
Priv only not triggering account creation

Sep 11, 2017 at 03:10 PM


Hello experts,

I have an IDM 8 up and running almost just fine.

For now, we didn't implement any approval workflow, so when we give a business role, IDM automatically gives the priv only through the no master task, the account is created and then the inherited privileges are given.

It works 99% of the time, but we found users on which provisioning won't trigger.

Those users have in common that they have been "cleaned" by one of our custom jobs: at some point, a toIdstore pass cleaned their privileges and accounts (MXREF_MX_PRIVILEGE {R} / MXREF_MX_BUSINESS_ROLE {R}).

And now, it is impossible to trigger any provisioning on them. Note that by deleting the users and recreating them, it works.

So, if I give a BR, the priv only is given and set to OK, as well as the BR. If I remove the BR, it triggers the deprov, which fails because no account exists, but the BR disappears from the IDM web UI. If I then remove the priv only, it triggers the deprov, which fails because no account exists, and the priv only remains. The only way to remove it is doing a delete in the mxi_link table.

Did any of you ever encounter this behavior? I tried to do a trace, but I don't see anything particular; I also tried comparing those users to other ones functioning as expected, but nothing came up.

Any idea would be greatly appreciated :)

Regards,

Clotilde


2 Answers

Steffi Warnecke
Sep 12, 2017 at 08:41 AM

Hello Clotilde,

we had something similar on 7.2.

There the issue was that, for some identities, when backend accounts were deleted, the data in IDM was not cleaned up completely. We found those by looking for identities that had the "only" privilege of the repository but not the "system" privilege, and the other way around. Because for a backend account to be complete and "provisionable" (is that a word? ^^), both privileges need to be present. And after an account is deleted for a repository, both privileges for that repository should be gone.

So just create two SQL statements to check for those identities.

Regards,

Steffi.


Hello Steffi,

So yes, when I put back the BR and then the priv only, the priv system is not given back. But if I clean the assignments in the DB, there is no only or system anymore, so by giving a BR again, it should trigger the provisioning.

I'm going to see if I can do some kind of reconciliation.

Regards,

Clotilde

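The two checks Steffi describes (identities holding a repository's "only" privilege without its "system" privilege, and the reverse) can be expressed as a pair of queries. The example below is added here and is not code from the thread or from SAP; it runs the queries against a constructed in-memory table. The table name `assignments` and its columns `mskey` and `priv_name` are simplifications assumed for the example (in a real installation the assignments live in mxi_link and its views, whose column names differ), and the privilege naming pattern `PRIV:<repository>:ONLY` / `PRIV:<repository>:SYSTEM` is likewise assumed.

```python
import sqlite3

# Constructed sample data: (mskey, privilege name). Not taken from any real system.
SAMPLE_ASSIGNMENTS = [
    (100, "PRIV:ABC:ONLY"),
    (100, "PRIV:ABC:SYSTEM"),           # 100 is complete for repository ABC
    (200, "PRIV:ABC:ONLY"),             # 200 has ONLY but no SYSTEM -> half-cleaned
    (300, "PRIV:ABC:SYSTEM"),           # 300 has SYSTEM but no ONLY -> half-cleaned
    (400, "PRIV:XYZ:ONLY"),
    (400, "PRIV:XYZ:SYSTEM"),           # 400 is complete for XYZ ...
    (400, "PRIV:ABC:ONLY"),             # ... but orphaned for ABC
    (500, "ROLE:SOME_BUSINESS_ROLE"),   # business role, not a repository privilege
]

# Identities that hold PRIV:<repo>:ONLY but not PRIV:<repo>:SYSTEM.
# substr(..., 6, len-10) strips the 5-char "PRIV:" prefix and 5-char ":ONLY" suffix.
ONLY_WITHOUT_SYSTEM = """
SELECT a.mskey,
       substr(a.priv_name, 6, length(a.priv_name) - 10) AS repository
FROM assignments a
WHERE a.priv_name LIKE 'PRIV:%:ONLY'
  AND NOT EXISTS (
        SELECT 1 FROM assignments b
        WHERE b.mskey = a.mskey
          AND b.priv_name = substr(a.priv_name, 1, length(a.priv_name) - 4) || 'SYSTEM')
ORDER BY a.mskey, repository
"""

# The mirror image: PRIV:<repo>:SYSTEM present but PRIV:<repo>:ONLY missing.
# ":SYSTEM" is 7 chars, so the repository name is len-12 chars long.
SYSTEM_WITHOUT_ONLY = """
SELECT a.mskey,
       substr(a.priv_name, 6, length(a.priv_name) - 12) AS repository
FROM assignments a
WHERE a.priv_name LIKE 'PRIV:%:SYSTEM'
  AND NOT EXISTS (
        SELECT 1 FROM assignments b
        WHERE b.mskey = a.mskey
          AND b.priv_name = substr(a.priv_name, 1, length(a.priv_name) - 6) || 'ONLY')
ORDER BY a.mskey, repository
"""


def load_sample() -> sqlite3.Connection:
    """Build the constructed assignments table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assignments (mskey INTEGER NOT NULL, priv_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO assignments VALUES (?, ?)", SAMPLE_ASSIGNMENTS)
    conn.commit()
    return conn


def find_half_provisioned(conn: sqlite3.Connection):
    """Return (only_without_system, system_without_only) as lists of (mskey, repository)."""
    only_orphans = conn.execute(ONLY_WITHOUT_SYSTEM).fetchall()
    system_orphans = conn.execute(SYSTEM_WITHOUT_ONLY).fetchall()
    return only_orphans, system_orphans


if __name__ == "__main__":
    db = load_sample()
    only_orphans, system_orphans = find_half_provisioned(db)
    print("ONLY without SYSTEM :", only_orphans)
    print("SYSTEM without ONLY :", system_orphans)
```

Each hit is a (mskey, repository) pair; on the sample data identities 200 and 400 are reported for repository ABC on the first query, and identity 300 on the second. The point of listing rather than deleting is that the result is a review list for a reconciliation step, so that a leftover half-pair is removed deliberately instead of leaving the identity in the state the question describes, where provisioning no longer fires.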
C Kumar Sep 11, 2017 at 04:16 PM

Hello Clotilde,

If I remember correctly, this is a product bug. If somehow the SAP IDM deprovisioning job fails, the SAP IDM roles still get removed from the user in SAP IDM.

Regards,

C Kumar
