
provisioning issues in IDM

Hi all,

recently more often provisioning tasks are not executed in our IDM system.

When I check the assignments via SQL Developer, IDM says the corresponding ABAP roles are correctly assigned to the mskeyvalue. Also there are no open/failed assignments. But the provisioning task is not executed - I cannot find any job logs. As a result, the user in the SAP backend is also not updated.

Therefore, I need to fix these assignments manually. First I need to delete the assignments via IDM Job (MXREF_MX_PRIVILEGE with {D}<roleA>|<roleB>|...), afterwards I assign the roles again (also with an IDM job). Then, I can see in job/execution log that the provisioning is running as expected.

Any ideas why it's not working?

Regards, Richard


2 Answers

  • May 03, 2016 at 09:23 AM

    Hi Richard,

    sounds familiar to me. Had that once when there was a problem with the update job. New privileges got created with all event tasks set to -1 (disabled) but not enabled in the last step.

    Can you take one of the privileges that did not get provisioned and check their attributes in idmv_value_basic - there should only be one task set to -1 (the MX_MODIFYTASK), all others should not be set on the privilege.

    To fix that you have to delete all other tasks from all privileges of that repository (except the system privilege). Furthermore you should check your update job.

    Regards

    Norman


    • Hi Norman,

      thanks for your reply... I did as you wrote but there's only attribute MX_MODIFYTASK set to -1. Besides, there are just the regular attributes such as MSKEYVALUE, DESCRIPTION, MX_ENTRYTYPE etc.

      Regards, Richard

  • May 03, 2016 at 02:19 PM

    The first thing I would do in this case is, go to the repository in question and look at the Event tasks tab. In there, you'll find which tasks are your Provisioning, Deprovisioning and Modify tasks. From there, you'll know where to go to find error logs. In this case, your Modify task will be the one in question.

    Open the Modify task and check the job log there. It should show you what's happening differently between when you run the job manually versus the normal process. If you're seeing nothing there, you can always check the main job log under Management. Set up a test to assign an ABAP role and have the job log auto-refresh every 2 seconds. Something should show up, be it success or failure. At least then, you'll have some kind of hint.


    • Whenever you modify an existing entry, like an MX_PERSON for example, by adding or modifying an attribute, it's considered a modification and the Modify task handles that. The Provisioning and Deprovisioning tasks only add or remove, respectively, an identity from the target repository.

      Is there nothing in the main job log under the Management branch of your Identity Center tree? Every job log entry for every job in your environment should be there.