cancel
Showing results for 
Search instead for 
Did you mean: 

provisioning issues in IDM

richard_pietsch
Active Contributor
0 Kudos

Hi all,

recently more often provisioning tasks are not executed in our IDM system.

When I check the assignments via SQL developer, IDM says the corresponding ABAP roles are correctly assigned to the mskeyvalue. Also there are no open/failed assignments. But the provisioning task is not executed - I cannot find any job logs. In the result also the user in the SAP backend is not updated.

Therefore, I need to fix these assignments manually.. first I need to delete the assignments via IDM Job (MXREF_MX_PRIVILEGE with {D}<roleA>|<roleB>|...), afterwards I asssign the roles again (also with an IDM job). Then, I can see in job/execution log that the provisioning is running as expected.

Any Ideas why it's not working?

Regards, Richard

Accepted Solutions (0)

Answers (2)

Answers (2)

brandonbollin
Active Participant
0 Kudos

The first thing I would do in this case is, go to the repository in question and look at the Event tasks tab. In there, you'll find which tasks are your Provisioning, Deprovisioning and Modify tasks. From there, you'll know where to go to find error logs. In this case, your Modify task will be the one in question.

Open the Modify task and check the job log there. It should show you what's happening differently between when you run the job manually versus the normal process. If you're seeing nothing there, you can always check the main job log under Management. Setup a test to assign an ABAP role and have the job log auto-refresh every 2 seconds. Something should show up, be it success or failure. At least then, you'll have some kind of hint.

richard_pietsch
Active Contributor
0 Kudos

Hi Brandon,

doesn't the provisioning task take care of the new assignments?

Within the jobs logs I can only find the one that I triggered during the correction of the assignment. The provisioning that should be processed automatically was obviously not executed.. at least I cannot find a corresponding job log.

Within the modify task logs I also cannot find any log within the corresponding time frame.

Regards, Richard

brandonbollin
Active Participant
0 Kudos

Whenever you modify an existing entry, like an MX_PERSON for example, by adding or modifying an attribute, it's considered a modification and the Modify task handles that. The Provisioning and Deprovisioning tasks only add or remove, respectively, an identity from the target repository.

Is there nothing in the main job log under the Management branch of your Identity Center tree? Everything job log entry to every job in your environment should be there.

normann
Advisor
Advisor
0 Kudos

Hi Richard,

sounds familiar to me. Had that once when there was a problem with the update job. New privileges got created with all event tasks set to -1 (disabled) but not enabled in the last step.

Can you take one of the privileges that did not get provisioned and check their attributes in idmv_value_basic - there should only be one task set to -1 (the MX_MODIFYTASK), all others should not be set on the privilege.

To fix that you have to delete all other tasks from all privileges of that repoistory (except the system privilege). Furthermore you should check your update job.

Regards

Norman

richard_pietsch
Active Contributor
0 Kudos

Hi Norman,

thanks for your reply... I did as you wrote but there's only attribute MX_MODIFYTASK set to -1. Beside, there are just the regular attributes such as MSKEYVALUE, DESCRIPTION, MX_ENTRYTYPE etc.

Regards, Richard