cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Priv only not triggering account creation

clotilde_martinez
Participant

on ‎09-11-2017 4:10 PM

0 Kudos

Hello experts,

I have an IDM 8 up and running almost just fine.

For now, we didn't implement any approval workflow so when we give a business role, idm automaticall gives the priv only through the no master task, the account is created and then the inherited privileges are given.

It works 99% of the time, but we found users on which provisioning won't trigger.

Those users have in common that they have been "cleaned" by one of our custom jobs : at some point, a toIdstore pass cleaned their privileges and accounts. (MXREF_MX_PRIVILEGE {R} / MXREF_MX_BUSINESS_ROLE {R}).

And now, it is impossible to trigger any provisioning on them. Note that by deleting the users and recreating them, it works.

So, if i give a BR, the priv only is given and set to OK as well as the BR. If i remove the BR, it triggers the deprov, fails because no account exists but the BR disappear from IDM web UI. If i then remove the priv only, it triggers deprov, fails because no account exists, the priv only remains. The only way to remove it is doing a delete in the mxi_link table.

Did any of you ever encounter this behavior? I tried to do a trace, i don't see anything particular, I also try comparing those users to other one functioning as expected but nothing is coming up.

Any idea would be greatly appreciated 🙂

Regards,

Clotilde

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Steffi_Warnecke
Active Contributor
‎09-12-2017 9:41 AM
0 Kudos

Hello Clotilde,

we had something similar on 7.2.

There the issue was, that for some identities when backend accounts were deleted, the data in IDM was not cleaned up completely. We found those by looking for identities, that had the "only" privilege of the repository but not the "system" privilege and the other way around. Because for a backend account to be complete and "provisionable" (is that a word? ^^), both privileges need to be present. And after an account is deleted for a repository, both privileges for that repository should be gone.

So just create two sql statements to check for those identities.

.

Regards,

Steffi.

Show replies
Show replies
clotilde_martinez
Participant
‎09-12-2017 3:54 PM
0 Kudos

Hello Steffi,

So yes, when i put back the BR then the priv only, the priv system is not given back. But if i clean the assignments in the DB, there is no only or system anymore so by giving a BR again, it should trigger the provisioning.

I'm going to see if i can do kind of a reconciliation,

Regards,

Clotilde

Ckumar
Contributor
‎09-11-2017 5:16 PM
0 Kudos

Hello Clotilde,

If i remember correctly then this is a product bug. If somehow SAP IDM deprovisioning job fails then also SAP IDM roles get removed from the user in SAP IDM.

Regards,

C Kumar

Show replies
Show replies
Ask a Question