SAP IdM 7.2 SP9 - role assignment/removal issue in ABAP system

Feb 08 at 11:13 PM


Hi experts, my client is using SAP IdM 7.2 SP9 on a SQL Server DB.

I have an issue where, when a business role is assigned with a future valid-from date in IdM, it does the assignment in IdM but does not make the assignment in the backend ABAP system.

When the business role assignment has a valid-to date defined, the role assignment is removed in IdM when the date passes, but the privilege does not get removed in the backend ABAP system.

Please could you let me know how to investigate this and fix it.

Thanks

Ranjit


3 Answers

Deva Prakash B Feb 09 at 04:42 AM

Hi Ranjit,

1) I have an issue where, when a business role is assigned with a future valid-from date in IdM, it does the assignment in IdM but does not make the assignment in the backend ABAP system.

If a privilege is assigned to a user with a future validity date, IdM provisions the respective privilege to the backend system once the valid-from date is reached. Usually this setting is maintained at the repository level: go to Repositories -> Event tasks tab and check the execute list under the respective member event tasks.

For more information kindly check the below links

https://help.sap.com/viewer/4773a9ae1296411a9d5c24873a8d418c/8.0/en-US/8ced739a6a3e4f6b9dd9017ebaa4756e.html

https://help.sap.com/viewer/4773a9ae1296411a9d5c24873a8d418c/8.0/en-US/790b46587d3c498bb33a265a5950edaf.html

2) When the business role assignment has a valid-to date defined, the role assignment is removed in IdM when the date passes, but the privilege does not get removed in the backend ABAP system.

Check if there are any orphan privileges assigned to the user by using the query below:

SELECT * FROM idmv_link_ext2 WITH (NOLOCK) WHERE mcThisMSKEY = <user's MSKEY, without the angle brackets> AND mcOrphan = 1

If this query returns any results, compare the privileges returned in the mcOtherMSKEYVALUE column with the roles still not removed from the backend system. If they match, please check the post below on how to clean up the orphan assignments.

https://answers.sap.com/questions/388185/orphaned-privilege-removal-in-sap-idm-7280.html?childToView=387568#answer-387568

Regards,

Deva

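The orphan query above only catches links that IdM itself has already flagged. The symptom in this thread is a validity window that IdM honours in its own UI while the ABAP side lags behind, so the check a practitioner actually wants is "for this user, what does IdM think the backend should look like right now, link by link?" The following T-SQL is an added example written for this page, not code from the original answer or from SAP. The column names quoted in the answer (mcThisMSKEY, mcOrphan, mcOtherMSKEYVALUE) are taken from the post; mcValidFrom, mcValidTo, mcLinkState, mcExecState and mcAttrName, and the attribute name MXREF_MX_PRIVILEGE, are assumed from the 7.2 link views and should be checked against your own schema first. It also reads the MXIV_DIRTY_MSKEYS table that comes up later in the thread, since the housekeeping reconcile works from it.

```sql
-- Added example (not from the original post or from SAP).
-- Purpose: for one user, list every privilege link with its validity window and the
-- backend state IdM should therefore have produced, so it can be diffed against SU01/PFCG.
-- Assumed (verify first): mcValidFrom, mcValidTo, mcLinkState, mcExecState, mcAttrName,
-- and the reference attribute name 'MXREF_MX_PRIVILEGE'. Quick check:
--   SELECT TOP 1 * FROM idmv_link_ext2;

DECLARE @mskey INT = 12345;   -- constructed placeholder: the user's MSKEY from IdM

SELECT l.mcOtherMSKEYVALUE AS privilege,
       l.mcValidFrom,
       l.mcValidTo,
       l.mcLinkState,            -- IdM's own view of the link (pending add/remove etc.)
       l.mcExecState,            -- provisioning execution state of the link
       l.mcOrphan,               -- 1 = same thing the orphan query in the answer returns
       -- NULL bounds mean "open-ended": NULL > GETDATE() is not true, so a NULL
       -- mcValidFrom falls through to the later branches, and a NULL mcValidTo is active.
       CASE
         WHEN l.mcValidFrom > GETDATE() THEN 'future:  must NOT yet be in ABAP'
         WHEN l.mcValidTo   < GETDATE() THEN 'expired: must be GONE from ABAP'
         ELSE                                'active:  must be PRESENT in ABAP'
       END AS expected_backend_state
FROM idmv_link_ext2 AS l WITH (NOLOCK)
WHERE l.mcThisMSKEY = @mskey
  AND l.mcAttrName  = 'MXREF_MX_PRIVILEGE'   -- direct and inherited privilege links only
ORDER BY l.mcValidFrom, l.mcOtherMSKEYVALUE;

-- The "Reconcile dirty entry" housekeeping procedure processes the entries in this table.
-- If it is empty while the ABAP system still disagrees with the rows above, housekeeping
-- has nothing left to pick up and the gap has to be explained elsewhere (event tasks,
-- dispatcher state, job log of the provisioning task).
SELECT COUNT(*) AS dirty_entries
FROM mxiv_dirty_mskeys WITH (NOLOCK);
```

Run the first query just before and just after one of the expected boundary times (the dispatchers' housekeeping runs in the early hours in this thread) and keep the two result sets; a row whose expected_backend_state flips while the ABAP role list does not is the exact link to trace in the provisioning job logs. Note that GETDATE() is the database server's clock; if that host keeps a different time or zone than the dispatcher hosts, the comparison here will not match what the dispatcher saw, which is the kind of timezone mismatch raised later in the thread.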
Ranjit Daniel Feb 25 at 07:59 PM

Hi All.... just an update, I restarted the dispatchers and have completed a test. It seems to be doing the assignments and removals as expected. I will need to complete a few more tests to confirm that this is working as expected. Will let you know how I get on in the next few days.

Thanks

Ranjit

Ranjit Daniel Feb 13 at 02:11 AM

Hi Deva

Thanks for your response and apologies for my late reply. I checked the repository and these are the member event tasks defined. Question is, do I need to add validate tasks to resolve the issue I'm facing? The customer is not using GRC and there is no approval required for role/privilege assignments and removals.

I also checked the query you provided to check for orphan privileges and found none.

Please advise

Ranjit



Hello Ranjit,

Normally the housekeeping should take care of the second issue. You can start it manually: on the dispatcher's Housekeeping tab, run the "Reconcile dirty entry" procedure.

We had the issue that there were so many dirty entries that it no longer worked correctly by itself. So I had to trigger it manually several times (after it had cleared a batch of entries) until it had caught up again. You could try that.

Regards,

Steffi.


Hi Steffi

I checked the table and found no entries in the MXIV_DIRTY_MSKEYS table. I have also manually triggered the "Reconcile dirty entry" procedure a few times. I will test again. The issue I had was: on the 7th I assigned a business role to a user with two future-dated assignments, one from the 7th to the 7th and the other from the 9th to the 9th.

The first assignment was provisioned to the respective backend ABAP system but did not drop off in the early hours of the 8th (past midnight on the 7th). The second assignment for the 9th did not get provisioned to the ABAP system, but in the early hours of the 10th (past midnight on the 9th) the role that was provisioned on the 7th dropped off in the ABAP system.

The interesting thing is that in the IdM UI the related business role assignments were working as expected, i.e. the business role assigned on the 7th dropped off in the early hours of the 8th and the assignment for the 9th dropped off in the early hours of the 10th.

Below are the housekeeping scheduled procedures set for the dispatchers. Do you see anything that doesn't seem right to you? The 'Check for expired attributes' procedure is set to run at noon. I was wondering if this is ok?


Hello Ranjit,

we have the same Housekeeping setup concerning the schedule, so that looks okay to me.


"The first assignment was provisioned to the respective backend ABAP system but did not drop off in the early hours of the 8th (past midnight on the 7th). The second assignment for the 9th did not get provisioned to the ABAP system, but in the early hours of the 10th (past midnight on the 9th) the role that was provisioned on the 7th dropped off in the ABAP system."


That sounds a lot like the system was ignoring the day in between. Maybe a timezone issue?

So the business role was deleted and reassigned correctly. What about the privileges? Were they deleted and reassigned in IdM and only the backend didn't change, or were they assigned to the user the whole time in IdM?

Regards,

Steffi.


Hi Steffi, sorry for my delayed response, I was running some more tests. It is inconsistent: one test I did with future-dated role assignments worked as expected, i.e. the role was assigned and de-assigned at the expected times. But the same test for another future date for the same role was assigned at the right time but did not get removed when the assignment ended. The assignment in IdM works correctly; it's just that in the backend SAP system the role assignments and removals don't work most of the time for future-dated assignments that have both start and end dates defined.

To answer your question, it can't be a timezone issue, as all systems are in the NZ time zone.

I think I have answered your other question above as well.

Is there anything else that I can check? I have already started the below at the dispatcher level.
