
Cannot Delete Reference to Account PRIV for Deprovisioning

brandonbollin
Active Participant
0 Kudos

Got a super odd one and I'm hoping my fellow experts can help with an answer.

I just created a new ADS repository and did an initial load. Very stripped down initial load as this is just a DEV environment. All I did was create the account attribute, create the system & account privileges, and add all the triggers. Super simple.

Then I use a To Identity Store pass to give the MXREF_MX_PRIVILEGE of my account PRIV to a test user. Worked fine; user was created in LDAP with all the right attributes; all good.

Now I use the same job with the To Identity Store pass to delete the reference to the account PRIV so that will trigger deprovisioning and it fails with the following error:

How is this even possible? I *JUST* added this privilege. How can it not exist?

I have checked the IDMV_VALLINK_EXT table and I can confirm that my test user does indeed have this reference attribute. I have checked the link tables and I can confirm that the execState and execStateHierarchy are correct for a link in an "OK" status. Everything should be fine. Why does this fail?

Accepted Solutions (1)

brandonbollin
Active Participant

Turns out that we're using Provisioning Framework v2, which I knew, but what I didn't know was that our client's environment had two versions of it, the standard, unaltered version and a copy that they set aside specifically for us to customize. I had my repository plugged into the standard version and someone disabled the Pending Operation Succeeded tasks to finalize the creation of the user account.

Once I hooked my repository up to the other framework with these tasks enabled, everything worked fine. Thank you julien.garagnon!

Answers (2)

Chenyang
Contributor
0 Kudos

Will it work if you try mskey of the privilege instead of the mskeyvalue?

brandonbollin
Active Participant
0 Kudos

I tried that... No go. A co-worker actually discovered the answer. I'll post it.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Brandon,

It says "Entry does not exist". That means it can't find the user/identity. If it were talking about the privilege, normally the error message is "Referenced value does not exist". 🙂

I have this issue sometimes, too, when the source statement is not delivering "mskey", but something else. Can you share screenshots of the source and destination tab of that job?

Regards,

Steffi.

brandonbollin
Active Participant
0 Kudos

Ya know... I noticed that too but like I said, I'm using the same pass to do both the adding of the privilege and removal. Why would the "add" operation be successful but the "delete" operation fail? Here's those screenshots you requested:

Steffi_Warnecke
Active Contributor
0 Kudos

I'm guessing "sap master" is indeed the correct identity store. 😉 Other than that this looks pretty normal to me. My help jobs look the same.

It's a bit frustrating, I just checked my system and had the same issue a month ago, but I don't know what I did to fix it. *sigh*

Is the privilege still added to the identity or is it pending deletion?

brandonbollin
Active Participant

It's still added. And I tried the {e} operator too in case there was a PVO or something gumming up the works. It's been suggested I do a trace on the user when trying to remove to see a more specific error. Going to do that next.