Former Member

Orphaned Privilege removal in SAP idm 7.2/8.0

Hello Gurus,

I hope everyone is good and rocking ;),

This time I came here to know something about ORPHANED privileges. As far as I know, orphaned privileges are those entries that don't have a parent entry / whose parent may have been removed. Then MCORPHAN goes to 1 to show its status.

The question here is:

I could not remove them via reconcile/repair entry or any custom jobs and assignment operators. Is there any way to tackle this issue, guys?

I'm strictly forced not to use SQL update queries directly in the database. I'm in search of a custom job or a script I can write to overcome this, but I read some blogs saying that we cannot remove them via the above-mentioned methods.

So I'm up here to seek your help; could you guys please help me to solve this?

Suggestions are much more welcome.

regards

Mano...


  • Hi Mano,

    It would be helpful to know which version and database you are using so that we know what options we have to help you with. Can you share some of the things you tried in general? There are quite a few {} operators that can be used.

    In the end, it might only be possible to do this via SQL. If you have restrictions, you'll probably need to open an SAP ticket so that you have some backup.

    Matt


4 Answers

  • Best Answer
    Dec 20, 2017 at 11:00 AM

    Hello Manojkumar,

    Below is the process to remove orphan assignments in any version of SAP IDM:

    1. List all the orphan assignments where mcorphan = 1.
    2. Check whether the orphan assignment is an inherited privilege or not.
    3. If the orphan assignment is inherited, then assign the privilege as a direct assignment using {DIRECT_REFERENCE=1}<privilege mskeyvalue>; if it is a direct assignment already, do not perform anything (mcassigneddirect = 1 means direct assignment, otherwise inherited assignment).
    4. After assigning the orphan privileges as direct assignments, remove the privileges from the users using the {e} operator in the job as below.

    You can create a custom job and use a To Identity Store pass as below.


    Direct assignment of orphan privilege

    MSKEYVALUE - provide user mskeyvalue

    changetype - modify

    MXREF_MX_PRIVILEGE - {DIRECT_REFERENCE=1}<privilege mskeyvalue>


    Removal of orphan privilege

    MSKEYVALUE - provide user mskeyvalue

    changetype - modify

    MXREF_MX_PRIVILEGE - {e}<privilege mskeyvalue>

    The above steps should work; if not, provide a screenshot of the job and the steps performed.

    Regards,

    Deva Prakash Budati

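The two-phase ordering in the answer above (make inherited orphans direct first, then revoke everything with {e}) as an added planning script; this is not code from the thread or from SAP IDM. It assumes an export of link records with the flag names used in the thread (mcorphan, mcassigneddirect) and emits the MSKEYVALUE / changetype / MXREF_MX_PRIVILEGE rows you would feed to the To Identity Store pass; the sample records are constructed.

```python
"""Plan orphan-privilege cleanup rows for an SAP IDM 'To Identity Store' pass.

Added example (not SAP code). Record field names follow the thread; the
sample data below is constructed, not exported from a real identity store.
"""
from dataclasses import dataclass
import csv
import io


@dataclass(frozen=True)
class Assignment:
    user_mskeyvalue: str        # MSKEYVALUE of the user entry
    privilege_mskeyvalue: str   # MSKEYVALUE of the privilege entry
    mcorphan: int               # 1 = parent of the link is gone
    mcassigneddirect: int       # 1 = direct assignment, else inherited


def plan_cleanup(assignments):
    """Return ordered (MSKEYVALUE, changetype, MXREF_MX_PRIVILEGE) rows.

    Inherited orphans get a {DIRECT_REFERENCE=1} row before any {e} row is
    emitted, so the whole batch can run as two passes in that order.
    Links that are not orphaned (mcorphan != 1) are never touched.
    """
    make_direct, revoke = [], []
    for a in assignments:
        if a.mcorphan != 1:
            continue
        if a.mcassigneddirect != 1:
            # Step 3: inherited orphan must become a direct assignment first.
            make_direct.append((a.user_mskeyvalue, "modify",
                                f"{{DIRECT_REFERENCE=1}}<{a.privilege_mskeyvalue}>"))
        # Step 4: revoke the (now direct) assignment with the {e} operator.
        revoke.append((a.user_mskeyvalue, "modify",
                       f"{{e}}<{a.privilege_mskeyvalue}>"))
    return make_direct + revoke


def to_csv(rows):
    """Render rows as CSV with the attribute names used in the pass."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["MSKEYVALUE", "changetype", "MXREF_MX_PRIVILEGE"])
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample: one inherited orphan, one direct orphan, one healthy link.
SAMPLE = [
    Assignment("USER.A", "PRIV:SAP:OLD_ROLE", mcorphan=1, mcassigneddirect=0),
    Assignment("USER.B", "PRIV:SAP:OLD_ROLE", mcorphan=1, mcassigneddirect=1),
    Assignment("USER.C", "PRIV:SAP:VALID_ROLE", mcorphan=0, mcassigneddirect=1),
]

if __name__ == "__main__":
    print(to_csv(plan_cleanup(SAMPLE)))
```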

  • Dec 28, 2017 at 11:33 AM

    Hello Mano,

    There is a stored procedure called mxi_deleteOrphanAssigment which can be used to solve your problem.
    For more details please refer to note 2499697, "Introducing new DB stored procedure for orphan assignments revocation".

    Best Regards

    Lennart


  • 
    Former Member
    Dec 20, 2017 at 07:55 AM

    Hello Matt,

    Thanks for the instant response.

    We are currently using IDM 8.0 and SQL database 2012. And I tried using some operators like {e}, {d}, {D} in the attribute MXREF_MX_PRIVILEGE, since I just want to remove these orphaned privileges.

    For example:

    Attribute name 'MXREF_MX_PRIVILEGE' and its value like {e}<PRIVILEGE NAME>, replacing with {d} and {D} respectively. And I have chosen Changetype as Modify as well.

    When I chose Changetype as Delete, it deleted the entire entry, so I cannot do that.

    So Matt, do you feel that I am doing anything wrong out here?

    If so, please let me know.

    regards

    Mano..


  • 
    Former Member
    Dec 28, 2017 at 11:03 AM

    Hello Prakash,

    When I tried your method I got an error saying "Missing conditional context", so do I need to specify the context value out there? I tried that as well, but it still gives the error.

    I have attached the screenshot.

    regards

    Manojkumar
