cancel
Showing results for 
Search instead for 
Did you mean: 

IDM 7.2 error- sap_core_verifyValueExists:: Value for attribute ACCOUNTSAPXXXXXX is empty or null

former_member297605
Active Participant
0 Kudos

Hi Experts

When trying to assign a role to a user via the IDM UI I get the above indicated error. The role has the required privilege for the repository i.e. PRIV:SAPXXX300_ONLY. So not sure why I get the above error.

Please could you let me know how to fix the above issue.

Thanks

Ranjit

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member190695
Participant
0 Kudos

Hi,

This means the user has the account privilege but the attribute ACCOUNT<REPNAME> is empty.

This attribute is used when performing assignments, de-assignments and delete.

Could you check on database level the above attribute?

select MSKEY from idmv_value_basic_active where attrname = 'MSKEYVALUE' and searchvalue = %mskeyValue% (mskeyValue is the UniqueID) then select * from idmv_value_basic_active where mskey = %MSKEY%

Best Regards,

Ridouan Taibi

former_member297605
Active Participant
0 Kudos

Hi Ridouan

I checked at the DB level and the attribute is not there for the identity.

How do I fix this? Will I need to delete and recreate the identity in IdM?

The identity has access to other SAP systems and the attribute is showing for those systems at the DB level.

Please advise.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Ranjit,

we store the username of the repository in the ACCOUNT<repositoryname> attribute. Is it empty for this user and this system in IDM?

Regards,

Steffi.

former_member297605
Active Participant
0 Kudos

Hi Steffi ...... Thanks. In the entry data tab I cannot see a value populated for this attribute. The user has been deleted in the backend sap system. Could that have anything to do with the issue?

Steffi_Warnecke
Active Contributor
0 Kudos

I'd say yes. If the user has no account in the backend, why do you want to give him/her a role in that system anyway?

IDM tries to provision the role to the backend and can't, because it can't find a username to check for in the backend. And if there was a username, but no account, then you'd get another error stating that.

So you need to either create the user first and then assign roles for that system or don't assign roles at all (like I said: it doesn't make much sense to do it anyway, if the user has no account in the backend).

Regards,

Steffi.

former_member297605
Active Participant
0 Kudos

I'm trying to create the user in the backend and provision the roles from idm. I thought idm should be able to take care of this.

Btw what do you mean by a username and an account in the backend?

Steffi_Warnecke
Active Contributor
0 Kudos

Username = login-id for the account

Account in backend = the account in the SAP system

If something went wrong with the account creation through IDM, it can happen that the ACCOUNT<rep.name> attribute in IDM is already filled (the username), but the account is not created in the backend. Then you' get a different error message, when IDM tries to provision the role to the backend (something like "User xxx does not exist").



Ranjit Daniel wrote:

I'm trying to create the user in the backend and provision the roles from idm. I thought idm should be able to take care of this.

If I remember correctly, there is a setting in the IDM configuration for every repository for that: If you assign a SAP role to a user and he/she has not yet an account created in that system, IDM will first create the account and then assign the role.

Just look through the documentation and the IDM space here and you should find guidance for this, if you want to implement it.

Don't create the user directly in the backend! IDM still won't know it's there. You need to create it via IDM!

Regards,

Steffi.

jaisuryan
Active Contributor
0 Kudos

Hi Ranjit,

We have few open questions before we can help.

What is the status of <PRIV:SAPXXXX:ONLY> for the user?

What is the status of the role?

Whether the user has ACCOUNTSAPXXXX with empty value or the attribute is not there at all? You can confirm by (select mcattrname, mcsearchvalue from idmv_vallink_basic with(nolock) where mcmskey = <mskey of the user>)

Kind regards,

Jai

former_member297605
Active Participant
0 Kudos

Hi Jai

Sorry for my late reply.

The priv is the master privilege for that repository.

Role status is failed.

The attribute is not visible in the entry data of the identity in idm.

Thanks

Ranjit

former_member297605
Active Participant
0 Kudos

What is the status of <PRIV:SAPXXXX:ONLY> for the user?

I'm unable to see this as only business role status can be seen in the UI