
Orphaned Privilege removal in SAP idm 7.2/8.0

Dec 19, 2017 at 01:49 PM

Former Member

Hello Gurus,

I hope everyone is good and rocking ;),

This time I came here to know something about ORPHANED privileges. As far as I know, orphaned privileges are those entries which don't have a parent entry / whose parent may have been removed. Then MCORPHAN is set to 1 to show its status.

The question here is:

I could not remove them via reconcile/repair entry or any custom jobs and assignment operators. Is there any way to tackle this issue, guys?

I'm strictly forced not to use SQL update queries directly in the database. I'm in search of a custom job or a script I can write to overcome this, but I read some blogs saying that we cannot remove them via the above-mentioned methods.

So I'm up here to seek your help. Could you guys please help me to solve this?

Suggestions are much more welcome.

regards

Mano...


Hi Mano,

It would be helpful to know which version and database you are using so that we know what options we have to help you with. Can you share some of the things you tried in general? There are quite a few {} operators that can be used.

In the end, it might only be possible to do this via SQL. If you have restrictions, you'll probably need to open an SAP ticket so that you have some backup.

Matt


4 Answers

Best Answer
Deva Prakash B Dec 20, 2017 at 11:00 AM

Hello Manojkumar,

Below is the process to remove orphan assignments, in any version of SAP IDM:

  1. List all the orphan assignments where mcorphan = 1.
  2. Check whether each orphan assignment is an inherited privilege or not.
  3. If the orphan assignment is inherited, assign the privilege as a direct assignment using {DIRECT_REFERENCE=1}<privilege mskeyvalue>; if it is already a direct assignment, do nothing (mcassigneddirect = 1 means direct assignment, otherwise inherited assignment).
  4. After assigning the orphan privileges as direct assignments, remove the privileges from the users using the {e} operator as below in the job.

You can create a custom job and use a To Identity Store pass as below.

Direct assignment of orphan privilege

MSKEYVALUE - provide user mskeyvalue

changetype - modify

MXREF_MX_PRIVILEGE - {DIRECT_REFERENCE=1}<privilege mskeyvalue>

Removal of orphan privilege

MSKEYVALUE - provide user mskeyvalue

changetype - modify

MXREF_MX_PRIVILEGE - {e}<privilege mskeyvalue>

The above steps should work; if not, provide a screenshot of the job and the steps performed.

Regards,

Deva Prakash Budati
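The four steps above can be turned into a small planning script before any job is run, so that the two To Identity Store passes are generated from the same list and can be reviewed first. The following is an added example (not code from the answer above or from SAP): it takes a constructed list of assignment rows and produces the attribute values for the two passes exactly as the answer describes. The row field names userMskeyValue, privMskeyValue, mcorphan and mcassigneddirect are assumptions modelled on the columns the answer mentions; the attribute names MSKEYVALUE, changetype and MXREF_MX_PRIVILEGE and the operator prefixes come from the answer.

```javascript
// Constructed sample rows (not a real IDM export). mcorphan = 1 marks an
// orphan assignment; mcassigneddirect = 1 marks a direct (not inherited) one.
const ORPHAN_ROWS = [
  { userMskeyValue: "USER.ALICE", privMskeyValue: "PRIV:APP1:READ",  mcorphan: 1, mcassigneddirect: 0 },
  { userMskeyValue: "USER.BOB",   privMskeyValue: "PRIV:APP2:ADMIN", mcorphan: 1, mcassigneddirect: 1 },
  { userMskeyValue: "USER.CAROL", privMskeyValue: "PRIV:APP1:READ",  mcorphan: 0, mcassigneddirect: 0 },
];

// Build the MXREF_MX_PRIVILEGE value for one pass: operator prefix + <privilege mskeyvalue>.
function refValue(operator, privMskeyValue) {
  return operator + "<" + privMskeyValue + ">";
}

// Plan the cleanup: pass 1 converts inherited orphans into direct assignments,
// pass 2 removes every orphan assignment with the {e} operator.
function planOrphanCleanup(rows) {
  const pass1 = []; // {DIRECT_REFERENCE=1} entries (inherited orphans only)
  const pass2 = []; // {e} entries (all orphans)
  for (const r of rows) {
    if (Number(r.mcorphan) !== 1) continue;          // step 1: only mcorphan = 1
    if (Number(r.mcassigneddirect) !== 1) {          // steps 2-3: inherited -> make direct first
      pass1.push({
        MSKEYVALUE: r.userMskeyValue,
        changetype: "modify",
        MXREF_MX_PRIVILEGE: refValue("{DIRECT_REFERENCE=1}", r.privMskeyValue),
      });
    }
    pass2.push({                                      // step 4: remove the reference
      MSKEYVALUE: r.userMskeyValue,
      changetype: "modify",
      MXREF_MX_PRIVILEGE: refValue("{e}", r.privMskeyValue),
    });
  }
  return { pass1, pass2 };
}

const plan = planOrphanCleanup(ORPHAN_ROWS);
console.log(JSON.stringify(plan, null, 2));
```

Running the script prints one DIRECT_REFERENCE entry (for the inherited orphan) and two {e} entries; the non-orphan row is left alone. The point of keeping the two passes separate is that pass 2 must only run after pass 1 has completed, otherwise the inherited assignment has no direct reference for {e} to remove.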

Former Member

Thanks Deva, let me try these steps and I will post back.

Regards

Manojkumar Malaiyarasan

Former Member Dec 28, 2017 at 11:33 AM

Hello Mano,

There is a stored procedure called mxi_deleteOrphanAssigment which can be used to solve your problem.
For more details please refer to note 2499697, "Introducing new DB stored procedure for orphan assignments revocation".

Best Regards

Lennart

Former Member Dec 20, 2017 at 07:55 AM

Hello Matt,

Thanks for the instant response.

We are currently using IDM 8.0 and SQL Server 2012. I tried using some operators like {e}, {d}, {D} in the attribute MXREF_MX_PRIVILEGE, since I just want to remove these orphaned privileges.

For example:

Attribute name 'MXREF_MX_PRIVILEGE' and its value like {e}<PRIVILEGE NAME>, replacing with {d} and {D} respectively, and I have chosen Changetype as Modify as well.

When I chose Changetype as Delete, it deleted the entire entry, so I cannot do that.

So Matt, do you feel that I am doing anything wrong here?

If so, please let me know.

Regards

Mano..

Former Member Dec 28, 2017 at 11:03 AM

Hello Prakash,

When I tried your method I got an error saying "Missing conditional context", so do I need to specify the context value there? I tried that as well, but it still reports the error.

I have attached the screenshot.

Regards

Manojkumar


snip.jpg (40.3 kB)