were resolved by recreating or reactivating missing accounts (including CARE/myCampus) and confirming successful authentications after password resets. Okta visibility was restored by relinking or re‑adding app assignments to user Okta accounts, directing users to umbrella Okta portals when appropriate, and re‑exposing hidden dev/stage/UAT app tiles. Where role propagation failed between environments, teams either restored automated data‑syncs or manually applied missing authorization roles in non‑production instances (including restoring Hyperion EPOS links such as epos_be.ds-exam and epos_fe.ds-exam). Jira Service Management access issues were resolved by assigning missing JSM licenses, granting Agent/User or Admin roles, adding users to portal or team access groups, and completing pending Automation for Jira approvals so users could view/assign/answer/close tickets. When access‑request forms lacked selectable options or agents could not forward tickets, users were asked to resubmit via the responsible service portal and specialists provisioned environment accounts (including multiple test accounts when requested) and communicated access details. Corporate software distribution problems were resolved by publishing applications to the Company Portal and granting access; for macOS, support supplied installer packages directly, granted temporary admin elevation for installation when needed, and delivered license keys via Save App. Support‑board and dashboard permission problems were resolved by granting the appropriate board/dashboard permissions.
Restored access was confirmed by successful logins, restored application visibility, presence of roles/permissions in non‑production environments, ability to download/install software, and ability to view/edit/assign/close tickets.
24. Application license requests via self-service requiring correct approver assignment
Solution
Pending or blocked self-service application and license requests were resolved by restoring correct approver assignments and correcting Automation for Jira assignee/CC-approver values so approvals routed to the user's manager or primary cost-center approver. Automation for Jira had generated explicit 'missing approver' notifications and automatically closed or declined approval-type tickets when no approver was recorded or when approval windows expired (~14 days); staff identified the appropriate approver, updated approver and cost-center metadata (Workday was used as the source of truth for cost-center data), and re-routed or re-opened approval workflows so approvals could complete. In at least one renewal case users self-activated/renewed access without IT intervention and the request was closed as completed. For SSO/Okta-managed applications support teams enabled the app entry and assigned users to existing or newly-created Okta access groups or Azure AD groups so the app surfaced on the Okta dashboard or the Application Self-Service portal; enabling and assignment typically propagated in approximately 5–10 minutes. Directory- and device-managed licenses were assigned via Active Directory/Intune and delivered through Company Portal when applicable; when full licenses were unavailable users were sometimes given limited or viewing-only access or assigned team/subscription accounts. Where provisioning required explicit AD-group membership a preexisting Azure AD group (for example ApplicationRight_Adobe-Sign) was used and inventory/cost-center mappings were reconciled with the internal inventory system. Requests that were procurement-related or already covered by institutional capabilities were redirected or declined. Resolved tickets recorded confirmed delivery of the license/subscription or completion of access provisioning and how the user would access the service (for example, via the Okta dashboard, an emailed password/setup link, or a team account).
25. SaaS access blocked by outdated superadmin ownership or missing superadmin contact
Solution
Access issues were resolved by identifying who controlled tenant-, site-, or business‑manager‑level administration and correcting stale or restrictive approvals, authorizations, and SSO/license state. Specific outcomes included adding administrators to superadmin/rosters to restore onboarding and experiment access in AB Tasty; authorizing Atlassian MCP on site-level Atlassian sites so the Claude integration could access Jira/Confluence; addressing a Canva outage where zero group members and unavailable licenses coincided with a shared account by temporarily permitting email/password sign‑in until SSO and licensing were corrected; transferring Viewneo access by updating an existing special “Extra” account email so the requester could sign in when the interface blocked adding users; and changing a Meta Business Manager setting that had blocked assigning developer/admin rights so the IU Meta account could obtain developer permissions and complete a WhatsApp integration. For marketing/email platforms (CleverReach), efforts included locating the account owner and escalating to a specialist; in at least one case no copy of a requested November 2023 mailing could be recovered because no staff retained access to the CleverReach instance and no archive was available. When account ownership could not be re-established, resolution required vendor or specialist intervention and sometimes concluded without recoverable content.
26. Vague report/dashboard access request that had no reproducible access failure
Solution
Support attempted to reproduce reported access failures by signing in to the named dashboard, report, or application with the user’s account and by confirming whether the content or app was accessible. When users could not identify the exact resource, support requested the resource name and escalated tickets to specialists or the owning team for deeper investigation. Power BI or Microsoft Fabric incidents that referenced row‑level security (RLS) were forwarded to the specialist team and users were directed to obtain access from the report owner. For Confluence and other collaboration platforms, support verified the user’s license/status and general account access before closing or handing off the ticket. For Company Portal–published applications, support verified whether the app was published and where it appeared (for example, Webex appeared under the Windows 11 section) and noted documentation inaccuracies about approval requirements. For Okta‑launched applications, support checked application assignments and provisioning in the Okta dashboard and confirmed access by having users launch the app through Okta (for example, Cursor access was resolved by confirming assignment and launching via Okta). For third‑party consumer web services (for example LinkedIn), support suggested browser‑level troubleshooting such as trying a different browser, clearing cookies/cache, and disabling tracking or adding the site to tracking exceptions; where the service was outside IT ownership, users were directed to the vendor or owning team via Jira Service Management. Where no reproducible error was present, support documented transient access failures and noted when Okta profile reviews showed no misconfiguration and access later succeeded after retry. Tickets were closed after users confirmed access, after handoff to the owning or specialist team, or when there was no user follow‑up.
27. Third‑party SaaS access stuck because app wasn't in company catalog or approver was unresponsive
Solution
Support cleared stalled approval requests using approaches tailored to the cause. When the app or sandbox was missing from the company software catalogue, requesters were directed to the owning team’s service portal or support logged a new software/sandbox request that documented required users and integration/feature requirements (for example Workday integration, mobile barcode scanning). Administrators sometimes enabled/whitelisted and published the application or sandbox to the company portal; published entries typically appeared in the portal within about 30 minutes. When approvals were delayed by incorrect or unresponsive approvers, support reopened or rerouted approvals by updating the approver in Automation for Jira; in some cases designated approvers completed approval directly in the SaaS which finished provisioning. Where automated approval routes failed or requests had timed out, support performed manual provisioning actions to complete access: adding users to the company‑managed account in the SaaS, adding the app to users’ Okta dashboards/assignments, re‑enabling accounts, or sending direct invites/emails. Support observed that some Automation for Jira requests auto-declined after the 14‑day approval window and could not be reopened, and that some tickets routed to specialist teams were closed as 'Won't Do' or otherwise declined without provisioning; resolution-label mismatches were noted when an approver had granted access but the ticket was still marked 'Won't Do'. For software using form‑based license mapping, selecting the correct license variant (for example 'Miro (Free Restricted)') resulted in automatic license assignment once the form was approved. Tickets sometimes contained a 'request timeout' comment even when a later approval or correct form selection caused provisioning; when Okta already showed an assignment, support verified the assignment, informed the requester that the application was available, and closed the ticket.
28. Access provisioning for internal transfers blocked by incorrect cost‑center selection and per‑app request requirements
Solution
Support verified the user’s new department/cost‑center and new position with the previous team lead and checked Workday status before applying identity or group changes; provisioning that depended on Workday or cost‑center data was held until the HR record, approvals and job description were present. Users were informed when particular tools required separate self‑service requests (for example Miro and BIC). When access requests were blocked by incorrect approver assignment, the approver was changed to the manager so the request could complete. For urgent onboarding where HR data or cost‑center was not yet available, specialists temporarily provisioned access by directly assigning the application in Okta and recorded authorized exceptions in the approval workflow (Jira). Role‑aligned permissions were set by mirroring a comparable reference user’s rights when available, and application‑level permissions were adjusted for systems that maintain internal permission models (for example EPOS and Salesforce role scopes). Telephony issues were investigated for account‑state problems: a deactivated Vonage account was identified as the cause when Salesforce refused to register/update the telephony entry; telephony tasks were resolved by reactivating or recreating the telephony record/extension, assigning external numbers, re‑issuing activation emails or performing password resets as required, and confirming provisioning in the telephony system. Shared mailbox access was granted through Exchange/Office365 mailbox permissions. Tickets were closed after the correct cost‑center and Workday status or required confirmations were present and the requested application, mailbox or telephony access had been provisioned.
29. On‑prem application inaccessible due to unresponsive host blocking data access
Solution
IT restarted (powered on) the e-test server, which restored access to the E-test admin application. The user moved all scanned documents from the application to the designated network shared drive while access was available. After confirmation that files were successfully transferred, IT powered the server off again and the incident was closed.
30. Copilot for M365 access gated by IT Service Portal automated request/approval workflow
Solution
Access failures were traced to multiple, distinct causes and were resolved with actions specific to each cause. Requests submitted via generic or incorrect portal forms were reprocessed after support identified them and the requester submitted the dedicated Copilot for M365/Application Self Service request; generic tickets that were not resubmitted were closed as “Won’t Do.” Tickets stuck in Automation for Jira approval workflows were cleared by reassigning or adding alternate approvers so an approver took ownership; once approved, provisioning proceeded. Enterprise application assignment was performed either by administrator assignment in Azure AD or programmatically (via the Atlassian API) when appropriate; where preview licenses could not be assigned, users were informed of license‑unavailable status or explicitly added to a preview user group. Some automatic provisioning dependencies were recorded as gated on completion of designated Learning Hub courses; support recorded the gate and removed it only after course completion was confirmed. Support also recorded that requesters had to personally accept Microsoft’s Copilot terms of use before activation and warned users not to include GDPR‑relevant data in prompts. Microsoft activation was observed to take up to ~48 hours. For Copilot Studio/playground access, support provided temporary credentials and a seven‑day time‑limited link and treated the playground as a test environment; moving any bot or configuration to production required a separate request. Tenancy and admin‑account requests were resolved by clarifying tenant decisions (for example, using a single tenant and reusing existing accounts) or by creating admin accounts where required.
31. Okta application provisioning propagation delay causing Miro login failures
Solution
Access failures were resolved by repairing or restoring identity provisioning and SSO integrations and by correcting account- and assignment-related conflicts; in one case a GitLab outage cleared after a short wait. For Miro, support restored access by enabling or creating the enterprise Miro application assignment for the iu.org Okta account, assigning the appropriate Atlassian product license on the Okta profile when required, adding users to the IU group so membership appeared in Okta, and correcting account-type conflicts for users with preexisting free Miro accounts. When users attempted alternate identity providers (Google or Microsoft) while the tenant required Okta SSO, access was restored by enabling the Miro assignment on the user's Okta profile and confirming enterprise team membership; some specific boards prompted an additional Microsoft sign-in which cleared after the user completed that flow. Restoring broken Miro SSO integrations cleared broader failures. Provisioning and SSO changes typically propagated within minutes (commonly 5–10 minutes); several incidents cleared after a short retry or the next day, and transient in-app password errors or failed password-reset attempts were observed while provisioning synchronized. For a reported GitLab login failure, support advised waiting approximately five minutes and retrying; the user retried and access was restored without further action. Users were routinely signed in via the Miro tile at https://okta.iu.org/ as part of resolution when relevant.
32. Workday tile in Okta returned error where user had multiple IU addresses and Okta account flagged 'PW Reset' (no resolution recorded)
Solution
Incidents were resolved by addressing one of several account-level or integration-level issues that blocked Okta-to-Workday SSO/provisioning. Support first confirmed the Workday tile identity (users provided screenshots and support verified the tile’s three-dot menu/email shown). Resolutions observed in tickets included: correcting the email address shown on the Workday app tile in the user’s Okta dashboard, re-enabling/reactivating Okta’s Automatic Push (Okta-to-Workday provisioning) so the Workday account could be provisioned/paired, and performing a repair to the Okta–Workday configuration/integration when simple fixes did not restore access. After these changes users regained access (one record noted both Workday and Egencia access were restored). Records also noted account confusion from multiple IU identities and occasional 'PW Reset' flags; some earlier instances recorded causes but no remediation in the ticket notes.
33. Monday.com board-level edit access blocked despite valid licenses
Solution
Support verified application account status and license entitlements and observed that the root cause determined the remediation. Where Okta assignment, provisioning, or account lockout prevented access, assigning users to the application or its provisioning/access group, enabling/unlocking the Okta account, and granting the application license via the Okta Dashboard restored viewer/edit/create capabilities; administrators reported that Okta changes sometimes required about 5–10 minutes to propagate. Pending in-app approval workflows (for example Automation for Jira approvals or Lucidchart request approvals) were completed and restored edit rights. For Figma, assigning users to the correct access group (for example IU-ZZ-OK-ASS-Figma) and enabling account feature toggles (for example Dev Mode) restored space edit permissions and UI options. For Miro, team-level permissions and board/Area ownership occasionally prevented board creation; Miro admins restored functionality by changing board/Area ownership, promoting co-owners, or recovering service-account credentials and admin-console links. Support observed that Miro’s in-app Join Request flow sometimes failed to add membership immediately and that affected users sometimes created resources in other teams as a workaround. Support clarified that IT managed licensing and SSO provisioning while resource-level permissions and ownership were controlled by board/space owners or product admins; when licensing and SSO assignment appeared correct but users still lacked rights, escalations to resource owners or business specialists resulted in ownership or membership changes that restored edit access.
34. Atlassian sign-in failure due to username/character mismatch resolved via Okta SSO dashboard
Solution
Access was restored most often by completing the Okta SSO flow from the Okta app launcher/portal, which used the updated Okta identity and allowed immediate access even when browsers or PCs displayed incorrect-password prompts. Backend logs in multiple incidents showed Okta SSO flows succeeding and user accounts present in the target application while end-user browsers reported credential errors; in several cases the same credentials worked from mobile or via Okta. In rename/email-change cases the Okta automation had updated the account but browser sessions still used the old identity; launching the application from the Okta portal used the updated username and resolved the sign-in. Where the target application (notably Atlassian) rejected passwords, administrators reset the application account password and users completed the emailed reset link; some resets did not take effect until the user signed out of an active IU mailbox/session. In incidents caused by broken integrations or malformed SSO configurations, re-establishing or reconfiguring the Okta–application integration restored normal SSO behavior and access to saved intranet links and billing/support portals.
35. Corporate ChatGPT access blocked by approval workflow and pending invitation acceptance
Solution
Access was restored when both a valid OpenAI/ChatGPT invitation was accepted by the intended identity and the organization’s approval/provisioning workflow completed. Common resolved causes and observed fixes included:
In multiple resolved cases the decisive actions were support‑sent invitations accepted by the correct account/identity (including ensuring the correct Microsoft account/browser session) combined with approver action (including cost‑center or C‑level approvals) and any necessary manual provisioning of group/team membership.
36. Legacy AcademyFive account and username-based login blocking access
Solution
Support located an existing legacy AcademyFive/CARE account for the user and confirmed the application required username-based (not email) login. Support provided the user’s CARE username (examples: "ka.maier" or "alessandro.de-matteis") and verified the account and requested access/role were assigned to match a reference colleague. A password reset had often been performed prior to the report; in one case the user completed a password change but still received a generic "Sorry!" sign-in message. In prior incidents access was restored after assigning the correct username-based account/role and allowing time for authentication and role propagation (~10 minutes); transient CARE integration errors (including "Allgemeiner Fehler bei der Verbindung zu CARE") resolved after propagation and retry. Support had also suggested using the myCampus credential form (e.g., a.de-matteis@iu.org) when appropriate. The incidents were characterized by transient authentication/propagation behavior rather than persistent configuration changes.
37. Existing Salesforce account with Okta SSO but missing Salesforce profile/roles prevented access
Solution
Investigators confirmed whether the user had a Salesforce account, that authentication flowed through Okta, and that the Salesforce application tile was enabled. When sign‑in failed despite matching in‑Salesforce entitlements, account comparisons to a reference user revealed missing Okta group membership or incorrect Okta Salesforce profile mapping; adding the missing Okta group or correcting the profile mapping in Okta restored access on next sign‑in. For users who signed in but lacked expected UI or functionality, administrators restored access by assigning or mirroring in‑Salesforce entitlements (profiles, roles, permission sets, public group memberships, creation rights) and by applying named list/view assignments (for example the “Praxispartner” view); colleagues with the required privileges sometimes applied identified permission sets directly. Permission changes that required managerial consent (for example enabling the Profile and Permissions Switch Flow used for UAT/Prod testing) were granted after obtaining manager approval (including accepted alternate manager approval where provided) and matching the user’s permissions to the reference account. When no Salesforce account existed, provisioning created the account; when creation attempts reported an existing account or there were locked accounts or metadata/display‑name mismatches, investigators located the existing account, corrected metadata, assigned the appropriate Salesforce license, unlocked the account, and triggered the account notification email. For Queue issues investigators confirmed whether incoming email addresses were routed directly to a Salesforce Queue (which removed messages from user mailboxes), verified queue membership and permissions, mirrored a departing/reference user’s queue membership when appropriate, or routed membership changes to the SalesTech team via the organisation’s Service Desk when support lacked the required privileges. 
Third‑party integration UI errors (for example Vonage/Twilio getToggles null‑reference) often resolved after in‑Salesforce permission fixes and Okta profile/group fixes; persistent defects were escalated to the application specialist or the vendor. Requests for privileged entitlements restricted to SalesTech (for example OnCampus) were routed to the SalesTech team or to external vendor support through the organisation’s Service Desk portals.
38. Specialist-delivered credentials or invites for third‑party SaaS access
Solution
Specialist teams restored or removed access by delivering, recreating, or revoking working invites and credentials, completing outstanding approval or provisioning steps, reallocating licenses, or coordinating with the owning team or vendor to finish provisioning. Actions that resolved issues included sending or resending direct email and SelfService invites, locating invites misrouted to spam and confirming delivery, allowlisting vendor notification addresses, and adjusting user email settings to permit registration links. When SSO was expected, technicians verified and used the enterprise SSO entry (for example signing in via the Okta app dashboard or using the same Okta credentials) and tracked team‑scoped SSO provisioning until vendor access appeared. Where internal request forms were blocked or unavailable, technicians bypassed the form by issuing direct invitations. Secure credential delivery used time‑limited 1Password links or the IU SAFE Portal; lost or device‑bound credentials were addressed by triggering password resets or account‑recovery emails, creating replacement accounts and recording credentials in the vault when appropriate, or allocating 1Password licenses. For platforms requiring explicit domain mapping, administrators requested and applied domain assignments before sending invites; technicians also checked for domain‑activation discrepancies that prevented access (for example differences between @iu‑study.org and @iu.org) and noted when vendor accounts were already deactivated. Where administrative ownership was unclear, stored admin credentials were reassigned in the vault, users were added to the appropriate team, and provisioning was tracked until completion while team‑vault membership and team‑scoped SSO remained the owning team’s responsibility. 
Vendor‑integrated issues were resolved by creating the vendor‑side user record, ensuring vendor‑to‑application mapping, assigning the correct role (for example in Salesforce), and enabling/unlocking or whitelist‑enabling vendor accounts so dashboards and integrated functionality became available. Requests to remove or unlink third‑party bindings were completed by verifying vendor account status (including already‑deactivated accounts) and performing the disconnect on the vendor side. Tickets were closed after a working invite, credential, reset, recovery email, license allocation, role assignment, vendor unlock, or completed unlink/disconnect was delivered, or after no confirmation was received from the user following delivery.
39. Missing role/group membership in internal apps (PowerApps/Custom apps) blocking user tasks
Solution
Investigations repeatedly found access failures caused by missing, misaligned, or out‑of‑sync application roles, group memberships, SSO/IdP entitlements, in‑application roles, Teams/application membership, environment-level membership, licensing, or organizational policy constraints. Resolutions observed across incidents included the following:
40. Role‑based onboarding automation requiring event sequencing (SalesTechDev)
Solution
The MEA onboarding form and automation were updated to include the SalesTechDev role and to sequence notifications. A role entry was added to the Access and Permissions dropdown and a subtask/trigger flow was implemented so DevOps is notified only after the starter's IU email account was created. The change ensured third‑party account invites and tool provisioning were created against an existing IU email and included the expected downstream accounts (1Password, Conduktor, Confluence, Jira, DataDog, Port).
41. Jira/Atlassian access gated by Automation for Jira approval then admin provisioning
Solution
Stalled approval workflows were cleared or completed in the relevant approval systems (Automation for Jira and other approver routing) and approver routing/CC‑approver entries were corrected or reassigned. In some cases support bypassed or manually finished stalled Automation for Jira approvals so provisioning could proceed. After approvals completed, required permissions were granted via the user’s Atlassian account/Atlassian ID and owners added users to owner‑controlled Jira boards, projects, spaces or dashboards. Administrators or specialist teams then enabled/unlocked Okta accounts, added users to the required Okta/security groups (including bulk additions) — for example IU‑ZZ‑OK‑ASS‑Atlassian‑Jira Software, IU‑ZZ‑OK‑ASS‑Atlassian‑Jira Service Management and IU‑ZZ‑OK‑ASS‑IT Service Portal CampusManagement in this environment — and assigned licenses or guest status as needed. Mailbox and service‑account work was routed to specialist teams or existing shared mailboxes to avoid duplicates. Conflicting or duplicate requests were denied or closed after verifying existing access. For Microsoft Teams admin requests, roles were assigned in Azure AD/Entra (not the Teams developer portal) so privileges appeared in the Teams Admin Center. Provisioning changes typically propagated within minutes (commonly ~5–30 minutes), after which Okta SSO sign‑in and application access were restored and IT Portal redirects were removed. When tenants required development/testing, tenancy risk was noted and work was performed in a sandbox/dev tenant when available or after required approvals and risk acknowledgement.
42. External attendees blocked from Teams training by conditional access
Solution
An external IU account was provisioned for the speaker (steven@vanbelleghem.biz), which allowed the user to sign in to Teams and join the Manager Learning Hub session. Access was verified and the ticket was closed; other external attendees were to be granted similar external accounts if needed.
43. Application access blocked by missing assignment, pending approval or vendor invitation
Solution
Access was restored after the missing tenant- or vendor-side entitlement, invitation/approval, license/seat allocation, account/profile creation or reactivation, or in‑app group/role/org/space membership had been completed and directory/SSO changes had propagated. Representative resolutions included:
• Azure/Okta application assignment: granting direct or group assignment in Azure AD Enterprise Applications (or assigning the app in Okta) resolved AADSTS50105 'application is configured to block unassigned users' errors and restored Outlook/Teams add‑in linking and app access. Adobe Creative Cloud access was restored by assigning the appropriate Azure AD group to student accounts.
• Vendor-side group/role membership: adding users to vendor-managed groups or roles inside vendor consoles (for example assigning users to an Adobe Sign product group) restored product access when licensing existed but group membership was missing.
• Vendor invitations and vendor-managed accounts: resending invitations or having vendor administrators create or reactivate vendor accounts and bind licenses to SSO identities restored access (examples included Figma invitations and vendor admin account creation).
• Vendor licensing via internal request systems: granting vendor product licenses directly to vendor-specific accounts through internal provisioning workflows resolved access gaps (example: GitHub Copilot access was granted to a named GitHub account after a DevOps/Atlassian service‑desk request).
• Enabling/configuring vendor SSO: completing or correcting vendor SSO setup removed vendor SSO error pages and allowed normal SSO flows to proceed (example: Agorapulse Okta SSO).
• Approvals and automation: completing pending approver actions or repairing approval routing for application-request workflows removed approval-state blocks.
• Procurement/provisioning sequencing and duplicate records: resolving cases where procurement created license records before vendor accounts, or where provisioning sources produced duplicate order entries, restored expected mappings between identities and licenses.
Timing observations: directory/SSO provisioning typically propagated within ~5–10 minutes though some app visibility or Company Portal entries took longer (one case ~24 hours); an initial SSO login sometimes created a vendor profile before in‑app space/role assignments took effect. Okta-initiated SSO flows sometimes bypassed Azure AD assignment checks while deep links that invoked Azure AD could surface AADSTS50105 blocking. In all incidents users regained access once the missing entitlement, invitation/approval, license/seat allocation, profile creation/reactivation or membership change had been completed and allowed to propagate.
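The AADSTS50105 pattern described above can be triaged from sign-in log exports. The following is an added example, not part of the original incident records: it groups blocked sign-ins per user and application and reports whether a later successful sign-in shows the assignment has propagated. The records are constructed, the field names follow the Microsoft Graph signIn resource, and the function name is an assumption.

```python
from collections import defaultdict
from datetime import datetime

AADSTS_UNASSIGNED = 50105  # "application is configured to block unassigned users"
SUCCESS = 0

# Constructed sample records (not real log data). Field names follow the
# Microsoft Graph signIn resource; users, apps and timestamps are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-01-12T08:01:10Z", "userPrincipalName": "a.student@example.org",
     "appDisplayName": "Adobe Creative Cloud", "status": {"errorCode": 50105}},
    {"createdDateTime": "2026-01-12T08:03:40Z", "userPrincipalName": "A.Student@example.org",
     "appDisplayName": "Adobe Creative Cloud", "status": {"errorCode": 50105}},
    {"createdDateTime": "2026-01-12T08:12:05Z", "userPrincipalName": "a.student@example.org",
     "appDisplayName": "Adobe Creative Cloud", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-12T09:15:00Z", "userPrincipalName": "b.staff@example.org",
     "appDisplayName": "Outlook Add-in", "status": {"errorCode": 50105}},
    # A different failure (bad credentials) must not count as a restore.
    {"createdDateTime": "2026-01-12T09:20:00Z", "userPrincipalName": "b.staff@example.org",
     "appDisplayName": "Outlook Add-in", "status": {"errorCode": 50126}},
    # Never blocked: should not appear in the findings.
    {"createdDateTime": "2026-01-12T09:30:00Z", "userPrincipalName": "c.staff@example.org",
     "appDisplayName": "Adobe Creative Cloud", "status": {"errorCode": 0}},
    # Malformed export row without a status object: skipped.
    {"createdDateTime": "2026-01-12T09:31:00Z", "userPrincipalName": "d.staff@example.org",
     "appDisplayName": "Outlook Add-in"},
]


def _parse_ts(value):
    # Sample timestamps are whole-second UTC values ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_unassigned(signins):
    """Return one finding per (user, app) pair that hit AADSTS50105."""
    events = defaultdict(list)
    for rec in signins:
        code = (rec.get("status") or {}).get("errorCode")
        user = rec.get("userPrincipalName")
        app = rec.get("appDisplayName")
        ts = rec.get("createdDateTime")
        if code is None or not (user and app and ts):
            continue  # incomplete row, nothing to classify
        events[(user.lower(), app)].append((_parse_ts(ts), code))

    findings = []
    for (user, app), evts in sorted(events.items()):
        evts.sort()
        blocks = [t for t, c in evts if c == AADSTS_UNASSIGNED]
        if not blocks:
            continue
        # Only a success AFTER the last block counts as restored. An earlier
        # success followed by new blocks leaves the pair "still_blocked",
        # which matches the deep-link case noted in the timing observations.
        later_ok = [t for t, c in evts if c == SUCCESS and t > blocks[-1]]
        minutes = None
        if later_ok:
            minutes = round((later_ok[0] - blocks[0]).total_seconds() / 60, 1)
        findings.append({
            "user": user,
            "app": app,
            "blocked_attempts": len(blocks),
            "first_block": blocks[0],
            "state": "restored" if later_ok else "still_blocked",
            "minutes_to_success": minutes,  # first block to first later success
        })
    return findings


if __name__ == "__main__":
    for f in triage_unassigned(SAMPLE_SIGNINS):
        print(f["user"], f["app"], f["state"], f["blocked_attempts"], f["minutes_to_success"])
```

Pairs reported as still_blocked are the ones to check for a missing direct or group assignment on the enterprise application.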
44. Power BI Self-Service Portal report access blocked by missing Power BI entitlement and owner-controlled report permissions
Solution
Support used the Company Report Overview and the Power BI Admin Portal to identify report owners, workspace administrators, and whether access depended on owner-controlled permissions or on Azure AD / Power BI group or workspace membership. When access was blocked by missing group/workspace membership, support added users to the required Azure AD or Power BI Premium group so the app or report opened. When users were redirected to a Power BI SignupRedirect URL, support found incorrect Microsoft 365 entitlements (for example an A1 assignment) and restored tenant-appropriate Power BI access by assigning the correct Power BI entitlement. For owner-controlled reports and apps, support confirmed that final access changes had to be carried out by the report or workspace owners via the Power BI 'Send Request' workflow or by workspace owners changing membership/permissions; support informed users who the owners and workspace admins were and escalated unresolved access requests to those owners. When report or app content appeared missing (for example PA Cube not containing course evaluation data), support confirmed data availability with the data steward/subject team (Academic Quality Management) and escalated content gaps to the owning team. For apps managed by separate business units, support directed users to the managing team's service portal when internal forwarding was not possible. When a report owner's account had been deleted, leaving an orphaned report, resolution required workspace-owner or tenant-administrative action to reassign ownership or update workspace membership so access could be granted.
45. Access request for unsupported SaaS (Metabase) routed to owning service desk
Solution
Support confirmed that access provisioning for affected applications was owned by teams outside first-line IT and could not be granted by the first-line service desk. Metabase access and ownership were handled by the DevOps Core Service Desk (Jira Service Management at careerpartner.atlassian.net/servicedesk/customer/portal/31); requesters were directed to create access requests there. IFLM/MyCampus/IU Library access was handled by Academic Coordination (s.academiccoordination@iu.org). First-line support recorded the correct owning team and routing in incident records before closing tickets. Some access requests exhibited Automation for Jira behavior: Automation had added a CC approver and logged approval status prior to reassignment and, in some cases, auto-closed tickets as “Resolution: Done.” Other redirected tickets were closed with the resolution “Won't Do” when action was redirected to the owning service desk. Users who raised requests through the owning teams’ service desks subsequently completed access provisioning.
46. Okta application not present in dashboard blocking GitLab access
Solution
Agents restored access by verifying the user's Okta application assignment was enabled so the app tile appeared on https://okta.iu.org/ and users launched services from there; enabling the app typically propagated in ~5–10 minutes. Agents unlocked Okta accounts that were blocked (including accounts blocked after deletion/recreation) and enabled Okta SSO for the account. When simply enabling the Okta app did not restore access, agents performed application‑specific provisioning or escalated to DevOps/Core Service Desk or the application owners to link accounts and grant in‑app permissions. Application‑specific actions included creating application accounts and assigning required folder/space permissions (for example Cloudinary), linking GitLab accounts to Okta per IU group guidance, granting Salesforce Marketing Cloud users access to the correct business unit/environment, and adding non‑org‑wide SSO apps (for example HashiCorp Terraform) to Okta using SAML metadata and provisioning users via an Okta group. Agents also cleared temporary account locks caused by repeated failed logins and resolved provisioning held by Jira Service Management approvals by sending approval requests and updating approver assignments so automated approvals could complete. GitLab‑side administrative issues requiring account linkage or repository permissions were escalated to DevOps when app‑owner intervention was required.
47. SSO-linked third‑party SaaS embedded in Salesforce required active Salesforce session for access
Solution
Support confirmed the user possessed the required Okta/SSO permission and the Salesforce permission set, and that First‑Login and account creation via the LMS/Salesforce had been completed. Support observed that manual Twilio sign‑in produced a “wrong email address or wrong password” error, that the user was sometimes using an incorrect/favorited direct Twilio link or bookmark, and that Twilio reported browser pop‑ups were blocked. The issue was resolved by ensuring the user accessed Twilio from the corporate SSO entry point (LMS/“Chihuahua‑Link”) while an active Salesforce session/tab remained open so Twilio could inherit the Salesforce authentication context, by removing/updating direct Twilio bookmarks, and by allowing pop‑ups for Twilio. After these actions the user was able to access Twilio. Live troubleshooting/escalation via Teams was offered if access still failed.
48. Salesforce account provisioning and Okta dashboard tile addition using a reference user
Solution
Support verified and corrected user identity attributes (including typos in username or email) or updated/created the supplied reference user when attributes were missing or incorrect. Administrators created or updated the account in the target system and provisioned the identified permissions (groups, skills, licenses). For SSO-enabled apps they granted the Okta application assignment and added the app tile to the user’s Okta dashboard; when immediate sign-in failed they re-applied or reconfigured the Okta assignment and allowed time for provisioning to propagate (propagation completed within minutes in some cases or resolved by the next day). For license-managed apps (for example Deskbird) support granted the license and confirmed the user received the activation email. For telephony/UC apps (Vonage/NewVoiceMedia) administrators created the provider user record, assigned the extension/number, recorded the provider user ID (for example a Vonage-ID) in Salesforce, and sent the activation email. When organizational approval workflows required requester confirmation, support triggered the confirmation/activation email (often via Jira automation) and completed provisioning after confirmation. Tickets were closed after users confirmed access.
49. Confluence space admin access requests, accidental submissions and license guidance
Solution
Support verified the user's Confluence account state, license, and identity-provider (Okta/Azure AD) group membership and mappings. When users were assigned to restrictive groups (for example 'Confluence Guest') they were moved to the appropriate full-access group and/or granted a Confluence license; this restored editing rights immediately in several incidents, while some license or permission changes required up to 48 hours to propagate. Missing or incorrect IdP group mappings were corrected and affected users were provisioned into the proper groups (for example Azure AD groups used for Confluence access). Transient SSO/session issues were resolved by re-login or browser/session refreshes. Automation for Jira access-request queues were reviewed where present; accidental or duplicate requests were rejected and requests requiring space- or page-owner authority were escalated to or approved by the owner or specialist team. When spaces were missing from admin listings, staff located the space, reassigned ownership and permissions, and confirmed corresponding IdP group mappings. Page-level permission issues were escalated to the page owner or last editor and resolved when the owner updated page permissions. Requests for additional Confluence licenses and Exchange/Office 365 shared-mailbox access were handled via the Service Portal with provisioning tracked in Jira/Jira Service Management.
50. myCampus area access blocked by missing area-specific roles requiring escalation and synchronization
Solution
Support investigated affected accounts by comparing them to working reference profiles and realigned area‑specific role assignments and group memberships. Missing roles (for example myCampus dashboard roles, EPOS Lecturer, myCampus admin/impersonation role required for “Anmelden als”, Key User) were granted and incorrect assignments (for example Employee/AUTOR used instead of Lecturer) were replaced; these corrections restored missing UI elements, impersonation, tutor/unit functionality, instructor enrollment/un‑enrollment, dashboard action buttons and News posting in multiple cases. Where access requests had empty Application fields or incorrect approvers, support corrected the request records, fixed approver assignments and—when appropriate—forwarded the request to the responsible onCampus Service Team or another specialist queue; in one case the onCampus team performed role/permission adjustments to grant Key User access. Accounts provisioned under alternate usernames or routed to the wrong login portal produced credential/provisioning mismatches; support resolved those mismatches so users could set passwords and authenticate, after which role corrections produced the expected UI. Tickets reporting HTTP 403 'Zugriff verweigert' after successful password resets were investigated as application‑specific provisioning or SSO/mapping inconsistencies; aligning application provisioning and role mappings restored access. Cases where components (DS Competency, EPOS, Infocenter, CARE) did not recognize instructor status or where course enrollments did not appear in myCampus were escalated to specialist teams; specialists corrected role mappings, remedied provisioning/synchronization and logging faults, and allowed role visibility to propagate (sometimes requiring overnight synchronization). 
Media and Learning Hub issues involving "kein Video MIME Typ" or upload failures were routed to media/learning‑hub and platform specialists for investigation of MIME metadata/streaming headers and storage handling. Device‑specific or mail/calendar client problems reported alongside some tickets were handled by device/email support and did not result from account role or provisioning changes. Where remaining UI differences reflected expected permission boundaries, support explained the behavior to users.
51. Access requests for analytics/dev platforms requiring platform‑owner provisioning
Solution
Support identified the owning team or approver and routed permission requests to that owner when central IT lacked direct provisioning rights. Platform specialists performed provisioning for systems they owned; when a platform was not in the software catalog or lacked an Okta/Entra group, specialists either enabled access outside the catalog or assigned platform entitlements directly. When ownership or approver was unclear or cross‑team, requests were routed to DevOps/platform/product specialists or forwarded via the Atlassian service desk to the appropriate owning team. Notable platform resolutions included:
• Metabase: platform specialists handled create‑collection and CSV/XLSX export permissions; some dataset export actions required dataset‑owner approval.
• dbt Cloud: the Data Platform/DWH team granted evaluation access by assigning dbt Cloud entitlements via the identity provider to a limited set of users.
• Sonar/SonarCloud: DevOps processed requests via the DevOps Core Service Desk and granted project access.
• Omni: view/read access and platform entitlements were enabled directly when the platform lacked an Okta/Entra group.
• SharePoint: restricted access was granted when possible, site‑specific access‑form links were provided when present, and SharePoint site owners were identified for full site or dataset permissions.
• TFS: support verified membership and noted when project or board owners had to assign required permissions.
• AWS accounts: support determined Infra vs DevOps ownership, forwarded requests to the relevant specialist team, and used Microsoft MyAccess where applicable to grant account access.
• Datadog: approvers and approval routing were updated so the platform could grant access.
• QuickSight: requests were submitted through the DevOps Portal and account/dashboard access was granted.
• MongoDB UI (external users): prior Company Portal guidance was corrected and the request was routed to the DevOps Core Service Desk and processed through Jira approval automation.
• JFrog: identified as a developer tool supported by DevOps and referred to DevOps owners for account provisioning.
• vSphere/VMware: access was granted in the vSphere environment by the platform owner/admin and the user was notified.
These actions resolved requests where provisioning required platform‑owner intervention or non‑catalog entitlement assignment.
52. Confluence account creation and basic access provisioning
Solution
Access issues were resolved by application owners or administrators provisioning accounts, assigning product licenses/entitlements, and granting required permissions. For Atlassian Cloud, administrators provisioned accounts and assigned Confluence and Jira licenses either in the Atlassian admin console or by assigning entitlements in Okta; license/entitlement assignments commonly activated access within minutes though recipients occasionally experienced short propagation delays. Space- or project/board-level permissions and Confluence page invitations were granted by space admins or page creators when needed; some pages remained inaccessible until an explicit page-level permission or invitation was added. Support verified existing accounts when requests referenced Workday employee IDs and created or activated access for users who lacked accounts. Attempts to grant access to an email distribution list (for example legal@iu.org) were not supported; access was granted to individual user accounts or supported group objects instead. Metabase access was granted by the application owner on request. Index Searcher (index.de) access was provisioned after submission of the official SharePoint access-request form on the IUBHFS site. Activation timelines ranged from minutes for entitlement/license assignments to the next business day for some request workflows; support confirmed access after provisioning.
53. Jira access missing due to absent Jira product license; project permissions remained separate
Solution
Affected accounts were missing the required product entitlement/license in the identity provider (commonly Okta). Assigning the appropriate product entitlement (for example, 'Jira', 'Jira‑SM', or 'Confluence') to the user account restored product-level access after directory/IdP propagation (typically within 5–10 minutes). In several cases a user’s regular password or password-reset flow had failed until the entitlement was applied; after the license assignment the user signed in via the identity provider dashboard and product access was restored. Clearing the browser cache or stale sessions was used when cached credentials interfered with login. Project-, board-, and Confluence-space permissions were not changed by the entitlement assignment and continued to require grants from the respective project, board, or space owners. Requests for applications not managed by IT (for example, Freshdesk) were redirected to the responsible team (HR/WD‑Support, wd-support@iu.org).
54. Access request auto-closed after approval workflow timeout
Solution
Requests submitted via the intranet/Software Catalog or Jira Service Management remained in 'Waiting for approval' while Automation for Jira sent automated reminders. Designated approvers sometimes only commented rather than using Jira's formal approval control, so the configured approval window (commonly 14 days) elapsed without a formal approval. Automation for Jira then automatically transitioned and closed those requests—commonly marking them Declined or Done—and appended messages such as 'declined automatically (14 not approved or approver no longer available)' or 'your ticket was not approved ... and will be closed automatically now.' Target-application provisioning did not occur because the formal approval action was never completed, and Automation for Jira–closed tickets could not be reopened. Incidents were resolved when one of two outcomes occurred: the designated approver completed Jira's formal approval within the configured approval window, or the requester submitted a new access request that routed to the correct cost-center/manager approver. In one observed case (Storyblok), no backend provisioning errors were found; the user saw a token-expiration-style login failure and access was restored only after the access request was resubmitted selecting the user's own cost center so the correct approver could approve.
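The failure mode described above, where an approver comments instead of using the formal approval control and the window then lapses, can be caught before the auto-close. The following is an added example, not part of the original incident records or of Automation for Jira: it scans a constructed request queue and flags comment-only approvals and requests close to the deadline. All field names, request keys and the warning threshold are assumptions.

```python
from datetime import date

APPROVAL_WINDOW_DAYS = 14  # the window the section reports as commonly configured

# Constructed sample queue. Field names are hypothetical, not Jira's schema.
SAMPLE_REQUESTS = [
    {"key": "REQ-101", "status": "Waiting for approval", "waiting_since": date(2026, 1, 2),
     "approver": "m.lead", "formal_decisions": [],
     "comments": [{"author": "m.lead", "text": "Approved from my side"}]},
    {"key": "REQ-102", "status": "Waiting for approval", "waiting_since": date(2026, 1, 10),
     "approver": "k.owner", "formal_decisions": [], "comments": []},
    {"key": "REQ-103", "status": "Waiting for approval", "waiting_since": date(2026, 1, 5),
     "approver": "m.lead",
     "formal_decisions": [{"by": "m.lead", "decision": "approved"}], "comments": []},
    {"key": "REQ-104", "status": "Done", "waiting_since": date(2025, 12, 1),
     "approver": "k.owner", "formal_decisions": [], "comments": []},
    {"key": "REQ-105", "status": "Waiting for approval", "waiting_since": date(2026, 1, 1),
     "approver": "k.owner", "formal_decisions": [],
     "comments": [{"author": "requester", "text": "Any update?"}]},
    {"key": "REQ-106", "status": "Waiting for approval", "waiting_since": date(2026, 1, 12),
     "approver": "m.lead", "formal_decisions": [],
     "comments": [{"author": "m.lead", "text": "ok"}]},
]


def approvals_at_risk(requests, today, window_days=APPROVAL_WINDOW_DAYS, warn_days=3):
    """Flag waiting requests that are likely to be auto-closed unapproved."""
    flagged = []
    for req in requests:
        if req["status"] != "Waiting for approval":
            continue
        formally_approved = any(
            d["by"] == req["approver"] and d["decision"] == "approved"
            for d in req["formal_decisions"]
        )
        if formally_approved:
            continue  # provisioning can proceed, nothing to chase
        days_left = window_days - (today - req["waiting_since"]).days
        # A comment by the designated approver does not count as approval.
        comment_only = any(c["author"] == req["approver"] for c in req["comments"])
        if comment_only or days_left <= warn_days:
            flagged.append({
                "key": req["key"],
                "approver": req["approver"],
                "days_left": days_left,
                "comment_only": comment_only,
            })
    # Most urgent first.
    return sorted(flagged, key=lambda item: item["days_left"])


if __name__ == "__main__":
    for item in approvals_at_risk(SAMPLE_REQUESTS, today=date(2026, 1, 14)):
        note = "approver commented without approving" if item["comment_only"] else "no approver action"
        print(item["key"], item["approver"], item["days_left"], note)
```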
55. Policy‑gated SaaS provisioning requiring training enrollment (ChatGPT/GPT‑4)
Solution
Access requests were withheld or denied when organizational prerequisites, role‑based exclusions, or separate provisioning workflows were required. For OpenAI/ChatGPT, independent ChatGPT/GPT‑4 accounts were not issued; cooperative OpenAI accounts were provisioned only after users were enrolled in designated IU Learning Hub learning paths (for example the generative AI in teaching path and the 'Master of Prompts' path). For Copilot for M365, support verified that users held an appropriate base license (for example M365 A5), enrolled users in the 'Copilot for M365 Essentials' self‑learning course in the IU Learning Hub, and then moved requests into the Copilot provisioning workflow or performed Azure AD/application assignment when necessary. Copilot licenses were configured to assign automatically once the course status reached 'completed'; license and feature propagation across M365 apps could take up to 72 hours and assignments were not always accompanied by separate notifications. Some employee groups (for example IU Internationale Hochschule GmbH) were excluded from the Copilot rollout and GDPR/terms‑of‑use restrictions (users were instructed not to include GDPR‑sensitive data in prompt context) were communicated. For internal systems such as the Prüfungswesen, support refused permission grants when policy prohibited employee‑students from receiving examination‑system access without explicit Hochschulleitung approval; the workflow showed approvals pending, support recorded the leadership‑approval requirement, and tickets were auto‑closed after 14 days of no reply. Ticket and provisioning workflows used tools such as Atlassian Automation for Jira and Azure AD application assignment; support staff initiated learning‑path enrollments, triggered provisioning automations, and performed manual assignments as appropriate.
56. Application access owned by a non‑IT team requiring request redirection
Solution
Support triaged incoming access requests, identified when provisioning, licensing, approver workflows, SSO/app entitlements or other entitlement changes were owned by non‑IT teams or external providers, and recorded the owning team/provider and their contact channel (email, portal, Teams channel or service board). Tickets captured any interim IT corrections performed (for example fixing an approver, enabling an SSO/app entitlement, or correcting a username) and attached automation or Jira evidence where available to indicate outstanding owner tasks. Resolutions were recorded as either owner‑side fulfilment or documented redirection to the owner’s support channel; tickets were closed after owner fulfilment or after recording the owner’s pending actions or the requester’s redirection outcome. When support could only create an account but could not manage in‑app permissions or UI controls, support informed the requester, recorded that limitation, and closed the ticket. Representative outcomes included: owner‑managed access‑request forms or portals (for example Unternehmensportal requests redirected to the IU Meldeportal), Workday cases routed to Workday or project leads, DevOps tool requests routed to the DevOps/Core Service Desk or repository owners after approver corrections, cloud data platform requests redirected to the DataAnalysts team with notes about Azure App Registration dependencies, marketplace/library subscription requests routed to library contacts, and specialist fulfilment such as Twilio role changes forwarded to the specialist team and applied with an effective date. Tickets were also closed as "wont‑do" where access was entirely owner‑controlled (for example DKIM/domain requirements preventing third‑party sends). Tickets consistently recorded owner contact details, interim IT actions, attached evidence of owner fulfilment or pending owner actions, and the final redirection or owner‑fulfilment outcome. 
In cases of platform‑subsystem ownership, support sometimes noted they lacked access to a subsystem (for example a Real‑Estate ticketing subsystem where the "Share +" option was missing for a user) and recorded attempted workarounds (such as @‑mentions) that did not grant access.
57. Jira board access blocked by missing product license and pending approval
Solution
Product access issues were resolved by approving and assigning the appropriate Jira/Atlassian license via the Automation for Jira approval workflow. When the primary approver was unavailable, a temporary approver substitution was requested and the substitute approver granted the access so the automation completed. After the license assignment, users were advised to sign in through the Okta Dashboard to access the Atlassian site. In cases where the board page still showed access denied after license assignment, support confirmed that board-level permissions were controlled by the board owner and the user was instructed to contact the board owner to obtain owner-assigned board access.
58. Adobe Sign SSO access pending invitations and service-mailbox restrictions
Solution
Access issues were resolved by provisioning the user's Adobe account and/or assigning Adobe Sign/Acrobat entitlements; after provisioning the identity provider sent activation/invitation emails or SSO access began working, typically within the provider's delivery window (roughly 30 minutes to later the same day). Users who attempted SSO before provisioning saw "Access Denied" or were prompted for an Adobe password they did not have, and users without the Adobe Sign entitlement received an error stating the e-signature service "is not included in my package." Requests that named service-mailbox addresses were rejected and were not provisioned. In cases where Okta SSO had not yet been established but licenses were already present, access was achieved by installing Adobe Creative Cloud via the Company Portal and signing in with the IU email/password; support also noted unrelated Adobe notification emails could be ignored.
59. Miro team membership, license and admin-rights blocking board creation and internal-board access
Solution
Support verified each affected user’s Miro provisioning state (including the Okta Miro tile) and corrected entitlement and permission mismatches. Actions taken included enabling the user’s Okta Miro access, assigning the appropriate Miro license (Full/Enterprise or the corresponding Education license when relevant), adding users to the correct IU Miro team/group, and granting board-level edit permissions or extended Miro admin scope where required. In cases where a user could view a board but not edit it, support either provisioned a Full-License (or Education administrative license) via the New Software request flow or had the board owner grant edit rights; access to create boards and to use standard templates only became available after the license/permission change propagated. License and permission changes typically propagated within 5–30 minutes (commonly 5–10 minutes), after which users were able to create, edit, and access internal/public boards and templates.
60. Enterprise SaaS access provisioning after approver approval and license assignment (Miro)
Solution
Access issues were resolved by addressing either the approval workflow or licence/application provisioning. When automation logs showed an approver awaiting action or messages such as 'approval reminder suspended', support either contacted the approver (the approver retried the approval and the workflow completed, granting edit access) or asked the requester to resubmit the access request with required fields (for example, cost-center and designated approver), which allowed the automation to proceed. Other cases were resolved by correcting approver-assignment misconfigurations in the Automation for Jira application-request workflow. Where users lacked an enterprise licence, administrators provisioned a MIRO Full Version (Enterprise) licence and enabled the Miro Okta application for the account; provisioning typically propagated in about 5–10 minutes and the Okta SSO tile then reflected workspace access and edit/write permissions. Licence-choice discussions were documented: support confirmed whether a restricted/free licence sufficed or a paid full licence was required (the full paid licence was noted at €110/year), and for some users support recommended the free/Education version instead and closed the request as 'Won't Do' when appropriate. Requesters confirmed successful logins after licence assignment or after switching to the free/Education option.
61. Access requests blocked by product being in pilot/internal test (Copilot)
Solution
Investigations established whether provisioning failures were caused by product availability (pilot/preview), account eligibility, approval workflow gaps, ambiguous product selection, or training-enrolment restrictions. Actions and outcomes included:
62. Provisioning blocked by vendor license shortage; re-triggered by toggling Okta group membership after license procurement
Solution
Additional vendor licenses were procured and added to the tenant, and provisioning was then retriggered by removing the user from the Okta application group and re-adding them (re-assigning group membership). After the license count increased and the group membership was toggled, the application successfully provisioned access for the user.
63. SAML/SSO workspace‑booking app access requests (Deskbird) for campus presence
Solution
Access issues were resolved by restoring the Deskbird entitlement in the organization’s IdP (Okta or Azure AD) or by adding the user to the Deskbird access group (for example IU-ZZ-OK-ASS-Deskbird-All-Access). Where provisioning was blocked by pending approvals, clearing those workflows unblocked provisioning; SSO assignments and provisioning typically propagated in about 5–10 minutes and restored the expected SSO flow. Some cases required assigning a location‑specific role entitlement in addition to the app/group assignment (for example the “AL” role for Berlin) before booking capability returned. Vendor‑side account deactivations required Deskbird administrators to reactivate vendor accounts or restore internal roles because central identity support lacked vendor admin privileges. Sign‑in failures after an email change were restored by triggering the IdP flow (for example signing in via the IdP dashboard or using an IdP redirect from the Deskbird sign‑in page); normal provisioning and tile visibility returned once IdP assignments/approvals propagated. In several incidents the application assignment itself was handled via Application Self Service and automated workflows: Jira automation and Atlassian API calls were used to CC approvers and assign the Deskbird application to users. When other SaaS applications were affected, users launched them via the IdP/intranet or were given IT‑triggered password resets with time‑limited links (~24 hours). Support also observed intermittent browser compatibility problems affecting Deskbird; in some deployments integrating Deskbird into Microsoft Teams improved access and experience. Requests sometimes coincided with local device or resource permission gaps (for example access to the “Zeugnisdrucker” printer); in those cases administrators mirrored an existing user’s device/permission configuration so users could complete tasks like printing after Deskbird access was restored.
Users were notified after assignments, approvals, or vendor restorations and confirmed access.
64. Dataverse / Power Apps: inability to create Dataverse tables due to missing environment permissions/licenses
Solution
The five users were added to the relevant access/security group that carried Dataverse permissions for the Personal Productivity environment. Once group membership propagated the users were able to create Dataverse tables and proceed with their feedback‑management automation.
65. Miro access failures caused by Okta SSO sessions, locked app state or license-seat mismatches
Solution
Access was restored by unlocking/enabling the Miro Enterprise application in Okta or by unblocking/reactivating the user’s Miro account tied to the current email address. Where applicable users were given appropriate seats: staff received paid/licensed seats and other users were assigned a Free Miro license via the Okta Self Service portal. In several cases automated provisioning or manager-approval flows did not complete, so application owners granted access or seats manually. Board-level permissions that were limited to read/comment were updated to edit/collaborate when required. Affected users signed in through corporate Okta SSO and were informed that license and permission changes typically propagated after a short delay and that self-assignment was available through the Okta Self Service portal.
66. Approval workflow links in Automation for Jira were unclickable, causing pending provisioning
Solution
Support recreated or rerouted the request and, where the approval link remained unusable, changed the designated approver or had the application owner manually grant access to the requester. The manual approver change and direct permission assignment cleared the pending state and allowed the users to sign in and access the requested applications.
67. External lecturer Okta password/authentication blocking Atlassian access
Solution
Support issued an Okta password-reset email to the lecturer; the lecturer used the reset link to set a new Okta password and Atlassian access was restored.
68. Power Apps 'Präferenzabfrage' entry locked or inactive requiring app-team reset
Solution
Two distinct remediation patterns resolved these incidents. When the survey entry or app-level record was locked or inactive, the Präferenzabfrage application team reset the user’s survey entry and reactivated the record, after which the lecturer could edit the survey. In cases where the app did not recognize the user as an instructor due to account inactivity or authentication issues, Okta and myCampus password resets were processed; following the resets the user regained access. Tickets also noted browser/account selection details: the Preference Survey was accessed in Microsoft Edge and the IU Microsoft account needed to be selected for the app to recognize the instructor account.
69. SSO login succeeded but missing product license or feature permission blocked full app functionality
Solution
Access failures were resolved by ensuring vendor-side product licenses and feature permission sets were assigned and that provisioning/sync processes reflected those assignments. Examples: a Miro user was added to the Miro application in Okta and their account was upgraded from a free/restricted to a Full (Enterprise) license so they could create and manage shared boards; Adobe Sign users were granted Adobe Sign licenses and MegaSign/bulk-send permissions and, after license assignment, were advised to install Adobe applications via Adobe Creative Cloud from the company portal; a Bing Copilot user's Designer permission was re-added by support and the Designer view became available via a direct feature link. For Lucid Suite, an approval workflow was created, approvers were notified, and the Atlassian API/user-assignment was used to assign the Lucid Suite application so the user could edit Lucidchart diagrams. Support observed that assignment/activation emails, approval workflows, and permission propagation times varied by vendor (from minutes up to ~48 hours); automation and Jira logs recorded approval and provisioning activity. When vendor landing pages did not expose direct shortcuts to features, direct feature URLs were used as temporary workarounds.
70. Jira project invitation redirected to service portal due to missing project assignment or project-level release
Solution
Access failures were resolved by restoring missing product- and object-level permissions and ensuring accounts were active and provisioned. Resolutions included reactivating disabled Atlassian/Jira accounts, granting Jira product license access plus explicit project- or board-level permissions, and adding required Confluence space permissions. Several incidents required time for account provisioning to propagate before links worked. Okta/SSO sign-on did not confer product or project access when those permissions were absent; after permissions were applied users were able to open intended projects/boards. In one case a project-level release/setting was verified by the product owner. In some cases clearing Atlassian-related browser cookies and accessing Jira from the Okta portal were performed and coincided with restored board access. After these changes affected links loaded the intended project/board/pages and requesters confirmed access.
71. Requests for licenses or access where Enterprise SSO / Okta already provided the app
Solution
Access requests were resolved by confirming the application was available through the organisation's Okta/Enterprise SSO and verifying it appeared in the user's Okta dashboard. Agents confirmed users could sign in to okta.
72. Applications requiring Self‑Service assignment before content or Okta tile becomes available
Solution
Access failures were resolved by restoring or reprovisioning application assignments, completing app‑specific approval flows, or adjusting user permissions. When an Okta application was assigned but not visible, technicians enabled the application in the user's Okta account via Application Self‑Service which restored the dashboard tile and sign‑in. When accounts or licenses had not been created after SSO migrations or applications were unassigned, provisioning or reassigning the app through the organisation's Self‑Service/IT Service Portal and finishing the app‑specific approval workflow reprovisioned entitlements and restored access. In several cases an administrator added the application at the organisation level and users completed an app onboarding step (for example, Confluence onboarding that granted access to TheyDo), which resolved authentication failures. For portal navigation issues (for example, a Learning Hub link missing from the top bar), an administrator adjusted the user's permissions/access rights which restored the navigation item; in that case clearing browser cookies did not resolve the issue. Users were informed that application assignments and permission changes commonly required approval before accounts or licenses were provisioned.
73. Access requests stalled by approval/invitation workflows and Automation for Jira closures
Solution
Pending access failures were resolved by advancing stalled approvals, correcting approver configurations in Jira Automation so queued requests moved forward, and reissuing outstanding invitations when acceptance had not completed. Invitation deliveries were confirmed in users' mailboxes and invites were resent when acceptance had not completed profile linkage; provisioning was confirmed only after invite acceptance. Okta group membership and group‑based provisioning were verified; where propagation lagged or assignments were absent, licenses or assignments were applied manually. Provider APIs were used to assign applications when the normal flow did not complete (for example Atlassian API assignments for Atlassian‑managed apps and for an observed Qualtrics dashboard license assignment). In cases where applications required owner action after approval (for example CARE), administrators completed location and permission assignments to finalize provisioning. In contract‑linked or portal scenarios (for example the Freelancer Invoicing App), support explicitly granted the required app permissions after the user saw the access prompt so the user could proceed. After these actions, assignments and license propagation were confirmed before requests were closed.
74. Permission alignment for internal systems by replicating a reference user's roles
Solution
Access entitlements were aligned by comparing the requester to the designated reference user and matching roles, AD group memberships and platform/application assignments in the target environment. Missing accounts and platform/application licenses were provisioned and Okta app assignments were created or adjusted to mirror the reference account. Where central IT managed application-internal module rights (for example the 'Prüfungsmanagement' module in Care) those module permissions were set; where permissions were managed outside central IT (for example Jira board membership) application or board owners were engaged to grant access. When the named reference user lacked expected entitlements support either selected an alternate reference or corrected the reference account (for example by adding missing AD group memberships and triggering AD group synchronization) and then re-verified access. Requesters were asked to supply a reference user when details were missing; requesters were placed into the same application area or account scope and given matching account-level objects, dashboards or module rights. Approvals and effective dates were recorded in the ticket workflow. Where Self Service Portal automation or approval workflows ran successfully, application assignments were sometimes completed by an Atlassian API automation user and approval/CC entries were retained in logs; when automation failed or stalled support manually provisioned access to match the reference user and tracked approvals in the workflow. Initial login problems were handled separately: correct sign-in links and account-type guidance were provided, and when an existing account already had sufficient privileges support advised using the correct username format and the 'forgot password' flow to regain access. After changes users were sometimes instructed to use the application’s refresh control or restart the client/browser to make granted permissions visible. 
Persistent or complex issues were escalated to application experts and, when required, credentials or accounts were created and forwarded after provisioning. Some requests included application-specific data or report requests (for example EPOS reports to identify external lecturers using private email addresses); these were treated as separate work items and were executed or documented only when the ticket workflow captured the required steps.
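One way to express the reference-user comparison described above, as an added example rather than the support team's own tooling. The entitlement kinds, the ownership map, the group, board and dashboard names and the expected-baseline set are constructed assumptions; the split between central IT, board owners and application experts follows the text.

```python
# Entitlements are (kind, name) tuples. All names below are constructed samples.
CENTRAL_IT = "central-it"
FALLBACK_OWNER = "application-expert"   # unknown kinds go to application experts

# Assumed ownership map: who is able to grant each kind of entitlement.
OWNER_BY_KIND = {
    "ad_group": CENTRAL_IT,
    "okta_app": CENTRAL_IT,
    "care_module": CENTRAL_IT,      # module rights set by central IT
    "jira_board": "board-owner",    # board membership granted by the board owner
}


def plan_alignment(requester, reference, expected=frozenset()):
    """Compare a requester with a reference user and split the missing
    entitlements by who can grant them.

    `expected` is an optional baseline the reference account itself should
    hold; anything it lacks is reported so the reference can be corrected
    or replaced before access is re-verified.
    """
    reference_gaps = sorted(set(expected) - set(reference))
    # Assumption: the requester is aligned to the corrected reference.
    target = set(reference) | set(expected)

    by_owner = {}
    for entitlement in sorted(target - set(requester)):
        owner = OWNER_BY_KIND.get(entitlement[0], FALLBACK_OWNER)
        by_owner.setdefault(owner, []).append(entitlement)

    grant = by_owner.pop(CENTRAL_IT, [])
    return {
        "status": "correct-or-replace-reference" if reference_gaps else "ready",
        "reference_gaps": reference_gaps,
        "grant": grant,        # central IT can provision these directly
        "route": by_owner,     # these need the owning team to act
    }


def apply_grants(requester, plan):
    """Return the requester's entitlements after central IT's grants."""
    return set(requester) | set(plan["grant"])


# Constructed sample accounts.
REQUESTER = {("okta_app", "Care")}
REFERENCE = {
    ("okta_app", "Care"),
    ("ad_group", "GRP-EXAMS-STAFF"),
    ("care_module", "Prüfungsmanagement"),
    ("jira_board", "Exam Ops"),
    ("dashboard", "Exam KPIs"),
}
EXPECTED = {("ad_group", "GRP-EXAMS-STAFF"), ("ad_group", "GRP-EXAMS-REPORTS")}

if __name__ == "__main__":
    first = plan_alignment(REQUESTER, REFERENCE, EXPECTED)
    print(first)
    # Re-verify after central IT's grants: only owner-side items remain.
    print(plan_alignment(apply_grants(REQUESTER, first), REFERENCE, EXPECTED))
```

Re-running the plan after the central grants leaves only the owner-managed items, which is the state a ticket would record as pending owner action.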
75. Application login errors for services owned by another internal team — routing to the owning service
Solution
IT Operations confirmed that account provisioning and access entitlement for Connectedware/Produktionsmanagementsystem (PMS) were owned by the PMS/product team rather than central IT. Central IT routed affected users to the PMS team's support channels and closed central tickets after directing users to open an access-request via the Connectedware portal or the Produktionsmanagementsystem Fernstudium Jira Service Management instance (atlassian.net), selecting the appropriate access-request category (for example 'Request access to PMS'). Incidents included Okta sign-in failures when users attempted to authenticate with their email as username following PMS access-configuration changes; no detailed error codes were recorded in central IT tickets. In multiple cases the owning PMS/product team later restored access with no troubleshooting or remediation recorded in the central IT ticket; some access requests were declined and central tickets were closed without remedial action (occasionally marked 'Won't Do').
76. Office add-in blocked by required administrator approval (Zebra BI for Office)
Solution
Access failures were resolved after a tenant administrator granted the required application approval/consent or manually added and approved the applications in the Entra (Azure AD) tenant. In one case a tenant admin approved an individual user’s access and a Zebra BI Office add-in sign-in succeeded. In incidents affecting Microsoft Teams apps (Copilot and Shifts), clearing the Teams client cache did not restore access; access returned only after an administrator added the apps and approved the required permissions. In a Funnel.io connector case, the requester and an Entra/Azure AD administrator met and the admin granted the required permissions/admin consent for the Funnel.io Microsoft Ads connector; the connector then successfully authenticated. After tenant-level approvals were applied, users could sign in or complete connector setup and blocked functionality returned.
77. Power Platform environment access blocked by missing environment security-group membership
Solution
Affected users typically regained access after their Azure AD group membership and Power Platform environment membership were reconciled. In environment-scoped incidents a Power Platform administrator refreshed affected users' environment membership from the Power Platform admin center, which restored membership in the environment security group and allowed canvas apps to open. In other incidents a new Azure AD security group was created and tied to the Power Platform environment; that group was used to manage environment membership and Power Platform license provisioning, after which users gained access. For app-level access controls, assigning users to the PowerApp-specific Azure AD groups that controlled the app's access (examples observed: IUG-AAD-ASS-PowerApp-FreelancerInvoicing-AppUser and IUG-AAD-ASS-PowerApp-ModulSkillset-AppUser) restored access when users were missing from those groups. Across resolved incidents the underlying cause was missing AAD group membership or missing Power Platform license; restoring membership or provisioning the appropriate license resolved the issue. In at least one ticket support also added the user to the required group and attempted browser cache/cookie clearing and alternate browsers, but the app page still failed to load and support could not open the link; that case was escalated to the app-owning (LCC) team, indicating that when group/license reconciliation did not restore access the failure could be app- or environment-managed and required app-owner investigation.
78. SaaS team seats/tokens consumed or deactivated causing lost team access (Claude team seats)
Solution
Access incidents were resolved in two ways depending on the cause. When team seats/tokens had been deactivated or misapplied, a Claude specialist restored entitlements by re-adding or reactivating the users' team seats/tokens; affected accounts regained access to shared project spaces, chat history, integrations and normal team functionality. In cases where provisioning failed because there were no available provider licenses, the application team escalated license entitlement with the Claude provider and negotiated additional or reallocated licenses; one reported case remained unresolved at time of closure with no permanent fix applied.
79. Miro Enterprise access missing from Okta dashboard due to license/assignment and approval workflow
Solution
Access was restored by assigning or reassigning the Miro Enterprise application/entitlement to the affected Okta user accounts and ensuring associated license entitlements were present. In multiple cases the assignment followed the organization's access/license approval workflow; an administrator (for example, Michael Lutz) granted the Miro entitlement in Okta and users then saw the Miro tile and could sign in to the Enterprise workspace. One incident involved Microsoft 365 SSO failing and support directed the user to initiate SSO from the institution's Okta portal while an administrator granted the missing Okta app permission; after the assignment the user could access Miro. The common resolution in this pattern was restoration of Okta app assignment/permissions and any required Miro license entitlements.
80. Corporate ChatGPT/OpenAI access requests stuck in approval or invitation workflow
Solution
Requests were completed by ensuring a valid approver was assigned and any vendor invitation was accepted. When Automation for Jira left approval tasks unassigned or approvers could not see actions, support confirmed approval status with approvers, reassigned approval tasks, or assigned an acting supervisor so the workflow proceeded and vendor invites were sent. When Microsoft Forms intake produced no follow-up or showed 'already submitted', support provided the correct account-request link and the user completed the form; access was then enabled. Administrators manually sent ChatGPT/Playground and GPT‑4 invitations or created accounts where automated invitation/provisioning failed, and provisioning and licensing were validated after acceptance. Email delivery and Jira automation logs were reviewed to verify invite and approval actions. Product ownership routing was corrected when requests had been submitted to the wrong support channel. Local client issues were addressed when relevant (for example clearing browser cache resolved an LMS course/completion problem). Internal IU systems outages were recorded as a contributing factor when they blocked account setup; one outage was resolved on 2025-06-16 which allowed the user to complete ChatGPT Playground setup via the provided links. Requests identified as informational or withdrawn were closed; requests where users never accepted vendor invitations remained inactive and were auto‑closed after the 14‑day timeout.
81. AI SaaS account creation blocked by organization-level restriction (Claude)
Solution
Access failures were resolved by either enabling the account within the organization’s SSO environment or by transient backend propagation after SSO enforcement. In one case the user was granted an assigned Claude license and the Claude account was authorized for the institution’s Okta SSO; after those changes the user signed in successfully. In another case a privately purchased Claude Pro account created with a company email became inaccessible when company SSO was enforced; signing in again after the enforcement restored access, and the user regained access to the subscription.
82. SSO access loss due to missing Okta app assignment or group membership and short propagation delays
Solution
Access incidents were resolved in multiple ways depending on cause and affected system. When missing app access was due to Okta assignment or group issues, restoration of the user's Okta app assignment or required Okta group membership, re-enabling the Enterprise application assignment, or completing an Okta account reset restored access. Administrators re-enabled specific applications in Okta for affected users (examples included CARE/AcademyFive and Deskbird). Where provisioning changes were recent, downstream portals typically populated after a short propagation window (commonly 5–10 minutes); some Microsoft365/Co‑Pilot365 cases required up to 15–20 minutes. Separately, a subset of incidents (including a Cursor AI/Claude AI API case) resolved without recorded administrative remediation and reappeared after a longer interval (hours to about a day). After assignments/groups were corrected or the system-side propagation completed, users regained sign-in access and application availability.
83. Vonage desktop app access and account provisioning for Windows 11 users
Solution
A Vonage access/account was created for the affected user in the target environment (Windows 11 when applicable), the access/license request in the provisioning workflow was completed, and the new account record was recorded and linked in Salesforce. When a referenced Twilio account could not be located during provisioning, a Vonage account was created directly to restore access. The ticket was closed after the account and license were provisioned and recorded.
84. Approval workflow mis‑handled (accidental approver action causing state confusion)
Solution
The approver corrected the approval state and the request was recorded as rejected. The approver directed the requester to the institution's ChatGPT information page on the intranet for guidance and offered a direct point of contact (the approver) for any remaining questions. The ticket was closed with the request rejected.
85. ChatGPT Team account migration and chat-history preservation concerns
Solution
The approver executed the approval workflow and triggered an invitation for the user's existing ChatGPT account. The user received the invitation and was informed that their existing chats should remain available after the account is moved to the Team. The invitation was sent and the request was closed as completed.
86. Automation-for-Jira auto-declined Software Catalog requests when approver was missing or unavailable
Solution
Automation-for-Jira detected missing, null, or unavailable approver fields on approval-type application access requests and automatically declined and closed those requests after the platform's 14-day approval timeout. The automation left log entries and posted messages on tickets (for example: "your ticket is missing the approver" and "Your ticket has been 'declined' automatically (14 not approved or approver no longer available)"). In multiple incidents support attempted to change or assign replacement approvers, but when no valid replacement was present or required-role approvals did not arrive the automation still timed out and closed the request. Closed requests could not be reopened and no provisioning or catalog changes were performed. Affected workflows included Software Catalog and individual application workflows such as d.velop, Calendly, Microsoft Bookings, ChatGPT/OpenAI, ScreenPal, Okta, and Salesforce Marketing Cloud (requests referenced Windows 10 and Windows 11). Requesters resubmitted new access requests that specified an appropriate approver to obtain access.
87. Time-limited SaaS account provisioning via approval automation (Storyblok)
Solution
Approval was requested from the configured CC-approver and the Storyblok account was provisioned for irina.simon.ext@iu.org with read access to all DACH spaces. An expiration date was set to end of the calendar year and the user validated access through Storyblok SSO and confirmed via Teams.
88. Staging environment access separate from production (EPOS Stage assignment required)
Solution
Two distinct access causes were handled separately. For EPOS Stage access, an administrator assigned and provisioned the user to the EPOS Stage application in Okta; after assignment the user could open the stage environment from their Okta Dashboard and the access gap was closed. For the Jira Sandbox admin request, support identified the EPOS project (https://careerpartner.atlassian.net/browse/EP) and attempted to copy production data into the Sandbox and mirror project permissions so the requester could operate with admin-level rights for Automation for Jira testing. The Sandbox remained unlicensed (only a Jira Standard license available) which prevented granting the requested admin permissions; no technical change resolved the permission limitation during the ticket and the request could not be fulfilled under the current license state.
89. User moved teams but app permissions already present — Okta dashboard visibility confusion
Solution
Support verified that the user already had the necessary permissions for both Jira and Miro and that the applications were accessible from the user's Okta Dashboard. The user was informed of the Okta-assigned access and subsequently confirmed they could open both applications.
90. SaaS access requests resolved by approver approval and invitation/provisioning (ProductFruits, ChatGPT, Calendly)
Solution
Requests for third-party SaaS access were processed through the Software Catalog approval workflow (often surfaced via Automation for Jira). Tickets were resolved once the recorded approver approved and the vendor invitation or license assignment occurred. After approval: ProductFruits access was added and verified on users’ Okta dashboards; OpenAI ChatGPT team/group-account and ChatGPT Pro invitations/licenses were issued to the requested users (separate from individual Playground access); Calendly invitations were sent; and Lucid Suite (Lucid Spark and Lucidchart) was assigned to users’ Okta accounts. Jira automation sometimes continued to indicate approvals were pending while approvers manually issued invitations or assignments. Some tickets were later auto-closed when users did not confirm receipt of delivered invitations.
91. Access requests stalled by missing or unassigned approver in Automation-for-Jira workflows
Solution
Incidents were resolved by ensuring the Automation-for-Jira approval step referenced a valid approver or by confirming the request had already been processed. Where approval steps referenced no valid approver (empty assignee, unset/hidden manager field, departed or unlinked approver account, or an approval role that had been removed), support corrected or re-linked the approver; once a valid approver was set the approval completed and provisioning proceeded. When an approver declined because they were not the correct approver or were unsure, support recorded the decline and closed the request as Declined. In cases where the approval role had been removed because the request had already been processed, support informed the approver/requester that no further action was required and closed the ticket (sometimes marked Won't Do). When downstream provisioning performed assignments directly, issuing the application assignment through the identity/provisioning bridge triggered delivery (examples: assigning GitLab via okta.iu.org triggered provisioning; assigning Deskbird via the Atlassian API user granted the license). When an identical request had already been provisioned elsewhere the original ticket was closed as Won't Do. When no valid approver existed, requesters were asked to provide an appropriate approver or to resubmit the request with correct approver information; support also offered manual account creation if the requester supplied a reference user and approver confirmation, otherwise tickets awaited requester response and were later closed.
92. Playground Assistant capacity and instruction-size limits causing imprecise responses
Solution
The request was escalated to the owning team and an invitation to join the ChatGPT Team was issued to the requester. The requester accepted the ChatGPT Team invitation, after which the Playground Assistant (KPM Course Finder) delivered the expected capacity and precision and the issue was marked resolved.
93. LMS365 course creation/editing blocked by missing LMS group membership
Solution
The request was escalated to the LMS365 specialist team. A named specialist (Marcel Hebestreit) added the user to the LMS365 groups that granted course create/edit permissions. After group membership was applied the user was able to create and edit courses and the ticket was closed.
94. Trello board admin requests owned by application team — redirect and owner provisioning
Solution
IT Operations confirmed Trello administration was owned by the Team Teaching Formats, advised requesters to use that team's service portal, and forwarded/redirected the request. The Team Teaching Formats completed the provisioning and granted the requested admin rights on the IU_FS Trello board to the specified users.
95. Service account provisioning stalled by missing Workday cost‑centre approver
Solution
The IT team closed the Jira provisioning request and marked it Done without creating the Cloudinary service account. The requester was informed that the Workday cost‑centre manager needed to be corrected and that the Cloudinary account creation request would need to be re-submitted once the Workday cost‑centre/approver information was fixed. No SSO-enabled user was provisioned during the original request.
96. No existing accounts for multiple internal portals (myCampus, EPOS, CARE) — manual account creation and credential provisioning
Solution
Technicians first checked for an existing account and the correct sign‑in location (verified the portal URL and the exact username/email on record) and then provisioned or assigned accounts as required. For myCampus, technicians verified or provided the username tied to the separate myCampus password store and re‑triggered the portal password‑reset flow when reset emails had not arrived; they also validated which institutional email/username was registered and corrected mail routing or activation state when required. For Okta‑integrated services (for example DeskBird, EPOS where applicable), accounts were assigned through Okta and successful sign‑in via okta.iu.org was confirmed; when Okta accounts were present but not activated (which in some cases prevented creation of Helpdesk portal tickets), technicians used administrative channels to activate or provision accounts before proceeding. CARE accounts were created using explicit loginname values. EPOS/Epost access used the IU email address and the existing Okta password mapping so users could sign in with their email; EPOS account information was sometimes reused to complete recognition/application entries, course bookings, or to integrate with downstream services such as EBSCO. LIBF accounts were created by the specialist team when required. Technicians used comparison/reference users to replicate required permissions during provisioning and verified successful sign‑in to the requested portal(s); where users did not confirm permission parity, access was assumed based on the replicated reference configuration. When users reported ambiguous service names, sign‑in locations, or which institutional email to use, technicians requested clarification and corrected the URL/identifier before continuing.
97. 1Password access issues: separate master-password/Emergency Key model and account recovery
Solution
New 1Password accounts were provisioned either by assigning the 1Password application in the identity/provisioning system (Okta), which generated activation/invitation emails that users received and confirmed, or by processing license requests submitted through the application self‑service portal (Atlassian Service Desk). For accounts awaiting activation, administrators unlocked the user’s Okta account and triggered or resent the activation/invitation email so the user could complete activation and access their vault. For users who had forgotten their 1Password master password or Emergency Key, account recovery flows were initiated and recovery emails were sent; access was restored after users completed the recovery link flow. Support clarified that 1Password authentication relied on a separate master password and Emergency Key and was not integrated with SSO/Okta. Where users had a valid license but still lacked access to a specific vault, support confirmed that vault-level permissions were granted by the vault owner (not centrally by the provisioning team); users were directed to the vault owner or designated colleague to obtain vault access. In one instance a license assignment request was processed while access to the OnePortal vault was granted only after the requester was referred to the vault owner for permission.
98. Okta application assignment / user entitlement missing (SaaS provisioning)
Solution
Access failures were resolved by provisioning or enabling the SaaS application in Okta and linking users’ Okta identities to the target service. Technicians assigned applications to users or Okta groups, applied required licenses/entitlements and billing cost-centers, and treated separate application instances (for example prod vs UAT) individually. Where vendor-side SAML was required, Okta app SAML metadata endpoints, sign-on URIs, entity IDs, audience URIs and encryption certificates were supplied to vendors so they could import metadata.xml and accept Okta assertions; product/service accounts and author permissions were created or linked as needed. Locked user or service accounts were unlocked in Okta to restore SSO access. Service and API accounts were granted the application, appropriate API-access permissions, and had API/service tokens replaced when expired or invalid; automation/service accounts were configured per request (for example MFA exemption for automation). Requests to add SAML role assertions (for example assignedRoles in a SAML claim) or to enable SCIM provisioning were recorded and scheduled. In instances where an Okta app tile existed but the service had not yet been initiated, launching the tile triggered the SSO redirect and restored access. Changes typically propagated within about 5–10 minutes and technicians confirmed access restoration before closing the ticket.
99. Okta app access blocked by cost-center / group assignment mismatch (USU)
Solution
Requests to add or enable missing cost-centers for the USU application were escalated to the specialist team. The specialists updated the Okta application/group mapping to include the missing cost-centers (examples included CC16000 "Service Operations" and CC10690 "Teacher Experience"), and in one case the IU-CFCM-Leser mapping was updated. After the cost-center was added to the USU app mapping, users whose access failed because of the cost-center mismatch regained access. For proactive enablement requests (no current access errors), the cost-center was enabled in Okta and the requester performed subsequent group assignments manually.
100. Internal test environment access blocked by pending approval and request channel
Solution
Support advised using the SalesTech Service Portal to submit the access request. Once the request was processed through the portal the Automation-for-Jira approval completed and the SF Test environment access was granted; the ticket was closed.
101. Post-device-change access and application-specific 403 error (EPOS / d.velop)
Solution
d.velop access issues were resolved by performing password resets and ensuring users used their Care/myCampus credentials for EPOS. EPOS account permissions were aligned to a working reference user role; this restored access for multiple affected accounts. In several cases signing out of EPOS and signing back in was required for the permission changes to take effect. Where the HTTP 403 persisted after permission alignment and session refresh, the issue was escalated to the EPOS specialist/application team, who applied a final fix and cleared the error.
102. Corrupted browser profile causing loss of saved credentials and blocked web app access
Solution
Access to affected SaaS (Salesforce, Twilio) was restored by launching the applications through Okta application links which bypassed the corrupted local profile state. Investigation identified the Chrome user profile as corrupted and responsible for lost saved credentials and rendering issues; the profile was deemed unrecoverable. Normal browser-based access was re-established by moving to a clean browser profile (recreating the Chrome profile) and re-authenticating, while Okta links served as the immediate workaround.
103. myCampus staff/backend access missing due to absent staff account or permissions
Solution
Access problems were resolved either by creating a dedicated BackEnd user account and granting the same rights as the referenced staff member, or by assigning the specific myCampus staff permissions to the requester’s existing account (for example, enabling creation of 'Praxisberichte'). The required permission scope was clarified via Microsoft Teams before changes were applied. Requesters were given credentials or confirmed working access after changes; it was documented that myCampus permission synchronization can take until the next day for additional staff options to appear in the user’s profile.
104. SaaS dashboard or workspace access blocked by missing license/entitlement
Solution
Access was restored by assigning the required product entitlements: an administrator granted the DataDog account access so the user could view the Twilio backlog dashboard, and a Confluence product license was assigned to the affected user. Both users tested access and confirmed the dashboards/pages were accessible; license/entitlement propagation was expected to occur within minutes.
105. Salesforce new-user provisioning and credential activation for employee onboarding
Solution
Case owners verified whether a Salesforce user record already existed by searching the org and checking last login. They recorded the new user's full name and approver confirmation when required and created a Salesforce user account and assigned a profile where none existed. Usernames were assigned (not always corresponding to an actual mailbox), and permissions were set; when requested, permissions were copied from a specified reference user. Invitation/activation or password‑reset links were sent to the user's email and provisioning was confirmed. Tickets were closed after the activation/invitation was issued or per the requester's instruction when no login confirmation was received.
106. Service account provisioning for Power Automate / Power Apps automation
Solution
Service accounts in the svc.iu-it.org namespace were provisioned for requesting teams so they could run, transfer, or manage Power Platform automations; requesters were notified and follow-up ownership/usage details were sent by email. When requests involved related services (for example Power BI) or surfaced Microsoft trial-expiration warnings, support verified the service account's Microsoft licensing (for example confirming a Per User Plan license covers Power Automate flow functionality). In at least one case the license verification showed the required functionality was already covered and the trial warning did not indicate an actionable problem, so the access request was cancelled and closed as "Won't Do." Affected systems included Power Platform/Power Automate, Power Apps, Power BI, and Azure AD/Office 365 service account licensing and provisioning.
107. Access requests resolved by sending invitation or direct admin assignment
Solution
Resolutions began with confirming whether the user's account or presence existed on the target interface and then taking the appropriate administrative action. Recorded outcomes included accepting or resending missing invitations, creating accounts when none existed, locating or providing existing usernames/credentials, and directly assigning required roles, permissions, or space/folder membership. In several cases a service account or administrator applied assignments after approvers were identified; one Datadog case required a team lead to name approvers and a DevOps contact before the role was applied. Agents verified SSO/Okta availability for apps (for example confirming Confluence and Salesforce appeared in Okta and that the user was logged into Salesforce) and used platform-specific recovery flows (for example restoring Care access via the myCampus “Forgot Password” flow). Other recorded resolutions included granting Growthbook after invite acceptance, resending internal Playground invites, restoring Adobe Sign by applying required permissions, provisioning Calendly/Zoom and other SaaS accounts by sending invites, and adding users to a Storyblok Forms space. Where resource names were ambiguous, agents clarified folder or SharePoint names to locate the correct target. One resolution required hardware provisioning: a purchase order was created, hardware was ordered, automatic credential dispatch was configured, and credentials were subsequently sent to the user. In some cases the absence of a reference-user entry (for example in OTRS) indicated access was not required and the ticket was closed as no-action-required.
108. Temporary admin-elevation option not visible in portals — Self Service app required
Solution
Temporary administrative elevation was provided through the Self Service application in Okta. In the Presenter App case, support opened the Self Service app in Okta, selected the temporary admin entry (30‑minute elevation), and the user completed the Logitech Spotlight Presenter installation. For Adobe Creative Cloud/InDesign on Windows 11, support assigned the user to the Okta group IU‑ZZ‑OK‑ASS‑Adobe‑Creative Cloud to grant the Creative Cloud license and had the user install Creative Cloud/InDesign via the Company Portal while signed in with their IU email and Okta password; the license assignment plus installing via the Company Portal addressed the access/licensing and privilege errors. Where installations reported “higher privileges” errors, the Self Service temporary admin elevation was the mechanism used to obtain the required local admin rights.
109. Okta account state or credential reset required after unexplained SSO login failure
Solution
Two primary resolution patterns recurred. In many incidents technicians verified the user’s Okta profile and application assignments, triggered an Okta account reset, and the user completed the activation/reset flow after receiving the Okta email; SSO authentication then succeeded. In other cases a simple re‑authentication at the Okta portal (okta.iu.org) or confirming application access via the Okta Dashboard restored access without a full reset. Incidents involving Workday and Fonto TEAC required additional coordination: support sometimes added the user as a ticket participant or confirmed Workday application visibility in the Okta Dashboard, while Fonto issues that were outside Okta ownership were routed to the Fonto support team (projekt-teaq@iu.org). Several tickets described activation/reset links that failed to open or were not acted on by users; those cases often remained unresolved when users did not follow the link. A subset of incidents showed passwords out of sync between Okta and other identity sources (for example Windows/Microsoft authentication or Workday-backed identities), which was documented in ticket notes and in some cases required cross‑team coordination to investigate; outcomes were not always recorded when the user’s state persisted. Affected targets included Atlassian/Jira, Workday, Fonto TEAC, Office, MOSES, course‑management tools, and VPN.
110. Access requests for SharePoint‑managed resource ('Index') pending approval outside IT
Solution
Support determined the affected resources were governed by the SharePoint site or area owners and therefore could not be provisioned by central IT or via the Automation for Jira workflow. Requesters were informed that access had to be granted by the site/area owner using the site's access-request mechanism or site-specific access-request form; for the Index resource support provided the SharePoint page URL (https://iubhfs.sharepoint.com/sites/IUG-Knowledge/SitePages/DS-Regeln-in-der-STudienberatung-.aspx) as the correct request location. When a site owner could be contacted directly, they granted the required permissions (for example, edit rights on the Mitarbeiterliste), resolving the issue. Automation for Jira entries remained in an awaiting-approval state and access was provisioned only after the site/area owner approved the request; when support could not identify the owner because they lacked access to the area, users were advised to contact the site owner or their manager.
111. Access blocked by missing group membership, Okta app enablement or reference-user permission mapping
Solution
Access issues were resolved by ensuring the user identity, application assignments, group memberships and identity-source mappings were consistently provisioned and by correcting any missing licenses or MFA registration. Specific fixes observed across incidents included: enabling the application's Okta SSO assignment; adding users to Learning Hub or application-specific SharePoint groups; adding the Okta group into Atlassian Access when an Entra/AAD group existed but the Okta identity was not mapped; correcting Atlassian references to an outdated external address so authentication redirected to the current identity endpoint; creating Salesforce accounts with the same permission set as the referenced user and allowing the approval step to complete; assigning the correct Microsoft 365/Power BI license or ensuring the user signed in with an organizational account to remove the “upgrade to an account” prompt; and installing or registering MFA clients/devices (for example, installing Okta Verify Desktop or registering the provided YubiKey) when MFA device registration was missing or the Okta Verify client was not running. Changes were given time to propagate (typically ~5–10 minutes) and access was rechecked after propagation.
112. Stage environment access to third‑party testing tool required vendor invitations
Solution
Access was granted by sending Mailtrap environment invitations to the affected users. Invitations included the environment link and any usage instructions required; recipients confirmed access and the blocking for Stage E2E testing was removed.
113. Application access blocked by missing assignment or unapproved provisioning request
Solution
Access for affected users was restored after administrators directly granted the required application entitlements or approved pending provisioning requests. In reported cases admins assigned users to the Abrechnungs‑App and to Jira and users confirmed access worked after a short propagation delay. In a separate incident where a user could not open a web access link, restoration coincided with escalation to the user’s team lead and direct contact between support staff and the user; the user later confirmed access was restored.
114. SSO login failure caused by account deactivation after prolonged inactivity
Solution
Affected users’ Salesforce accounts/Okta entitlements were re-enabled by an administrator. In successful cases the account reactivation propagated shortly afterward and the user launched Salesforce from the Okta dashboard (SSO) and access was restored. Some tickets recorded only the reactivation action without a confirmation of successful login; in those cases support also instructed the user to sign in to the institution’s Okta dashboard and launch Salesforce from there, and requested the exact error message when sign-in still failed.
115. GitLab repository access requested via Atlassian service portal
Solution
Support provisioned the GitLab application via Okta when a user’s account or application assignment was missing. For repository-level access, support confirmed whether project membership existed in GitLab and whether a project-specific Atlassian/Jira access request had completed; where requests were pending, approvers or admins processed approvals (in one case via Jira automation) and repository owners or DevOps granted the requested membership (for example, viewer access). In cases that produced “Not Found (gitlab.com)” errors or failed link opens, support verified the repository URL and informed the requester when the provided link was incorrect. Tickets were closed after the GitLab application assignment, approval workflow completion, correct repository membership, or corrected link restored access to the repository.
116. Broad myCampus authentication outage caused by faulty deployment
Solution
Investigators correlated the authentication errors with a recent deployment and identified a faulty deployment as the root cause. Functionality was restored after the faulty deployment was reverted/fixed and system health returned to normal; monitoring showed the error rate subsided and normal login behavior resumed.
117. EPOS access failures due to account profile or missing EPOS-specific permissions
Solution
Access and functionality issues in EPOS were resolved by restoring each affected account’s EPOS-specific state and permission set to match a known-working reference account. Technicians compared Okta and EPOS account configurations against colleagues with the same role and reproduced failures via the Okta EPOS tile and via Salesforce to confirm scope. Remediations included correcting incorrect EPOS profile fields (for example wrong email), removing invalid field values, and adjusting or removing incorrect Okta group assignments to mirror the correct configuration. Missing EPOS-specific permissions and incorrect role/group assignments were provisioned or removed to restore required edit rights (for example enabling write access to the Finance/Finanzreiter tab, document-management modules, or Studierenden Verwaltung); changes that required specialist handling were forwarded to the specialist team for direct processing. For multi-user incidents, teams coordinated bulk role/permission assignment and compiled lists of affected user accounts/email addresses for the specialist team to apply changes. Affected users were asked to sign out and sign back in; authentication mismatches and HTTP 403 errors cleared after re‑authentication and session‑cache refresh, and permission and role changes were given time (typically ~5–10 minutes) to propagate before re‑login. Reports of identifier mismatches from third‑party systems (for example CARE ID) were recorded alongside account-state fixes so the source of identifier changes could be investigated while access was restored. Some tickets were root-caused to permissions/role differences but were closed before changes were applied; those recommended coordinated role assignment and collection of affected-user lists for bulk remediation.
118. Power BI / Power App dashboard sharing for academic users using IT groups and RLS
Solution
Access was planned to be granted via IT-managed Azure AD/ALEA security groups (the IUG-AAD-DYN-M365-Sharing-AcademicTeacher group was referenced) so that professors and lecturers received view-only entitlements to the specific report. Guidance and configuration focused on applying group-based sharing and Row-Level Security (RLS) to prevent access to pages with student personal data, coordinating changes through the ALEA group management flow and the relevant service mailbox.
119. Atlassian site access denied despite Okta SSO and asset assignment
Solution
Investigators confirmed the Okta Atlassian asset and IUG-Atlassian-SSO assignment were present but observed two distinct causes that resolved these access failures. In some cases the Atlassian account did not have Site Access at the Atlassian site level; granting Site Access in the Atlassian site admin console restored portal access. In other cases users remained signed in with sessions that did not reflect current permissions; a full sign-out and subsequent sign-in via Okta refreshed the session and allowed access to Confluence spaces. Each remedy was verified by the user regaining access after the respective action.
120. User/employee visibility missing in Academy Five due to location-specific permission
Solution
It was confirmed the manager's default location was set to 'Distance Learning' and the employee lacked access permission for that location. The employee was granted the required 'access' permission for the 'Distance Learning' location in Academy Five and subsequently appeared in the schedule, restoring the manager's ability to approve leave.
121. Developer access provisioning in vendor DB portal (MongoDB Atlas) for collection-level use
Solution
DevOps provisioned the requested MongoDB Atlas (account.mongodb.com) developer access and granted the user authorization to the specified target databases (reportserver and reportbuilder) and collections consistent with the referenced user. The user confirmed they could access the Atlas account and collections after provisioning.
122. GitLab access activated by enabling the Okta GitLab application for new user
Solution
Support enabled the GitLab application on affected users' Okta accounts (okta.iu.org) and assigned GitLab licenses when required; those access changes propagated within the typical 5–10 minute window. When access requests were stuck in pending approval, support corrected approver assignments or completed the approval in the workflow (for example Jira automation) so the Okta app assignment could proceed. For accounts that had been created outside Okta or where SSO was not yet provisioned, support unlocked SSO or routed the request to the DevOps Service Desk to provision or link the account. Support also advised users to link their GitLab account to the institutional IU group (https://gitlab.com/groups/iu-group) when applicable. Cases that produced unexplained errors immediately after accepting GitLab’s Terms of Service were escalated to DevOps for further investigation. The same Okta app-assignment and approval-check process was applied when granting access to other institutional applications (for example AWS or integrations used for deployments such as Salesforce).
123. SSO group assigned but no provisioned user account in target SaaS (SSO authentication without app user mapping)
Solution
Support confirmed Okta authentication had succeeded but access failed because the SaaS did not map the SSO identifier to an active local account, the local account was inactive or unlinked, the SSO identifier (username/email) differed or contained a typo, provisioning/import runs had not yet created the account, or the user’s org membership or license had been lost after an email/username change. Incidents were resolved by one of the following corrective actions depending on the SaaS onboarding model and root cause: administrators created or reactivated the local SaaS account and associated or relinked the Single Sign‑On ID/email to that account (examples: re‑adding and linking a Miro account; restoring a license after an email change); where onboarding was automated, access became available after the provisioning/import run or after support manually triggered an Okta user‑import/task so the user record imported immediately (Workday example); directory email/identity mappings were corrected or duplicate external accounts were consolidated/enabled so the SaaS could match the SSO identifier (GitLab contractor example); in cases where the assigned SaaS username differed from the user’s email, the username/email mapping was corrected and the user regained access (Salesforce example). Tickets also showed app‑specific misleading errors (Datadog “Unknown User…”, SAML‑membership errors, Port.io “access_denied” with 404, verification codes delivered but login still failing, and forgot‑password emails not received). Where a SaaS required its own access request process, support redirected requesters to that portal and some tickets were closed after no response. Overall, resolution required aligning the SaaS account/organization/license state with the SSO identifier or allowing provisioning/import propagation to complete.
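The root causes listed above can be told apart by comparing the identifier the IdP asserts with the account list exported from the SaaS. The following is an added example, not tooling from the tickets: all names (IdpUser, SaasAccount, triage) and the example.org records are constructed, and it assumes both sides can be exported as plain lists. Near matches are reported for manual review only and never linked automatically, because an automatic link could attach a login to another person's account.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class IdpUser:
    login: str                   # identifier the IdP sends as the SSO subject
    previous_logins: tuple = ()  # earlier addresses, e.g. before a name change


@dataclass(frozen=True)
class SaasAccount:
    username: str
    active: bool = True
    licensed: bool = True


def _norm(value):
    return value.strip().lower()


def _near(a, b, threshold=0.85):
    """True when two normalized identifiers share a domain and the local
    parts differ by what looks like a typo."""
    local_a, _, dom_a = a.partition("@")
    local_b, _, dom_b = b.partition("@")
    if dom_a != dom_b:
        return False
    return SequenceMatcher(None, local_a, local_b).ratio() >= threshold


def triage(user, accounts):
    """Return (finding, matched SaaS username or None) for one IdP user."""
    by_name = {_norm(a.username): a for a in accounts}
    login = _norm(user.login)
    acct = by_name.get(login)
    if acct is not None:
        if not acct.active:
            return "inactive_account", acct.username
        if not acct.licensed:
            return "license_missing", acct.username
        # Some services compare the SSO identifier case-sensitively.
        if acct.username.strip() != user.login.strip():
            return "case_mismatch", acct.username
        return "ok", acct.username
    # Account still stored under an address the user had before a rename.
    for old in user.previous_logins:
        acct = by_name.get(_norm(old))
        if acct is not None:
            return "legacy_identifier", acct.username
    # Likely typo: report the candidate, but only when it is unambiguous.
    near = [a.username for name, a in by_name.items() if _near(login, name)]
    if len(near) == 1:
        return "identifier_mismatch", near[0]
    if near:
        return "ambiguous_near_match", None
    return "no_local_account", None


def triage_all(users, accounts):
    return {u.login: triage(u, accounts) for u in users}


# Constructed sample data (not taken from any ticket).
IDP_USERS = [
    IdpUser("anna.meier@example.org"),
    IdpUser("ben.schulz@example.org"),
    IdpUser("carla.nowak@example.org", ("carla.braun@example.org",)),
    IdpUser("dev.contractor@example.org"),
    IdpUser("emil.vogt@example.org"),
    IdpUser("Fatima.Kaya@example.org"),
    IdpUser("gero.lang@example.org"),
]
SAAS_ACCOUNTS = [
    SaasAccount("anna.meier@example.org"),
    SaasAccount("ben.schultz@example.org"),            # typo on the SaaS side
    SaasAccount("carla.braun@example.org"),            # pre-rename address
    SaasAccount("dev.contractor@example.org", active=False),
    SaasAccount("fatima.kaya@example.org"),
    SaasAccount("gero.lang@example.org", licensed=False),
]

if __name__ == "__main__":
    for login, (finding, match) in triage_all(IDP_USERS, SAAS_ACCOUNTS).items():
        print(f"{login:32} {finding:22} {match or '-'}")
```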
124. SaaS access tied to legacy email after legal name/email change
Solution
Support determined that affected users' application accounts remained associated with their prior email identity, and resolution varied by application. In one ChatGPT Playground case support removed the old account entry, created a new account/entry for the user's current email, and sent an invitation to the updated address which restored access. In a PMS case the account was still linked to the old email and support referred the user to the application owner’s service portal so the application team could update the account email; access was restored after the app team updated the record. In a myCampus case the stored myCampus email differed from the user’s Microsoft 365 address, causing password-resets to be delivered to an unavailable address; support instructed the user to authenticate to myCampus via the Okta dashboard and access the myCampus app while signed in with the existing Microsoft 365 account, which restored access without updating the app-stored email. Resolution paths therefore included reprovisioning or recreating the account by support, sending an invitation to the updated email, referral to the application team/service portal to edit the account, or using SSO (Okta) to bypass app-level password-reset/email mismatches when supported by the application.
125. Application edit/repository permissions missing (Confluence, GitLab)
Solution
The incidents were resolved when the application owners/admins granted the appropriate application-level permissions to the affected users. Confluence editing rights were assigned by the Confluence space admin (Stefan Amarasinghe) and GitLab project/repository access was granted by the GitLab owner/admin (Ramazan Arslan), after which users could edit pages or access the GitLab resources.
126. Account invitation email delivered to junk/spam preventing onboarding (1Password)
Solution
Support resent the 1Password invitation to the user's email address, which restored the normal account-join workflow after the new invitation was received in the user's inbox.
127. Lost Confluence spaces and Jira boards after extended absence (SSO/assignment propagation)
Solution
Support restored Confluence visibility by granting the user general Confluence access so the missing spaces could be re-added to the user's view. Jira access was restored after the user signed in via the Okta dashboard, logged out and back in, and allowed a short period for Okta/SSO provisioning changes to propagate; subsequent login presented the normal Jira boards. No further remediation was required.
128. Access requests for non‑IT‑managed systems (Workday) redirected to product support
Solution
IT support identified that Workday access and administration were handled by HR rather than IT. Requesters were informed which team owned Workday permissions and directed to the HR Workday support mailbox (wd-support@iu.org) for permission changes or administrative questions; IT then closed or relinquished the ticket. When Automation for Jira recorded a 'pending approval' status, IT noted the approval workflow was external and that follow-up needed to occur with the HR/Workday support channel or the listed approver. In cases where requests were misrouted to other product teams (for example EPOS), IT recorded the misrouting, advised the requester to contact HR for Workday access, and closed the ticket. Some tickets were closed automatically after a period of inactivity (system-marked Done after 14 days); they could be reopened if the requester replied within the system's reopen window (7 days).
129. Scheduled/integration service inactive blocking Twilio Power Outbound calls
Solution
The request was forwarded to the specialist team, who confirmed the user already had a Twilio account, granted/activated Twilio access for the user, and ensured the Power Outbound service/process was started and running according to its schedule (service run scheduled from 10:00). The user tested after the scheduled start time and confirmed calls were arriving, which resolved the issue.
130. Missing Jira project permissions blocking basic ticket operations
Solution
Access failures were resolved by ensuring the user had an active Jira account and by assigning appropriate project- or board-level permissions and roles so users could view, create, edit, assign, download attachments, and transition issues. In Service Portal cases, the Jira Service Management role was applied when required. External-collaborator incidents were resolved by granting external access and, when multiple email addresses existed, applying permissions to the Jira account that matched the user’s Jira identity, to avoid giving access to the wrong address. Several incidents were traced to conflicting project-role assignments (for example, a single user assigned both Member and Developer); removing the conflicting role and setting the correct project role restored access. License assignment was applied when required. Account and permission changes typically propagated within a few minutes. Board-level access for specific boards was sometimes managed separately by project owners.
131. SSO provisioning mismatch causing 'Unknown User' error in Datadog
Solution
Okta-to-Datadog provisioning mismatches were resolved by reassigning the Datadog application to the user's Okta account and allowing Okta provisioning/synchronization to complete (several hours). After the sync the user appeared in Datadog user management and an invite was re-sent to the user's email; accepting that invite activated the account and restored SSO access. In one incident a technician recreated the Okta user account, which also restored Datadog access, but the same recreation produced a brand-new Miro user without previous boards or edits; those Miro resources could not be restored by IT and required re-invitation by the board owner(s).
132. Missing Okta app assignment or account linking preventing dashboard access (Lucid, GitLab)
Solution
Affected applications were assigned to users' Okta accounts via the Okta Dashboard, which made the app tiles available and, when applicable, provisioned new service accounts. For Lucidchart, assignment in Okta provisioned access once any portal approval completed. GitLab users who had pre-existing standalone accounts required linking those accounts to Okta/SSO; the portal assignment plus account-linking restored normal SSO access. Several tickets reflected access requests that were pending approval in the Okta portal; completion of the assignment resolved those gaps. In one case the user's Okta record remained associated with an old email address, and correcting the Okta email/association and adjusting the Service Portal/Atlassian account mapping restored SSO access.
133. Jira Service Management access redirected to Service Portal due to missing product entitlement
Solution
The incidents were resolved by granting the affected user a Jira Service Management product entitlement on their Atlassian/company account (site access). After the JSM product license was provisioned on the user account, direct Service Desk links opened the Service Desk interface, portal entries (including Service on Campus) became visible and clickable, and assigned project roles functioned as expected. In these cases the root cause was that product-level Jira Service Management access had not been provisioned during onboarding despite correct project role assignments.
134. Existing account regained access after password reset or invite delivery
Solution
Support verified that affected accounts already existed and restored access by reissuing password‑reset emails or application invitations. When an account had an incorrect or outdated email, support updated the account email and then sent a fresh reset or invitation; when users had not completed an initial reset/invite, a new notification was sent. Okta‑managed access used Okta password‑reset emails; application access used email invitations (for example, Growthbook) and, in one case, a new d.velop invitation was issued. When users could not initiate a password change or create a ticket, support waited until the user was online and performed live troubleshooting to investigate and resolve authentication (for example, Atlassian/IUGroup) while confirming successful sign‑in. In situations without a prior ticket or notification, support located the account by the reported email address before reissuing credentials; users confirmed receipt of reset/invite emails and subsequently regained access.
135. App access restored by assigning app roles/groups or enabling SSO entitlement
Solution
Application owners or administrators granted the missing resource permissions and entitlements. Examples from these tickets: the SharePoint site access was granted by the site administrator; SF Macros permissions were enabled for the named users by the Macros administrator (Sarah‑Maria Vogel); a security‑group owner added the user to the InvoicingApp access group; the Deskbird Okta application was activated for the user's Okta account; and EPOS staff and employee roles were assigned to the new developer. Users confirmed access after group/role changes propagated.
136. SaaS access contingent on formal Software‑Request approval
Solution
The user was informed that an approved Software‑Request was required and provided the Software‑Request form link. After the Software‑Request was submitted and approved through the service portal, access credentials for the SaaS (Calendly) were issued and the user gained access.
137. Sandbox / Playground account provisioned by manual invitation
Solution
Support sent a Playground invitation email from the application owner (Vogel, Sarah‑Maria) to the requester (Ester), which provisioned the Playground account and allowed the user to access the environment. The ticket was closed after the invitation was sent.
138. LMS course content and progress not visible due to missing LMS permission group
Solution
Support added the user to the LMS permission group (LMS Gruppe). This change restored access to IU Learning Hub / LMS365 course items and Microsoft Teams–hosted materials, and allowed learning progress to be recorded rather than appearing as "not completed." The ticket status was updated accordingly. For membership or dynamic-group issues that prevent permission-group assignment, the People Projects team (people-projects@iu.org) was identified as the owner to adjust or investigate group membership.
139. Onboarding bulk SaaS access requests with Salesforce provisioning needing a reference user
Solution
IT provisioned the requested accesses for Miro, Salesforce, Jira and Confluence and added the user to Canva. As part of the Salesforce setup process the IT team requested a Salesforce reference user to complete role/profile mapping. The user was asked to verify that all requested accesses were available post-provisioning.
140. Existing SaaS account but user unable to sign in due to credentials (password reset resolved)
Solution
Support confirmed an active account record for the user in the target SaaS and issued a password reset link. The reset link was delivered to the user and the requester confirmed restored access after completing the password reset process. No further configuration or role changes were required.
141. Access blocked until both Okta SSO entitlement and application-owner group membership were provisioned
Solution
Access was restored by ensuring both the user's Okta SSO entitlement and the application-level GitLab group membership were provisioned. In practice, ITOPS enabled the user's Okta SSO entitlement so the user authenticated via corporate SSO; DevOps then adjusted project access or added the user to the appropriate GitLab group to grant repository and package access. In one incident a 404 on the iu.tech site was resolved after the user switched to Okta SSO authentication (and/or DevOps adjusted GitLab access). DevOps support was engaged when application-level changes were required.
142. Department‑managed course app (Charly) linked from MyCampus but access controlled by Exams Office
Solution
Support determined the affected applications were managed and provisioned by the Zentrales Prüfungsamt (Exams Office) rather than central IT, so central IT could not create accounts, assign roles, or grant application licenses. Reported symptoms varied: external apps showed a 'start a free trial' prompt when institutional SSO or entitlements were not provisioned, users saw 'You are not authorized to view this portal' when accessing the Prüfungsamt Jira Service Management board, platform functionality or user profiles were inaccessible, and some instructors were signed in with student roles (e.g., Moodle mod_quiz). Access and functionality were restored after the Prüfungsamt provisioned the required accounts/licenses or corrected role/enrollment assignments on the respective platform; instructors regained grading privileges once roles were fixed. Users were referred to the Prüfungsamt service intake (Jira Service Management at atlassian.net) or to Exams Office contacts (zpa-dualesstudium@iu.org, akad-pruefungsamt@iu.org, lehrende-pruefungsmanagement-dualesstudium@iu.org) for provisioning and entitlement requests. When the application was outside central IT responsibilities, support sometimes closed tickets after making the referral.
143. SaaS access requiring vendor/portal provisioning or separate SelfService request
Solution
Cases were resolved by recognizing two distinct provisioning models and following the model each product required. For vendor‑provisioned products, Okta group membership alone did not create an active application account and requests were handled through the vendor or an Application SelfService portal (for example, a Port.io request submitted via the Atlassian service portal was processed and closed as Done; Marketing Cloud provisioning required the external Marketing Cloud request portal and the vendor request link was provided). For products that supported self‑signup, access was resolved by the user creating an external account (for example, the user created a free Figma account with team‑lead approval attached).
144. Invitation-based SaaS access blocked by undelivered invite (resend resolved)
Solution
Incidents were resolved by one of two primary outcomes observed across tickets. In many cases support reissued the missing email link (a resent invitation, password-reset email, or access-token/reset link restored onboarding or account access). In several incidents the invite or reset had been routed to spam/quarantine or labeled as phishing by the mail client; admins resent the invite after confirming the quarantine and advised recipients to check Spam/quarantine folders. In other cases users gained access by signing in through the identity provider portal (for example, Okta SSO granted access to JFrog) which bypassed the undelivered email flow. One ticket recorded forwarding the issue to vendor support and a vendor agent sending a reset link directly to the user. Support sometimes could not locate the originally sent message because sent-items copy was not enabled, which was noted during troubleshooting.
145. Jira board/project access controlled by board/project owner rather than central IT
Solution
Support verified that affected users had an active Atlassian account and valid Jira/Mondayboard product access, and granted product access when it was missing. Investigation showed the incident was isolated to a company-managed board/project whose membership, browse, and watch permissions were controlled by the project/board owner rather than by central IT; granting product-level access alone did not enable viewing or watching issues. Incidents were resolved when the project owner added the user in Project settings > People (Users and roles) and assigned a role that included Browse Projects/watch rights (for example, Browser/Viewer). When the project owner could not be identified from platform metadata, agents advised contacting the tenant/Jira admin to identify or assign an owner or requested the requester supply the owner contact; some tickets were closed after 14 days with no response. Tickets were closed after product access was granted when applicable and after users were informed that owner-controlled membership was required to view/watch the project or issues.
146. External/guest myCampus account access restored via password‑reset for temporary lecturers
Solution
Support verified that the external lecturer account was still active (christian.mayer.ext@iu.org) and confirmed account validity. The lecturer was instructed to use the myCampus 'forgot password' flow to set a new password and regain access; the ticket was closed after this guidance.
147. GitLab repository access granted by group membership
Solution
Access was restored either by adding the user's account to the IU GitLab group/organization or by re-granting the user's project-level permissions in GitLab. In some cases users had submitted requests via the DevOps Portal (Atlassian Service Desk) and access was fixed after the account was added to the group; in SSO-related cases administrators re-applied project permissions which resolved SSO login/access failures. Systems involved included GitLab and the institution SSO; after permissions were updated users confirmed they could access the repository or project and were directed to verify their GitLab group or project membership.
148. Viva Goals blank/white page in browser resolved by private mode or Teams app
Solution
Support confirmed that licensing and group membership were correct. The immediate workaround that resolved the blank page was opening Viva Goals in Microsoft Edge InPrivate mode. An alternative workaround that also worked was using the Microsoft Teams Viva Goals app. Clearing the browser cache or using private/incognito mode was recommended if the issue recurred.
149. Onboarding access gaps when specific applications or reference users were omitted from the request
Solution
Investigators confirmed the application had been omitted from the original onboarding request and no reference-user mapping existed. The missing SaaS application (GitLab / Miro) was manually enabled/assigned in Okta for the user; the app became available within minutes after assignment. Requesters were informed to include specific applications and a reference user in future onboarding tickets so standard app entitlements are provisioned automatically.
150. Login failures caused by local SaaS password changes instead of using Okta SSO
Solution
An administrator issued a Salesforce password reset and informed the user to sign in via the Okta SSO portal (okta.iu.org), where no separate Salesforce password is required. After the reset and guidance to use Okta SSO, the user's access was restored and the ticket was closed.
151. OpenAI / ChatGPT access provisioned via vendor invitation email
Solution
When vendor invitations were missing, blocked, or invalid, administrators generated and sent the vendor invitation to the user’s corporate email and resent fresh invitation links (sometimes more than once) when original links had expired or failed. Support checked provisioning and access-request systems and, when an account already existed for the user, closed the ticket without issuing a new invite. Email delivery was confirmed and delivery issues were addressed (including routing to Spam/Junk). Support handled request‑form states that incorrectly showed completion by manually dispatching the vendor invite. In cases where vendor signup required mobile phone/SMS verification and users lacked a company mobile device, support re-sent the invite and advised users to provide a private/personal mobile number so the verification step could be completed. Access was provisioned after users accepted the vendor invitation and finished account setup (including any required phone verification).
152. Care: granting cross‑location access for centralized B2B Customer Service team
Solution
Care administrators updated the affected user accounts to grant cross-location and cross-regional access and to restore missing section-level permissions (notably the 'Prüfungsleistungen' / Examination results section) and role assignments in Care Admin and Academy Five. The permission and role changes were applied by the Care admin (Mike Möhling) and took effect immediately or after the users signed out and signed back in; users confirmed access afterward.
153. Access requests blocked by user confusion and duplicate tickets when some entitlements already existed
Solution
Support reviewed ticket history and system entitlements, confirmed that GitLab and AWS memberships were already present for the user, and granted the missing Confluence access. Duplicate tickets were identified and consolidated; the user was notified of the existing provisioned access, the newly granted Confluence entitlement, and that the outstanding request was closed.
154. Access to corporate ChatGPT/OpenAI blocked by missing invitation or pending approval
Solution
Access was restored when an administrator sent the organization-level ChatGPT/OpenAI invitation to the user's corporate email. The user accepted the invite and confirmed they could access the corporate ChatGPT account; the ticket was closed after confirmation.
155. Internal developer tool and documentation access blocked by missing Okta tiles or group assignment
Solution
The users' accounts were granted the required application permissions and group memberships and new Okta application tiles were added to their Okta dashboards. After the assignments and providing the Okta portal link where applicable, users were able to open Jira and view Conductor/Kafka events and the Syntea documentation in GitLab.
156. Conduktor (Kafka topics) access required platform‑owner permission assignment
Solution
Access failures were resolved by ensuring the Conduktor SaaS entitlement/application was assigned in Okta and allowing Okta application assignments time to propagate (about 5–10 minutes). Where users could authenticate but could not view topics, the platform owner granted topic‑scoped Kafka permissions (for example, Student Enrollment topics). Conduktor admin requests were resolved by adding users to the Conduktor Okta admin group / assigning the Conduktor admin role. Support also assigned Conduktor licenses (and Figma licenses when requested). Dev-auth (auth-dev) account provisioning was treated as out of scope and was referred to the DevOps/service owner.
157. Installed client but no provisioned account or license (VPN / workspace apps)
Solution
Access failures were resolved either by provisioning missing accounts/licenses and granting required permissions after obtaining administrative approval, or by directing users to the correct service sign-in endpoint. Named administrators assigned NordLayer and Deskbird licenses/accounts and granted Twilio Flex access on user profiles; once provisioning completed, users were able to sign in. In some Twilio/Flex incidents the problem was resolved by having users sign in via the Twilio Flex URL (https://flex.twilio.com) or an alternate Twilio sign-in link when the standard portal failed. These incidents commonly occurred during onboarding or role changes and were closed after confirmation that provisioning or the correct sign-in endpoint allowed successful authentication.
158. Platform license granted but board/workspace permissions still owner‑controlled (Miro)
Solution
General Miro access was enabled by assigning a Miro license to the user's Okta account. It was noted that, even after licensing, access to particular boards could still require the individual board owners to grant explicit permissions.
159. SharePoint site access denied despite 'Contribute' permission
Solution
Access was restored by increasing the user's effective site permission level from Contribute to Edit by adding the user to the site’s default Members group; the original Contribute grant remained but the Members-group Edit membership produced the needed access. This membership change was applied and verified on the Syntea (Synthetic Teaching) SharePoint site. One additional ticket recorded UI symptoms (missing top navigation/menu and an 'enable Office Graph' prompt) and a failing Okta dashboard link; that ticket noted access was restored but did not document the remediation steps.
160. Private SaaS instance access required vendor invitation link
Solution
Access was restored either by issuing invitation links for the organization's private SaaS instance or by confirming that the SaaS did not apply to the target resource. Administrators generated and sent invitation links (examples observed: Growthbook and d.velop); recipients used those links to create/activate accounts and join the workspace, after which access was granted. In other cases an investigation found no account or site entry in the vendor dashboard (example: ViewNeo) and the device's content was updated locally via USB, so SaaS access was not applicable and no invitation was issued. These outcomes applied to single or multiple users and did not require changes to SSO configuration.
161. Shared mailbox visibility in Outlook required admin grant plus user-side mailbox addition
Solution
Administrators granted the user permissions to the shared mailbox on the mailbox object. After the admin-side permission assignment, the user gained access by adding the shared mailbox to their Outlook client (per Microsoft support guidance). The combination of admin grant + user-side mailbox addition resolved the access issue.
162. External instructor using private/non‑corporate email unable to sign in to Okta, Office and myCampus
Solution
Support inspected sign‑in history and confirmed prior successful logins, then generated and sent password‑reset/activation emails for Okta and myCampus when users had incomplete activation flows. For one incident support identified that external‑lecturer license assignments had been changed, which disabled desktop Office apps while web access remained; an admin re‑applied/reset the appropriate license assignment and desktop Office functionality was restored. Teams/Exchange access and Moodle/myCampus were checked for inconsistent credential acceptance (cases were observed where an older password still granted access via MyCampus/Teams while direct office.com access required the newly set password). Vendor‑managed billing/Abrechnungstool issues were communicated to the vendor and considered out of scope for internal SSO support. Several tickets remained awaiting user action when users did not complete the provided password reset/activation steps.
163. macOS local admin privilege required for installing Teams/npm fulfilled via temporary SelfService elevation
Solution
The user was added to the Mac admin group which made the SelfService 'Admin for 30 min' app available. The user launched the 'Admin for 30 min' app to obtain temporary administrator privileges and then successfully installed Microsoft Teams and npm.
164. Expired or invalid SaaS activation link preventing Datadog access despite Okta tile visibility
Solution
Support reviewed Okta provisioning records and the associated service request state and either re‑completed or re‑issued the account activation/invitation so a fresh confirmation email was generated; after the re‑invitation processed, users reported access was restored. In at least one incident where the emailed activation link redirected to the institutional login and would not accept credentials, support instructed the user to sign into Okta and launch the application from its Okta tile (SSO), which immediately restored access without issuing a new invitation. Incidents commonly involved Okta provisioning's time‑limited confirmation window (typically ~3 days) causing unconfirmed accounts to present as login failures; account renaming or username mismatches were suspected contributors in some cases.
165. Salesforce onboarding: permission mapping via comparison/reference user
Solution
Support used an existing Salesforce reference user where available: support searched for the nominated account and replicated the reference's profile, permission-set assignments, approver settings and public-group memberships to the requester account. The same reference-user mapping was applied for console/organizer access (Service Cloud, Marketing Cloud) and for access needed to retrieve DWH source data. Specific missing permissions were added when required (for example granting the DMSD permission to create Selbstzahlerverträge). When a valid reference user was missing or the reference had outdated/incomplete permissions, tickets were escalated to SalesTech or permissions subject-matter colleagues who identified the correct role and permission mapping and applied the changes. When frontline support lacked the privilege to modify rights (being limited to account creation), requesters were directed to submit a SalesTech Service Portal or Jira Service Management request and the SalesTech/permissions team applied the permission changes. For integration-related requests (for example read-only access so EPOS staff could open linked Salesforce records), approvals were recorded in tickets but support repeatedly requested a valid reference user before provisioning; provisioning actions and approvals were recorded in the ticket when completed, though some tickets lacked technical steps or were closed for inactivity.
166. Missing Okta application assignment blocking SSO access to SaaS apps
Solution
Issues were resolved by ensuring the user had the required Okta Enterprise Application assignment or membership in the SSO group for the target service. Support located the user in the Okta Admin Console and either assigned/activated the relevant Enterprise Application (examples: Monday.com, OneTrust, Microsoft 365, Confluence, or Okta‑integrated AWS apps such as aws.CP.AIG2M.Dev) or added the user to the designated Okta SSO group for group‑based integrations (examples: Atlassian/Jira and Storyblok; IU‑ZZ‑OK‑DYN‑Atlassian‑SSO). Several tickets noted that product licenses (for example Jira) were already provisioned but SSO access remained denied until the application assignment or group membership propagated. When an application tile was not visible in the user’s Okta Home, support verified that the user could authenticate to Okta and used the Okta Dashboard group listing to access the application while investigating; after assignment or propagation completed, users authenticated via Okta SSO and reached the target application. In one Confluence case support assigned/activated the Confluence app in Okta and directed the user to check the Okta portal for the tile.
167. Application access controlled by separate product owner (non‑IT) requiring requester redirection
Solution
Support determined that the two applications were managed by the LCC team and informed the requester that access must be requested from that owning team. The ticket was closed after advising the user to contact LCC for the app‑level permissions required for course assignment and scheduling.
168. New hire unable to sign into Okta/Microsoft 365 due to initial account/authentication state
Solution
The issue was resolved by sending a password‑reset link to the employee’s registered recovery (Gmail) address. After the user reset their password via that link and completed an initial Okta sign‑in, Microsoft 365 access succeeded via Okta SSO.
169. Product-level account provisioned but content/site access remained owner-controlled
Solution
Product-level entitlements and accounts were provisioned (Confluence, SharePoint, Salesforce, MyCampus). In each case the remaining blocker was content-level permissions controlled by space/site/course owners: Confluence and SharePoint access had to be granted by the space/site owners, and MyCampus/Salesforce visibility was aligned by using a supplied reference user. IT created the accounts (Salesforce password-setup email sent) or assigned the product entitlement, requested a reference user where needed, and confirmed that after owners copied/assigned the matching content permissions the users could access the requested pages/courses.
170. Okta application assignment, external‑user provisioning and SSO login loops
Solution
Access issues were resolved by provisioning or assigning the target applications and licenses within Okta and by creating/activating target‑system accounts for external collaborators. Temporary access was granted by assigning the Okta application with an expiration date (example: Deskbird access set to expire 28‑Feb‑2025). For external/consultant Atlassian users an Atlassian account was created and a password‑reset/invite link was delivered to the consultant's private email, and users experiencing a login loop were routed to the IU Service Portal/Okta tile so Atlassian SSO mapped correctly to their IU session. Requested Confluence, GitLab, Figma and Lucidchart entitlements were assigned in Okta so the developer could sign in via the institution SSO.
171. Access blocked by missing invitation or site‑owner controlled invite links
Solution
Access was restored by ensuring outstanding invitations were delivered or by having site owners/site administrators issue invite links and add users to site membership. For the d.velop portal a new invitation email was triggered and delivered; in at least one case an incorrect approver attribute on the user record was corrected before the invitation was sent so the portal accepted the access change. For SharePoint affected site owners or administrators issued invite links and added users to the site; in several cases users were directed to ask someone who already had access to identify the site administrator because IT support could not grant site access directly. After invitation emails or links were delivered and any approver/permission attributes were fixed, users confirmed successful access.
172. SharePoint booking portal and embedded PowerApp access requiring site/App-owner permissions or AAD security-group membership
Solution
General SharePoint access to the TeamsProvisioningAdmin/booking portal was granted by IT. For PowerApp or area-specific permissions that were owner-controlled, the site/app owners were engaged and users were added to the owner-managed group. Where required, a new Azure AD security group was created and populated with members from the Teams channel and project owners were assigned (owners set as requested). Adding the user to the group that had the PowerApp permissions restored the denied booking/PowerApp actions and the requester confirmed access.
173. SharePoint thesis-submission workflow with directory-based supervisor/student access
Solution
A SharePoint-based submission workflow was implemented that created one entry per thesis (displayed as tiles). Staff could look up the supervisor and student via the directory when creating an entry; the system granted both the selected supervisor and the student access to the thesis-specific SharePoint folder and provided the student with a submission link. Permissions were scoped per entry so supervisors could access submitted files and students could upload only to their assigned folder, meeting the requested data-protection and access requirements.
174. Microsoft Bookings access lost after account converted from cloud-only to AD-backed (license propagation issue)
Solution
Support identified that the user account had been migrated from cloud-only to an AD-backed account and confirmed the user needed the AD-based A5 group license that includes Bookings. The A5 group license was assigned to the AD account and time was allowed for license assignment and propagation. After propagation completed, Bookings access and edit capabilities were restored and verified with the user.
175. Microsoft Loop access requiring admin enablement/whitelisting
Solution
An IT administrator enabled and whitelisted the requesting user for Microsoft Loop. After the user was provisioned/whitelisted for Loop, the user confirmed that Loop access worked successfully.
176. Cloudya phone features missing after department transfer (function keys unassigned)
Solution
An administrator updated the user’s Cloudya profile by adding and configuring the missing function keys in the Cloudya WS Südwest system. The configuration changes propagated within a few minutes and the user confirmed the phone features were working afterwards.
177. Salesforce login failed when password-reset link was broken — Okta SSO tile used to regain access
Solution
Access was restored by signing in to Okta and launching Salesforce from the Okta dashboard tile; Okta SSO authenticated the user and opened Salesforce without requiring a local Salesforce password reset. This approach resolved cases where the Salesforce password-reset email contained an expired or non-functional link and browser-based attempts (cache clearing, alternate browsers) had not worked.
178. Salesforce Case field visibility missing due to mismatched user permissions and manager‑approved change
Solution
Investigators compared the affected user's Salesforce permissions to the colleague's and confirmed the user lacked the same access needed to view Quality Codes. The incident was converted to a Service Request because the permission change required manager approval. After the manager approved, the user's Salesforce permissions were adjusted to match the colleague's permissions. The user was then able to process Cases and view the Quality Codes.
179. Atlassian Jira board access blocked by board-level lock requiring owner grant
Solution
The board was confirmed to be in a board-level locked state that required an explicit access grant from the board owner/administrator. Support verified the requester’s membership on the Jira board but found the required board permissions were not assigned. The board owner/administrator granted the missing board-level permissions on the Jira instance, after which the requester’s access to the board and its tickets was restored.
180. Learning Hub (LMS) course access controlled by HR provisioning
Solution
Investigations produced two common resolution outcomes. In cases where course entitlements were controlled by HR, support determined that access had to be provisioned through HR provisioning; HR required the LMS correlation ID, timestamp and the user’s email, and handled requests via the people-projects@iu.org mailbox. In other cases support corrected Azure AD configuration—either by adding the LMS course/application entry (recorded as “LMS Kurs im AAD”) or by adding the user to the Azure AD group that grants intranet/Learning Hub access—which restored access. Tickets were closed after confirming access or after notifying users when no further response was received.
181. Expired 1Password activation link prevented account setup; recovery link restored access
Solution
Support verified the 1Password account state, found the account already activated, and sent a 1Password recovery link so the user could set a new password. The recovery link allowed the user to regain access and the ticket was closed.
182. PDF editing access requests resolved by internal PDF Creator alternative
Solution
The user was advised to install PDF Creator 24 from the Company Portal as it provided the required PDF editing tools. Support confirmed that the alternative met the user's needs provisionally and kept the option to enable Adobe Acrobat if the portal-provided app proved insufficient.
183. Automated test-account email contained blank credentials; account not found in CARE or Salesforce
Solution
Support attempted to locate the user in CARE and check the linked Salesforce Opportunity but could not find the person and lacked Salesforce access to investigate further. The technician documented that CARE exposes usernames when searched by AcID/MNR/full name and that stored passwords cannot be read (only reset). As an immediate workaround the requester manually sent the missing access credentials to the user so the test account could be used; the ticket was closed after the manual delivery.
184. Calendly invites and group membership caused invisible users; individual developer accounts requested
Solution
Support validated which individuals required their own Calendly access and provisioned individual accounts for the named developers. The team reconciled Calendly group membership and admin assignments so invited users became visible in the correct group rather than being hidden by the duplicate/group‑membership configuration; access was confirmed for the requested users.
185. Approval‑routing error in Automation-for‑Jira blocked SaaS provisioning
Solution
The ticket was updated to assign the correct approver in the Automation-for-Jira workflow, which generated a new approval request. Once the proper approver reviewed the request, the application owner granted the DataDog entitlement via Okta and the user was authorized to access the requested dashboard.
186. Missing Okta-assigned SaaS access (account not provisioned or tile not launched)
Solution
Access was restored when the user’s Okta account and entitlements were provisioned or corrected so SSO entitlements and application tiles appeared on the Okta dashboard. Common fixes that resolved incidents in this category included assigning or enabling the Okta SSO entitlement for the affected user, completing a Self Service access request in the IT Service Portal that received the required cost-center manager approval (which auto-provisioned the app tile), and provisioning or correcting the user’s registered email in the service portal/Okta so the user could sign in. Specific product actions recorded: administrators activated entitlements for GitLab and Confluence; Deskbird was enabled so it launched correctly from the intranet and Teams; assigning Salesforce to a user’s Okta dashboard removed repeated Microsoft Authenticator re-authentication in intranet/Teams flows; and SharePoint permissions surfaced through the CARE integration were restored when SSO succeeded but content access returned “access denied.” Okta entitlement changes typically propagated in about 5–10 minutes. Separate space- or product-owner approvals could still be required for access to particular areas or content. (One matched ticket recorded the symptom but contained no actionable resolution details.)
187. Internal wiki edit permissions were owner‑controlled and required owner grant
Solution
Edit access was granted by the page owner (Sarah‑Maria Vogel) on 2024‑08‑13 at 09:10, after which the requester (Klaudia) acknowledged having the required edit permissions on 2024‑08‑16. The change resolved the inability to edit the wiki page.
188. Datadog access stalled by pending approval and incomplete account verification
Solution
Access was granted after the Automation-for-Jira approval step was processed and the Atlassian provisioning API assigned the Datadog application to the users. For one onboarding case, Conduktor was also enabled in Okta. Users were required to complete Datadog's verification email; the Datadog tile appeared in Okta and access became available after verification. Remaining service requests (Sentry, AWS, JFrog, SonarCloud) were escalated/handed off to the DevOps team for their separate provisioning workflow.
189. Salesforce access failures: missing Okta tile, password reset and UAT account provisioning
Solution
Support initially issued Salesforce password‑reset links and recommended signing in via the institution's Okta 'My Apps' SSO tile. When users did not receive password‑reset emails or could not reset a password, administrators verified and re‑enabled/provisioned the Salesforce application assignment in Okta so the Salesforce tile appeared on users' dashboards; affected users then regained access via Okta SSO without requiring a password change. For UAT/testing access, administrators created UAT accounts and sent verification emails when they had environment access so users could complete activation. In cases where support confirmed they did not have access to the UAT environment, support could not create or manage UAT accounts and users were directed to the Salesforce team for account recovery or new UAT access. For new hires, Salesforce access was provisioned and accounts were aligned/mapped to a reference user to replicate required permissions. Twilio telephony access requests were recorded and handled separately when applicable.
190. M365 Copilot access blocked by automated license provisioning and missing service‑portal request
Solution
Support determined that Copilot licenses were provisioned by an existing automated workflow. The issue was resolved by having the user submit the designated 'Copilot for M365' provisioning form in the IT service portal (Jira Service Management) and complete the required Learning Hub introductory course; completion of the form and course triggered automatic assignment of the Copilot entitlement. The ticket was closed after the user was informed that the license had been assigned.
191. Vendor document system access granted by account provisioning (d.velop)
Solution
Support resolved d.velop access issues by ensuring users had active, provisioned d.velop accounts or valid invitations. In some incidents a new d.velop account was created and provisioned for the user, after which access to vendor-hosted applicant documents was confirmed. In other incidents support resent the user’s d.velop invitation and asked the user to accept it; tickets noted follow-up for confirmation and were closed when no response was received. Access was confirmed after account creation or after the user accepted the resent invitation.
192. Team membership blocked by missing Team owner and broken approval workflow
Solution
The approver mapping in the Automation for Jira workflow was corrected. Where the Jira approval UI could not be used, an approver left a manual approval comment which was accepted. Team ownership/admin rights were adjusted so the requester could add the new member, and the pending SharePoint approval was completed accordingly.
193. Access and permission alignment when multiple reference users or duplicate accounts exist (ePost / Epos)
Solution
Support requested a reference user and performed targeted account discovery (including alternate names and emails) to locate any existing EPOS/Care account for the colleague. When an existing account was found, support reconciled and adjusted that account's project-level roles and permissions to match the supplied reference user's permissions. For EPOS Service Desk access issues, support confirmed that entitlement to the Service Portal Overview correlated with visibility of the EPOS Service Desk portal and ensured EPOS Project access/roles were granted where missing. The work addressed cases with multiple existing accounts and varying roles (several roles per account), handled batch provisioning for multiple employees, and users were then asked to verify portal visibility once changes were applied.
194. SSO login succeeded but workspace/space access remained owner‑controlled (Storyblok)
Solution
SSO authentication was confirmed in all incidents, but access failures were traced to application-level authorization rather than SSO. Incidents were resolved by one or more of the following actions as appropriate to the application: completing outstanding application-request approvals in the Jira automation; assigning the application or entitlement to the user account (Storyblok assignments were performed via the Atlassian API in documented cases); and administrators or content owners granting required permissions or space membership directly within the application (examples: Storyblok spaces, Lucid spaces). For integrated services surfaced through a parent app (example: Cloudinary via Storyblok), access was restored by granting the appropriate permissions inside the parent application. Confluence page and workspace access was controlled by Confluence site owners rather than central IT, so affected users required site-owner page/workspace grants even when they held valid Confluence licenses. In several incidents granted permissions only became visible after propagation delays; after approvals, assignments, or owner/site‑level membership grants and any propagation completed, users regained visibility of the requested spaces or pages. Technicians sometimes escalated to subject-matter teams when they lacked permission to modify space membership; in at least one case the affected account was deprovisioned as a final action recorded in the ticket.
195. GitLab account provisioning and Okta-backed GitLab Pages authorization
Solution
Users were given GitLab accounts and the GitLab application was assigned to their Okta profiles when account or app assignment was missing, restoring repository and collaboration access. For the iu.tech GitLab Pages site, Okta SSO was integrated with GitLab so site authorization was fulfilled via GitLab (backed by Okta). In cases where requesters already had GitLab accounts but still could not view site content or handbooks, DevOps granted the required repository/Page permissions. Support also advised users to link their Okta accounts if access issues persisted. Access was confirmed for the requesters and tickets were closed.
196. Adding SaaS Enterprise apps to a user’s Okta dashboard during onboarding
Solution
Access issues were resolved by enabling or unlocking the product’s Okta Enterprise App for the affected user and confirming any required product license was assigned. In several cases the user’s Okta account entry for the app was unlocked rather than re-provisioned. Users were informed that provisioning or unlock changes typically required a short propagation window (~5–10 minutes) before SSO access became active. It was also noted that granting product-level access via Okta did not modify owner-controlled content permissions inside the target product (for example, Jira board membership remained controlled by app owners/approvers).
197. Confluence access request failed because user lacked a product license at time of request
Solution
Access failures were resolved after a Confluence product license was applied to the affected account and license mapping/assignment issues were corrected. In cases where the original access request had been made before the license existed, users either retried access after license propagation (changes took effect after approximately one hour) or re-submitted the access request so the space owner could manually approve it; once the license was present and the request was approved, permissions propagated and access became active. Incidents also noted approver-side delivery/availability problems (for example, mailbox visibility) that had delayed manual approval prior to license assignment.
198. Access request where the user already had an account
Solution
Support confirmed the user’s account and the required permissions already existed in the target system (for example, Jira) and in the organization’s SSO/IdP (for example, Okta). The user was advised to sign in through the IdP/Okta dashboard and then successfully logged in; no additional provisioning or entitlement changes were required and the ticket was closed. This pattern frequently appeared during onboarding requests where access had been pre-provisioned.
199. GitLab access restored by assigning application entitlements
Solution
Support identified the affected accounts and re‑granted the GitLab Enterprise application/permissions in the identity/access management system. After the GitLab application was assigned to the users' IAM accounts, support verified successful sign‑in and repository access.
200. Automated provisioning blocked by incorrect or missing approver in entitlement workflow
Solution
Support changed the approver configured for the application's approval workflow and granted the requested entitlement. After the approver setting was adjusted and the application access was assigned, the affected users could sign in and access the application.
201. Corporate ChatGPT setup failures resolved by reissuing invitation
Solution
Support verified that no active account or organisation membership record existed in the corporate provisioning directory (either because the original invitation had expired or because the user’s membership had been removed). Support reissued a fresh corporate OpenAI/ChatGPT invitation via the organisation’s invite/SharePoint process; in observed cases a new invitation (sometimes issued more than once) produced a working link. The user accepted the latest invitation and completed registration or regained organisation membership; tickets were closed after successful signup.
202. Onboarding and staging/dev environment access provisioning for multiple tools
Solution
Support verified the user’s profile and provisioned application access for available tools, and offered password‑reset links where applicable. CARE and EPOS (production and staging) access were granted. Monitoring access was aligned to Datadog (Logz.io had been discontinued) and Datadog entitlements were issued where appropriate. For centrally managed or team‑owned services (Okta‑provisioned apps, GitLab repo access, DevOps portal items, Egencia, Conduktor, MyWorkday, Miro, Lucidchart) requests were routed to the owning teams or processed through the normal onboarding provisioning channels. The OpenAI Team account was identified as managed by the ALM team and the request was forwarded to ALM for assignment. JetBrains IDE access (DataGrip, PyCharm) was located in the Service&support 1Password vault but had not been officially handed over; this was recorded and escalated so the vault handover or credential transfer could be completed. Remaining tool entitlements followed the standard onboarding provisioning process.
203. Requested access for an unsupported/alternate vendor (Cloudya) closed after confirming team uses different telephony
Solution
Support reviewed the request, confirmed the Studienberatung team used Twilio for telephony, and therefore did not provision a Cloudya account. The Cloudya request was closed with that explanation.
204. Stalled Automation-for-Jira application requests resolved by manual app assignment
Solution
Pending application requests in the Automation-for-Jira approval workflow were resolved by completing the Application Request and assigning the SSO Enterprise Application to affected users through the Atlassian application-assignment flow (Atlassian API / Application Request). Where the Automation-for-Jira approver notification had been sent but not acted on, administrators performed a manual assignment after prompting or reminders. Once the assignment was confirmed by Atlassian/Okta, users regained access and the application tile became available on their Okta dashboard. Affected examples included Storyblok, Datadog, and Salesforce Marketing Cloud.
205. Existing Salesforce account access restored via password reset and Okta/portal sign‑in guidance
Solution
Support confirmed that a Salesforce account already existed for the user, triggered a password-reset email, and advised that Salesforce is also accessible through the Okta dashboard and the company intranet. Access was restored after the user completed the password reset and used the recommended sign-in paths.
206. EPOS role/permission discrepancy resolved by backend role propagation
Solution
Support inspected affected accounts' EPOS role attributes and group memberships and compared them to reference accounts to confirm discrepancies. Resolution outcomes varied: in some incidents missing roles later appeared when backend role propagation completed even though no explicit configuration change was recorded; in others an administrator directly added or adjusted EPOS groups/permissions. In a subset of requests support did not implement changes (requests were closed as declined/'Won't Do') and access remained unchanged. After any backend or administrative changes, access typically returned once roles propagated and the client picked them up — changes usually became visible after users signed out and signed back in (commonly after ~5–10 minutes). Client-side browser caching sometimes caused the UI to continue showing the old permission state or produced transient unspecified errors immediately after group assignment; retesting in a different browser or in private/incognito mode or clearing browser cache/cookies made permission changes visible.
207. Vendor‑managed delayed account creation for Egencia (onboarding latency)
Solution
Incidents were traced to four recurring causes and resolved as follows. Vendor-side onboarding latency: Egencia sometimes created accounts but completed activation only after the vendor’s provisioning window (typically 2–4 days); access was confirmed once the account appeared in Egencia or the vendor activation email was received. Okta provisioning-group issues: support restored access by adding users to the required Okta SSO group and coordinating with procurement so the vendor activation/instruction email was issued; access was confirmed after users completed the vendor’s activation steps and launched Egencia via Okta Dashboard SSO. Workday entitlement problems: Egencia provisioning and SSO access were blocked when a user’s Workday entitlement or access was missing or incorrect; restoring the Workday entitlement allowed Egencia to provision the account and restored access. Provisioning-source / bulk-upload domain mismatches: some bulk-uploaded accounts were created with the wrong corporate email domain (for example LIBF vs Walbrook), which prevented vendor-side matching and caused authentication/authorization failures; access was restored after the account email/domain was reconciled with the provisioning source or vendor records and the vendor issued the activation. Tickets also showed that Workday could list a user as eligible before Egencia provisioned the account, and that vendor-side staff availability sometimes delayed issuance of the activation email; in those cases admins followed up with the vendor contact and applied the vendor-provided fix, after which user access was restored.
208. Immediate access granted by manual app assignment or admin unlock (Atlassian API / Okta)
Solution
Support resolved access by performing a direct assignment or unlock through the platform admin interfaces: the Atlassian API system account assigned Atlassian apps to users where Automation-for-Jira approval was pending, and Okta administrators unlocked or provisioned Monday/Deskbird via the Okta app assignment. The assignments propagated to the user’s Okta dashboard (access typically visible within ~5–10 minutes) and Automation-for-Jira indicated the user as assigned before the tickets were closed.
209. Atlassian account and content-permission gaps for users and contractors
Solution
Provisioning and permission fixes were applied per case: an Atlassian user account was created for the external configurator using the provided external email and the account was provisioned; the account was configured to send the password-reset email to the user’s private address on the scheduled start date. For an inability to view Confluence content, the Confluence access permission was added to the user’s account and the user was instructed to re-login. For a Mondayboard/Jira access request, Jira permissions were granted for the specific user, and the requester was advised that access to particular boards/spaces remained under the board owner’s control.
210. Expired one-time access links for bot/service accounts
Solution
The support team identified that the original one-time access link had expired (the environment used two-week validity for one-time links). A new one-time access link and password were generated and sent for the bot account (CPG-UiPath-BC9@sv.iu-it.org), and access was confirmed after the new credentials were used.
211. Salesforce in‑app feature permission (Callout Builder) granted by admin
Solution
Requests for Salesforce UI or object access were resolved in two ways depending on support privileges. When support staff had the required Salesforce administration rights, the necessary permission(s) were added to the user’s Salesforce profile (examples confirmed: Callout Builder access, contract-creation permissions) or read access was assigned to dashboards, reports, and report folders. When support lacked the required privileges, users were directed to submit the request through the SalesTech Service Portal and existing approved users were cited as precedents. Multiple tickets noted an Automation-for-Jira approval entry remained marked 'awaiting approval' even after the permission had been applied and the user confirmed access.
212. Okta-linked GitLab account locked — admin unlock restored group access
Solution
Access failures were resolved by actions on the GitLab account associated with the user’s Okta identity. When a GitLab account was locked, administrators unlocked the GitLab account linked to the Okta user; group and project access typically returned after a short propagation delay (~5–10 minutes). When Okta-launched GitLab redirected users to unexpected 404 pages, unlocking or correction of GitLab provisioning/permissions was performed and access restored after propagation; in several cases administrators could only perform the initial unlock and advised users to open a DevOps ticket because the GitLab application and deeper provisioning/permission fixes were managed by the DevOps team. When GitLab two‑factor authentication stopped working (commonly after a machine change), DevOps reset the user’s GitLab 2FA credentials and adjusted account permissions as needed, which restored access. Some tickets included unrelated access requests (for example AWS) in the title but no AWS-specific symptoms were recorded.
213. Okta SaaS application provisioning requests: assignments applied or deemed unnecessary
Solution
Outcomes varied by request: the Freshdesk Okta application was assigned/enabled for the named user and access was confirmed; multiple new CST Nord employees were added to Calendly by the platform owner/admin and accounts were provisioned; a request to add Salesforce/Salesforce UAT for an API test account was reviewed and the account was already present in Salesforce, so no Okta change was required and the request was closed as Won't Do.
214. Developer tool not configured for corporate SSO (invitation-only access)
Solution
The request was declined because the Cypress instance did not support corporate SSO. Support clarified that the product was invitation‑based and access had to be granted from within the Cypress tenant (an existing teammate needed to send an invite). No Okta/SSO assignment could be applied.
215. Missing Okta application entitlement or provisioning causing login failures
Solution
Access was restored after the application entitlements were applied in Okta and account permissions were updated. For GitLab an administrator granted the requested access/permissions to the user account. For Miro the application was enabled on the user's Okta assignment and access returned after a short propagation delay (5–10 minutes).
216. SSO login succeeds but specific in-app features require product-owner role assignment
Solution
Support confirmed affected users could authenticate via SSO and access Okta/application tiles, then traced the failures to application-side entitlements rather than to SSO. Missing field or UI element access in Salesforce was enforced by Salesforce permissions and field‑level security; those requests were routed to the SalesTech Service Portal and, when the responding team lacked permission to change Salesforce settings, tracked via Automation for Jira. A Marketing Cloud case showed that users could log into Salesforce but received application-side errors when opening the Marketing Cloud tile; local admins revoked and re-granted basic Marketing Cloud permissions without resolving the error because additional product-owner entitlements were required, and the user was directed to SalesTech. In the IU Shop example a cost-center payment permission had not been assigned by the product/application owner at account creation. In a Vonage case the account was created with a Supervisor role instead of Admin and recorded calls were hidden until account-specific toggles under Accounts → Interaction Content were adjusted by the application owner; support recorded the assigned role in Salesforce and the user confirmed recordings after the owner changed the toggles. Across these incidents no changes to Okta/SSO were required when authentication and tile access were functioning; resolution involved application-owner or product-owner permission changes or requests handled by the application teams (SalesTech or equivalent).
217. GitLab SSO access denied due to missing Okta app assignment or OAuth email-visibility
Solution
Access was restored by provisioning the GitLab Okta application to the affected user accounts so the SSO-linked GitLab account was created/linked. In the case where OAuth failed because the GitLab email address was not publicly visible, an administrator re‑authorised the user in GitLab (after correcting the account visibility/state), which reinstated the user’s permissions. After the app assignment or re‑authorization, users regained access to their GitLab groups and projects.
218. Internal tool access provisioned by platform owners with environment scope and reference-user permission mapping
Solution
Access issues were resolved by engaging the owning platform/DevOps teams and providing the specific scope and mapping details the owners required. For Metabase, requesters were asked which environment(s) and a reference user; DevOps granted the requester the same groups/permissions as the reference user (Anton) limited to the prod environment and asked whether additional environments were needed. For Conduktor, the owning contact enabled the user’s account (enabled 2024-05-27) and the user confirmed access two days later. For GitLab repository permissions, support confirmed repository-level and group-role management was owned by DevOps and advised the requester to submit the group-addition request through the DevOps Core Service Desk / Jira Service Management so DevOps could add the “IU Group / DWH” group with Developer role to the specified repositories.
219. Application visibility restricted to a specific corporate account/tenant
Solution
Support confirmed the Engage app was only available to the LIBF/libf account identity. The user signed in with their LIBF account and reported the Engage app was then visible and usable, after which the ticket was closed.
220. Invitation-based SaaS account provisioning for vendor-hosted services (no existing account/invite)
Solution
Where the root cause was missing vendor-side provisioning, an administrator issued the vendor invitation to the user's corporate email; the user followed the vendor-provided signup link, completed account setup, and subsequently verified successful login to the service. In an additional matched case involving an SSO-integrated training app (Cascade) and Okta, support logged troubleshooting and recommended verification steps around SSO/account provisioning and invite delivery, but no confirmed resolution was documented in the ticket.
221. Software provisioning via application Self‑Service / Service Desk portal
Solution
The user was directed to request the application through the organisation's application Self‑Service portal (service desk submission). The service‑desk request was processed via the provided Service Desk link and the application access/provisioning was completed through that workflow. The ticket was marked Done after confirmation.
222. Access owned by People Projects / HR or non‑IT teams requiring request redirection
Solution
Support confirmed that the requested course access was owned and provisioned by People Projects / HR (sometimes managed under the People Products team). The user was directed to the owning team's contact channel (people-projects@iu.org or people-products@iu.org) to request enrollment or obtain access credentials for HR-controlled learning platforms, including external providers such as Haufe Akademie. In cases where onboarding automations appeared stalled, Automation for Jira showed an 'approval pending' state that indicated the request was awaiting the owning team's action. The ticket was closed after the user was advised to contact the owning team for provisioning.
223. Internal portal or project visibility missing due to entitlement mismatch with reference users
Solution
Support compared the affected account to reference user(s) and identified missing entitlements and/or group memberships. Where entitlement parity differed, the user's account entitlements were aligned to match the reference user, portal visibility settings were reapplied, and the user was added to the required project/role; dashboard tiles and project access then appeared. For cases where automation failed, diagnostics revealed a missing Azure AD/Entra permission group that should have been granted by Workday; support corrected the provisioning mapping or triggered a reprovision/sync and/or directly added the user to the Azure AD group, which removed the 'Access Denied' errors and restored intranet access.
224. Confluence environment access vs. page‑level restrictions
Solution
General Confluence access to the environment was enabled for the requested users. It was noted that most pages are available to all users, but pages protected with page‑level restrictions remained controlled by the page owner/creator; those restricted pages required the page owner to add users directly. No further action was taken after the confirmation period.
225. Salesforce direct-login blocked by missing Salesforce-specific security answer
Solution
An administrator initiated and sent a Salesforce password‑reset email to the user. The user completed the reset, configured the required Salesforce authentication (security question/answer), and regained access. Support also clarified that Salesforce direct-login depended on the Salesforce password/authentication setup independent of Okta SSO.
226. Product-level entitlements and account upgrades applied by specialist teams (Figma, Adobe Creative Cloud)
Solution
Support routed these requests to product/application specialist teams, and the specialists applied backend entitlements or account-level permission changes. For Figma, specialists either upgraded the user account to enable plugins and team-sharing or granted admin-equivalent workspace permissions so the user could create and edit teams/orgs; affected users confirmed the restored functionality. For Adobe Creative Cloud, specialists granted the backend license/entitlement and users then installed the Creative Cloud entry from the Company Portal and signed in with their corporate credentials; the suite and individual apps became available.
227. GitLab SSO access denied due to missing Okta app assignment or non‑public GitLab email
Solution
Support assigned the GitLab enterprise application to the affected Okta user account, which immediately restored SSO access. In one case the incident record also noted the user's GitLab profile email was not set to public, which was identified as an additional factor preventing SSO account mapping. After the Okta application assignment was applied, users regained access.
228. M365 Copilot license/access request pending enterprise rollout
Solution
The ticket was closed after communicating that Copilot for M365 was scheduled for rollout the following week and that an intranet announcement would publish the process for obtaining licenses once the service went live. No immediate provisioning was possible prior to the official rollout communication.
229. Okta dashboard tile missing despite existing service account (SSO app not assigned)
Solution
The Okta Enterprise Application was located in the Okta Admin Console and explicitly assigned/activated for the affected user accounts. Approver mapping for the Marketing Cloud request was adjusted where it prevented assignment. After the app entitlements were saved, Okta dashboard visibility and SSO launch were confirmed with the users.
230. 1Password account unrecognized after long inactivity or email/name change
Solution
The 1Password access was re-provisioned for the user: the 1Password application/access was reassigned and a new automated account email (with access details) was sent to the user. The reassignment restored the user's ability to sign in.
231. Miro access blocked by deactivated account or missing team invitation
Solution
Account-assignment and visibility issues were resolved by administrative or automated provisioning actions. Deactivated or unassignable Miro accounts were reactivated/unblocked by administrators, which restored sign-in access and returned the Miro app to the user’s Okta application listing. In one case the application assignment was completed through the organization’s Application Self Service automation (approval routed to the designated approver), and that assignment restored access. Where users had no paid seat, reassigning a free Miro license restored limited access (view/comment/edit existing boards but not create new boards). Team membership problems were resolved when an existing team member or board creator sent a team invitation; after receiving the invite the user gained access to the team. Requests for paid/full licenses were handled via separate software/license request workflows.
232. Figma Developer Mode access gated by product expert enablement
Solution
Two resolution paths were observed depending on the root cause. When the symptom was a missing Developer Mode entitlement in the Figma instance, a Figma specialist enabled/granted Developer Mode for the affected users; those users then confirmed Developer Mode and related integrations (fonts/features) worked. When the symptom was an unprovisioned development account or when provisioning required organizational approval and budget clearance, the request was moved into the account-provisioning/approval workflow and an approval/budget ticket was created; no direct provisioning was performed in the original ticket and the original ticket was closed/marked Won't Do while the provisioning approval proceeded.
233. Access requests closed when required approver was missing in Automation-for-Jira workflow
Solution
Approver fields and request metadata were reviewed and an approver entry was adjusted in the system. Automation for Jira had flagged the request as waiting; because no approval was received, the ticket was closed without granting access. The requester was informed that a new access request specifying the correct approvers (team leads or cost‑center managers) and routed to the responsible fulfillment team would be required.
234. Missing SSO tile, vendor invitation or product license blocking SaaS sign‑in
Solution
Access was restored by addressing the specific entitlement, invitation, or vendor-side gaps observed: the Salesforce Marketing Cloud application tile was added and assigned on the user's Okta dashboard so SSO could launch; a replacement OpenAI/ChatGPT invitation link was generated and sent after the initial invite failed; a Jira product license/entitlement was enabled on the user's Okta account and access normalized after a ~5–10 minute propagation; an expired Cloudinary account‑setup/invitation link was reissued. StoryBlok access failures were attributed to document‑level permissions or an inactive/paid subscription (login prompted for a payment plan); the StoryBlok ticket recorded that the issue was resolved but lacked documented remediation steps.
235. Intermittent redirect to IT Service Center when opening Jira Service Management link
Solution
The user retried accessing the Jira Service Management link and confirmed that access then worked; the intermittent redirect did not recur and the ticket was closed after user confirmation.
236. Automating Azure AD security‑group membership from LMS365 course completion (Power Automate)
Solution
The flow was activated after the Fabric Copilot course was published and the course ID/container URL was obtained from People Experience. The existing Power Automate draft used the LMS365 CourseCompleted webhook trigger and the trigger condition was updated to target the specific course ID. The flow was connected to Azure AD to add learners to the designated security group (iug‑aad‑ass‑fabriccopilottestgroup) and the mail-template decision was clarified with the course owners before enabling the flow.
237. Miro access problems: Okta app assignment vs board‑level permissions
Solution
For users missing the Miro tile, access was resolved by assigning the Miro Enterprise application to the user's Okta account so the SSO tile and provisioning became available. For board‑level access, the board owner granted full access to the requester (the Research Team board owner applied the permission change), after which the user confirmed access was working.
238. GitHub access provisioned via DevOps Service Desk (Jira Service Management)
Solution
Access was granted after a formal GitHub access request was submitted through the DevOps Service Desk (Jira Service Management at atlassian.net) and processed by the DevOps team. The ticket noted that creating and submitting the service‑desk request, followed by the service desk’s approval/provisioning action, resulted in the user receiving GitHub access.
239. Vendor/brand‑platform managed shop access and cost‑center billing permissions
Solution
Support verified SSO identity and role provisioning and then worked with product/brand teams and the external shop/service provider. Two distinct resolutions were observed: where a user already had the shop's manager/ordering permission but the checkout cost‑center field was hidden, the issue was escalated to the external shop/service provider who restored cost‑center visibility in the shop UI; where a user lacked SSO access or the required ordering permission (for example alumni cost‑center billing), support granted the required ordering permission and provisioned/enabled the Merch Shop portal tile so the user could place orders. Requests for elevated ordering or direct cost‑center billing permissions were routed to brand-platforms@iu.org because those permissions were managed by the brand/product team rather than central IT.
240. Miro access blocked by private account or missing enterprise provisioning / Okta link
Solution
An administrator restored access by unlocking and re‑linking the user’s Okta-backed Miro account to the IU enterprise provisioning; after a short propagation period (reported ~5–10 minutes) the user could see and edit enterprise boards. A separate request to enable board creation remained unaddressed in the ticket; the request record contained recommended next steps (assign a full/enterprise license or have the product owner approve creation rights) but no change had been applied before the ticket was closed.
241. Jira board and service-account access requiring product entitlement or area-owner approvals
Solution
Access was restored by granting the missing Jira product/board entitlements and by obtaining the required area‑owner approvals. In one case a user gained access immediately after launching Jira via the Okta Dashboard. The service account regained board visibility after product access was explicitly granted. For an area scoped to 'DS QS Turnitin Verwaltung', the approver entry was adjusted and the area owners provided the required approvals; support noted that central IT could only grant general Jira access while specific sub‑area approvals remained the owners' responsibility.
242. Confluence space access restored by space/admin permission grant
Solution
Access failures were resolved by granting the required Confluence-level permission to the user account or by space/page owners explicitly granting access for the listed users. When approvals appeared pending in Automation for Jira, completion of the owner’s approval cleared the blockage. Initial local troubleshooting (clearing browser cache/cookies and testing in a different browser or Incognito mode) was attempted in some incidents but did not restore access. In at least one case access was restored only after specialist/admin teams adjusted backend provisioning or re-applied the Confluence license even though Okta SSO and license assignment appeared correct. Records noted that individual spaces or pages sometimes still required explicit owner approval even after Confluence-level permissions were applied.
243. Turnitin iPad app blocked by institutional Apple ID domain restriction
Solution
Support confirmed that Apple IDs using the iu.org domain could not be created on the device. The ticket recorded that the support team presented alternative options and documented that using a personal/private Apple ID on the iPad was a viable option for installing the app; the restriction on creating iu.org Apple IDs on the device was the cause noted in the ticket.
244. Azure AD group membership missing or slow propagation blocking Microsoft Teams login
Solution
The user was added to the required Azure AD access group and the team waited for directory membership propagation. After approximately 30 minutes the group membership had propagated and the user confirmed Teams access was restored.
245. New SaaS account requests and approver routing requiring Self‑Service or approver reassignment
Solution
Requesters were directed to the Application Self‑Service Portal to create formal software/account requests. In cases where the approver configuration blocked provisioning, the approver entry was adjusted and the application owner created the account. After the portal submission and approver correction the platform owners completed provisioning and the tickets were closed.
246. Login or in‑app permission gaps resolved by credential reset or explicit permission assignment
Solution
For login failures the support team issued a password reset delivered to the user's corporate IU email address, which restored access to MyCampus and Jira. For the Confluence case the user was explicitly granted edit permissions on the instance, after which the edit option became available and the issue was resolved.
247. Confluence product access granted; space-level permissions remain owner-controlled
Solution
Confluence product access was granted to the user. The user was informed that access to individual Confluence spaces/pages is controlled by the respective space/board owners and must be requested from them separately.
248. EPOS: missing 'recognitions' role prevented entering recognitions
Solution
The required EPOS role 'recognitions-department-employee' was identified and assigned to the affected user accounts. Access to the recognitions functionality was verified after the role assignment.
249. Workday inaccessible via direct link; Okta app launch required for SSO
Solution
Access was restored by launching the affected application from the Okta (okta.iu.org) app dashboard so the Okta SSO flow completed. Attempts to sign in directly — including from Outlook add-ins — produced generic username/password errors or prompts that failed because SSO was required. Some users also experienced failed forgot-password flows where reset emails were not received and changing browsers did not help. IT support confirmed this behavior and resolved incidents by verifying successful Okta sign-in and opening the app from the Okta dashboard; users subsequently confirmed access was restored.
250. Cross‑system access changes after position change (Care, Vonage, Salesforce)
Solution
The user's approver role was adjusted and Vonage account permissions were configured for the new role. Care permissions were updated to add the ability to delete bookings and the change was tested successfully. Salesforce role changes were routed to the Salesforce specialist team for their provisioning. A Top Level Admin role was intentionally not granted.
251. Replicating AD group memberships and assigning Office license to match a reference user
Solution
Active Directory group entitlements and Azure AD access were restored or provisioned as requested. For accounts missing expected groups, AD memberships were updated to match the provided reference user (Marie Häusgen). New AD groups were created for the business unit when requested (examples: AzureAIADeveloper, AzureAIAAdmin, AzureAIAReadOnly). An Azure AD Office A5 license was assigned to accounts lacking the license, and Okta application entitlements were applied via the appropriate group assignments. Azure AD Entitlement Management access packages were created and made available for assignment.
252. Request for PMS access redirected to product owner service portal (non‑IT managed)
Solution
Support clarified that PMS account management was not handled by IT and directed users to submit access requests in the Media Production / CareerPartner Jira Service Desk portal (https://careerpartner.atlassian.net/servicedesk/customer/portal/24/group/110). Access requests submitted through the portal were processed by the portal’s Automation for Jira application-request workflow, which routed approvals (including cases where the usual approver was unavailable). In several cases a Product Data Manager submitted the portal request on the requester’s behalf, and IT closed its ticket after the user opened the portal request; access was assumed provisioned once the portal completed its approval workflow.
253. Okta OIDC client registration for backend web app (Authorization Code + client secret)
Solution
An OIDC client was provisioned in Okta for the PIM application using the Authorization Code flow with a client secret. The provided test and production callback/redirect URIs were configured on the Okta client, and the client secret was generated and associated with the application. IdP-initiated login and logout/backchannel endpoints were left unused per the application design so the client settings matched the app's integration model.
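The relying-party side of the Authorization Code flow with a client secret, as an added example that is not part of the ticket record or the PIM application's own code. The issuer, client credentials and redirect URIs are constructed placeholders; the `/oauth2/v1/authorize` and `/oauth2/v1/token` paths assume Okta's org authorization server, and sending the secret via HTTP Basic is an assumed client authentication method.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders, not the real client settings.
ISSUER = "https://example.okta.com"
CLIENT_ID = "0oa-example-client-id"
CLIENT_SECRET = "example-client-secret"
# One test and one production callback, mirroring the two URIs on the client.
REGISTERED_REDIRECT_URIS = {
    "https://pim-test.example.org/oidc/callback",
    "https://pim.example.org/oidc/callback",
}


def build_authorize_url(redirect_uri):
    """Return (url, state, nonce) for the front-channel authorization request."""
    # The IdP compares redirect_uri by exact string match, so the app should
    # refuse to start a flow with a URI that is not registered.
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered on the client")
    state = secrets.token_urlsafe(24)   # binds the callback to this browser session
    nonce = secrets.token_urlsafe(24)   # later compared with the ID token's nonce claim
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    })
    return f"{ISSUER}/oauth2/v1/authorize?{query}", state, nonce


def parse_callback(callback_url, expected_redirect_uri, expected_state):
    """Validate the callback request and return the authorization code."""
    parts = urlsplit(callback_url)
    received = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received != expected_redirect_uri:
        raise ValueError("callback arrived on an unexpected redirect URI")
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, callback does not belong to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code, redirect_uri):
    """Return (url, headers, body) for the back-channel code exchange."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        # The client secret travels server-to-server only, never via the browser.
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        # Must be the same URI that was sent in the authorization request.
        "redirect_uri": redirect_uri,
    })
    return f"{ISSUER}/oauth2/v1/token", headers, body
```
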
254. Jira access redirected to home due to missing extended product license/permission
Solution
The user was granted the required extended Jira permission/license by IT. After the additional Jira entitlement was applied the user was able to open the intended ticket and project links successfully and confirmed access restoration. Cost information about the extended license was not provided in the resolution record.
255. Turnitin account inaccessible after email migration and persistent password-change loop
Solution
An email alias was added to the user's primary Exchange mailbox so Turnitin password‑reset messages were delivered to the user's mailbox (the message landed in the 'Other' focused inbox folder). The user changed the password after receiving the reset email, but a subsequent persistent password-change/login loop remained and prevented full access to the Turnitin account. Password-complexity and leaked-password checks were discussed with the user; the user abandoned further attempts and the ticket was closed without a final successful login.
256. Missing SaaS Admin Center profile — vendor re-invite restored Calendly access and calendar sync
Solution
The Calendly administrator resent an invitation to the user's email from the Calendly Admin Center. The user accepted the new invitation and confirmed that access to Calendly and Outlook calendar synchronization were restored.
257. Okta application assignment missing prevented Lucidchart access
Solution
Most incidents were resolved by locating the user account in the Okta admin console and assigning/authorizing the Lucid (Lucidchart) application to the Okta user; authorization was confirmed and the user subsequently regained access. At least one incident differed: assigning/approving the application did not restore access to specific Lucidchart document links (users saw 'no access' / access denied after signing in). That ticket recorded no definitive technical fix and referenced license-assignment, invitation-link behavior, and interactions with Atlassian provisioning (Confluence/Jira) as areas investigated, requiring further vendor or product-side follow-up.
258. myCampus course access granted by matching Care reference-user permissions
Solution
A reference user with the required staff/media-production rights was identified and the affected user's Care/myCampus permissions were adjusted to match the reference account. After the permission alignment the user was able to open courses and upload materials and confirmed that access was restored.
259. CARE / myCampus access blocked by missing CARE Community membership or account-name mismatch
Solution
Incidents were resolved by correcting user identity records, account mappings and provisioning state across CARE, EPOS and connected services. Where users lacked CARE Community membership or had incorrect DS location attributes, adding the community membership and assigning the correct DS location restored attendance/timetable actions and the Info‑Center Lehrende DS view. Duplicate or mismatched accounts (including differing AC‑5 IDs or email addresses) were reconciled by locating and consolidating the canonical account or using the canonical username/password; after account/name reconciliation access returned. Accounts incorrectly typed as students were reclassified and outdated email addresses were updated to the iu.org address, which restored Betreuerboard and global-role enrolment in affected cases. When global-role provisioning did not complete automatically, role assignments were applied and, in several cases, required escalation to the specialist provisioning team. In cases where provisioning depended on EPOS state, creating or restoring missing EPOS employee accounts and correcting CARE/EPOS group assignments allowed myCampus admin roles to provision successfully. Password-reset failures that presented a login code but errored when choosing a new password were resolved after the account linkage was corrected (for example by resolving duplicate AC‑5 profiles or resetting the password on the canonical account). After these corrections the myCampus attendance/timetable functions, Info‑Center views and Betreuerboard/global-role access were restored.
260. Calendly account activation and invitation re‑send for team admins
Solution
Support verified the Calendly account and group membership, re-sent the Calendly invitation and re-activated the account through the admin UI (clicked the activation control). After the invitation was reissued the user was asked to sign in to complete activation and the ticket was closed following confirmation that the activation path had been triggered.
261. Salesforce access when invitation email not delivered but Okta SSO available
Solution
An administrator provisioned the user by copying permissions from a reference user and configured the Salesforce provisioning accordingly. The user then accessed Salesforce successfully via the Okta dashboard instead of relying on the missing invitation email.
262. IU Shop access audit: verifying Okta/Extra‑Account provisioning for suspected users
Solution
Support searched Okta and found no account for the named user, concluding there was no Okta/SSO access. The team confirmed that Extra‑Accounts were managed by an initial XLS import and subsequent additions by the ITOPS contact (Markus); sample Extra‑Accounts were present in the IU Shop Okta group, validating the group‑based provisioning workflow and indicating the queried user did not have SSO access.
263. Applicant portal access blocked by incorrect registration email address
Solution
The erroneous email address in the applicant's record was corrected to the proper domain (changed from souhaila.bou2003@gmail.con to souhaila.bou2003@gmail.com). After the correction the applicant could access the portal and initiate a password reset.
264. Approval workflow approver reassignment during approver absence
Solution
Approval blocking was resolved by reassigning the approver on the organization’s approval-routing or ticketing record to an alternate approver and saving the change. In each case the approver field was updated in the relevant ticket/approval record (for example in the ITOPS request), the change was recorded in ticket comments, and the request/approval step was marked as updated/completed, which allowed downstream access provisioning (such as VPN requests) to proceed.
265. Onboarding gaps when apps omitted from employee initial-equipment form
Solution
Support advised the hiring/requesting manager to include all required applications on the employee initial-equipment/access request form so provisioning ran before the start date. As a practical mitigation a prepared template of required apps was provided for pasting into the form's description field to ensure all typical MarTech/dev tools were listed; exceptions (e.g., GitLab) were noted where a different provisioning path applied.
266. Freshdesk access provisioned via Workday-controlled group membership
Solution
The user account was added to the Workday-managed group IU-ZZ-OK-ASS-Freshworks. Group membership granted the required Freshdesk access, and requestors were informed that Freshdesk access should be requested via the designated Workday HCM contact (Florian Achatz) going forward.
267. Data Warehouse (DWH) access for shared mailboxes required platform-owner provisioning
Solution
IT Operations clarified that DWH access was owned by the DWH platform team and provided the dwh-team contact. The requester then contacted the DWH team and the DWH team granted read-access to the specified shared mailbox (syntea-trainex@iu.org), restoring the mailbox's ability to access the warehouse.
268. Claude API CLI access blocked by insufficient Claude role assignment
Solution
The issue was resolved by changing the user's Claude role from the generic 'Users' assignment to a role that included API/CLI access privileges so the account could authenticate from Terminal. After the role was updated the developer was able to log in to the Claude API from the CLI.
269. Claude team membership/approval stuck on pending invitation
Solution
Requests were routed through the Automation for Jira approval workflow and remained in a pending/"awaiting approval" state until the designated approver acted (examples observed: ida.busemann@iu.org, anja.zimmermann@iu.org, kai.becker@iu.org). Approval via the workflow did not itself provision access; after approver approval a workspace administrator manually sent a direct team invitation and confirmed delivery. Once the invitation was sent the awaiting‑approval notifications ceased and the requester received Claude/Anthropic team membership and the requested default Cloud license allocation. Where the Claude team had reached capacity, administrators were unable to provision immediately and offered alternative options (for example waitlisting or different license allocations); if the requester did not respond the ticket was placed on hold or auto‑closed without provisioning. Affected systems included Claude/Anthropic team membership and invite delivery, Cloud license allocation, Automation for Jira approvals, IU AI Chat access, and Microsoft (iu.org) credentialed access.
270. Service/system account requests for non‑Okta-managed apps and databases
Solution
Requests for credentials or API keys for applications and databases not managed through Okta were routed to the owning application or specialist teams; owners completed provisioning via their own service processes. EPOS requests were approved by the EPOS owner and fulfilled through the EPOS service-account process (an invite issued for the zpa-service account and the 'exam-admin' permission applied). Where cloud access was required, owners granted access by creating appropriate AWS IAM roles or enabling cross-account role assumption and by issuing database credentials as needed. Network, firewall, or platform teams updated connectivity to allow ingestion from Kubernetes-hosted tools (for example, Airbyte) when required. Requests needing replication-level access were resolved by granting read access to the CDC stream (for example, MySQL binlog) or providing replication-capable credentials. Secrets or service-account passwords were delivered using the SAFE Portal (with at least one recorded case of delivery via email). Ticket notes commonly recorded authorization/ownership checks, account creation/configuration details, notification of the requester, and documentation of the change. Tickets involving cloud-to-corporate VPNs or running VPN clients in cloud VMs were handled by network/platform or application-owner teams rather than central identity.
271. Okta user profile update requested to match upstream Salesforce role
Solution
Okta profile and assignment records were edited in the Okta admin console to match the users' updated Salesforce roles. Changes were saved and confirmed so Okta records matched the Salesforce profile and downstream tiles/entitlements aligned. Examples in this corpus included updating a user to FS Studienberatung (change saved 2025-11-03) and updating viktoria.dick@iu.org to DS Studienberatung (change saved 2025-11-03 07:34 by Jan Winter). No login or authentication errors were reported in these incidents.
272. Perceived revoked SaaS access when user had an active account but hadn’t used Okta SSO
Solution
Support verified the Salesforce account remained active and the access issue was caused by the user not launching Salesforce through the corporate Okta SSO tile. The user was instructed to sign in to Okta and open Salesforce via the Okta dashboard (SSO). No confirmation of successful sign-in was received and the ticket was auto-closed after 14 days of no response.
273. Mixed SSO application assignment and separate environment/role requests (JFrog + multi‑environment AWS roles)
Solution
Support assigned the Okta SSO applications for JFrog to the user, which resolved the JFrog SSO access. It was confirmed that the user already had Okta permission for AWS DEV/Sandbox; the outstanding requests for AWS preprod and prod were routed to the platform/team that manages AWS environment role assignments for further provisioning.
274. Missing Case access in Salesforce despite shown group membership
Solution
Support reviewed the user’s Salesforce account, compared the user’s group/role/profile mappings to the reference colleague, and corrected the missing Case-specific permissions and list-view assignments. After the required Case permission and group assignments were applied to the user (mirroring the reference colleague), the user verified she could access and work on the Cases and the ticket was closed.
275. Blank/white page after SAML login due to vendor-side redirect issue
Solution
Support investigated and resolved failures originating from intermediary launch points, browser state, vendor misconfiguration, and IdP/App assignment issues. Vendor-hosted application failures were resolved after vendors corrected incorrect or missing post-authentication redirect URLs so that launches from intermediary pages (for example, SharePoint) completed and the application loaded. OpenAthens incidents were resolved in two ways: some resources avoided redirect loops or browser errors when users launched them via the resource’s dedicated OpenAthens redirector URL (for example, go.openathens.net/redirector), and other cases were traced to browser state where clearing Chrome’s cache and cookies restored access (affected resources sometimes loaded normally in other browsers such as Safari). When clearing cache/cookies did not resolve OpenAthens “Bad Request” errors, support escalated to OpenAthens or the organisation’s administrators for further investigation; IP address restrictions were not relevant in the documented OpenAthens case. Directly accessing the application’s URL bypassed intermediary redirectors and allowed normal sign-in in several incidents while vendor or redirector fixes were applied. In Okta-specific incidents, initial account recovery steps (for example, a password reset) restored general Okta access, but launching an SSO app (for example, AWS via Okta) still looped back to the Okta landing page in some cases; clearing browser history/cookies did not always fix this. In at least one Okta case, the user’s access was restored after support added/assigned the user to the Okta MFA group, which resolved the SSO launch loop. Cookies being disabled or rejected was noted as a contributing symptom in multiple incidents. Support worked with vendors, OpenAthens, or the organisation’s administrators when fixes required changes beyond browser-state remedies.
276. Corporate ChatGPT account forced daily password resets resolved by platform update
Solution
The platform vendor deployed an application update that removed the condition causing repeated forced-password resets. Following the update rollout, the affected user confirmed the daily password‑reset requirement stopped and normal login sessions were restored.
277. Subscription/procurement stalled by incorrect cost center and missing approvers
Solution
Access was restored after the required procurement metadata and approver information were provided or corrected. When the request record could be edited (for example in Automation-for-Jira), the cost center was changed to the correct organizational unit and the approver list was set to the cost-center manager and designated approvers; after these corrections the subscription request completed and the requester received paid access. In cases where the original ticket or workflow could not be modified, IT instructed the user to submit a new software request containing the cost center and manager approval (a link to the 'Request new Software' form was provided) and then proceeded with provisioning once the new request included the required procurement details.
278. Request for Atlassian Jira admin rights granted for board and team management
Solution
Global Jira admin requests were handled per policy; when global admin privileges were granted, assignments were recorded. When global admin privileges were declined, support provisioned company-managed Jira Software or Jira Service Management projects and created the requested boards/portals, then added the requester as Project Admin (support collected project name, key, and preferred template). For Jira Service Management requests, support clarified licensing and account scope: agents were counted as licensed users, while customers (request reporters) did not require a paid agent license but had to be invited or permitted by the portal settings; support confirmed and configured whether external (non-organization) customer accounts were allowed for the instance. Okta/SSO questions were resolved by either provisioning internal accounts through Okta or confirming existing SSO mappings for the requester. When requesters wanted to isolate long-running work that affected sprint velocity, separate projects/boards (portals) were created to keep that work out of teammates' sprints. Jira Premium Advanced Roadmaps was recommended and enabled when cross-project planning or consolidated views were required. When Automation for Jira was relevant, support documented the automation scope and either implemented the required rules or recorded the automation requirements alongside the project provisioning. All actions and license/SSO clarifications were documented in the ticket.
279. Missing 1Password invitation prevented account setup
Solution
An administrator sent a 1Password invitation to the user's corporate email address. After the invitation email was issued, the user received it and was able to complete the 1Password account setup; the ticket was closed.
280. CMS domain/team permissions blocked content creation in Storyblok
Solution
The Storyblok domain/team permissions for the two domains were updated to include the requester. After the domain-entry access was granted, the requester could create the required landing pages and the ticket was closed.
281. Missing Okta dashboard tile due to absent application assignment (user could not SSO)
Solution
Support resolved incidents by addressing account-level access in Okta and the SaaS product. In cases where the Enterprise SSO (Okta) application was not assigned, support assigned or reassigned the missing application to the affected accounts; the Okta dashboard tile appeared and SSO launches succeeded. In cases where the application record existed but the user still lacked access, an administrator granted the required product license/entitlement (for example, a Pro License) to the user; access was then available and confirmed by the requester. Tickets were closed after requesters verified entitlements and successful sign-on.
282. Access pending approver/specialist invite for vendor-hosted cloud apps (invite required outside Okta)
Solution
The approver or specialist processed the outstanding approvals and issued vendor-side invitations. For n8n the approver confirmed the invite was sent; for dbt Cloud the specialist team invited the user and assigned the requested developer/admin role. Access was confirmed after the invite-based provisioning completed and tickets were closed.
283. Vendor account not recognized by organization due to username/email mismatch (Figma, 1Password)
Solution
When vendor accounts were not recognized by the organization, the underlying cause was a mismatch between the account identity in the vendor system and the organization’s corporate email. Resolution outcomes recorded included provisioning vendor access to the user’s corporate IU email through the Application Self Service workflow; the application was processed and access was provisioned to the corporate account, which restored org-linked access. In other instances, remediation required ensuring the vendor-side username/email matched the organization identity (for example by re-provisioning or reissuing an invite so the account was bound to the corporate email). One prior ticket contained no recorded resolution steps.
284. Datadog access blocked by missing Okta app assignment or pending approver workflow
Solution
Access was restored by assigning or re‑provisioning the Datadog Enterprise application to the affected users in Okta and completing any pending Automation‑for‑Jira approvals. When users had already received an assignment but still saw an Okta error page or could not reach Datadog, the Datadog assignment was removed and re‑provisioned in Okta, and technicians allowed ~5–10 minutes for Okta-to-Datadog provisioning/synchronization to complete. After the Okta app assignment/provisioning and approval finished, users launched Datadog from the Okta UserHome and confirmed access.
285. OpenAI / ChatGPT access issues caused by invitation flow and SSO confusion
Solution
Support resent the OpenAI invitation to the user's IU email and clarified that the account had been provisioned via an OpenAI invitation (native OpenAI sign‑in) rather than Microsoft SSO. After the resend and guidance not to use the 'Continue with Microsoft' path for that invitation type, the user was able to proceed with account setup.
286. SaaS workspace ownership transfer when owner is a service mailbox or departed user
Solution
Ownership issues were resolved by two patterns depending on the ownership type and app. When the owner account was a service mailbox, support escalated to the named internal contact who managed that mailbox; that contact reassigned workspace ownership or granted admin rights to the appropriate team members (no billing transfer was performed), which restored ability to create teams, add members, and organize the workspace. When a specific item (for example a Miro board) was owned by a departed user and in-situ permission changes were not possible, support and the requester duplicated the board so the requester became the owner; the duplicated board restored sharing and edit capabilities. Both approaches removed the collaboration block and returned administrative control of the affected resources.
287. Metabase account provisioning handled by DevOps Service Desk
Solution
Access requests submitted in the general IT queue were not provisioned; DevOps handled all Metabase account and license provisioning through its Jira Service Management/Service Desk. Support directed requesters to create access requests via the DevOps Service Desk portal (example: https://careerpartner.atlassian.net/servicedesk/customer/portal/31) or to contact the DevOps team by email (one documented contact: John Rottmair). When requests were submitted through the DevOps Service Desk portal, DevOps created the Metabase account/license and closed the access request. Tickets left in the general IT queue were often marked “Done” and auto-closed after approximately 14 days of no reply; support responses sometimes informed users that replying within 7 days would reopen the ticket, otherwise they were asked to open a new access request and reference the original.
288. Cloudinary access limited by account identity (IU vs external partner)
Solution
Support confirmed Cloudinary access could be granted through Okta for the user's IU corporate account but could not be provisioned for the external Careerpartner account from the same support channel. The support response offered Okta-based access for the IU identity; no additional provisioning was completed in this ticket and it was closed after no further reply from the requester.
289. Access controlled by application/product owners or vendor teams (owner‑managed access)
Solution
Support did not provision in‑app permissions and instead routed each request to the owning application or product team and their service portals. Salesforce dashboard/edit requests were forwarded to the SalesTech Service Desk (SalesTech - Service - Jira Service Management / SalesTech Service Portal). SiteFusion/Teaq access was routed to the SiteFusion/Teaq access team via cfe-teaq@iu.org. Flywire access issues were handled by the Flywire account owner (thomas.heinz@iu.org). Supabase MCP authorization failures (reported when authorizing via Claude Code with an error about insufficient privileges and organization‑level access controls) were forwarded to the specialist/product team per the support comment. Tickets were closed after advising requesters to engage the product owners or portals; some tickets were auto‑closed for inactivity but could be reopened within the configured timeframe.
290. Access requests auto-declined by Automation for Jira due to missing/incorrect approver
Solution
Automation for Jira approval workflows auto‑declined requests when the workflow's approver routing was incorrect or when the approver did not act before the 14‑day timeout. In the incidents reviewed the approver field had been misassigned (an approval notification was routed to a CC recipient instead of the requester's manager) or the required manager/CostCenter approver never approved; in one case the approver field was corrected after the automation had already recorded 'Declined' and the request remained closed. No additional permissions were granted as a result of the automated declines. The affected systems included Application Self Service, Automation for Jira, Confluence, Miro, and the LCC Marketplace; the matched ticket did not document further remediation or configuration changes.
291. OpenAI/ChatGPT account limited‑access flag removed by admin
Solution
Support removed account-level 'limited access' flags when present; after the flag was cleared the in-product 'Limited access' indicator disappeared and full ChatGPT access was restored. For team/workspace issues, support re-enabled the disabled ChatGPT Team workspace, ensured the user had a valid team invite (sent or re-sent invites as needed), and performed a final workspace reactivation/cleanup. After workspace reactivation and confirming the invite, the team workspace became selectable and organizational ChatGPT access was restored.
292. Broad Azure/Intune access requests required scope clarification and constrained approval
Solution
Approvers discussed narrowing the requested scope and the request was completed with constraints. The recommended outcome was to grant global viewer on the normal subscription but not on the new Sentinel Space and to use an administrative account managed via Azure AD Privileged Identity Management (PIM) for sensitive areas. The request was closed after scope clarification and applying constrained privileges.
293. Application and software access requests pending Automation-for-Jira approval
Solution
Requests were resolved after the Automation-for-Jira approval workflow completed or the correct approver was assigned. For the PDF24 request the exact product was clarified as PDF24 Creator and the corporate software-portal link was provided; an approver change was applied and the software request was approved so the user could download the installer. The GitLab request was approved and a GitLab license/entitlement was granted. A Miro board write/edit request was closed after the board owner granted the requester edit rights (support had instructed the user to contact the board owner).
294. Miro access lost after corporate email change or account-email mismatch
Solution
An administrator re-enabled and unlocked the user's Miro account and restored access under the updated corporate email address. Access was explicitly enabled by the Miro administrator so the user's license and workspace access continued under the new email identity.
295. Application-specific SSO/login failure reported as 'user not found' with vendor-side bug
Solution
IT confirmed the user's Okta account showed no issues and escalated the incident to the PMS application team. The PMS team identified the behaviour as a broader application bug; no further local remediation was performed and the ticket was closed after escalation to the PMS vendor/system owners.
296. Okta tile visible but in‑app access blocked by application owner / license or account provisioning
Solution
Support verified that the Okta tile or SSO integration was present but that application-level access was controlled outside central IT. For the FS‑Klausurkorrektursystem support confirmed the tool was managed exclusively by the Prüfungsamt and referred the user to akad-pruefungsamt@iu.org. For Qualtrics Customer Experience support confirmed the SSO integration and that central IT handled license assignment/configuration, but the user's in‑app account had been disabled or lacked the required in‑app license; these incidents were resolved when the application owner/team reactivated the account or assigned the correct in‑app license. Support advised users to contact the application owner teams (people-products@iu.org or the Qualtrics research owners) for reactivation, provisioning, or license issues. Some tickets recorded no further details about who performed the reactivation.
297. CARE (academy5) SSO login failures due to account state or Okta-side configuration
Solution
Support restored CARE/academy5 (AcademyFIVE) access by investigating both the Okta and CARE account states and correcting whatever prevented the SSO assertion from mapping to an active CARE account. Resolutions included reinstating/reactivating the CARE account in the provisioning system, assigning or entitling the user's Okta account to the CARE/academy5 application, and applying fixes to Okta-side SSO configuration or attribute mappings that prevented successful authentication. In several cases administrators re-enabled or restored the user account and then confirmed that the user signed in via Okta SSO; where users reported "invalid credentials" after remediation, the issue was attributable to credential/flow confusion (SSO versus local credentials) and was resolved once the account state and Okta app assignment were corrected and users signed in through Okta. In each case the user confirmed that SSO sign-in to CARE/academy5 was successfully restored.
298. Internal invoicing app access blocked by missing user-profile permission
Solution
Support restored access by granting app-level sharing/permissions or accepting the pending access request so the Freelancer Invoicing App became visible. Where the app was role- or group-gated, support assigned the required application role or added the user to the access/provisioning group and reprovisioned the account when group membership issues were found. In cases that surfaced an access/error dialog on app load, support performed backend adjustments (reprovisioning/permission updates) and recommended clearing browser state; after the permission/group changes and browser-state refresh the user could open the app. Support confirmed access after changes. Support did not provide a direct download link and directed users to the Dozierendenguides/manager for installation or procedural details.
299. Application approval workflow auto-declined AI license requests when approver was missing
Solution
Automation-for-Jira approval automation auto-declined and closed corporate ChatGPT/OpenAI license and team-invitation requests whenever the approval step lacked a valid approver. This occurred both when the approver field was empty and when a named approver indicated they were not the correct contact or was otherwise unavailable. The workflow produced automated decline/closure messages (examples observed: 'missing the approver' and '14 not approved or approver no longer available') and left the tickets closed, preventing any ChatGPT Business / GPT‑4 licenses or team invitations from being provisioned; no further provisioning activity was recorded.
300. ChatGPT SSO sign-in loop with Microsoft/Okta resolved by direct company‑email sign-in
Solution
Support instructed the user to sign in to ChatGPT on the provider's sign‑in page using their company email address. The user followed that method and access to the corporate ChatGPT account was restored.
301. External contractor onboarding with staged/activation-timed Atlassian account and unclear downstream access
Solution
An Atlassian user account for the contractor was created and configured so that a password‑reset link would be sent to the contractor's private email on the employee start date. Azure and other system accesses were left unspecified in the record pending clarification; no further cross‑platform provisioning was recorded in the ticket.
302. Ambiguous Claude (Anthropic) access requests lacking chat vs API scope and distribution-rights clarity
Solution
The ticket recorded the need to add the user to the Syntea/IU team pro account but also noted uncertainty about distribution rights and whether chat or API access was required. No definitive provisioning action was recorded; the request required product‑owner clarification before access could be granted.
303. Provisioning social‑media editor access via third‑party management (Agorapulse)
Solution
Access was restored by coordinating ownership with the communications team and onboarding requested users into the organisation's Agorapulse workspace. Specific users and roles (examples: Gianna Barabasch, Nida Ahmad, Samuel Willson, and an Online Reputation Manager) were added to the Agorapulse account and assigned to the INT unit resources, which provided the required editor‑level access to the social channels (YouTube, Facebook, Instagram, LinkedIn). Tickets showed that native platform credentials were not held by IT; a 1Password vault was suggested to centralise those credentials going forward. Some tickets were nevertheless closed with a 'Won't Do' resolution despite access being provisioned, indicating occasional resolution‑status misclassification in the ticketing process.
304. Salesforce queue visibility blocked by preset list-view filters
Solution
The issue was resolved by identifying and contacting the queue owners/administrators who adjusted or removed the restrictive preset list-view filters and updated the user's queue access. After the owners changed the filters and/or access, the incoming Cases in the 'PA ...' queues became visible to the user.
305. CampusManagement Service Portal access missing due to absent role assignment
Solution
Permissions were reviewed and the user's account was updated. The role 'IU-ZZ-OK-ASS-IT' was assigned to the user in the CampusManagement Service Portal, which restored the required access and allowed the subtask to be closed.
306. Confluence access denied due to identity-provider / account mismatch
Solution
The investigation confirmed the group membership targeted an EntraID guest account instead of the user's LIBF Okta account. It was determined that Okta-based LIBF accounts would become available on the scheduled date, and access required reassignment of the Confluence group membership to the user's Okta identity once the Okta accounts were enabled.
307. Salesforce mobile app sign‑in failed when Okta SSO did not complete and no native password was available
Solution
No final remediation was documented in the ticket. The record noted that the mobile app did not complete the Okta SSO flow and that the user lacked native Salesforce credentials; a previously requested password‑reset link had expired. IT Operations did not perform any backend changes or complete a password reissue in the ticket notes, and no confirmed fix/outcome was recorded.
308. Internalized vs external account mapping causing permission denial in IT Service Portal
Solution
The internal user mapping was corrected so the portal and Jira referenced the same internal identity. The agent updated the account mapping for the internal email/profile in the Atlassian/Jira user records and aligned the group/membership state with the Okta/Entra ID source-of-truth; after the mapping change the internal account regained the ability to create tickets in the IT Service Portal. The ticket noted stale automatic group rules and Okta cache as the likely root cause but the remediating action was the account-mapping update and membership synchronization.
309. No Okta and MyCampus access resolved by account resets
Solution
An administrator performed an Okta account reset and a myCampus account reset on 2024-07-29. After those resets the user's Okta and myCampus access was restored and the issue was closed.
310. SAML response status 'not Success' (Responder/Unauthorized) blocking LinkedIn Learning SSO
Solution
The user was advised to access LinkedIn Learning via the Okta portal as a workaround. LinkedIn Support reported that the SAML response status was not Success and indicated the tenant Learning administrator would need to escalate to LinkedIn if the SAML error persisted. The ticket recorded guidance to sign in via Okta and vendor escalation instructions; no tenant-side configuration change was recorded in the ticket.
311. Third‑party SharePoint destination requiring tenant‑level app grant and security approval (Hightouch)
Solution
No final technical change was applied in the ticket. The investigation recorded a planned approach: obtain explicit approval in the referenced Teams chat and then have the SharePoint administration team perform the Hightouch application grant so it could write to the required site collections. The ticket noted the permission grant would be performed by SharePoint admins after the documented approval to limit scope and address the security concerns.
312. n8n webhook creation prevented by insufficient permissions in connected Jira instance
Solution
Investigation concluded the denial was most likely caused by insufficient permissions in the connected Jira project/instance rather than an n8n product bug. The incident was escalated to the Jira specialist/approver for the required permission changes; no webhook creation fix was applied in n8n during the ticket and the request was ultimately closed as "Won't Do."
313. Jira Advanced Roadmaps/plan access still denied unless the plan/page owner granted explicit permission
Solution
Support granted the user general Jira access and verified product‑level entitlement, then advised that access to the specific plan remained controlled by the plan/page owner. The ticket noted the creator/owner must explicitly grant the user permission to the plan; no further changes were applied and the ticket was auto‑closed after inactivity.
314. Application Self Service: vendor‑specific pre‑request required before Okta assignment (Salesforce Marketing Cloud)
Solution
Incidents were resolved by completing the vendor‑specific provisioning workflow for Salesforce Marketing Cloud. A Marketing Cloud user account request was created and processed through SalesTech; those SalesTech requests required details such as planned Marketing Cloud usage, communications to be sent, and a provided reference user before the vendor account was created. After the SalesTech request was processed and the Marketing Cloud user existed, the approver released/approved the Application Self Service request in Okta and assigned the Marketing Cloud application to the user. Access was provisioned only after both the vendor account and the Okta assignment were present; simply adding the Marketing Cloud link on the Okta dashboard without a processed SalesTech account did not enable sign‑in. Tickets commonly showed Automation for Jira approver notifications indicating pending approval but did not include explicit system error codes.
315. Oasis / Special Considerations: screen‑level permissions and targeted access controls
Solution
Access was restored by granting the user the required permission to amend Reasonable Adjustments in Oasis and by correcting the Special Considerations permission target (the Contact Search screen) before granting the appropriate permission there. The change was confirmed to take effect once the Contact Search screen permission was applied.
316. VPN access request via Microsoft My Access Access Package and Company Portal installation
Solution
The support guidance directed the user to request the VPN entitlement by applying for the appropriate Microsoft My Access Access Package (including justification and optional time period). After the Access Package approval the user received the approval email and then installed the VPN client via the Company Portal and connected using the installed VPN. The ticket noted the Access Package was time‑limited and may require reapplication.
317. Application Self‑Service and Automation-for-Jira approval/routing delays
Solution
Issues were resolved by ensuring requests completed in the portal and approval workflow expected by Automation-for-Jira so the provisioning automation could route and finish. Where approvers asked for more justification, requesters supplied additional context (for example: study-support justification) and approvers then approved; where tickets had been opened under the wrong Jira portal category, tickets were reopened in the correct Software-Request portal, the required approver and reference user were confirmed, and the request was resubmitted. In all cases Automation-for-Jira recorded the application assignment and the Atlassian API applied the assignment; in several incidents the Atlassian API recorded/applied the assignment even while approvals remained pending or after the requester later indicated they no longer needed access. Tickets were then marked Done and access was recorded as granted.
318. SSO access blocked by missing Okta dynamic/group membership for account type
Solution
The support team identified the product-specific Okta groups used for the application (separate dynamic group for WB employees and a distinct IU group for IU accounts) and manually assigned the user to the appropriate Okta group/application for Cascade. After the manual group/app assignment the user regained SSO access to the Cascade application.
319. Vendor app login failure resolved by applying application update
Solution
The application was updated to the latest build in the user's environment. After the app update completed, the user was able to access the Freelancer invoicing tool again, and the previous inability to reset the password was resolved without further administrative password resets.
320. Zoom–HubSpot integration blocked by requiring Zoom admin install/organization-wide consent
Solution
IT/specialists reviewed the integration and confirmed the HubSpot app requested organization‑wide scopes and therefore required a Zoom administrator to install or approve it in the Zoom tenant. The requester was advised that installing via the Company Portal client was not applicable for this OAuth integration and that a Zoom admin (tenant owner) must perform the install/consent in the Zoom admin console. No tenant‑level install was performed by IT in the ticket; the request was documented and routed accordingly.
321. CharlyApp showing empty student lists resolved by application-team fix
Solution
IT support escalated the visibility problem to the CharlyApp development team. The application developer applied a code/configuration fix to restore student data visibility in the affected course. The developer confirmed that data would now be visible and the requester verified that all students were displayed again.
322. Metabase inaccessible when Okta app and AWS ClientVPN group membership or VPN config were missing
Solution
Support identified missing Okta application/group assignments for both Metabase and the AWS ClientVPN and attempted to provide the AWS VPN client. The case was escalated to DevOps when Metabase access still failed after the user obtained the client, because VPN configuration details and backend access checks required platform‑owner investigation. The ticket recorded group/membership gaps and an escalation to DevOps for final connectivity and application‑side troubleshooting.
323. Storyblok access required Okta authentication and explicit space assignment
Solution
Support added the user to the Storyblok Okta group and asked the requester to perform an initial Okta sign‑in so the Storyblok user account would be created. Support also requested that the user specify the exact Storyblok spaces/environments needed so the product owners could assign the appropriate space access. The ticket remained awaiting the user's response and was auto‑closed after inactivity.
324. External vendor (Simovative) CARE database read access requiring specialist provisioning
Solution
The access request was forwarded to the specialist/DevOps team responsible for CARE database provisioning. Support documented the external requester and the reference user and routed the escalation so the specialist team could apply the appropriate external‑vendor read permissions or onboarding process for CARE.
325. Deskbird provisioning failed with SCIM error in Okta; reactivating SCIM fixed assignment
Solution
Two provisioning failure patterns were addressed. In cases where Okta reported SCIM errors and the Deskbird assignment failed, the Deskbird–Okta SCIM provisioning integration was reactivated and the application assignment was reapplied; this cleared the SCIM error and restored the booking-program assignment. The change was tested by the designated owner via the Okta dashboard and the requester was asked to confirm access. Separately, where users’ company affiliation or group membership from Workday was not reaching Deskbird (preventing office-level access), the identity provisioning pipeline (Workday → Okta/Entra → Deskbird) was corrected so the company attribute/group sync propagated over SCIM and Deskbird received the correct company membership. The ticket for the company-affiliation case recorded the issue as resolved but did not include a detailed change log of the exact mapping adjustments.
326. EPOS 'Buchung beenden' (End booking) permission missing for IT Student Support and then granted
Solution
Support requested the 'Buchung beenden' permission for the named IT Student Support users. The permission was granted for the specified users (Aysu Hancer, Birte Gundel, Michael Weier, Axel Posselt) and the ability to end bookings was confirmed; the expired Exma bookings could then be deactivated and the issue was resolved.
327. Jira permission requests stalled by insufficient requester detail and approval timeout
Solution
Support did not apply any permission changes because the request lacked project and permission details and the requester did not respond to follow-up. The ticket was closed as no‑response; support advised that project owners are the authority for project-level access and that a new request specifying the exact Jira project and required permission/role would be needed to proceed.
328. OpenAI / Corporate ChatGPT onboarding: approval and invite inconsistencies
Solution
Provisioning actions were tracked in the approval workflow and manual invitations were issued by the platform owner. In one case an approval notification was routed to the configured approver and a direct invitation/link was sent by the platform admin; no subsequent user confirmation was recorded and the ticket was auto‑closed. In a separate case the user reported the 'invite already accepted' error after an invitation had been processed; support logged suggested troubleshooting steps but no confirmed follow‑up or final remediation was recorded in the ticket.
329. Site‑managed digital‑signage (Vineow/ViewNeo) account access held by local site owner
Solution
Support verified the affected location and directed the user to the local account holder. After the user contacted the local site owner (Marco Tenuta) and regained the account credentials, the displays were confirmed working and the ticket was closed as resolved.
330. HQ intranet (SharePoint) access requests for Walbrook/LIBF area
Solution
SharePoint site access was granted to the requesting user for the HQ intranet area (Walbrook/LIBF). The ticket was completed after the permissions were applied and the requester was to be notified that access had been granted.
331. myLIBF login failure via OASIS showing 'Missing Data' for student accounts
Solution
Support restored the learner's myLIBF account access and confirmed that both the requester and the learner were then able to access the myLIBF account. The ticket notes a successful restoration by support (Sean Parker) but contains no recorded technical changes or steps.
332. MyCampus course participant list mismatch blocking grade publication
Solution
Ticket investigation recorded two co-occurring problems but no confirmed remediation. The MyCampus participant-list mismatch remained unresolved in the ticket and required escalation to the MyCampus/course-management owners. The account-access symptom (instructor unable to reach Charly and Okta while Microsoft Office still worked) also remained open with no documented fix in the record; the incident was left for product-owner/identity-team follow-up.
333. OpenAI / ChatGPT account showing 'Limited Access' and missing Playground after invite
Solution
Support sent vendor invitations and advised a short wait for role/invite propagation; in those cases the OpenAI console 'Limited Access' state and missing Playground UI cleared after invitation/role propagation. Separate incidents where group ChatGPT/ChatGPT+ workspaces were deactivated were resolved by the vendor's internal ChatGPT support/engineering team, after which support asked users to retry access and confirmed workspace reactivation. Requests for Microsoft Copilot were routed to the organisation's Copilot/M365 provisioning workflow when raised in the same tickets. Some tickets were closed after confirmation from users; a small number were auto-closed without recorded confirmation of the UI/state change.
334. Anthropic / Claude invite failed with 'email is already in use' due to duplicate/deleted account
Solution
The ticket captured the invite/acceptance failure and the vendor-side error message but did not record an in-ticket remediation. The incident indicated an account/email conflict on the Anthropic side and required Anthropic account-recovery or vendor support intervention; no fix was recorded in the support ticket.
335. Okta dynamic group created from Workday roles (Spendmanager_DYN_Group)
Solution
A dynamic Okta group named 'Spendmanager' (Spendmanager_DYN_Group) was created and configured so membership included users with Workday role 'Cost Center Manager' OR 'Cost Center Approver' OR 'Project Manager'. The change required coordination with the WCC Team to ensure Workday roles were exposed to Okta for the dynamic membership rules to function.
336. Adobe Lightroom mobile/browser SSO failure for single user despite desktop working
Solution
The ticket documented that desktop Lightroom installs and launches successfully while mobile/browser SSO produced an error after successful Okta authentication. No corrective action was recorded; the case was noted as likely requiring Adobe↔Okta integration investigation or per-client troubleshooting and was left for escalation to Adobe or identity/integration owners.
337. Company portal missing student record due to Salesforce non-assignment
Solution
Support recommended browser cache clearing and, when that did not resolve the missing student mapping, escalated the issue to the Applicant/Company‑Portal support team because the agent lacked access to portal settings and student-assignment controls. The ticket supplied the applicant-portal support contact for Salesforce-side assignment; no in-ticket data correction was applied.
338. Personal vendor subscription inaccessible when signing in via corporate SSO (identity mapping mismatch)
Solution
Support adjusted the user’s Adobe/SSO account mapping and internal access settings for the Microsoft‑linked identity. After the administrator change the user re‑tried and confirmed Adobe Sign was accessible and signature requests completed successfully.
339. Temporary external contractors needing multi-system developer access and secrets for data migration
Solution
The request was routed to the respective platform and product owners rather than being granted by IT Ops. Owners/teams were identified as responsible for provisioning GitLab, Logz, JFrog, EPOS development permissions and for providing secure access to the AWS secret and job‑queue credentials. Guidance and the required action items were recorded and escalated to those owning each service.
340. SSO login broken after account rename/surname change (identity mapping correction fixed access)
Solution
The identity/specialist team corrected the backend account/identity mapping related to the surname change. After the rename correction the user retried Okta SSO and confirmed successful login to Miro.
341. Manual provisioning and shared‑group/vault assignment requests for small SaaS tools and demo/test accounts
Solution
Support processed access requests for small or standalone SaaS tools and shared or demo/test accounts by creating accounts or directly assigning access when an owner or administrator was identified. For 1Password shared vaults, administrators created invitations when required, awaited user acceptance, verified users’ 1Password accounts and current permissions, and added users to the requested vaults or groups once access was accepted. When a vault owner could be determined, admins granted requested access; when the self‑service portal did not surface the owner, support performed troubleshooting and advised how to identify or escalate to the owner or IT. If a requested SaaS tool was not known or not listed in the internal software catalog, IT could not provision access and notified requesters that the tool was not in the catalog. Calendly accounts were created on request. Actionbound requests were handled by sharing the campus onboarding reference and directing requesters to Portal Service On Campus for provisioning. Requests for shared IU Learn/myCampus demo accounts were routed to Immatriculation/Enrollment and learn-app@iu.org to obtain appropriately formatted student test accounts. Tickets were closed after the account was created, access was assigned, guidance was provided, or when resolution was not possible due to missing owner/administrative information or because the tool was not in the software catalog.
342. Salesforce user provisioning, profile changes and permission-set assignment gaps
Solution
Provisioning and profile-change actions resolved the access incidents. New Salesforce user accounts were created where requested and affected product sign-in (Marketing Cloud / Sales Cloud) was restored after the Salesforce team applied the correct entitlements. A user’s profile was changed to the required “INT Management” profile to enable management-level access. Several permission-set assignment tasks required involvement of the Salesforce specialist team because administrators lacked the necessary overview to map and apply permission sets from reference users. In some cases provisioning was delayed until a formal manager request or approval that specified required permissions and access areas was received; once that approval was submitted, IT provisioned the account accordingly.
343. Service‑Portal and provisioning workflow gaps for SaaS access (Google Analytics, Miro)
Solution
The service‑portal content and access workflow were reviewed and updated. For Google Analytics, the Service Portal article was revised and the onboarding point at which GA access can be requested was clarified. For Miro, users were instructed to decide whether a free plan sufficed or licensed access was needed and to complete the provisioning form including cost center and written approval (screenshot accepted); the ticket guidance closed after providing the corrected process and required approval documentation details.
344. Team-admin role missing prevented 1Password team invitations
Solution
Access issues were resolved by granting the appropriate 1Password roles or vault-level permissions. Where requesters lacked the team-admin role they were given the same team roles and rights as their peer managers; where they lacked vault-level admin or read/write rights (for example, in a DevOps Vault) an existing 1Password administrator granted the specified permissions. Requests were forwarded to technical/IT operations and an administrator completed the role or vault-permission changes, after which users regained the ability to invite team members or manage vault access.
345. Missing vendor Org‑Admin identity blocked Adobe Support ticket access
Solution
Support confirmed that Adobe’s ticket tracker and certain vendor-side actions required the specific Adobe Org‑Admin identity that was registered in Adobe’s system. The ticket documented that a named Org‑Admin had left and that normal in‑house admin accounts lacked the vendor-side Org‑Admin association; this clarification established why existing local admin privileges were insufficient and identified the Org‑Admin identity as the required account to regain vendor-support access.
346. Miro board sharing blocked by instructor account permission state
Solution
Support staff scheduled a live session with the instructor, inspected the affected Miro board sharing settings and the instructor's institutional account/permission state together, applied targeted permission/configuration adjustments in the instructor's account and board sharing settings, and confirmed with the instructor that board sharing to students now worked.
347. Cross-department collaboration blocked by missing Confluence licenses and cost‑centre charge approval request
Solution
An exchange meeting was scheduled and held with the requester and representatives of the Regional Coaches to discuss the collaboration requirements and the available licensing/guest-access options. The session clarified the collaboration goals and the licensing gap to be addressed (Confluence/Jira access for the coaches) and documented the next steps for procuring or approving licenses and charging the appropriate cost centre.
348. Content and accounts bound to a personal Adobe ID preventing Enterprise migration
Solution
Adobe Support and IT confirmed that migrations from a personal Adobe ID to an Enterprise (federated) Adobe ID were not permitted. Attempts to assign the content to newly created Enterprise-managed or alternate personal accounts did not move the Portfolio content, and IT lacked the ability to delete or convert the original IU-ARCH-HH personal Adobe account. No automated migration was achieved and the ticket recorded the failed transfer attempts and the vendor's migration policy as the blocking factor.
349. Workspace or content access blocked by single-owner/service-account model despite license allocation
Solution
Outcomes varied by system: Metabase access was granted after direct contact with the responsible product owner (the owner provisioned the account via chat). For Cloudinary no access change was implemented during the ticket; a service-account approach (employerbranding@iu.org) and SSO-enabled account creation were documented as the proposed remedy but not executed. For Miro a license was allocated to the user by the platform admin, but workspace membership in the 'data platform' space remained owner-controlled and the manager could not add the user; the ticket was closed with the allocation recorded and the remaining workspace membership issue left for the product owner to resolve if refiled.
350. Limited-test-seat SaaS access for data‑platform tools (DBT Cloud)
Solution
Investigators checked the platform account inventory and confirmed that only five DBT Cloud test accounts had been issued and all were already assigned. No internal onboarding or provisioning path existed to grant additional seats, so no account changes were made; the requester was informed that no extra test accounts were available and the ticket was closed as not actionable.
351. 1Password vault ownership model prevents removing built-in owners group
Solution
Support examined the 1Password tenant configuration and confirmed that the platform enforces a non‑removable 'owners' group that retains access to created vaults. The current membership of that owners group was identified (including a named owner). Because this behaviour was a product design limitation, no vault configuration change was possible and the request was closed after documenting the restriction.
352. Okta-managed dynamic groups lacked assignable Owner attribute, breaking PowerApp owner-dependent access
Solution
Troubleshooting confirmed the four LMS groups were Okta-managed dynamic groups, which do not support the assignable 'Owner' attribute required by the PowerApp. The cause was documented as an identity-source compatibility issue, and the support record recommended using Entra/Azure AD groups or another identity source that exposes group ownership so the PowerApp and service account could access and manage those groups. The investigation was closed after documenting the root cause and recommendation.
353. Access to apps via a company‑managed/shared account (company-managed assignment)
Solution
The request was forwarded to the owning specialist team and the specialist added the user to the organisation‑managed Lovable account. Access became available after the specialist completed the account assignment and the ticket was closed as Done.
354. Programmatic SharePoint access blocked for Azure AD client_id (service principal permissions and broken approver workflow)
Solution
No technical access change was applied; the service request was declined and closed automatically after the approval window elapsed because manager/CostCenter approval and a valid approver were not provided. The ticket record noted that the client_id did not possess the necessary API permissions and that the programmatic endpoint differed from the browser view link, so programmatic access remained ungranted when the approval workflow timed out.
355. Okta provisioning conflict when user already has vendor account in another instance (SSO account collision)
Solution
Support verified that a Lucid license had been assigned but confirmed the Okta provisioning flow failed due to an existing Lucid account in another instance ('Okta can't create an account if the user already has one in another instance'). The conflict prevented Okta from creating or linking the SSO account and the request remained unresolved in the ticket (user-side invite/owner action was required); no automated provisioning fix was recorded in the ticket.
356. SaaS provisioning blocked by missing workspace or group (Juro onboarding)
Solution
Support verified the Juro instance and confirmed no matching workspace/group existed for the requested onboarding. Support offered to create the email user (e.g., CanadaPOD@iu.org) but did not complete provisioning because the account had to be assigned to an existing Juro workspace; the requester was asked to provide the target workspace or a workspace owner to proceed. No workspace/owner was supplied and the request was closed without completing the account creation.
357. Marketing Cloud Child Business Unit changes require SalesTech/SalesOps team action
Solution
Support confirmed the requested Business Unit change required SalesTech/SalesOps team privileges and could not be performed by the central IT support team. The requester was redirected to the SalesTech service portal for the specialized change; the SalesTech team handled the access/Business Unit move and the request was closed after that handover.
358. EPOS exam-area UI visibility vs assigned roles (exam centers, slots, student data)
Solution
Support compared the affected accounts to working reference users. Where role/permission mismatches were found, they synchronized the affected user's role assignments to match the reference user; access was restored after the change and a browser relog or cache/cookie refresh. Where accounts showed identical rights but the UI still differed, the issue was escalated to the EPOS application/product team for deeper investigation (developer-level entitlement/feature-visibility inconsistency).
359. Metabase access requests owned by DevOps (ticket handoff and routing)
Solution
Support determined that Metabase user provisioning and dataset/query-level permission management were owned by the DevOps/Platform team and that support did not have authority to grant those permissions. Support routed requests to the DevOps/Platform team and instructed users to submit permission requests via the DevOps Service Portal (or the DevOps intake channel). In resolved cases DevOps updated the user's Metabase permissions to include query rights for the specified database (for example, granting query access to the Care database) and the user regained query capability; support tickets were marked Done after the requester acknowledged the guidance. Some handoffs were not acted on and were auto-closed when requesters became inactive.
360. Salesforce product-permission requests owned by SalesTech and approval workflow auto-decline
Solution
Support determined that the requested Salesforce dashboard/view permissions were owned and managed by the SalesTech team and could not be applied by central support. Users were directed to submit access requests through the SalesTech Service Portal; the requests entered the SalesTech approval workflow (Automation-for-Jira) and were logged as awaiting approval. In cases where approvers did not respond within the workflow's configured time window, Automation-for-Jira automatically declined and closed the request. No central-support permission changes were applied during these tickets.
361. Microsoft Clarity / cloud-analytics provisioning requiring security/privacy review and packaging
Solution
The request was routed through the standard supplier/security review chain: Data Protection and IT‑Security reviews were completed without objections, the internal checklist was updated (a Client Management component was removed because Clarity is cloud‑hosted), and the request was forwarded to BOPS and Endpoint Management for further review and packaging work. The ticket progressed through automation routing rather than being provisioned immediately by central support.
362. LCC‑managed Power BI Deputatsplaner access issues
Solution
Support confirmed that Deputatsplaner resources were owned and managed by local teams rather than central IT (examples included the LCC team and Academic Coordination). Responders did not directly grant access but informed users which team owned the resource and instructed them to submit an access request to that team via the organisation’s service portal or Jira Service Management, providing username, requested role/permissions and a business justification. Support noted that the built‑in access‑request links did not grant access and some portal requests were handled as 'Won't Do' by the owning team; at least one user later reported access became available after following the portal request process. In addition, support suggested checking whether the Deputatsplaner access link had changed and whether an extended Power BI license was required. No central technical remediation was performed in the reported cases; one ticket was closed after no response from the user. As a temporary alternative for viewing deputat/Überdeputat information, the internal app 'Einsatzplanung Profs' was suggested.
363. Mentimeter access blocked by SSO/whitelisting restrictions
Solution
Support enabled/whitelisted the user's Mentimeter access on the corporate side so that the SSO/login succeeded. The user was notified to retry and later confirmed the issue was resolved after whitelisting was applied.
364. GitHub Enterprise access requiring group membership and approval
Solution
The pending approval was completed and the user was added to the required GitHub Enterprise user group by the approver/admin (Stephen Odoardi), which granted the requested GitHub access. The ticket was closed after group membership was applied.
365. Vonage telephony account provisioning and Salesforce record entry
Solution
Cases were handled in one of two ways depending on the request: when a new telephony account was required, a Vonage account was provisioned for the named user and the new account details were entered into Salesforce so the CRM record existed. In other cases the requested accounts or application assignments already existed: support verified Salesforce access via the intranet and that the Twilio application was assigned to the user, did not create separate credentials or allocate an outbound number, and closed the request with guidance to open a new ticket if the user later experienced login issues. The outcomes recorded reflected either account creation plus CRM entry or access verification with no change.
366. ChatGPT / OpenAI: corporate group account not visible after SSO sign‑in
Solution
Support confirmed the IU Group ChatGPT account remained active and the missing option was a UI/account‑selection issue rather than a disabled group. The user was advised to sign in via the institution's specific login method/URL and select the "IU Group ChatGPT Access" option in the account selector; after using the provided corporate sign‑in flow the group access option became available and the ticket was closed.
367. SaaS admin role assignment: Monday.com admin privileges granted to requester
Solution
Administrative privileges were created or granted for the requester in the affected SaaS tenant and the user's admin status was confirmed in that tenant. In the Twilio case the ticketing automation showed the request awaiting approval, but an agent confirmed the Twilio admin access had already been provisioned before the approval step completed.
368. Access request approvals stuck in Automation for Jira (CC‑Approver) workflow
Solution
Support tracked the Automation for Jira approval workflow and confirmed the request was awaiting action in the CC‑Approver step. The responsible product team or listed CC‑approvers completed the CC‑Approver approval; once the approval finished, the Automation for Jira workflow (via the Atlassian API/Application Self Service integration) applied the entitlement and assigned the application to the user. After the assignment completed and access was granted, the ticket was closed.
369. Access requests closed when requester failed to provide required details or respond
Solution
Support staff and Automation-for-Jira placed incomplete access and account‑creation requests on hold and recorded the specific missing information (for example target site/SSP link, workspace identifier, reference user, required access level, username, purpose, or timeline). Agents posted repeated clarification requests in ticket comments (for example asking for a reference user to determine the correct permission package); automation sent reminders and auto‑closed tickets after 14 days of no response. No account creation or provisioning was performed when requesters did not reply. Ticket records preserved the requested details and the closure reason so requesters could reopen or resubmit. Requesters were directed to submit a new access request through the IT Service Portal (Jira Service Management) via “I need something” → “Software” and to follow the documented manager‑approval/approval reference process. In some instances incomplete requests were closed with resolution “Won’t Do” and likewise had no provisioning or follow‑up steps recorded.
370. HTTP 400 when opening internal IT Service Portal from intranet after Okta/portal launch
Solution
Support added the user to the IT Service Portal access group and advised the user to sign in to Okta and launch the IT Service Portal from the Okta dashboard ("Meine Anwendungen"). Those changes were applied and documented in the ticket. After group membership was added and Okta launch instructions were provided, the user still reported the HTTP 400 error; the ticket was marked Done but no final confirmation of successful access was recorded in the ticket notes.
371. Access requests must be submitted via product‑specific self‑service portals
Solution
Requests were completed only after they were submitted and approved through the vendor- or product-specific self-service portals rather than via general IT tickets or student-support mailboxes. BIC licences were fulfilled after submission through the Atlassian Service Desk self‑service form. Microsoft Copilot access was processed after the named approver granted approval and a support agent executed the Copilot request through Application Self Service (Jira Service Management). DS Kompetenzcenter and 1Password access were enabled after submission and approval via the LCC portal and the product Self Service Portal respectively. For IU employee/myCampus access, users were routed to the Serviceportal (link provided); where users had no portal access they were directed to email atlassian@iu.org, and lecturers were directed to dozierendenguides@iu.org. It was clarified that student tech support could not process staff-account or employee-data requests.
372. Access requests stalled by missing/incorrect approver, cost‑center or wrong ticket type
Solution
Support identified and corrected the routing/approval gaps or recreated the request with the correct metadata. For the Miro board request the approver and cost center were corrected (likely approver Karl Schoß and cost center CC15500) and a new Application Request was created; the new request completed. For Miro and Mouseflow the original ticket used the wrong request type, a new ticket was created and approval was awaited from the cost‑center owner (Daniel Riemer); Mouseflow was forwarded to the Applications & Requirements team for provisioning. For Salesforce account requests the requester was informed that manager approval (Alice) and a reference user with equivalent rights were required; no approval/response was received and the ticket was closed.
373. Requested Okta dashboard tile missing because sandbox has no Okta integration
Solution
Support confirmed that no Okta application tile existed for the Salesforce Sandbox environment and informed the requester that Okta could not provide the requested dashboard tile. The user was advised to contact the Salesforce department / sandbox owner for sandbox‑specific access and the request was closed.
374. Jira/Atlassian project links redirected to IT Service Portal due to missing project membership or approver workflow
Solution
Access failures were resolved by granting the missing project‑level permissions or completing the approver workflow. For the EPOS/Jira project the support team assigned the required project rights/membership (per the project owner), which restored direct access. For external users and other cases where Automation-for-Jira required an approver, access was completed after a Self‑Service 'Request Jira (for External)' submission with the manager/cost‑center approver or after the requester provided written manager approval and an admin applied the project membership.
375. SSO launches the main SaaS site but embedded/linkable subcomponents require separate authentication or different owner
Solution
The primary Shop SSO entitlement was enabled and the user could open the IU Shop from their Okta dashboard. The remaining access issue was due to the Factsheets being a separately managed SharePoint component outside the Shop's SSO scope; support confirmed they could not enable SSO for that component and advised contacting the Brand team (brand-platforms@iu.org) who owned the Factsheets/SharePoint integration.
376. SonarCloud access blocked by portal/approval workflow (DevOps Portal) rather than immediate entitlement
Solution
Access was provisioned after the request was submitted through the organisation's DevOps Portal as documented in the internal wiki. The request followed the DevOps Portal approval flow (the Jira automation indicated the CC‑Approver) and once the approver completed the approval the SonarCloud access was granted.
377. Metabase: Okta SSO sign-in failures and missing in‑app export permissions after migration
Solution
Support confirmed Metabase was provisioned via Okta and advised sign‑in through okta.iu.org when credentials were missing. For capability gaps introduced by the migration (exports), requests were routed to the DevOps/Metabase application owner via the DevOps service desk. DevOps processed the ticket and granted the required export permission to the user in both the production and non‑production Metabase instances. In the login case the user opened a follow‑up ticket with DevOps when Okta sign‑in continued to fail.
378. Provisioning SaaS licenses for shared-mailbox addresses (Mentimeter shared accounts)
Solution
No Mentimeter provisioning was performed by IT during the ticket. Automation-for-Jira notified the nominated approver but no approval was received. The requester was advised to reduce the scope to a single shared address (events-akademie@iu.org) and resubmit the request; the workflow then awaited the approver's decision. The ticket remained dependent on approver action after the requester adjusted the submission.
379. Automated approval failures and missing SaaS ownership/inventory blocking requests
Solution
Automation-for-Jira auto-declined or auto-closed the requests when no valid approver action was recorded; in one case the notified approver confirmed they were not the correct approver and the workflow timed out, and in another the CC approver could not see or interact with the approval so no approval was captured. The Visualping request additionally lacked an Inventory entry and an identified product owner, which left the purchase/assignment unresolved. These tickets were closed without license/app provisioning recorded in the ticket history.
380. Access provisioning requests submitted with wrong ticket type for new-hire onboarding
Solution
Support identified the submission as the incorrect ticket type for new-employee provisioning, informed the requester of the mistake, and asked for the correct 'new employee' onboarding ticket to be raised. No licenses or accounts were provisioned from the original ticket and the existing approval-automation entries remained in the ticket comments without applied access changes.
381. Expiring SCIM access token for AWS IAM Identity Center interrupted provisioning
Solution
The expiring SCIM access token (Token Id 4292fd4c-7287-49fe-a7ee-d3bc61293c0d) for the AWS account was rotated: a new token was generated in the AWS account and placed into use in the corporate IdP/SCIM configuration. The change was logged. This restored the SCIM provisioning connection and prevented interruption of user/group sync.
382. Twilio ↔ Salesforce call-integration failing with Twilio API 400 'pending Conference Instruction'
Solution
The incident was escalated to the Twilio/Salesforce integration specialists. The specialists identified the root 400 response originating from Twilio WorkerActions when rejecting a call reservation caused by a pending conference instruction and took ownership of the vendor-level investigation and remediation work with Twilio/DevOps to restore normal reservation handling and CRM context propagation.
383. Travel bookings lost after user name-change in Egencia (account recreation vs. merge)
Solution
IT confirmed the new name was recorded in Egencia but had no access to booking content because account-level booking data was controlled by Procurement/vendor processes. The case was handed off to Procurement (Einkauf) and the user was directed to contact Einkauf@iu.org for account‑merge, booking transfer, or vendor-side restoration of the missing booking (booking UMWDX2).
384. Specialist tool (Guided Conversation Designer) access requires service-portal request
Solution
The user was directed to submit the access/account request through the Guided Conversation Designer specialist service portal so the GCD team could process it. The requester followed that route and the specialist GCD team completed the account provisioning, restoring access.
385. Exam / e-assessment platform access lost after platform update (owner-managed by Prüfungsamt)
Solution
IT validated that the exam platform is managed by the Prüfungsamt (e-assessment Fachteam) and forwarded the user to the responsible specialist team. The user was instructed to contact e-assessment@iu.org with examiner identity, affected modules/exams and details so the Prüfungsamt team could restore examiner access and handle any platform-update related permission regression.
386. Account provisioning / SSO propagation delays: target-app account creation required
Solution
For each case the missing target‑application accounts were provisioned or enabled (Jira account was created and enabled via Okta portal; Datadog access was provisioned; Confluence access was enabled in Atlassian). Users were advised that account provisioning changes required short propagation time and access was confirmed working after the target application processed the provisioning.
387. Access blocked by missing 2FA (TOTP) on long‑dormant account preventing password reset and app transactions
Solution
Support resolved the case by providing step‑by‑step guidance for re‑enrolling a second factor and linked the product onboarding/documentation for adding a TOTP authenticator (Microsoft Authenticator) to the account. After the user completed MFA enrollment using the provided instructions and QR-code guidance, the account could be recovered and normal app operations resumed.
388. SSO access lost after corporate email change when target SaaS account is managed by HR
Solution
Support identified that Qualtrics account administration and email-to-account mappings were handled by the HR/People‑Projects team rather than central IT. The user was directed to contact the People‑Projects (HR) mailbox to have the Qualtrics account identity reconciled/restored to the new corporate email; IT did not perform the mapping change itself.
389. Shibboleth/SAML school‑login failures with academic vendors (ProQuest / PebblePad)
Solution
Support reviewed the vendor responses and confirmed the vendors did not have a matching provisioned account for the user’s current or legacy email. The issue was caused by vendor-side account provisioning or identity mapping for the institution’s Shibboleth assertions rather than a desktop/browser problem. Support advised the user to contact the school librarian/vendor administrator or the vendor support team so the vendor could verify the institution (Shibboleth) configuration, map the correct email/identifier to the user record, or provision a vendor account. No changes were made by the local support team because the resolution required vendor or institutional‑identity‑provider action.
390. IU Learning Hub (LMS) course resources failing to open due to browser caching or SharePoint permissions
Solution
Support reproduced the symptom and recommended standard client-side troubleshooting: clearing the browser cache and retrying or using a private/incognito browser window. When those steps did not restore access, the issue was escalated or redirected to the course/product owner (people-projects) because the root cause was missing SharePoint/course permissions. In tickets where product‑owner intervention occurred, granting the missing course/SharePoint permissions restored access to videos and files.
391. Viva Goals (goals.cloud.microsoft.com) access entitlement missing
Solution
Support verified the user's Viva Goals application entitlement and provisioned Viva Goals access in the tenant when the entitlement was missing. After the entitlement was granted the affected account regained access to goals.cloud.microsoft.com and the user confirmed functionality was restored. Some incidents presented as sign‑in failures with an authentication/error code and were escalated to Procurement/licensing for a licensing decision; those tickets recorded no additional technical remediation.
392. Owner‑ or creator‑managed SaaS resources where IT cannot reassign access
Solution
Support confirmed these resources were controlled by the object owner (or vault owners) rather than central IT. For the Power Automate flow, support noted that the existing flow owner needed to add the requested users or grant them owner permissions and provided the requester with the owner‑management guidance page. For the Microsoft Forms case, administrators were unable to change form ownership or grant response access themselves; the ticket recorded that only the form owner could transfer ownership or add response access and advised contacting the owner or creating a new owner‑controlled form. For 1Password, IT had no central overview of vault ownership and therefore did not grant access or list vault owners; the requester was advised to ask teammates, the team lead or the vault owner to share the vault. No centralized admin changes were performed by IT in these cases.
393. Automated provisioning or SSO failures resolved by manual vendor/admin actions or vendor support
Solution
When the automated/request workflow failed, manual intervention by an administrator or the vendor resolved or clarified access. For OpenAI, an administrator sent a manual corporate‑account invitation email and the user completed account creation. Miro access was restored after a backend account fix performed by support; the user confirmed login succeeded. Twilio access and the requested Caller ID were configured by a technician during a Teams session with the requester. For vendor‑hosted portals (PMS, WorkFlex) the team confirmed those systems were vendor‑owned or unsupported by central IT and redirected the requester to the vendor support/contact forms or the owning support team rather than performing internal provisioning. Tickets were closed after manual invite/backend fix or after redirecting to vendor support where appropriate.
394. PMS account and permission requests require vendor/product account‑management forms
Solution
Support confirmed IT did not have access to the PMS account-management console and could not directly provision or change in‑app permissions. Users were directed to submit access or permission-change requests through the official PMS account-management/support forms; in one case an approver setting was adjusted before handing the remainder of the request back to PMS account management. The issue was closed after the user was advised to contact PMS via their vendor forms.
395. Salesforce account provisioning by copying a reference user and related SSO permission verification
Solution
A Salesforce account was provisioned by copying a reference user's account and adapting the copied settings for the target user. After the copy operation, the Twilio SSO permission was verified and found to be assigned as part of the replicated configuration. The requester was informed that the account and SSO access were in place.
396. SharePoint file access missing when opening links from a student Salesforce account
Solution
Support verified the user's SharePoint permissions for the referenced files and granted the required access on the SharePoint side. After the permissions were applied, the user was informed that access should now succeed when opening the SharePoint link from Salesforce.
397. GitLab access provisioned by account creation and Okta group assignment
Solution
Access was provided by creating a GitLab account for the requested corporate email and/or assigning the user to the appropriate Okta group (team-specific membership such as 'Prometheus'). After account creation and group assignment the user was notified that GitLab access was available.
398. Legacy ticketing system account absent (OTRS migration)
Solution
Support searched the OTRS user database for the referenced account and confirmed no OTRS account existed for the named user. Based on the absence of any matching account and the team's apparent migration, no new OTRS account was created and the request was closed as Done.
399. SaaS activation expired verification email with vendor/admin-managed account creation (Salesforce Marketing Cloud)
Solution
Support assigned the Salesforce Marketing Cloud application to the user's Okta dashboard so the app was visible in Okta. The user was informed that Salesforce Marketing Cloud account creation and verification were handled by the product owner (jimmy.murphy@iu.org) and was directed to contact that owner to complete account activation and any required verification steps.
400. PowerApps invoicing app allowed invoice creation but not viewing previously submitted invoices
Solution
Support confirmed the user had been granted the PowerApps assignment for the Freelancer Invoicing App and the user was able to upload an invoice through the exposed "create new invoice" form. Support provided the standard informational material about the app and clarified that telephone support was not available; the ticket was closed after the user confirmed they could upload. The ticket did not record any in-app navigation changes or additional role/permission changes to enable a separate "view submitted invoices" interface.
401. Service Portal access failed in a single preferred browser after Fastlane setup
Solution
Fastlane setup was completed and the user temporarily accessed the Service Portal via alternative browsers and the Okta dashboard as a workaround. No further corrective actions were recorded; access through the user's preferred browser returned to normal subsequently and the ticket was closed.
402. Automation-for-Jira approval workflows completed by Atlassian Api User assignment
Solution
The outstanding requests were completed when the Automation-for-Jira process (recorded as an 'Atlassian Api User' action) performed the application assignment to the user's account. The automated assignment entry showed the application had been granted to the user's email, which closed the approval workflow and restored access.
403. Requests routed to IT Service Portal Self‑Service and auto-closed after no requester follow-up
Solution
Support responded with the IT Service Portal Self Service link and instructions to submit the application request there. In one case hardware was ordered and credentials were queued for automatic delivery; in another case the user was given the portal link but did not follow up and the ticket was auto-closed after 14 days with status 'Done'.
404. Invitation-based SaaS provisioning completed by admin invite and user acceptance
Solution
An administrator sent the vendor invitation email to the user’s work address. After the user accepted the vendor invitation, the vendor-hosted account (including ChatGPT Teams / ChatGPT‑4) was provisioned and access was confirmed. These requests typically contained no application error messages and were resolved solely by issuing the vendor invite and confirming the user’s acceptance.
405. Vendor workspace-membership conflict preventing SCIM/Okta provisioning (Mentimeter)
Solution
The provisioning attempt failed and the remote Mentimeter API returned a Bad Request with the message: “Mutability: The target location for the operation is not mutable. The user is already member of another workspace.” The failure and API error were recorded in the ticket; no automated re-provisioning was recorded in the ticket notes.
406. Cost‑centre approval workflow routing only to single approver
Solution
The specialist team reviewed and revised the cost‑centre approval process and approver routing. The ticket was closed after that revision, with the change to the approval workflow recorded in the ticket.
407. Application Self Service: automated assignment completed via Atlassian API after pending approval
Solution
Pending Application Self Service requests that appeared stalled in the approval/notification stage were completed by the Atlassian Api User via Automation for Jira. The automation recorded assignment actions (logs sometimes contained localized messages such as "Dem Benutzer
408. CARE application: site-restricted access and missing 'All sites' flag after assignment
Solution
Investigations showed affected CARE accounts had been provisioned via the Atlassian API and approvals were executed through Automation for Jira; automation logs recorded the application-assignment entries and tickets were closed following those recorded assignments. Multiple tickets lacked any explicit recorded change to an 'All campuses'/'All sites' permission or a documented site‑wide student-edit right, and several users reported the cross-site flag remained missing despite the recorded assignment. In at least one incident the loss of CARE/EPOS timetable visibility coincided with an update/migration; common client-side troubleshooting (browser refresh, clearing cache/cookies, incognito mode, trying other browsers) did not restore access and no successful remediation was achieved for that case.
409. Azure access granted by replicating another user's subscription roles
Solution
Role and permission assignments were applied to the requested user for both Production and Non‑Production Azure subscriptions so that the user received access to the required Logic Apps and associated resources. The ticket was closed after confirming the role assignments were applied.
410. Application Self‑Service requests stuck in approval or prerequisite workflows
Solution
Pending Application Self‑Service requests were resolved either by advancing the Automation‑for‑Jira approval workflow or by assigning the application through the Atlassian provisioning/API (including Okta‑backed provisioning). In multiple cases Automation‑for‑Jira notifications named approvers and the provisioning system recorded assignment to the requester, which cleared the 'approval pending' state and restored access. Some requests required approver justification before the approval step completed and assignment occurred. A subset of requests were gated by prerequisites (for example Copilot for M365 was tied to an IU Learning Hub course); enrollment and a recorded course status of 'completed' triggered auto‑assignment (features could take up to 72 hours to appear).
411. Discrepancy between Care/myCampus reporting and Azure AD provisioning preventing AAD group membership
Solution
Investigation identified source-identity mismatches and timing as the root causes: some Care/myCampus entries used personal or non‑IU email addresses and therefore no corresponding Azure AD account existed, and some users were not yet provisioned in Azure because their account activation date was in the future. The ticket documented these findings and recommended aligning the source-system email with the corporate identity and waiting for scheduled provisioning; no automated AAD-group addition was possible until a corporate Azure AD account existed.
412. Confluence licensing requests cannot be bulk-issued via distribution lists
Solution
The investigation confirmed that Confluence licenses at the institution required individual license requests via the IT Portal before users could be added to spaces. No bulk/distribution-list license-issuance mechanism was implemented as part of this request and the ticket recorded that no operational change was applied.
413. Project/component admin and edit permissions missing in Jira/onCampus resolved by direct grants
Solution
Administrators reviewed the relevant project/component membership and permission schemes and granted the required admin/edit rights. For the Canned Response Pro app affected users were granted edit permission and regained functionality after re-login. For the 'Real Estate Services' project the requester was granted project admin access, and the onCampus Service‑Portal admin-rights request was implemented. Tickets were closed after permissions were applied and user access was confirmed.
414. Confluence sharing blocked for Walbrook/UFred users due to tenant-specific Atlassian group mappings
Solution
Administration confirmed that IU-wide Atlassian groups did not provision access to Walbrook/UFred users. The resolution was to use the Walbrook-specific Atlassian group (WB-OK-ASS-Atlassian-Confluence) for space permissions. Once the correct tenant-specific Atlassian group was applied the Walbrook/UFred users became selectable and could access non-public pages as intended.
415. Salesforce profile change required corresponding Okta/Group update
Solution
The Salesforce group mapping was adjusted to reflect the user's updated profile; the ticket noted 'SalesForce Gruppe angepasst' by the specialist. The change closed the request without further documented Okta-side steps in the ticket.
416. Atlassian/Confluence external user blocked from password reset due to missing 2FA and provisioning group
Solution
Support provisioned the user by adding them to the IU-ZZ-OK-ASS-Atlassian-Confluence-Extern Okta group to create the Atlassian entitlement and then sent a support-initiated password reset email. It was recorded that self-service password resets were prevented because the account had no registered second factor (2FA), and the combined group assignment plus the support password-reset action restored access for the user.
417. Application Self‑Service requests resolved by explicit app entitlement or role assignment
Solution
Access problems were resolved by granting the missing application entitlement or in‑app role through the organisation’s provisioning system. The Confluence/Deskbird/EPOS/NordLayer accounts were explicitly assigned via the Atlassian API and the required application role/permission that exposed the missing UI element was applied; approval notifications from Automation for Jira were used where the request had been pending. After those assignments the users regained the missing tab or normal login behaviour and access was confirmed.
418. Third‑party AI services (OpenAI/ChatGPT/CoPilot) account ownership and IU‑Playground invitations
Solution
Support clarified that OpenAI accounts are not centrally managed by the organisation and that internal access is provided by inviting users to the IU‑Playground. The user had already been invited and their account was registered in the IU‑Playground; they were advised to contact OpenAI support directly for discrepancies on the vendor side. The ticket was closed after no further user response.
419. Incorrect product selection in self‑service requests (Marketing Cloud vs Sales Cloud) and integration requests declined
Solution
The provisioning request was declined because the requested product did not match the user’s described need. Support informed the requester that Sales Cloud was the likely correct product and asked them to submit a new request for Sales Cloud; no Vonage integration work was performed as part of the declined Marketing Cloud request.
420. Application Self‑Service role approval routing gaps (Ardoq reader/writer vs contributor)
Solution
The contributor role was made requestable through the Self Service flow so users could be provisioned after cost‑center approval. It was recorded that reader/writer role requests were not yet routed to the product‑specific approvers and would require adding role‑specific routing rules to the approval workflow.
421. Figma license/seat loss resolved by SSO-triggered SCIM provisioning then admin seat allocation
Solution
The user authenticated once via the corporate SSO so the vendor SCIM provisioning could add them to the managed group; after the SCIM sync completed an administrator allocated the requested paid seats (Full Design, Full Dev Mode and Full FigJam seats). This restored full access to the MarTech/DS portals and the team files.
422. RDP/desktop shortcut for on‑prem server appears only when connected to corporate network or VPN (SFIRM server)
Solution
Server access was provisioned on the back end. After provisioning, the RDP connection icon was expected to appear on the user's desktop when they were logged in from inside the cpg‑corp network or connected via the corporate VPN. The ticket also noted the separate contact for the SFIRM application, for cases where the request concerned the app rather than server access.
423. Granting ChatGPT via Okta group assignment when regular approver unavailable; documentation mismatch
Solution
Access was granted by using an existing reference Okta account to identify the correct Okta group and then assigning that group to the requesting user; the user thereby received ChatGPT access. The ticket recorded that the SWM documentation screenshots were outdated but no documentation update was captured in this record.
424. Application Self Service requests stalled awaiting approver action then completed via Atlassian API assignment
Solution
Requests ultimately completed when the approval workflow progressed and the Atlassian API recorded the provisioning assignment. Automation-for-Jira triggered approval notifications to approvers/CCs; once an approver granted access (or requested and received business justification) the Automation-for-Jira logs contained assignment messages such as “The user
425. SSO tenant/account mismatch caused JotForm sign-in to use wrong Microsoft identity
Solution
Support resent JotForm invites to the users' Walbrook email addresses to surface the correct account and instructed the users to sign into Microsoft with their Walbrook account before attempting the JotForm SSO. After the invites were re-sent and the correct Microsoft account was used for the sign-in attempt, the SSO flow worked as expected.
426. Application assignment plus user cost‑centre attribute update via Application Self Service
Solution
The Atlassian Api User application was assigned to the requester via the Application Self Service provisioning flow. The user's cost‑centre attribute in the identity directory was updated to the requested value "CC24010 CSE Berlin Academic" and the change was confirmed with the user.
427. Bot/service account Confluence space membership provisioning
Solution
The GitLab/Markdown bot account was added as a member of the requested Confluence space. The change was applied at the space level (space membership) and the ticket was closed after confirming the bot had the additional space access.
428. Assigned Jira issues inaccessible due to missing project membership/role
Solution
Project-level access was granted by assigning the user to the appropriate PMOC project role/membership. After the project role assignment the user regained visibility of assigned issues and began receiving notifications as expected.
429. Bulk Okta group membership changes to enable M365 Copilot access
Solution
All 19 specified users were added to the Okta group "IU-ZZ-OK-ASS-M365 Copilot". The group‑membership change was recorded and the users were subsequently able to access M365 Copilot via the group entitlement.
430. Vendor‑managed SaaS SSO failure due to missing vendor account (Egencia)
Solution
IT confirmed the Okta↔Egencia SSO integration was present but that the affected users did not have active accounts in the vendor tenant. Support clarified they only managed the SSO connection and had no administrative rights in Egencia to create or reactivate vendor-side accounts. Cases were escalated back to the internal account owner (procurement/HR) or to Egencia support for account restoration or creation (procurement@iu.org was used as the internal escalation address in one incident). No internal configuration changes were performed; tickets were closed after handing the incident to the vendor/internal owner or after inactivity when users did not respond.
431. Application Self‑Service approvals processed by Automation‑for‑Jira and Atlassian API assignment
Solution
Automation‑for‑Jira produced approver notifications and 'waiting for approval' messages. After approval events the Atlassian API service account executed the requested application and entitlement assignments and the assignment actions were recorded under that Atlassian API user. Affected targets included SaaS apps and internal entitlements (examples: Canva, AWS ClientVPN, Application Self Service, CARE). In each resolved case the Atlassian API assignment completed and the ticket was marked Done; when users returning from leave reported missing Atlassian accounts, the automated assignment restored the requested application access and closed the request.
432. Service/bot account access requiring role mapping in production and staging (EPOS automation bot)
Solution
The EPOS domain specialists verified the request with the product owner and assigned the relevant role/permission set to the service account in both EPOS production and EPOS stage to match a reference bot profile. A reference user (Kleo Bot) URL and a responsible contact (Gina Wagner) were provided to support role mapping. The ticket recorded the permission assignments and environment parity; the separate question about API token/authentication remained outstanding in the record.
433. Application Self‑Service: Atlassian API assignment restored missing app access after Okta changeover or pending approval
Solution
Access was restored by assigning the requested application to the users via the Atlassian API as part of the Application Self‑Service/Automation‑for‑Jira workflow. The API assignment removed the pending approval state and the users regained SSO‑backed access to the application.
434. Vendor account provisioning for JotForm SSO: vendor-side user creation fulfilled SSO request
Solution
Both users were created/added in the JotForm tenant so that their SSO identities were recognisable by the vendor. Adding the accounts in JotForm fulfilled the SSO access request and the users were able to sign in via SSO.
435. Access request stalled by missing/changed approver and auto‑decline of approval workflow
Solution
The approver was changed in the workflow record, but no approval action was recorded before the platform's automatic timeout. The request was auto‑declined/closed after the 14‑day approval window and no access was provisioned prior to closure.
436. Local client hardware/permission issue (webcam privacy slider) coincident with SSO/login and meeting host errors
Solution
IT support advised the user to check the local webcam privacy/enable slider; the user later confirmed the camera and other reported issues were resolved. No additional vendor/system configuration changes for Jira or Zoom were recorded in the ticket.
437. Onboarding: mixed application entitlement confusion and Salesforce password activation
Solution
Support verified that Care, Epos, myCampus and Cloudya/Nfon entitlements were already provisioned (as documented in the welcome-email PDF) and communicated those confirmations to the requester. For Salesforce the issue was resolved by sending an admin-triggered password-reset email to the user; after the user followed the reset link, the account accepted the IU-mail sign-in and Salesforce access succeeded. The ticket was then closed after user confirmation.
438. Application integration action blocked by missing role (Oasis 'Push to Workday')
Solution
The missing application permission was granted to the affected user, restoring the Oasis 'Push to Workday' capability. The permission change was applied on 2025-10-16 by the named administrator (Sean Parker) and access was verified by the requester, who confirmed the ability to push changes.
439. Provisioning error created missing project permissions for Jira/Confluence access
Solution
Support investigated the account provisioning and corrected permission settings that had been misconfigured during creation. The user was re-added to the appropriate Jira project and Confluence access was granted; the requester confirmed that Jira and Confluence access worked after the permission correction.
440. Procurement‑owned SaaS access requests (Viva Goals) routed outside IT
Solution
Support determined that procurement/purchasing owned Viva Goals access decisions and advised the requester to submit the access request to procurement@iu.org. The ticket recorded the Automation-for-Jira approval metadata (CC approver and named waiting approver) but the access decision was routed to procurement for final approval.
441. Okta app assignment or app-state (locked) blocking SSO launch to a known account
Solution
Access was restored by addressing the Okta-side entitlement or app state. In one case the target application (CARE) was administratively assigned to the user's Okta identity which linked the existing account and removed the SSO prompt. In another case the Lucidchart Enterprise application was unlocked on the user's Okta profile; the unlock plus short Okta-propagation time (~5–10 minutes) allowed successful SSO launches.
442. Application feature access denied until role/permission mapping matched a reference user
Solution
The missing in-application permissions were granted by updating the user's roles to match the requested/reference user or by assigning the specific transaction/view permissions. For Conduktor the user's permissions were configured to mirror the referenced user and access was confirmed. For the finance refunds module the user received the required application permissions to view/process the listed refund transactions and confirmed successful access.
443. On-site Viewneo digital‑signage access blocked by missing site‑specific credentials and documentation
Solution
Support acknowledged the incorrect Deskbird guidance, asked the requester to confirm whether a Viewneo box existed at the Dresden site, and explained that each site used its own Viewneo credentials. The ticket did not contain Dresden credentials or the requested usage documentation, so no credential handover or final provisioning occurred within the ticket and the request required the local site owner or Viewneo administrator to supply the site‑specific credentials and documentation.
444. Billing application access lost and escalated to Local Contact Center without technical troubleshooting
Solution
Support escalated the issue by emailing the user and advising them to contact the Local Contact Center (LCC). No technical troubleshooting steps, diagnostics, or remediation were recorded in the ticket and the case was closed after the escalation instruction was issued.
445. Browser Google account sign‑in prompt blocked Salesforce click‑to‑dial setup
Solution
Support reviewed the screenshot, identified the dialog as a Google account sign‑in prompt, and advised launching Salesforce in Chrome via the Okta SSO (sign into okta.iu.org first) so the Salesforce session would be provisioned through Okta. The agent asked the user for the specific CTD setup instructions they were following; no further user response or confirmed fix was recorded and the ticket was closed due to inactivity.
446. Care provisioning: 'Community' access not selectable for external worker accounts
Solution
In at least one case the support agent directly enabled and assigned Community access in the Care system and completed the provisioning workflow; a password‑reset email was configured to be sent to the external user's private address on the start date. A related ticket was marked Done without recorded steps, indicating the underlying UI selection issue was handled by an agent manually setting the Community flag in the Care backend rather than a documented UI change.
447. OpenAI Playground access request forwarded to specialist team with no immediate feedback
Solution
Support forwarded the user's access request to the specialist team and informed the requester that the form had been passed on for handling. The ticket was closed and contained no further resolution details or confirmation of provisioning from the specialist team in the ticket record.
448. Trello board invite / membership not granting access (invite link or vendor-side board permission issue)
Solution
Support validated that an invite/link had been generated and then escalated the case to the Trello specialist/product team (Fachabteilung) for deeper investigation. The ticket recorded the escalation and context for the specialist but contained no further remediation detail or final resolution.
449. Case-management (FS English Thesis) limited-record view due to approver/visibility role mapping
Solution
An approver role change was applied (noted in the ticket as 'Approver angepasst' by a specialist) and the incident was forwarded to the application specialist team for in-depth investigation. An admin reproduced the same limited view and requested a reference user to map permissions; the ticket documents role adjustment and escalation but does not record a final remediation step.
450. GrowthBook access provisioning for service account and requester resolved by product owner
Solution
Support identified the GrowthBook license/contact owner and contacted the requester via Teams. Ownership was assigned to a named owner (David Meyer) who provisioned the requested GrowthBook access for the service account and the human requester; access was confirmed and the ticket was closed.
451. Twilio access via Salesforce SSO failed despite password reset and SSO group membership
Solution
Support triggered a system reset email and the user completed a Salesforce password reset. The case was then escalated to the internal/integration team for further investigation. The ticket noted the password reset and the escalation, and was later marked resolved by the handling team with no granular troubleshooting steps recorded.
452. Project-board read-only access: write/visibility controlled by Project Admins (support cannot assign)
Solution
Support advised that project-specific permissions were controlled by the project's Project Admins and could not be granted by service desk staff. The user was instructed to contact one of the Project Admins; the ticket was closed after providing this guidance and contains no confirmation that the Project Admins subsequently changed permissions.
453. Access requests stalled when manual provisioning relied on a named product specialist/owner
Solution
Tickets were handled by contacting or forwarding the request to the product specialist or approver named in the workflow. In one case (Canva) the specialist team provisioned a Canva Pro account for the requester and the ticket was closed as done. For other requests (Datadog, Metabase, Cenva) the ticket notes recorded that the request and required approval were routed to the named owner (Kevin Fischer / Eva Friedrich or the specialist team) but no provisioning confirmation was recorded; one ticket was auto-closed by the Automation-for-Jira workflow after no reply. The documented actions were therefore either a successful specialist provisioning (Canva) or escalation/forwarding to the responsible owner with no recorded completion.
454. Service mailbox cannot authenticate to vendor app because mailbox is not an Okta user
Solution
Investigation confirmed the vendor integration (JungleMail) was configured to authenticate via the organisation's Okta/Microsoft 365 SSO. The service mailbox (evaluationen@iu.org) was not present as an Okta user, so the SSO flow redirected to Okta and could not proceed to authenticate the mailbox. The ticket documented the root cause (Okta-based auth + mailbox not an Okta user) but no corrective action was recorded in the ticket.
455. Power Apps blocked when user lacks HR/role attributes (professor) required by the app
Solution
The investigation noted the Power Apps (WIKO ProfessorInnen and WIKO Präferenzabfrage) evaluated the user's employment/role attributes and presented only an access-request flow because the user was not recognised as a professor. The ticket recorded that the requester recently started employment and suspected the missing appointment certificate or HR-recorded appointment might be the cause. No app-owner change or role-attribute update was performed in the ticket; the actions recorded were diagnosis of the likely cause (missing professor/appointment attribute) and direction that the app owner or HR-sourced attribute needed to be resolved outside the ticket.
456. License‑assignment blocked by UI warning about additional fees when changing agent/dashboard licenses
Solution
The ticket recorded that when the requester tried to change licenses for three new employees the system displayed a warning that additional licensing fees would be incurred; no license changes were completed. The request was escalated to the specialist team for clarification of licensing/fee handling, and no further permission changes were recorded before the ticket was closed. The documented outcome was escalation with no in-ticket resolution of the fee-warning or successful license assignment.
457. Requests for personal Jira instances or service/API accounts stalled by missing context and approval
Solution
The ticket was triaged and forwarded to the specialist team, which requested additional context from the requester. The specialist provided informal guidance that the requester could independently create a personal Jira instance if IU-managed provisioning was not required. The specialist also noted that an MCP-related global IU solution for service/API access was in prioritization and expected imminently. No service account or instance was provisioned before the ticket auto-closed due to no further requester response.
458. Viva Goals access lost when dynamic Azure AD license group was missing due to empty Workday-derived attribute
Solution
Investigation identified an Okta→AD sync failure and confirmed that the Viva Goals license group IUG-AAD-ASS-License-IT-VivaGoals was absent for the affected users. Because extensionAttribute15 (CustomAttribute15) was not populated for non-Workday accounts, those accounts were not included in the dynamic Entra ID group and did not receive the Viva Goals license. The ticket recorded this root-cause diagnosis; no remediation actions or account-level fixes were documented in the ticket.
459. Okta admin role lacked permission to edit group memberships
Solution
The Okta admin role for the BOPS account was updated to include the permission to edit group memberships. The change was implemented in Okta by Markus Müller and the account regained the ability to manage group membership; the ticket was marked Done.
460. Workday Sandbox login fails despite production credentials
Solution
Support confirmed that production Workday accounts and SSO were managed via Okta but that sandbox‑environment access was controlled separately by the Workday/tenant administrators. The request was forwarded to the Workday support contact (wd-support@careerpartner.eu) and the user was advised to request sandbox access directly from Workday Support. No additional Okta configuration changes were recorded in the ticket.
461. Viva Engage moderator assignment blocked by role/licensing or community membership
Solution
The case was closed as resolved by an internal administrator, but the ticket lacked a step‑by‑step remediation record. The support thread recorded recommended checks and actions: verify the requestor's Viva/tenant permission schema and whether the requestor held moderator/administrator rights; confirm that target staff were licensed/registered for Viva Engage and members of the community; and adjust roles or community membership where appropriate. No further automation or platform configuration change was documented in the ticket.
462. SSO works for some vendor shops but a specific shop fails due to vendor-side account state
Solution
IT confirmed that SSO had been enabled and that the user could sign into the other shops. The unresolved shop appeared to be controlled by the vendor/platform team, so IT advised the requester to have the brand‑platforms team (brand-platforms@iu.org) inspect the failing shop account and user mapping. No further action by IT was documented and the ticket was closed pending vendor-side investigation.
463. Vendor-side SSO/license visibility mismatch causing lost admin privileges
Solution
Support investigated but could not view the vendor-side SSO/license metadata from their admin consoles, so no direct remediation was applied in the ticket. The user was instructed to submit a Self‑Service access modification request to the product provisioning workflow; the user then closed the support ticket and opened a new Self‑Service request to request reinstatement of admin privileges. The ticket was closed without an in-ticket fix because the vendor-side account state and the Okta-visible session were inconsistent and required product-owner/self-service re-provisioning.
464. Vendor account provisioning stalled due to missing reference-user information
Solution
The support agent recorded that Cloudinary account creation required a named reference user to map account settings and permissions; because the requester did not provide the reference-user details, no Cloudinary account was provisioned and the request was left unresolved. The ticket documented the requirement for a reference user and was closed without an account being created, pending the requested reference information from the requester.
465. Access requests for non‑IT‑supported apps or missing approver/cost‑center auto‑closed by automation
Solution
Support determined the applications were owned outside central IT and routed requesters to the product owners or specialist teams (for TEAQ support the contact support-teaq@iu.org; for training/Learning Hub access the People Projects team at people-products@iu.org). Where the approval workflow timed out with no approver action, Automation-for-Jira recorded an automatic closure and the ticket state was declined. No in-ticket entitlement changes were applied because the apps required owner-managed provisioning or approver action outside the IT team.
466. Service accounts, app registrations and tenant‑level governance blocking automation integrations
Solution
Support captured guidance and routed the requests to the appropriate specialist and identity teams: SalesTech/Salesforce specialists were notified for Salesforce-integrated flows, requesters were pointed to Microsoft Graph APIs and permission models for Teams chat/message operations, and Identity/Azure AD approval was identified as required for tenant App Registration (Incident.io Teams install guidance and an Identity-owner approval step were recorded). For Copilot built‑in agents, the request was escalated to policy owners because Works Council data/security tolerance needed to be established before enabling service-account access (no Copilot access was granted in the ticket). The tickets remained pending or were closed due to inactivity or awaiting external approvals; no final multi-system service-account provisioning was completed within these tickets.
467. Missing dynamic Azure/AD group membership after account-internalization blocked Service Portal and intranet access
Solution
Support investigated the account state and identified a missing dynamic group assignment as the root cause of the Service Portal and intranet access denials. The investigation notes recorded the root cause (absent dynamic group membership tied to the internal account state), but no remediation steps or confirmation of a fix were documented in the ticket before it was closed.
468. Okta-backed shared/service mailbox requested for vendor SSO but self-service and policy prevented immediate provisioning
Solution
IT created the requested shared mailbox (team-service-on-campus@iu.org) and investigated Okta provisioning for SSO access. The ticket documented that the Cloudinary self-service form did not list the mailbox as an assignable Okta user and that the request raised security/policy concerns about using shared Okta accounts. No final Okta SSO provisioning or documented policy approval was recorded in the ticket.
469. Okta tile visible but launching Jira/Confluence redirected to service portal or denied due to missing product permissions
Solution
Support restored the users' Jira/Confluence product permissions at the application level (re-granted the missing product entitlements/permissions). After the permission assignment was re-applied, the users tested and confirmed they could open Jira and Confluence from the Okta dashboard and access was verified as restored.
470. HTTP 404 when launching GitLab via Okta/Jira — workspace or instance-level access routed to DevOps
Solution
Support routed the user to the DevOps team via the DevOps Service Desk for investigation of GitLab workspace/project-level access and instance mapping. The ticket was closed after referral to DevOps for the platform-owner investigation and remediation.
471. Miro account exists but password‑reset emails not received; Okta Dashboard SSO used as fallback
Solution
Support advised the user to sign in to Miro via the Okta Dashboard SSO (provided the authenticated Okta launch URL) as a fallback to the vendor password reset. No further troubleshooting or email-delivery remediation was recorded in the ticket.
472. Manual product-owner provisioning for Lucid and Atlassian access
Solution
Access was restored by the product teams via manual provisioning: application entitlements/permissions were granted to the affected user accounts and a notification was sent to try access. Tickets were closed after the app-owner confirmed the required permission/assignment had been applied.
473. GitLab access requests routed to DevOps Service Portal for specialist provisioning
Solution
Support instructed the requester to open a provisioning request in the DevOps Service Portal because GitLab permissions and account creation were handled by the DevOps team. The DevOps provisioning workflow then processed the request and the issue was closed by the owning team after granting the required GitLab access.
474. Vendor invitation/credential email not received for Twilio access
Solution
The case was escalated to the specialist/owner team for Twilio; the agent noted that accounts are typically pre-created and that the missing step was the vendor invitation or credentials delivery. A callback request was logged and the specialist team was expected to verify account existence and resend the activation/invite email or otherwise complete the vendor-side provisioning; the ticket was subsequently closed without a detailed final confirmation recorded in the ticket.
475. Corporate webshop product missing or broken ordering link (IU Shop business cards)
Solution
Support confirmed the IU Shop Okta tile launched but the business‑card product or ordering URL was unavailable. Troubleshooting notes and screenshots were collected and the user was directed to contact the brand‑platforms team (brand-platforms@iu.org) for product listing or ordering‑link restoration. No final fix was recorded in the ticket — the change/restoration of the shop product or replacement ordering link was left to the brand team.