Skip to Content

Assigning New Privilege/Role issue

Hi All,

I have few users in IDM who has direct privileges(even though they have Coresponding roles) while rest all users have Automatic privileges based on the roles assigned to them, because few users have been pushed from the AD to IDM.
Now when i am assigning a new role to the user who has automatic privileges, system is assigning the corresponding privileges as automatic privileges. its working fine but when i am assigning a new role for those users who has direct privileges, for some users it assinging the privileges as Automatic privileges while for some its assigning the privileges as direct privileges.
I have investigated the issue and i found that uIS_PrivReconcile script is responsible for assigning the privileges. this is an inbuilt Identity Centre Script.

Could you please help me how it actually works. I found the description for this script as perform a reconciliation of the Roles/Privileges assigned to the users in the identity store after the Role and/or Privileges are modified.

Please help me out to solve my issue.

Regards,
C Kumar

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Feb 12, 2014 at 10:03 AM

    If you're using a 7.2 version (please also mention service pack level in requests) where the dispatchers have housekeeping options you do not need to care about the uPrivReconcile function. In addition the uPrivReconcile call should only be required when you do hierarchy changes in earlier versions, such as linking role to role, or privilege to role. There's a template job provided with the product that used to be scheduled to run every X minutes to do this.

    If you have this, don't worry about uPrivReconcile:

    You can also check your database to see if there's any entries that require privilege reconciliation using

    select count(*) from MXIV_DIRTY_MSKEYS

    Note that in some older SP releases this view that returns inactive entries that can't be reconciled until they're activated again.

    Where do you see this "conflicting" status btw? Is it in the Workflow UI?

    Br,

    Chris


    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member C Kumar

      7.2 is the version number, and you tagged your message with product version 7.2 as well so this is clear. I was asking for the Service Pack level and perhaps even patch number if you have it.

      You can find this in the management console, both in the startup splash screen, and in help about where it will say Version 7.20.XX <year>-<month>-<day>

      Its also listed on the Database tab of the management console where it will say 7.20.9.0-SQL-2013-12-15 or something similar, above the schema update number. The reason I'm asking is that there's been any updates to the hiearchy calculations in later SP/patches.

      You still haven't anwered where this problem is seen, so I'll just assume its the Workflow Web UI.

      Please the query below after replacing username and privilegename with the user-mskeyvalue and privilege-mskeyvalue so that we can see what the actual state of the user/assignment is since you say the UI is displaying it wrong. It will list the state and inheritance (if any) of the assignment:

      select mcThisMskey, mcOtherMskey,mcExecState,mcExecStateHierarchy,mcLinkState,mcAssignedDirect,mcAssignedInheritCount,mcAssignedDynamicGroup,mcOrphan from idmv_link_ext

      where mcThisMskeyValue='username' and mcOtherMskeyValue='privilegename'

      Br,

      Chris

  • author's profile photo Former Member
    Former Member
    Posted on Feb 12, 2014 at 09:14 AM

    Hi Kumar,

    For the few users who has the direct privileges (even though they have Corresponding roles), are the privileges displayed under automatic privileges also ?

    can you try removing the direct privileges assignments for the users(even though who have Corresponding roles) and see what happens.

    I mean, where the privileges are added back again by uIS_PrivReconcile ? Under direct assignment/automatic assignments ?

    ~ Krishna.

    Add a comment
    10|10000 characters needed characters exceeded

    • If you have direct privilege linkages and assign a business role which as the same privileges the direct linkage still exists. When you take the business role off from the user the direct link exists. This is standard functionality.

      Do you really mean that if you have two users without any AD access and you assign a business role with AD privileges, the other user may get the privilege assignments displayed as inherited and the other may get the displayed as direct linkages?

      regards, Tero

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.