Skip to Content

AD provisioning - stuck for a user

Hello Experts,

SAP IDM 8.0 sp6: Currently I'm encountering an issue for one user for which provisioning of certain groups in AD is stuck. These specific group memberships were not in line with what was being shown in IDM, as it was showing OK in IDM but in AD, user is not member of those groups. So I removed the group privileges using direct_reference=1 from IDM and retried the assignment through UI but the provisioning task declared as ADD member task, under assignment is not getting triggered whatsoever and shows assignment link in OK status without triggering provision. However the deprovisioning task under delete member task gets triggered promptly every-time when privilege is removed unfortunately as the user is not available in those groups , it throws an error ldap error 53. Same group privileges work fine with other users, it is only this specific user for which provisioning task does not gets triggered. Any leads in this regard is highly appreciated.

Regards

Rimesh

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Posted on Nov 04, 2019 at 01:25 PM

    Hi Rimesh,

    please provide more details about this user and its settings on the link table. I would like to know linkstate and execstate especially of the system- and only-privilege.

    select * from idmv_link_ext
    where mcthismskeyvalue = '<mskeyvalue of user>'
    and mcotherocname = 'MX_PRIVILEGE'

    You could also use mcthismskey = <mskey of user> if this is easier.

    Depending on the result you should adjust the states according to the state the user has in AD.

    Regards,

    Alex

    Add a comment
    10|10000 characters needed characters exceeded

    • Can you compare two users and find differences apart from privilege assignments? Is ACCOUNT<AD> set correct? Any strange characters (IDN or similar?) in username or DN?

      Please post data! Assignment IDMV_LINK_EXT, attributes IDMV_VALUE_BASIC,... Just black-out the stuff you don't want us to see or get it sorted out using SQL or whatever, but it would be helpful to see something here.

      Regards,

      Alex

  • Posted on Nov 06, 2019 at 06:07 PM

    Hi

    Set mclinkstate = 2 in mxi_link table for this assignment. It will remove it and you'll be able to add it again with UI

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.