How to remove role\privileges assignment from identity

Oct 26, 2017 at 12:34 PM

Former Member

How to remove role\privileges assignment from identity

I already checked a similar topic but found no solution.
In the IdM UI I found an inactive identity that still has an assigned (role) privilege.
Status is in progress (see enclosed image).
I tried to remove the role/privilege assignment in the IdM UI. This option was not the solution.


So I made a job to delete the role\privilege assignment of the identity. See enclosed image.
Nothing happened. What am I doing wrong, or what possibilities do I have?

I also changed MX_PRIVILEGE to MX_ROLE. No result.
I also changed {e} to {d}. No result.


5 Answers

Deva Prakash B Oct 27, 2017 at 06:50 AM
1

Hi Vorstenbosch,

As per the screenshot, it seems that the wrong attribute is maintained in the Destination tab. It should be MXREF_MX_PRIVILEGE.

You also need to provide the mskeyvalue/uniqueid of the privilege inside the angular braces, like below:

MXREF_MX_PRIVILEGE - {e}<PRIV:ROLE:*>

Try to remove the privilege using the above syntax.

As per the UI screenshot, it seems the status of the privilege might be not allowed, so can you share the status of the privilege from the database table?

select mcuniqueid,mcthismskeyvalue,mcothermskeyvalue,mcexecstate,mcexecstatehierarchy,mcassigneddirect,mcorphan from idmv_link_ext2 where mcthismskeyvalue = 'provide the mskeyvalue/uniqueid of the user inside single quotes'

Regards,

DP

Brandon Bollin Nov 08, 2017 at 08:24 PM
1

On the third line of your Destination tab, it should read as follows:

MXREF_MX_PRIVILEGE {e}<PRIV:ROLE:xxxxxx>

The MSKEYVALUE of the privilege you're trying to remove must be encapsulated in the greater than / less than characters, <>. This way IDM knows you're referring to the privilege by MSKEYVALUE. If you don't use the <> on either side of the value, IDM assumes you're passing in an MSKEY. That's why the error message you're getting says, "Entry reference value is not numeric", as MSKEYs are only numbers.

Former Member Nov 08, 2017 at 10:14 AM
0

mcExecState = 1536

I changed the job:
MSKEYVALUE <mskeyvalue>
changeType modify
MXREF_MX_PRIVILEGE {e}PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL


Job run details
putNextEntry failed storing <mskeyvalue>
Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed modifying entry '<mskeyvalue>'. IDStore returned error message: " Entry reference value is not numeric:Attribute: MXREF_MX_PRIVILEGE" when storing attribute ={e}PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL'



Hi Vorstenbosch,

Can you please try to edit the job as below:

Attribute Value

MSKEYVALUE AP00715

changetype modify

MXREF_MX_PRIVILEGE {e}<PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL>

If it still isn't resolved, can you try to reconcile the user? If it still isn't removed, then we need to change the 1536 status manually to 1025 in mxi_link. Please run the below query only when the above-mentioned solutions don't work.

For Oracle DB:

update MXI_LINK set mclinkstate =2 ,mcexecstate =1025,mcexecstatehierarchy =1025,
mcaddaudit = NULL ,MCLINKTYPE =0, MCLASTAUDIT =0 ,MCAUDITID = 0
where mcthismskey = provide user mskey here AND mcexecstate = 1536 AND mcuniqueid = provide the linkid for that assignment

How to get the link id:

select * from idmv_link_ext where mcthismskey = usermskey and mcothermskeyvalue = 'PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL'

Regards,

Deva

1

Hello Vorstenbosch,

Although the approach shared by Deva is correct, please note that SAP doesn't recommend updating the SAP IDM database unless the issue cannot be solved another way.

If in any case you are planning to run the update query, please don't forget to take the database before.

Regards,

C Kumar

0
Former Member Nov 09, 2017 at 06:54 AM
0

I added < > and now the job is not running in error. But I still get mcExecState = 1536.
We are using MS SQL 2012 as the database.

Deva Prakash B

select * from idmv_link_ext where mcthismskey = usermskey and mcothermskeyvalue = 'PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL' --> mcMasterPrivLinkid

Same statement for MS SQL 2012???

update MXI_LINK set mclinkstate =2 ,mcexecstate =1025,mcexecstatehierarchy =1025,
mcaddaudit = NULL ,MCLINKTYPE =0, MCLASTAUDIT =0 ,MCAUDITID = 0

C Kumar

I do not understand your comment --> If in any case you are planning to run the update query, please don't forget to take the database before.


Hi Vorstenbosch,

For MS SQL, use this query and it should work. What C Kumar mentioned is to take a database backup.

Before updating the table, make sure that you execute the below select query to see how many records you are going to update.

select count(*) from mxi_link with (nolock) where mcthismskey = user mskey AND mcexecstate = 1536 AND mcuniqueid in (select mcuniqueid from idmv_link_ext2 with (nolock) where mcthismskey = usermskey and mcothermskeyvalue = 'PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL' AND mcexecstate = 1536 )

If the number of records is one, then try to execute the below query.

Update query:

update MXI_LINK set mclinkstate =2 ,mcexecstate =1025,mcexecstatehierarchy =1025,
mcaddaudit = NULL ,MCLINKTYPE =0, MCLASTAUDIT =0 ,MCAUDITID = 0
where mcthismskey = user mskey AND mcexecstate = 1536 AND mcuniqueid in (select mcuniqueid from idmv_link_ext2 with (nolock) where mcthismskey = usermskey and mcothermskeyvalue = 'PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL' AND mcexecstate = 1536 )

Regards,

Deva
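
The count-then-update sequence in the reply above can be run as one guarded step on MS SQL, so the change is committed only when exactly one link row matches. This T-SQL is an added example, not part of the original replies; the variable names, their data types and the 0 placeholder for the user MSKEY are assumptions, while the table, view and column names and the state values are the ones used in the thread.

```sql
-- Added example (T-SQL): guarded reset of one stuck assignment link.
-- Assumptions: variable names and data types; @UserMskey = 0 is a placeholder.
SET XACT_ABORT ON;   -- any run-time error rolls the whole transaction back

DECLARE @UserMskey    INT           = 0;   -- placeholder: MSKEY of the user
DECLARE @PrivKeyValue NVARCHAR(255) =
        N'PRIV:ROLE:OGPCLNT100:C:GTW:0000:INZET_VERANTWOORDEL';
DECLARE @Rows         INT;

BEGIN TRANSACTION;

-- Same SET list and filter as the update query in the thread. The nolock
-- hint is left out here so the row check is not based on a dirty read.
UPDATE MXI_LINK
SET    mclinkstate = 2,
       mcexecstate = 1025,
       mcexecstatehierarchy = 1025,
       mcaddaudit = NULL,
       MCLINKTYPE = 0,
       MCLASTAUDIT = 0,
       MCAUDITID = 0
WHERE  mcthismskey = @UserMskey
  AND  mcexecstate = 1536
  AND  mcuniqueid IN (SELECT mcuniqueid
                      FROM   idmv_link_ext2
                      WHERE  mcthismskey = @UserMskey
                        AND  mcothermskeyvalue = @PrivKeyValue
                        AND  mcexecstate = 1536);

SET @Rows = @@ROWCOUNT;   -- must be read immediately after the UPDATE

IF @Rows = 1
    COMMIT TRANSACTION;   -- exactly the one expected link was changed
ELSE
BEGIN
    -- Zero rows or more than one: undo everything and report the count.
    ROLLBACK TRANSACTION;
    RAISERROR('Expected 1 link row, matched %d; nothing was changed.',
              16, 1, @Rows);
END
```

Because the check and the write share one transaction, a wrong MSKEY or an unexpectedly broad match leaves MXI_LINK untouched; the database backup mentioned earlier in the thread is still the recovery path for anything committed.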

Former Member Nov 10, 2017 at 07:45 AM
0

Deva, Brandon and C Kumar,

I followed the instructions of Deva and issue is solved.

Thanks for the info and support.

Regards,

Jan Vorstenbosch


Hello Jan,

You forgot to accept his reply as answer then. ;)

Regards,

Steffi.

0