Orphaned Privilege removal in SAP IDM 7.2/8.0

Former Member

Hello Gurus,

I hope everyone is good and rocking ;),

This time I came here to know something about ORPHANED privileges. As far as I know, orphaned privileges are those entries which don't have a parent entry / whose parent may have been removed. Then MCORPHAN goes to 1 to show this status.

My question here is:

I could not remove them via reconcile/repair entry or any custom jobs and assignment operators. Is there any way to tackle this issue, guys?

I'm strictly forbidden to run SQL update queries directly on the database. I'm searching for a custom job or a script I can write to overcome this, but I read some blogs saying that we cannot remove them via the above-mentioned methods.

So I'm up here to seek your help; could you guys please help me to solve this?

Suggestions are very welcome.

regards

Mano...

former_member2987
Active Contributor

Hi Mano,

It would be helpful to know which version and database you are using so that we know what options we have to help you with. Can you share some of the things you tried in general? There are quite a few {} operators that can be used.

In the end, it might only be possible to do this via SQL. If you have restrictions, you'll probably need to open a SAP ticket so that you have some backup.

Matt

Accepted Solutions (1)

devaprakash_b
Active Contributor

Hello Manojkumar,

Below is the process to remove orphan assignments in any version of SAP IDM:

  1. List all the orphan assignments where mcorphan = 1.
  2. Check whether each orphan assignment is an inherited privilege or not.
  3. If the orphan assignment is inherited, then assign the privilege as a direct assignment using {DIRECT_REFERENCE=1}<privilege mskeyvalue>; if it is already a direct assignment, do nothing (mcassigneddirect = 1 means direct assignment, otherwise inherited assignment).
  4. After assigning the orphan privileges as direct assignments, remove the privileges from the users using the {e} operator as below in the job.

You can create a custom job and use a To Identity Store pass as below:

Direct assignment of orphan privilege:

MSKEYVALUE - provide user mskeyvalue
changetype - modify
MXREF_MX_PRIVILEGE - {DIRECT_REFERENCE=1}<privilege mskeyvalue>

Removal of orphan privilege:

MSKEYVALUE - provide user mskeyvalue
changetype - modify
MXREF_MX_PRIVILEGE - {e}<privilege mskeyvalue>

The above steps should work; if not, provide a screenshot of the job and the steps performed.

Regards,

Deva Prakash Budati
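As an added illustration (not code from this thread or from SAP), the following JavaScript planner applies the two-pass logic of the accepted answer to constructed assignment rows: only rows with mcorphan = 1 are touched, inherited ones first get a {DIRECT_REFERENCE=1} assignment, and every orphan then gets an {e} removal. The row shape, the user and privilege MSKEYVALUEs, and the column names mcorphan / mcassigneddirect are assumptions modelled on the post.

```javascript
// Added example: plan the two "To Identity Store" passes from the accepted answer.
// Row shape and sample values are constructed; column names follow the thread.
const SAMPLE_ASSIGNMENTS = [
  { user: "USER.MANO", privilege: "PRIV:ABAP:SAP_ALL",  mcorphan: 1, mcassigneddirect: 0 },
  { user: "USER.MANO", privilege: "PRIV:ABAP:ZDISPLAY", mcorphan: 1, mcassigneddirect: 1 },
  { user: "USER.MANO", privilege: "PRIV:ABAP:ZPOST",    mcorphan: 0, mcassigneddirect: 1 },
  { user: "USER.ANNA", privilege: "PRIV:ABAP:SAP_ALL",  mcorphan: 1, mcassigneddirect: 0 },
];

// Build one To Identity Store row (attribute name -> value) for a user.
function passRow(user, operatorAndValue) {
  return {
    MSKEYVALUE: user,
    changetype: "modify",
    MXREF_MX_PRIVILEGE: operatorAndValue,
  };
}

// Step 1-4 of the answer: filter orphans, convert inherited ones to direct
// assignments, then revoke every orphan with the {e} operator.
function planOrphanCleanup(rows) {
  const orphans = rows.filter((r) => r.mcorphan === 1);
  const directPass = [];
  const removalPass = [];
  for (const r of orphans) {
    if (r.mcassigneddirect !== 1) {
      // Inherited orphan: make it a direct assignment first (step 3).
      directPass.push(passRow(r.user, "{DIRECT_REFERENCE=1}" + r.privilege));
    }
    // Every orphan, direct or converted, is removed in the second pass (step 4).
    removalPass.push(passRow(r.user, "{e}" + r.privilege));
  }
  return { directPass, removalPass, skipped: rows.length - orphans.length };
}

// Summary per user, handy for a dry run before the job is executed.
function summarize(plan) {
  const perUser = {};
  for (const row of plan.removalPass) {
    perUser[row.MSKEYVALUE] = (perUser[row.MSKEYVALUE] || 0) + 1;
  }
  return perUser;
}

const plan = planOrphanCleanup(SAMPLE_ASSIGNMENTS);
console.log(JSON.stringify(plan, null, 2));
console.log("orphans per user:", summarize(plan));
```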

Former Member

Thanks Deva, let me try these steps and I will post back.

Regards

Manojkumar Malaiyarasan

Answers (4)

Former Member

Hello Mano,

There is a stored procedure called mxi_deleteOrphanAssigment which can be used to solve your problem.
For more details please refer to note 2499697, Introducing new DB stored procedure for orphan assignments revocation.

Best Regards

Lennart

ivan_petrov
Active Participant

Hi Mano,

Actually the best answer you have selected is not the best answer.

Don't get me wrong - it works, but much better is to follow the SAP Note

2499697 Introducing new DB stored procedure for orphan assignments revocation.

Provided to you by lennart.kayser

It is a stored procedure which might later become a house-keeping procedure.

It has options to provision or not to provision to the backend system during the cleanup, and it does it properly, also setting some additional audit information.

Regards,

Ivan Petrov

Former Member

Hello Prakash,

When I tried your method I got an error saying "Missing conditional context", so do I need to specify the context value there? I tried that as well, but it still reports an error.

I have attached the screenshot.

regards

Manojkumar

Former Member

Hello Matt,

Thanks for the instant response.

We are currently using IDM 8.0 and SQL database 2012. And I tried using some operators like {e}, {d}, {D} in the attribute MXREF_MX_PRIVILEGE, since I just want to remove these orphaned privileges.

For example:

Attribute name 'MXREF_MX_PRIVILEGE' and its value like {e}<PRIVILEGE NAME>, replacing {e} with {d} and {D} respectively. And I have chosen Changetype as Modify as well.

When I chose Changetype as delete, it deleted the entire entry, so I cannot do that.

So Matt, do you feel that I am doing anything wrong here?

If so, please let me know.

regards

Mano..