
Priv in ID Store, not UI

brandonbollin
Active Participant
0 Kudos

I've recently come across a situation where a fellow IDM tech pulled the record of a given user via SQL query. The results show that this user has a number of AD group memberships. However, when you list that same user's privileges via the UI, these AD groups don't show up. What would cause the UI to not reflect the actual record that's clearly present in the ID store?

Accepted Solutions (1)

brandonbollin
Active Participant
0 Kudos

Sorry to keep this thread hanging everyone. Once I get access to all the necessary systems, I'll check everyone's suggestions then mark helpfuls / correct answer as needed!

brandonbollin
Active Participant
0 Kudos

I have found the answer! Apparently, the UI, when deciding what to show in search results, looks at the mcAssignedInheratedCount and mcAssignedDirect columns on the idmv_link_ext view. If those values are equal to or less than 0, the UI won't show them. Interesting!

normann
Advisor
0 Kudos

Hi Brandon,

I think that makes sense: if you don't have it assigned directly and are also not inheriting it, you don't have it assigned. What is the link state though? Is it orphan? Might that be an inconsistency? Orphan assignments are inherited assignments that should have been removed but the removal failed.

Regards

Norman

brandonbollin
Active Participant
0 Kudos

That's what they are, orphan assignments. I just figured that, even though they're in this state, they should still show up on the UI. I was wrong! Live and learn, right? 

former_member2987
Active Contributor
0 Kudos

Write it up!

brandonbollin
Active Participant
0 Kudos

You really feel this is worthy of a blog entry?

former_member201064
Active Participant
0 Kudos

Absolutely.

If this would happen in my company I would do a newsletter aka tutorial about it. My way of documenting and dispatching the most relevant information.

Hm, maybe I should drop some of them here, too. Could come in handy for some of you.

former_member2987
Active Contributor
0 Kudos

Sharing is caring as they say. All knowledge is good.

brandonbollin
Active Participant
0 Kudos

Heck ya. Blog away. Share that knowledge! I just figured this might not qualify as a blog entry since the whole thing is already laid out in this question thread. Blogging feels redundant but, if Matt P. says it's blog worthy, I trust that. 

Answers (1)

former_member2987
Active Contributor
0 Kudos

Hi Brandon,

Check the access controls on the object in the MMC console; it might be admin or member only. Something like that.

Good luck!

Matt

brandonbollin
Active Participant
0 Kudos

Good first thought but, nope. The visibility of the PRIV in question is set to "All".

former_member2987
Active Contributor
0 Kudos

Interesting. Can you look into the link view and see if there are any differences? Is it possible to drop and re-add the entry?

former_member201064
Active Participant
0 Kudos

Adding this to Matt's post:

Are the mcExecState and mcLinkState 0 / 1 for all of the privs or are there different values? (I keep on forgetting which one has which number set but the assigned privs have a pair of 0 and 1)

normann
Advisor
0 Kudos

Hi Brandon,

Can you see the privileges themselves? Might they be inactive and thus not appear as links?

Cheers