Former Member

How to remove role\privileges assignment from identity

I already checked a similar topic but found no solution.
In the IdM UI I found an inactive identity that still has an assigned (role) privilege.
The status is in progress (see enclosed image).
I tried to remove the role/privilege assignment in the IdM UI. This option was not the solution.


So I made a job to delete the role\privilege assignment of the identity. See enclosed image.
Nothing happened. What am I doing wrong, or what possibilities do I have?

I also changed MX_PRIVILEGE to MX_ROLE. No result.
I also changed {e} to {d}. No result.


5 Answers

  • Oct 27, 2017 at 06:50 AM

    Hi Vorstenbosch,

    As per the screenshot, it seems that the wrong attribute is maintained in the destination tab. It should be MXREF_MX_PRIVILEGE.

    You also need to provide the mskeyvalue/uniqueid of the privilege inside angle brackets, like below:

    MXREF_MX_PRIVILEGE - {e}<PRIV:ROLE:*>

    Try to remove the privilege using the above syntax.

    As per the UI screenshot, it seems the status of the privilege might be "not allowed". So can you share the status of the privilege from the database table?

    select mcuniqueid,mcthismskeyvalue,mcothermskeyvalue,mcexecstate,mcexecstatehierarchy,mcassigneddirect,mcorphan from idmv_link_ext2 where mcthismskeyvalue = 'provide the mskeyvalue/uniqueid of the user inside single quotes'

    Regards,

    DP


  • Nov 08, 2017 at 08:24 PM

    On the third line of your Destination tab, it should read as follows:

    MXREF_MX_PRIVILEGE {e}<PRIV:ROLE:xxxxxx>

    The MSKEYVALUE of the privilege you're trying to remove must be encapsulated in the greater than / less than characters, <>. This way IDM knows you're referring to the privilege by MSKEYVALUE. If you don't use the <> on either side of the value, IDM assumes you're passing in an MSKEY. That's why the error message you're getting says, "Entry reference value is not numeric", as MSKEYs are only numbers.

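The two answers above give two checks for the destination tab: the assignment attribute should be MXREF_MX_PRIVILEGE, and a reference value must be either a numeric MSKEY or an MSKEYVALUE wrapped in <>. As an added example (not code from the thread or from SAP), the Python sketch below lints destination lines against those two rules before a job is run; the function names and the privilege name PRIV:ROLE:EXAMPLE_PRIVILEGE are constructed for illustration.

```python
import re

# Added example: pre-flight lint for a to-Identity-Store pass destination.
# Rules come only from the two answers above; sample lines are constructed.
OPERATOR = re.compile(r"^\{[A-Za-z]\}")  # prefix such as {e} or {d}, as used in the thread

def classify_reference(value):
    """Return 'mskeyvalue', 'mskey' or 'invalid' for an MXREF_* value."""
    ref = OPERATOR.sub("", value.strip(), count=1).strip()
    if len(ref) > 2 and ref.startswith("<") and ref.endswith(">"):
        return "mskeyvalue"   # <...> tells IDM the value is an MSKEYVALUE
    if re.fullmatch(r"[0-9]+", ref):
        return "mskey"        # a bare value is taken as an MSKEY, which is numeric
    return "invalid"          # bare non-numeric value: "Entry reference value is not numeric"

def lint_destination(lines):
    """Return (line number, attribute, problem) for each suspect destination line."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split(None, 1)
        if not fields:
            continue
        attr = fields[0]
        # Tolerate the "ATTR - value" spelling used in the first answer.
        value = fields[1].lstrip("- ").strip() if len(fields) > 1 else ""
        if attr == "MX_PRIVILEGE":
            findings.append((number, attr, "use MXREF_MX_PRIVILEGE for the assignment"))
        elif attr.startswith("MXREF_") and classify_reference(value) == "invalid":
            findings.append((number, attr, "wrap the MSKEYVALUE in <> or pass a numeric MSKEY"))
    return findings

# Constructed destination tabs: the failing shape from the thread, then the corrected one.
FAILING = [
    "MSKEYVALUE <mskeyvalue>",
    "changeType modify",
    "MXREF_MX_PRIVILEGE {e}PRIV:ROLE:EXAMPLE_PRIVILEGE",
]
CORRECTED = FAILING[:2] + ["MXREF_MX_PRIVILEGE {e}<PRIV:ROLE:EXAMPLE_PRIVILEGE>"]

if __name__ == "__main__":
    for name, tab in (("failing", FAILING), ("corrected", CORRECTED)):
        print(name, lint_destination(tab) or "ok")
```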

  • Former Member
    Nov 08, 2017 at 10:14 AM

    mcExecState = 1536

    I changed the job:
    MSKEYVALUE <mskeyvalue>
    changeType modify
    MXREF_MX_PRIVILEGE {e}PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL


    Job run details
    putNextEntry failed storing <mskeyvalue>
    Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed modifying entry '<mskeyvalue>'. IDStore returned error message: " Entry reference value is not numeric:Attribute: MXREF_MX_PRIVILEGE" when storing attribute ={e}PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL'



    • Hello Vorstenbosch,

      Although the approach shared by Deva is correct, please note that SAP doesn't recommend updating the SAP IDM database unless the issue cannot be solved any other way.

      If in any case you are planning to run the update query, please don't forget to take the database before.

      Regards,

      C Kumar

  • Former Member
    Nov 09, 2017 at 06:54 AM

    I added < > and now the job no longer runs into an error. But I still got mcExecState = 1536.
    We are using MS SQL 2012 as the database.

    Deva Prakash B

    select * from idmv_link_ext where mcthismskey = usermskey and mcothermskeyvalue = 'PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL' --> mcMasterPrivLinkid

    Same statement for MS SQL 2012???

    update MXI_LINK set mclinkstate =2 ,mcexecstate =1025,mcexecstatehierarchy =1025,

    mcaddaudit = NULL ,MCLINKTYPE =0, MCLASTAUDIT =0 ,MCAUDITID = 0

    C Kumar

    I do not understand your comment --> If any case you are planning to run the Update query, please don't forget to take the database before.


    • Former Member Deva Prakash B

      Deva, Brandon and C Kumar,

      I followed the instructions of Deva and issue is solved.

      Thanks for the info and support.

      Regards,

      Jan Vorstenbosch

  • Former Member
    Nov 10, 2017 at 07:45 AM

    Deva, Brandon and C Kumar,

    I followed the instructions of Deva and issue is solved.

    Thanks for the info and support.

    Regards,

    Jan Vorstenbosch
