Issue in Removing inconsistent privileges from user in IDM

Former Member
0 Kudos

Hello Experts,

SAP IDM 7.1, SP7.

Database: Oracle (3.0.04.34)

I am struggling to remove inconsistent privileges from a particular user in IDM.

There are two different privilege inconsistencies:

Inconsistency 1:

The MXREF_MX_PRIVILEGE attribute for a user has one privilege which is in pending status and now needs to be cleared from the IDM UI.

This privilege for this user does not exist in MXI_VALUES, MXIV_SENTRIES, MXIV_ALL_ENTRIES, MXI_PRIV_ROOT.

But in the IDM UI, I see that this user has this privilege in pending status, and so it does not get removed from the UI.

Inconsistency 2:

The MX_AUTOPRIVILEGE attribute for a user has 11 privileges assigned; this is dirty data and needs to be cleaned up.

These privileges for this user do not exist in MXI_VALUES, MXIV_SENTRIES, MXIV_ALL_ENTRIES, MXI_PRIV_ROOT.

But in the IDM UI, I see that this user has these privileges assigned, and so they do not get removed from the UI.

Kindly assist me in resolving this issue.

I had removed such inconsistencies for other users in the past and it worked fine by cleaning it up from MXI_VALUES and MXI_PRIV_ROOT, but for this user it does not work.

Due to this I am not able to assign privileges via new role assignments, as it does not create a CUP request for the user.

Regards,

Pradeep


Accepted Solutions (1)

Former Member
0 Kudos

Have you checked for stuck pending value object(s) for the user/assignment? These show up as MX_PENDING_VALUE objects with MX_ENTRY_REFERENCE pointing to the user and MX_ATTRIBUTE_VALUE pointing to the role/privilege.

Br,

Chris

Former Member
0 Kudos

Hi Chris,

Thank you very much for your assistance.

I ran the query below and found pending privileges.

I set the status of MX_ATTR_STATE to 3 for the pending values and then executed uApplyPending() for the pending values. Afterwards, all such inconsistent privileges were removed from the user.

    select mskey, attrname, avalue from mxiv_sentries
    where attrname = 'MSKEYVALUE' and mskey in (
      select searchvalue from mxiv_sentries
      where attrname = 'MX_ATTRIBUTE_VALUE' and mskey in (
        select mskey from mxiv_sentries
        where searchvalue = '<mskey>' and attrname = 'MX_ENTRY_REFERENCE' and mskey in (
          select mskey from mxiv_sentries
          where attrname = 'MX_ENTRYTYPE' and searchvalue = 'MX_PENDING_VALUE')))

Regards,

Pradeep
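The lookup discussed in the two posts above, as an added example that is not code from the thread or from SAP: it lists each stuck MX_PENDING_VALUE object for one user together with the privilege it points to, including pending objects whose privilege entry no longer exists. The SQLite table is a constructed stand-in for mxiv_sentries with only the columns the thread's query uses; all mskeys and names are made up, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample data: (mskey, attrname, value). All keys and names are made up.
ROWS = [
    (1001, "MX_ENTRYTYPE", "MX_PERSON"), (1001, "MSKEYVALUE", "DEMO.USER1"),
    (1002, "MX_ENTRYTYPE", "MX_PERSON"), (1002, "MSKEYVALUE", "DEMO.USER2"),
    (2001, "MX_ENTRYTYPE", "MX_PRIVILEGE"), (2001, "MSKEYVALUE", "PRIV:DEMO_A"),
    (2002, "MX_ENTRYTYPE", "MX_PRIVILEGE"), (2002, "MSKEYVALUE", "PRIV:DEMO_B"),
    # Pending value object 3001: user 1001 -> privilege 2001
    (3001, "MX_ENTRYTYPE", "MX_PENDING_VALUE"),
    (3001, "MX_ENTRY_REFERENCE", "1001"), (3001, "MX_ATTRIBUTE_VALUE", "2001"),
    # Pending value object 3002: belongs to a different user (1002)
    (3002, "MX_ENTRYTYPE", "MX_PENDING_VALUE"),
    (3002, "MX_ENTRY_REFERENCE", "1002"), (3002, "MX_ATTRIBUTE_VALUE", "2002"),
    # Pending value object 3003: user 1001 -> privilege 2999, which has no entry
    (3003, "MX_ENTRYTYPE", "MX_PENDING_VALUE"),
    (3003, "MX_ENTRY_REFERENCE", "1001"), (3003, "MX_ATTRIBUTE_VALUE", "2999"),
]

def build_demo_db():
    """In-memory stand-in for mxiv_sentries (assumption: searchvalue mirrors avalue)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mxiv_sentries "
                 "(mskey INTEGER, attrname TEXT, avalue TEXT, searchvalue TEXT)")
    conn.executemany("INSERT INTO mxiv_sentries VALUES (?, ?, ?, ?)",
                     [(m, a, v, v) for m, a, v in ROWS])
    return conn

# One row per pending value object of the user. The LEFT JOIN keeps pending
# objects whose target privilege is gone (privilege name comes back as NULL).
QUERY = """
SELECT pvo.mskey, CAST(tgt.searchvalue AS INTEGER), priv.avalue
FROM mxiv_sentries pvo
JOIN mxiv_sentries ref ON ref.mskey = pvo.mskey
     AND ref.attrname = 'MX_ENTRY_REFERENCE'
JOIN mxiv_sentries tgt ON tgt.mskey = pvo.mskey
     AND tgt.attrname = 'MX_ATTRIBUTE_VALUE'
LEFT JOIN mxiv_sentries priv ON priv.mskey = CAST(tgt.searchvalue AS INTEGER)
     AND priv.attrname = 'MSKEYVALUE'
WHERE pvo.attrname = 'MX_ENTRYTYPE' AND pvo.searchvalue = 'MX_PENDING_VALUE'
  AND ref.searchvalue = ?
ORDER BY pvo.mskey
"""

def pending_values_for_user(conn, user_mskey):
    """Return (pending_mskey, privilege_mskey, privilege_name) tuples; bound parameter, no string building."""
    return conn.execute(QUERY, (str(user_mskey),)).fetchall()

if __name__ == "__main__":
    for row in pending_values_for_user(build_demo_db(), 1001):
        print(row)
```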

former_member297605
Active Participant
0 Kudos

Hi Pradeep

I'm pretty new to IDM. Please could you provide some screenshots of how to run this query and clear the inconsistent privileges from a user?

Thanks

Ranjit

Former Member
0 Kudos

Hi Ranjit,

Sorry for the delay.

You need to run the above query in your IDM DB.

You need to take the MSKEYVALUE of the pending values for the user, change the status of attribute MX_ATTR_STATE to 3 (Decline), and then run uApplyPending().

Screenshot below.

Regards,

Pradeep

former_member297605
Active Participant
0 Kudos

Thanks Pradeep, much appreciated. So, I have to create a job with this pass and run it right in the identity center? Also, what type of pass should be created?

Thanks

Ranjit

Former Member
0 Kudos

Hi Ranjit,

Job in identity can be used.

You can use a To Identity store pass and a To generic pass.

Regards,

Pradeep

former_member297605
Active Participant
0 Kudos

Thanks Pradeep

Answers (1)

former_member2987
Active Contributor
0 Kudos

Hi Pradeep,

If you can reproduce this, please do so with the TRACE turned on.

As far as the dirty entries go, take a look at this thread. This information might also prove helpful: New Internal Functions for Reconciliation (New) - SAP NetWeaver Identity Management Library - SAP Li...

Matt

Former Member
0 Kudos

Hi Matt,

I think the trace option is in IDM 7.2 (MX_TRACE_ENTRY).

I cleared the pending values and afterwards, all these privileges got removed from the user.

Thanks for your help.

Regards,
Pradeep