on 07-15-2015 5:17 AM
Hi Experts
When trying to assign a role to a user via the IDM UI I get the above indicated error. The role has the required privilege for the repository i.e. PRIV:SAPXXX300_ONLY. So not sure why I get the above error.
Please could you let me know how to fix the above issue.
Thanks
Ranjit
Hi,
This means the user has the account privilege but the attribute ACCOUNT<REPNAME> is empty.
This attribute is used when performing assignments, de-assignments and delete.
Could you check on database level the above attribute?
select MSKEY from idmv_value_basic_active where attrname = 'MSKEYVALUE' and searchvalue = %mskeyValue%
(mskeyValue is the UniqueID), then
select * from idmv_value_basic_active where mskey = %MSKEY%
Best Regards,
Ridouan Taibi
Hello Ranjit,
we store the username of the repository in the ACCOUNT<repositoryname> attribute. Is it empty for this user and this system in IDM?
Regards,
Steffi.
I'd say yes. If the user has no account in the backend, why do you want to give him/her a role in that system anyway?
IDM tries to provision the role to the backend and can't, because it can't find a username to check for in the backend. And if there was a username, but no account, then you'd get another error stating that.
So you need to either create the user first and then assign roles for that system or don't assign roles at all (like I said: it doesn't make much sense to do it anyway, if the user has no account in the backend).
Regards,
Steffi.
Username = login-id for the account
Account in backend = the account in the SAP system
If something went wrong with the account creation through IDM, it can happen that the ACCOUNT<rep.name> attribute in IDM is already filled (the username), but the account is not created in the backend. Then you'd get a different error message when IDM tries to provision the role to the backend (something like "User xxx does not exist").
Ranjit Daniel wrote:
I'm trying to create the user in the backend and provision the roles from idm. I thought idm should be able to take care of this.
If I remember correctly, there is a setting in the IDM configuration for every repository for that: if you assign a SAP role to a user and he/she does not yet have an account created in that system, IDM will first create the account and then assign the role.
Just look through the documentation and the IDM space here and you should find guidance for this, if you want to implement it.
Don't create the user directly in the backend! IDM still won't know it's there. You need to create it via IDM!
Regards,
Steffi.
Hi Ranjit,
We have a few open questions before we can help.
What is the status of <PRIV:SAPXXXX:ONLY> for the user?
What is the status of the role?
Does the user have ACCOUNTSAPXXXX with an empty value, or is the attribute not there at all? You can confirm by (select mcattrname, mcsearchvalue from idmv_vallink_basic with(nolock) where mcmskey = <mskey of the user>)
Kind regards,
Jai