
Cannot Delete Reference to Account PRIV for Deprovisioning

Oct 18, 2017 at 08:25 AM



Got a super odd one and I'm hoping my fellow experts can help with an answer.

I just created a new ADS repository and did an initial load. Very stripped down initial load as this is just a DEV environment. All I did was create the account attribute, create the system & account privileges, and add all the triggers. Super simple.

Then I use a To Identity Store pass to give the MXREF_MX_PRIVILEGE of my account PRIV to a test user. Worked fine; user was created in LDAP with all the right attributes; all good.

Now I use the same job with the To Identity Store pass to delete the reference to the account PRIV so that it will trigger deprovisioning, and it fails with the following error:

How is this even possible? I *JUST* added this privilege. How can it not exist?

I have checked the IDMV_VALLINK_EXT table and I can confirm that my test user does indeed have this reference attribute. I have checked the link tables and I can confirm that the execState and execStateHierarchy are correct for a link in an "OK" status. Everything should be fine. Why does this fail?

capture.png (119.9 kB)

3 Answers

Best Answer
Brandon Bollin Oct 20, 2017 at 08:20 AM

Turns out that we're using Provisioning Framework v2, which I knew, but what I didn't know was that our client's environment had two versions of it, the standard, unaltered version and a copy that they set aside specifically for us to customize. I had my repository plugged into the standard version and someone disabled the Pending Operation Succeeded tasks to finalize the creation of the user account.

Once I hooked my repository up to the other framework with these tasks enabled, everything worked fine. Thank you Julien Garagnon!

capture.png (30.5 kB)
Steffi Warnecke
Oct 18, 2017 at 08:59 AM

Hello Brandon,

it says "Entry does not exist". That means it can't find the user/identity. If it were talking about the privilege, normally the error message is "Referenced value does not exist". :)

I have this issue sometimes, too, when the source statement is not delivering "mskey", but something else. Can you share screenshots of the source and destination tab of that job?





Ya know... I noticed that too but like I said, I'm using the same pass to do both the adding of the privilege and removal. Why would the "add" operation be successful but the "delete" operation fail? Here's those screenshots you requested:

capture.png (23.1 kB)
capture2.png (80.0 kB)

I'm guessing "sap master" is indeed the correct identity store. ;) Other than that this looks pretty normal to me. My help jobs look the same.


It's a bit frustrating, I just checked my system and had the same issue a month ago, but I don't know what I did to fix it. *sigh*

Is the privilege still added to the identity or is it pending deletion?


It's still added. And I tried the {e} operator too in case there was a PVO or something gumming up the works. It's been suggested I do a trace on the user when trying to remove to see a more specific error. Going to do that next.

Chenyang Xiong Oct 20, 2017 at 04:02 AM

Will it work if you try mskey of the privilege instead of the mskeyvalue?


I tried that... No go. A co-worker actually discovered the answer. I'll post it.