We’ve set up an automated DevOps pipeline for deploying intercompany transaction configurations across our environments. The pipeline worked fine in DEV and TEST, but now it’s failing in production with “Legal entity not found” errors during the Data Management import step.
The error occurs specifically when importing intercompany trading partner relationships. Our pipeline environment variables include the legal entity mappings, but something seems to be missing in the entity permission context. The batch job starts, processes about 30% of records, then fails.
Error: Legal entity 'USMF-PROD' not accessible
Data entity: IntercompanyTradingPartnerEntity
Import step: TradingPartnerRelationships
Has anyone encountered legal entity mapping issues in automated deployments? The same configuration files work perfectly when imported manually through the UI.
Yes, batch jobs have their own security context. Even if the service account has legal entity access, the batch job user (configured in System administration > Users > Batch job users) needs explicit permissions too. Check the batch job configuration in your Data Management import project - it might be defaulting to a different user context than expected.
I think we need to look at all three focus areas systematically to solve this.
Legal Entity Mapping Permissions:
First, verify your service account has both Security role access AND Legal entity access. The key is that the account needs the “Organization administration” privilege set. Add this to your pipeline setup script:
// Grant legal entity access via API
LegalEntityAccessHelper.grantAccess(
serviceAccountId: "pipeline-svc-account",
legalEntity: "USMF-PROD",
effectiveDate: DateTime.Now
);
Data Management Import Step:
The import definition needs explicit legal entity context. Modify your Data Management project XML before deployment:
<DataProject>
<ExecutionContext>
<DefaultLegalEntity>$(PROD_LEGAL_ENTITY)</DefaultLegalEntity>
<BatchExecutionUser>$(PIPELINE_SERVICE_ACCOUNT)</BatchExecutionUser>
</ExecutionContext>
</DataProject>
Replace $(PROD_LEGAL_ENTITY) with your pipeline variable that resolves to ‘USMF-PROD’.
Pipeline Environment Variables:
Your Azure DevOps pipeline needs these variables properly scoped:
- PROD_LEGAL_ENTITY: ‘USMF-PROD’
- PIPELINE_SERVICE_ACCOUNT: The actual user ID (not just name)
- DMF_EXECUTION_MODE: ‘BatchWithLegalEntityContext’
The critical fix is ensuring your Data Management import project explicitly sets the legal entity context BEFORE the batch job starts. The framework won’t inherit it from the service account alone - it needs to be declared in the import definition. This is why manual imports work (UI forces you to select legal entity) but automated ones fail.
Also add a pre-deployment validation step in your pipeline that checks if the target legal entity exists and is accessible:
# Validate legal entity access before import
$apiEndpoint = "$($OrgUrl)/data/LegalEntities?$filter=DataAreaId eq '$($ProdLegalEntity)'"
$response = Invoke-RestMethod -Uri $apiEndpoint -Headers $authHeaders
if ($response.value.Count -eq 0) {
throw "Legal entity $ProdLegalEntity not found or not accessible"
}
This validation will catch mapping issues before the actual import starts, saving you troubleshooting time.
That’s a good point. I checked and the service account does have legal entity access configured. However, I noticed the pipeline is using a batch job execution context. Could there be a difference between interactive user permissions and batch execution permissions for legal entities?