on 10-18-2017 9:25 AM
Got a super odd one and I'm hoping my fellow experts can help with an answer.
I just created a new ADS repository and did an initial load. Very stripped down initial load as this is just a DEV environment. All I did was create the account attribute, create the system & account privileges, and add all the triggers. Super simple.
Then I use a To Identity Store pass to give the MXREF_MX_PRIVILEGE of my account PRIV to a test user. Worked fine; user was created in LDAP with all the right attributes; all good.
Now I use the same job with the To Identity Store pass to delete the reference to the account PRIV so that will trigger deprovisioning and it fails with the following error:
How is this even possible? I *JUST* added this privilege. How can it not exist?
I have checked the IDMV_VALLINK_EXT table and I can confirm that my test user does indeed have this reference attribute. I have checked the link tables and I can confirm that the execState and execStateHierarchy are correct for a link in an, "OK" status. Everything should be fine. Why does this fail?
Turns out that we're using Provisioning Framework v2, which I knew, but what I didn't know was that our client's environment had two versions of it, the standard, unaltered version and a copy that they set aside specifically for us to customize. I had my repository plugged into the standard version and someone disabled the Pending Operation Succeeded tasks to finalize the creation of the user account.
Once I hooked my repository up to the other framework with these task enabled, everything worked fine. Thank you julien.garagnon!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Will it work if you try mskey of the privilege instead of the mskeyvalue?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Brandon,
it says "Entry does not exist". That means it can't find the user/identity. If it were talking about the privilege, normally the error message is "Referenced value does not exist". 🙂
I have this issue sometimes, too, when the source statement is not delivering "mskey", but something else. Can you share screenshots of the source and destination tab of that job?
.
Regards,
Steffi.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I'm guessing "sap master" is indeed the correct identity store. 😉 Other than that this looks pretty normal to me. My help jobs look the same.
.
It's a bit frustrating, I just checked my system and had the same issue a month ago, but I don't know what I did to fix it. *sigh*
Is the privilege still added to the identity or is it pending deletion?
It's still added. And I tried the {e} operator too in case there was a PVO or something gumming up the works. It's been suggested I do a trace on the user when trying to remove to see a more specific error. Going to do that next.
User | Count |
---|---|
86 | |
10 | |
10 | |
9 | |
7 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.