on 10-09-2011 11:58 AM
Hello IDM Gurus,
Needed your help with an issue we're currently facing. We're having an odd problem with provisioning/deprovisioning to our ABAP repositories. For each repository we are using the Add Member/Remove Member tasks; for all repositories, both the Add Member and Remove Member event tasks trigger a similar task that basically through the means of a script checks to see whether a user already has privileges within the target repository or not, then accordingly either adds the new privilege to the existing account or creates a new account and adds the new privilege; after the initial check is made, the decision on whether to add the privilege to the existing account or create a new one and add the privilege is done through a uProvision call from the script itself to the appropriate provisioning task for the specific repository in question; the check for whether the account exists or not is done within the Provisioning task itself. The same process is followed for deprovisioning as well. An example of how this would work is:
JohnDoe has no account in Repository A;
Privilege X (associated with repository A) is added to his account;
The script is called and a check is made; the provisioning task for repository A is called;
The provisioning task checks and sees that JohnDoe doesn't have an account in repository A, so an account is created and Privilege X is added to the new account.
After this, we add two new privileges Y and Z (both associated with repository A) to JohnDoe;
The script is called and a check is made; the provisioning task for repository A is called;
The provisioning task checks and sees that JohnDoe has an account in repository A, so the two new privileges are simply added to the existing account.
This all works perfectly as long as we only work with one repository at a time; i.e. only add and remove privileges from one repository at a time; make all changes related to privileges for one repository; hit update; then try doing the same again for another repository. Whenever we make multiple changes related to multiple repositories, random things start happening, some changes go across in full, but some just don't; there's no logic in why certain changes happen and certain don't.
Does this have something to do with working with just one dispatcher? Is it not able to handle that many changes at once? I tried using privilege/assignment grouping for each repository, grouping it by repository name as it should inherently group add and remove tasks, but even that didn't have any effect. Privilege changes were still going missing.
Any suggestions / ideas to rectify this behavior?
I would appreciate any help with the issue! Thanks in advance!
Best regards,
Sandeep
Hello IDM Gurus,
Does anyone happen to have any idea or understanding of what might be happening in the background? What could possibly be making provisioning requests disappear? Or just not get initiated? Is the load on the dispatcher too much? Should privilege grouping be used in a more optimal configuration? Would greatly appreciate any suggestions or thoughts you might have on the issue!
Thanks in advance!
Best regards,
Sandeep
Hey Matt,
Thanks a lot for your quick response! I tried changing the number of runtime engines from the default of 1 to 4 but it had no effect; I added 3 roles for 3 systems but only one system got an account provisioned to it. Is 4 not enough? Should I try a higher value? Is the uProvision script not supposed to be called or used in that fashion for multiple simultaneous calls?
If looking at the backend to resolve this, would I need to only be looking at the MXP_PROVISION and MXP_AUDIT tables?
Thanks a lot in advance!
Best regards,
Sandeep
Sorry for the delay in my response, but yes; something similar to what you had suggested, the customized script needed to separate the pending value objects by repository rather than applying them in bulk; a very "d'oh!" moment.
Haven't been able to fully test it, but I believe that was the crux of the issue.
Thanks a lot for your help!
Best regards,
Sandeep
Yes; it's unfortunately more common than one would hope.
It definitely requires a lot more planning and thought and, like one might think, it isn't exactly just a hot swap of environments; what you're doing in Windows is not the exact same thing you'd end up doing when setting up with UNIX; things have to be scrutinized a lot more.
Hmmmmm; good experience, nevertheless.