Former Member

Assignment status showing 'Not Allowed' on IDM UI

Hi Experts,

On the IDM User Interface we have privilege assignments to users which are showing the status "Not Allowed". Is there any way to fix it? The role assignment has not been completed, so it was showing 'Pending' status.


I have tried to fix the issue at the database level using the SQL query below to make the assignment 'Rejected'.


UPDATE mxi_link SET mcexecstate = 1026
WHERE mcThismskey = <usermskey> AND mcOthermskey = <privmskey> AND mcOrphan = 0
  AND mcLinkType = 2 AND mcLinkState < 2

But the assignment is showing 'Not Allowed' status. Also, I have deleted the assignment link in the database.

DELETE FROM mxi_link
WHERE mcThismskey = <usermskey> AND mcOthermskey = <privmskey> AND mcOrphan = 0
  AND mcLinkType = 2 AND mcLinkState < 2

I then tried the role assignment again, but the assignment status still shows 'Pending' and then 'Not Allowed'. I have also used the reconcile/repair entry functions to fix this issue, but no luck.

We have implemented 'Context Based Assignment provisioning', this is the reason if any issue with context based assignment.

Experts, please suggest solutions.


3 Answers

  • Jul 21, 2015 at 12:49 PM

    Hi Kishor,

    Seems like this is happening quite a few times in 7.2. I have seen this in my last project as well (no context based provisioning used) but never really got a chance to investigate in detail.

    The above blog is unresolved too, but if you can check Per Krabsetsve's comment and post the SQL results here, we can try to decode further.

    Kind regards,

    Jai


  • Jul 24, 2015 at 06:47 AM

    Hi Kishore,

    Can you share the values of mclinkstate, mcexecstate, mcassigneddirect, mcexecstatehierarchy, mcorphan using mxi_link or idmv_link_ext for such entries?

    Regards,

    Pradeep


  • Sep 27, 2016 at 10:53 PM

    Hello Kishor/IDM Experts,

    Could you please share whether you were able to fix the 'Not allowed' issue for the privileges? We are getting the same issue in our IDM 7.2 SP10.

    I ran the below query for such entries:

    select mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect,
           mcAssignedInheritCount, mcAssignedMasterPrivilege, mcOrphan, mcExecState,
           mcExecStateHierarchy, mcLastAudit, mcMasterPrivMSKEY
    from idmv_link_ext
    where MCOTHERMSKEY = %PRIV_MSKEY% and MCTHISMSKEY = %USER_MSKEY%

    and got this output

    I knew that the mcExecState value 1024 means Remove (Views for reference attributes), but I wanted to know why its mcExecState value has been changed to 1024 and how to fix it.

    I also wanted to know: if the mcExecState value is 1024, does it always show 'Not allowed' in the SAP IDM UI, or is it showing only in my case?

    Regards,

    C Kumar



    • Thanks DP!

      I believe it should be 1024 instead of 1025. Could you please check and confirm.

      I too have come across this issue many times. Whenever I try to remove any privilege with 512 status it changes to not allowed. Please update the mcexecstate to 1025 and then re-assign the privileges.

      As per my knowledge, mcExecState 1024 means Remove, and here the privileges' status is automatically changing to Failed in the next days, so I believe this is not required.

      I am investigating my workflow to see why the system is trying to remove these privileges even when their mcexecstate is 512, and will update soon.


      Regards,

      C Kumar