on 05-19-2014 6:41 AM
Hello Experts,
SAP IDM 7.1 , SP7.
Database: Oracle (3.0.04.34)
I am struggling to remove inconsistent privileges from a particular user in IDM.
There are two different privilege inconsistencies:
Inconsistency 1:
MXREF_MX_PRIVILEGE attribute for a user has one privilege which is in pending status and now need to be cleared from IDM UI.
This privilege for this user does not exist in MXI_VALUES, MXIV_SENTRIES, MXIV_ALL_ENTRIES, MXI_PRIV_ROOT .
But in IDM UI, I see that this User is having this privilege in pending status and so does not get removed from UI.
Inconsistency 2:
MX_AUTOPRIVILEGE attribute for a user has 11 privileges assigned and is dirty data and need to be cleaned up.
These privileges for this user does not exist in MXI_VALUES, MXIV_SENTRIES, MXIV_ALL_ENTRIES, MXI_PRIV_ROOT .
But in IDM UI, I see that this User is having these privileges assigned and so does not get removed from UI.
Kindly assist me in resolve this issue.
I had removed such inconsistencies for other users in the past and it worked fine by cleaning up it from MXI_VALUES and MXI_PRIV_ROOT but for this user it does not work.
Due to this I am not able to assign privileges via new roles assignments as it does not create CUP request for the user.
Regards,
Pradeep
Have you checked for stuck pending value object(s) for the user/assignment? These show up as MX_PENDING_VALUE objects with MX_ENTRY_REFERENCE pointing to the user and MX_ATTRIBUTE_VALUE pointing to the role/privilege.
Br,
Chris
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Chris,
Thank you very much for your assistance.
I ran below query and found pending privileges.
I set the status of MX_ATTR_STATE to 3 for pending values and then executed uApplyPending() for pending values. Afterwards, I all such inconsistent privileges where removed from the user.
select mskey, attrname, avalue from mxiv_sentries where attrname = 'MSKEYVALUE' and mskey in ( select searchvalue from mxiv_sentries where
attrname = 'MX_ATTRIBUTE_VALUE' and mskey in ( select mskey from mxiv_sentries where searchvalue = '<mskey>' and
attrname = 'MX_ENTRY_REFERENCE' and mskey in ( select mskey from mxiv_sentries where
attrname = 'MX_ENTRYTYPE' and searchvalue = 'MX_PENDING_VALUE')))
Regards,
Pradeep
Hi Pradeep,
If you can reproduce this, please do so with the TRACE turned on.
As far as the dirty entries go, take a look at this thread . This information might also prove helpful as well New Internal Functions for Reconciliation (New) - SAP NetWeaver Identity Management Library - SAP Li...
Matt
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.