cancel
Showing results for 
Search instead for 
Did you mean: 

Provisioning tasks not getting initiated when done in bulk

Former Member
0 Kudos

Hello IDM Gurus,

Needed your help with an issue we're currently facing; We're having an odd problem with provisioning/deprovisioning to our ABAP repositories. For each repository we are using the Add Member/ Remove Member tasks; for all repositoies, both the Add Member and Remove Member event tasks trigger a similar task that basically through the means of a script checks to see whether a user already has privileges within the target repository or not, then accordingly either adds the new privilege to the existing account or creates a new account and adds the new privilege; after the initial check is made, the decision on whether to add the privilege to the existing account or create a new one and add the privilege is done through a uProvision call from the script itself to the appropriate provisioning task for the specific repository in question; the check for whether the account exists or not is done within the Provisioning task itself.The same process is followed for deprovisioning as well. An example of how this would work is:

JohnDoe has no account in Repository A;

Privilege X (associated with repository A) is added to his account;

The script is called and a check is made; the provisioning task for repository A is called;

The provisioning task checks and sees that JohnDoe doesn't have an account in repository A, so an account is created and Privilege X is added to the new account.

After this, we add two new privileges Y and Z(both associated with repository A) to JohnDoe

The script is called and a check is made; the provisioning task for repository A is called;

The provisioning task checks and sees that JohnDoe has an account in repository A, so the two new privileges are simply added to the existing account.

This all works perfectly as long as we only work with one repository at a time; i.e. only add and remove privileges from one repository at a time; make all changes related to privileges for one repository; hit update; then try doing the same again for another repository. Whenever we make multiple changes related to multiple repositories, random things start happening, some changes go across in full, but some just don't; there's no logic in why certain changes happen and certain don't.

Does this have something to do with working with just one dispatcher? is it not able to handle that many changes at once? I tried using privilege/assignment grouping for each repository, grouping it by repository name as it should inherently group add and remove task, but even that didn't have any effect. Privilege changes were still going missing.

Any suggestions / ideas to rectify this behavior?

I would appreciate any help with the issue! Thanks in advance!

Best regards,

Sandeep

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hello IDM Gurus,

Does anyone happen to have any idea or understanding of what might be happening in the background? what could possibly be making provisioning requests disappear? or just not get initiated? is the load on the dispatcher too much? should privilege grouping be used in a more optimal configuration? Would greatly appreciate any suggestions or thoughts you might have on the issue!

Thanks in advance!

Best regards,

Sandeep

former_member2987
Active Contributor
0 Kudos

Sandeep,

Have you tried increasing the # of threads per dispatcher? Also have you looked at a trace from the SQL side?

Matt

Former Member
0 Kudos

Hey Matt,

Thanks a lot for your quick response! I tried changing the number of runtime engines from the default of 1 to 4 but it had no effect; I added 3 roles for 3 systems but only one system got an account provisioned to it; is 4 not enough? should I try a higher value? is the uProvision script not supposed to be called or used in that fashion for multiple simultaneous calls?

If looking at the backend to resolve this, would I need to only be looking at the MXP_PROVISION and MXP_AUDIT tables?

Thanks a lot in advance!

Best regards,

Sandeep

former_member2987
Active Contributor
0 Kudos

Hmmm... not sure.

also have you checked how you are adding the roles? It might make sense to add them one at a time rather than all in one pass.

Former Member
0 Kudos

Sorry for the delay in my response, but yes; something similar to what you had suggested, the customized script needed to separate the pending value objects by repository rather than applying them in bulk; a very "d'oh!" moment.

Haven't been able to fully test it, but I believe that was the crux of the issue.

Thanks a lot for your help!

Best regards,

Sandeep

former_member2987
Active Contributor
0 Kudos

Yeah, PVOs have been makin provisioning a real pain the you know what.

You'll notice in 7.2 there is less of a reliance on them and more automatic clean up. I'd expect this trend to continue.

MP

Former Member
0 Kudos

Yes; it can really be quite a pain!

Glad to know that 7.2 is slowly moving away from them; simplifies things a great deal!

Best regards

Sandeep

Former Member
0 Kudos

Hi Matt,

Just as a follow up question, with dispatchers, is threading / "max number of runtime engines" actually possible when using a UNIX dispatcher?

Thanks and Best regards,

Sandeep

former_member2987
Active Contributor
0 Kudos

I think in 7.2. Check out the dispatcher tuning doument.

Former Member
0 Kudos

OK Matt; thanks a lot! Yeah, I figured that was a feature only available in 7.2 and not 7.1 as I couldn't find any related documentation around it for 7.1

Thanks and Best regards,

Sandeep

former_member2987
Active Contributor
0 Kudos

Why are you using UNIX anyway? Just wondering, no criticism.

Former Member
0 Kudos

Hey Matt,

Hmmmmmmmmmmmmmmmmmm; cut a long story short, client requirements.

Cheers,

Sandeep

former_member2987
Active Contributor
0 Kudos

We'll we are aware of those, aren't we? UNIX is not a bad way to go, but as you can see it requires some more planning and thought.

I'll be watching your efforts with interest!

Former Member
0 Kudos

Yes; it's unfortunately more common than one would hope.

It definitely requires a lot more planning and thought and like one might think it isn't exactly just a hot swap of environments; what you're doing in Windows is not the exact same thing you'd end up doing when setting up with UNIX; things have to be scrutinzed a lot more.

hmmmmm; good experience, nevertheless.

Answers (0)