Skip to Content

Cannot Delete Reference to Account PRIV for Deprovisioning

Got a super odd one and I'm hoping my fellow experts can help with an answer.

I just created a new ADS repository and did an initial load. Very stripped down initial load as this is just a DEV environment. All I did was create the account attribute, create the system & account privileges, and add all the triggers. Super simple.

Then I use a To Identity Store pass to give the MXREF_MX_PRIVILEGE of my account PRIV to a test user. Worked fine; user was created in LDAP with all the right attributes; all good.

Now I use the same job with the To Identity Store pass to delete the reference to the account PRIV so that will trigger deprovisioning and it fails with the following error:

How is this even possible? I *JUST* added this privilege. How can it not exist?

I have checked the IDMV_VALLINK_EXT table and I can confirm that my test user does indeed have this reference attribute. I have checked the link tables and I can confirm that the execState and execStateHierarchy are correct for a link in an, "OK" status. Everything should be fine. Why does this fail?

capture.png (119.9 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Oct 20, 2017 at 08:20 AM

    Turns out that we're using Provisioning Framework v2, which I knew, but what I didn't know was that our client's environment had two versions of it, the standard, unaltered version and a copy that they set aside specifically for us to customize. I had my repository plugged into the standard version and someone disabled the Pending Operation Succeeded tasks to finalize the creation of the user account.

    Once I hooked my repository up to the other framework with these task enabled, everything worked fine. Thank you Former Member!

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 18, 2017 at 08:59 AM

    Hello Brandon,

    it says "Entry does not exist". That means it can't find the user/identity. If it were talking about the privilege, normally the error message is "Referenced value does not exist". :)

    I have this issue sometimes, too, when the source statement is not delivering "mskey", but something else. Can you share screenshots of the source and destination tab of that job?

    .

    Regards,

    Steffi.

    Add comment
    10|10000 characters needed characters exceeded

    • It's still added. And I tried the {e} operator too in case there was a PVO or something gumming up the works. It's been suggested I do a trace on the user when trying to remove to see a more specific error. Going to do that next.

  • Oct 20, 2017 at 04:02 AM

    Will it work if you try mskey of the privilege instead of the mskeyvalue?

    Add comment
    10|10000 characters needed characters exceeded