Skip to Content
avatar image
Former Member

Deprovision HANA user from SAP IDM 8.0

Hello,

HANA database is connected to SAP IDM 8.0.

I am able to deactivate the user and not able to remove the roles/privileges from deactivated user.

(attribute is privileges and passing value $FUNCTION.sap_core_getNamesOfAssignedPendingPrivileges(%MSKEY%!!%$rep.$NAME%!!PRIVILEGE!!TRUE)$$ )

Getting the below error with sap_core_getNamesOfAssignedPendingPrivileges function.

putNextEntry (Entry 169410) got DSEInternalException

java.lang.Throwable: Failed running function in string "$FUNCTION.sap_core_getNamesOfAssignedPendingPrivileges(169410!!SAPHANA_R3S!!PRIVILEGE!!TRUE)$$". Marking entry as failed. Exception was: org.mozilla.javascript.EvaluatorException: uSelect(SELECT priv_account_name.aValue FROM idmv_value_basic_active pvo_attrvalue WITH (NOLOCK) INNER JOIN idmv_value_basic_active priv_account_name ON priv_account_name.MSKEY = pvo_attrvalue.SearchValue WHERE pvo_attrvalue.AttrName = 'MX_ATTRIBUTE_VALUE' AND priv_account_name.AttrName = '169410' AND pvo_attrvalue.MSKEY IN ( not-existing-mskey ) AND ISNUMERIC(pvo_attrvalue.SearchValue) = 1) got exception com.microsoft.sqlserver.jdbc.SQLServerException: Incorrect syntax near the keyword 'not'.

Can you please advise me on this?

Thanks

Purna

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Mar 16, 2017 at 09:03 AM

    Hi Purnachandrarao,

    normally you should have some MSKEY(s) in the part of the Query where actually "not existing-mskey" is written.

    This message is coming from the script "sap_core_getPendingMsKeysInGroup".

    Part of the Script:

    PendingMSKEY = uGetContextVar("PENDINGMSKEY", "not-existing-mskey");


    IdM can't find the context Varibale for "PendingMSKEY". That's the reason why the error appears.

    Maybe some setting like "Use context variables" on an UI is missing.

    As we don't know where the error actually appears (Jobs / Provisioning Framework) and what is the configuration about - we can't help you.

    My advise is to check why the context variable is missing. Analyze it and enjoy the journey. :)

    Greetings,

    Thomas

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Thomas,

      I have connected our HANA DB system from SAP IDM 8.0 for de provision users (removing privileges) and it runs through Job.

      I could not able to find where context variable is missing.

      Created one Passes with the below attributes (hana-passes.jpg) with required scripts and getting errors.

      userName : %WORKFORCEID%

      changetype : modify

      AUDITID : $FUNCTION.getAuditId()$$

      privileges : $FUNCTION.sap_core_getNamesOfAssignedPendingPrivileges(%MSKEY%!!%$rep.$NAME%!!,!!)$$


      hana-passes.jpg

      Thanks

      Purna

      hana-passes.jpg (79.1 kB)
  • Mar 15, 2017 at 11:53 AM

    Hi Purnachandrarao,

    What happens if you paste this query into your SQL tool? Does it work then? Can you debug it from there?

    Is this from the Provisioning Framework or is it from something you wrote?

    Matt

    Add comment
    10|10000 characters needed characters exceeded

  • Mar 15, 2017 at 11:53 AM

    Hi Purnachandrarao,

    What happens if you paste this query into your SQL tool? Does it work then? Can you debug it from there?

    Is this from the Provisioning Framework or is it from something you wrote?

    Matt

    Add comment
    10|10000 characters needed characters exceeded