Cannot Delete Reference to Account PRIV for Deprovisioning

Got a super odd one and I'm hoping my fellow experts can help with an answer.

I just created a new ADS repository and did an initial load. Very stripped down initial load as this is just a DEV environment. All I did was create the account attribute, create the system & account privileges, and add all the triggers. Super simple.

Then I use a To Identity Store pass to give the MXREF_MX_PRIVILEGE of my account PRIV to a test user. Worked fine; user was created in LDAP with all the right attributes; all good.

Now I use the same job with the To Identity Store pass to delete the reference to the account PRIV so that will trigger deprovisioning and it fails with the following error:

How is this even possible? I *JUST* added this privilege. How can it not exist?

I have checked the IDMV_VALLINK_EXT table and I can confirm that my test user does indeed have this reference attribute. I have checked the link tables and I can confirm that the execState and execStateHierarchy are correct for a link in an "OK" status. Everything should be fine. Why does this fail?

capture.png (119.9 kB)

3 Answers

  • Best Answer
    Oct 20, 2017 at 08:20 AM

    Turns out that we're using Provisioning Framework v2, which I knew, but what I didn't know was that our client's environment had two versions of it, the standard, unaltered version and a copy that they set aside specifically for us to customize. I had my repository plugged into the standard version and someone disabled the Pending Operation Succeeded tasks to finalize the creation of the user account.

    Once I hooked my repository up to the other framework with these tasks enabled, everything worked fine. Thank you Former Member!


  • Oct 18, 2017 at 08:59 AM

    Hello Brandon,

    It says "Entry does not exist". That means it can't find the user/identity. If it were talking about the privilege, normally the error message is "Referenced value does not exist". :)

    I have this issue sometimes, too, when the source statement is not delivering "mskey", but something else. Can you share screenshots of the source and destination tab of that job?





    • It's still added. And I tried the {e} operator too in case there was a PVO or something gumming up the works. It's been suggested I do a trace on the user when trying to remove to see a more specific error. Going to do that next.

  • Oct 20, 2017 at 04:02 AM

    Will it work if you try mskey of the privilege instead of the mskeyvalue?
