on 07-21-2015 1:32 PM
Hi Experts,
On the IDM User Interface we have privilege assignments to users which are showing the status "Not Allowed". Is there any way to fix it? Role Assignment has not been completed so it was showing 'Pending' status.
I have tried to fix the issue at database level using below SQL query to make assignment 'Rejected'.
```sql
UPDATE mxi_link SET mcexecstate = 1026 WHERE
mcThismskey = <usermskey> AND mcOthermskey = <privmskey> AND mcOrphan=0 AND
mcLinkType = 2 AND mcLinkState < 2
```
But the assignment is showing 'Not Allowed' status. I have also deleted the assignment link in the database.
```sql
DELETE FROM mxi_link WHERE
mcThismskey = <usermskey> AND mcOthermskey = <privmskey> AND mcOrphan=0 AND
mcLinkType = 2 AND mcLinkState < 2
```
and tried the role assignment again, but the assignment status still shows 'Pending' and then 'Not Allowed'. I have also used the reconcile/repair entry functions to fix this issue but without any luck.
We have implemented 'Context Based Assignment provisioning', this is the reason if any issue with context based assignment.
Experts, Please suggest the solutions.
Hello Kishor/IDM Experts,
Could you please share whether you were able to fix the Not allowed issue for the privileges. We are getting the same issue in our IDM 7.2 SP10.
I ran the below query for such entries
```sql
select mcThisMSKEYVALUE,mcOtherMSKEYVALUE,mcLinkState,mcAssignedDirect,
mcAssignedInheritCount,mcAssignedMasterPrivilege,mcOrphan,mcExecState,
mcExecStateHierarchy,mcLastAudit,mcMasterPrivMSKEY
from idmv_link_ext where MCOTHERMSKEY =%PRIV_MSKEY% and MCTHISMSKEY=%USER_MSKEY%
```
and got this output
I knew the value of mcExecState 1024 means Remove (Views for reference attributes) but I wanted to know why its mcExecState value has been changed to 1024 and how to fix it.
I also wanted to know: if the mcExecState value is 1024, does it always show Not allowed in the SAP IDM UI, or is it showing only in my case?
Regards,
C Kumar
Hello Ranjit,
Retry option was disabled for these privileges in the SAP IDM UI.
Yes, we have SAP IDM-GRC integration too and strangely today all these privileges status has been changed to Failed.
Didn't get time to check whether they complete final provisioning through GRC. I will check and post.
Regards,
C Kumar
Hi Kumar
Since the assignment status is "failed" now you should be able to click it and complete a retry. After you do a retry and save the record check the job log in the IDM MC to see if there are any errors and if the assignment status goes back to "failed".
If GRC AC is completing the final provisioning, check the GRC Access Requests for the affected user to see if there are any requests in "Pending" status for the privileges that are failing. This may be one of the reasons why it is failing on the IdM end.
Regards
Ranjit
Hi Kumar,
I too have come across this issue many times. Whenever I try to remove and privilege with 512 status it changes to not allowed. Please update the mcexecstate to 1025 and then re-assign the privileges.
```sql
update MXI_LINK set mclinkstate =2 ,mcexecstate =1025,mcexecstatehierarchy =1025,
mcaddaudit = NULL, mcdelaudit = NULL, MCLINKTYPE ,MCLASTAUDIT = 0, MCAUDITID = 0
where mcthismskey = <usermskey> and mcuniqueid = <linkid>;
```
Regards,
DP
Thanks DP!
I believe it should be 1024 instead of 1025. Could you please check and confirm.
I too have come across this issue many times. Whenever I try to remove and privilege with 512 status it changes to not allowed. Please update the mcexecstate to 1025 and then re-assign the privileges.
As per my knowledge, mcExecState 1024 means Remove and here Privileges status is automatically changing to Failed next days so I believe this is not required.
I am investigating my workflow to find out why the system is trying to remove these privileges even though their mcexecstate is 512, and will update soon.
Regards,
C Kumar
Hi Kishore,
Can you share the values of mclinkstate, mcexecstate, mcassigneddirect, mcexecstatehierarchy and mcorphan using mxi_link or idmv_link_ext for such entries?
Regards,
Pradeep
Hi Kishor,
Seems like this is happening quite a few times in 7.2. I have seen this in my last project as well (no context based provisioning used) but never really got a chance to investigate in detail.
Above blog is unresolved too but if you can check Per Krabsetsve's comment and post the SQL results here, we can try to decode further.
Kind regards,
Jai