authZInit  bool
	)

	stsTLSConfig, err := xtls.Lookup(s[config.IdentityTLSSubSys][config.Default])
	if err != nil {
		iamLogIf(ctx, fmt.Errorf("Unable to initialize X.509/TLS STS API: %w", err), logger.WarningKind)
	} else {
		if stsTLSConfig.InsecureSkipVerify {
			iamLogIf(ctx, fmt.Errorf("Enabling %s is not recommended in a production environment", xtls.EnvIdentityTLSSkipVerify), logger.WarningKind)
		}
		sys.Lock()

	logger.LogOnceIf(ctx, "replication", err, id, errKind...)
}

func iamLogOnceIf(ctx context.Context, err error, id string, errKind ...any) {
	logger.LogOnceIf(ctx, "iam", err, id, errKind...)
}

func iamLogIf(ctx context.Context, err error, errKind ...any) {
	if !errors.Is(err, grid.ErrDisconnected) {
		logger.LogIf(ctx, "iam", err, errKind...)
	}
}

func iamLogEvent(ctx context.Context, msg string, args ...any) {

		userName := path.Dir(item)
		// loadUser() will delete expired user during the load.
		err := iamOS.loadUser(ctx, userName, stsUser, stsAccountsFromStore)
		if err != nil && !errors.Is(err, errNoSuchUser) {
			iamLogIf(ctx, err)
		}
		// No need to return errors for failed expiration of STS users
	}

	// Loading the STS policy mappings from disk ensures that stale entries

					if !ok {
						time.Sleep(1 * time.Second)
						// Upon an error on watch channel
						// re-init the watch channel.
						goto outerLoop
					}
					if err := watchResp.Err(); err != nil {
						iamLogIf(ctx, err)
						// log and retry.
						time.Sleep(1 * time.Second)
						// Upon an error on watch channel
						// re-init the watch channel.
						goto outerLoop
					}

				iamLogIf(ctx, err)
			} else if foundGroupDN == nil || !underBaseDN {
				err = errNoSuchGroup
			} else {
				entityName = foundGroupDN.NormDN
			}
		} else {
			var foundUserDN *xldap.DNSearchResult
			if foundUserDN, err = globalIAMSys.LDAPConfig.GetValidatedDNForUsername(entityName); err != nil {
				iamLogIf(ctx, err)
			} else if foundUserDN == nil {

				iamLogIf(ctx, err)
			} else if foundGroupDN == nil || !underBaseDN {
				return wrapSRErr(errNoSuchGroup)
			}
			entityName = foundGroupDN.NormDN
		} else {
			var foundUserDN *xldap.DNSearchResult
			if foundUserDN, err = globalIAMSys.LDAPConfig.GetValidatedDNForUsername(entityName); err != nil {
				iamLogIf(ctx, err)
			} else if foundUserDN == nil {

			store.deleteMappedPolicy(ctx, user, userType, false)
			cache.iamUserPolicyMap.Delete(user)

			// we are only logging errors, not handling them.
			err := store.deleteUserIdentity(ctx, user, userType)
			iamLogIf(GlobalContext, err)
			if userType == stsUser {
				delete(cache.iamSTSAccountsMap, user)
			}
			delete(cache.iamUsersMap, user)
			if store.group != nil {
				store.group.Forget(user)
			}