
Assignment Roles : Status Pending

Former Member
0 Kudos

Hi All,

I need your help about my issue.

With the Admin account I've created in Identity Center I add a privilege (ABAP role) to a user.

I don't get any error message, everything works fine but my request is going to Pending ?!

How can I validate this pending task ?

Thx for your help,

Nicolas.

Accepted Solutions (1)


Murali_Shanmu
Active Contributor
0 Kudos

Hi Nicolas,

Is there an "Add_validate" or "Add_member" task assigned to either the privilege or the Repository? If so, then it would create a PVO and wait for the assigned task to give an OK.

What are you expecting to happen after the role is assigned? Should it go for approval or straightaway be provisioned in the ABAP system? Can you post a screenshot of your settings?

Cheers,

Murali

Former Member
0 Kudos

Hi Murali,

Do you speak about that ? (it's standard in SAP Provisioning Framework)

If yes, where can I find the validation task ?

I don't see anything in my "To do" or "Approval request".

It can directly go to the ABAP system, I don't need any validation, as only validators will have access to IDM.

Nicolas.

Murali_Shanmu
Active Contributor
0 Kudos

I understand that you do not want any approvals and want the role to be directly assigned to the user in the ABAP system.

I wanted to see the screen where the tasks are assigned to either the role or the Repository. If you go to the repository > Event task, you should be able to add the tasks you showed in your screenshot.

You can also do this at role level by selecting the role > Tasks.

Have you maintained anything in the above two places ?

I believe, if you want to straightaway assign the role to user in ABAP without approval, the simplest way is to go to the repository > Event task and under Provision link the task to the "Provisioning" task (which is shown in your screen shot available in SAP Provisioning Framework). Ensure that there is no task assigned for Add Member and Add Validate fields in the Event Task tab.

Cheers,

Former Member
0 Kudos

Earlier this year I had the same kind of issue - I had two tasks blocking the task execution, and for that reason all privileges were left pending.

I opened an SAP customer message, and with the SAP technician we found out that one of my customized tasks contained a semicolon (;) in its condition query - it didn't report any error, it just stopped at that task.

That was towards ECC.

And after we found and fixed that, there was one task that was in some way corrupted, and disabling and enabling it removed the block - and that was towards AD.

Here are the SQL queries we used to find the blocking tasks:

Find Provisioning tasks pending

select auditref from mxp_provision where actionid = 601

select count(*) from mxp_provision

Find Audit ref

select * from mxp_provision order by auditref desc

Find Task ID

select * from mxp_audit where auditid = 37284

Find tasks

select t.taskname,a.* from mxp_ext_audit a,mxp_tasks t where a.aud_task = t.taskid and a.aud_ref = 37284 order by aud_datetime

-- I don't remember what this was - I suppose finding if user has Account attribute for repository

select count(mskey) from idmv_value_basic_all where mskey=143446 and attrname in
(SELECT 'ACCOUNT'||REP_NAME FROM mc_repository where REP_ID=61);

Find Queries with semicolon

select * from mxp_tasks where boolsql like '%;%'

BR

V-M

Former Member
0 Kudos

Hi,

In IDM I don’t have any tab with pending request / tasks it’s why I don’t understand where or how to validate.

In my Event Tasks I put the Provisioning task from Provisioning Framework.
I just tried with “Validate add task” but I don’t get any To Do or Approval in my IDM.

At role Level I don’t have Task yet.

Here are some print screens that would help me to find the solution.

Thx.

Murali_Shanmu
Active Contributor
0 Kudos

Thanks for the screenshot. I can see that your repository is TESTGS5 and you are trying to assign a role which has privileges belonging to this repository.

In the Repository > Event tasks , you have maintained values for below items

(1) Add Task

(2) Remove Task

(3) Provisioning Task

(4) Modify Task

Add Task and Remove Task will create a Pending Value Object. If you need approvals to happen in IdM, you need to create an Approval task and assign it to the "Add Task". Once you do this, you will find an item in the Approval Tab of the Manager. Check out the Implementation Guide on Creating role approvals.

Provisioning Task will do the actual provisioning (after the Add Task execution, if it is maintained).

So the sequence will be Add Task and then Provisioning Task.

Now in your case, you do not need approval or validation. Hence, keep below assignments empty.

(1) Add Task

(2) Remove Task

Please remove the assignments for the above two tasks. Keep Provisioning task = 3295/Provisioning and Modify Task - 751/Modify.

Also, when assigning role, the system will ask for "Valid From" date. Please provide today's date.

See how it goes.

Cheers,

Murali.

Message was edited by: Murali Shanmugham

Former Member
0 Kudos

I think we are close to the solution but not yet 😞

I did what you wrote: removed the assignment tasks "Add Task" & "Remove Task".

But my requests are still going to Pending.

I'm sure I missed something else, but I can't find what.

Basically, I haven't modified the SAP Provisioning Framework, maybe I have to change something there?

Thanks for the document link, I printed it, it could be interesting for later.

Do you have a link to a document concerning SAP Provisioning Framework configuration or setup ?

Thx,

Nicolas.

Murali_Shanmu
Active Contributor
0 Kudos

Hi,

There is no document on SAP Provisioning Framework Config. You do not need to change anything in the Standard SAP Provisioning Framework unless you have a different requirement. In your case, it is a simple assignment of an existing role to an existing user in ABAP.  Maybe the "Add Tasks" have been maintained in the role/privilege object itself.

Best is to debug. In the above screen, at the top, you will find status. Open it and sort by latest time. This will show you all the tasks which ran due to your role assignments. Select the entry and do a right click and jump to the job. This will take you to the actual job which is being executed and you see the log details.

Sorry, I could not find the exact cause. Let's see if others have any suggestions.

Cheers,

Murali.

Former Member
0 Kudos

Hi,

I still don't get how to avoid this Pending Task but thanks anyway.

I hope someone will point out my mistake in the configuration.

Nicolas.

Former Member
0 Kudos

Do you have entries in mxp_provision table?

Former Member
0 Kudos

I don't have access to the table, but I haven't performed a lot of tasks.

I can process the tasks manually by going in Connectors - BAP connector -- As abap tasks and doing "Test Provisioning Task", and the request is performed correctly, but the status in IDM is still pending.

Former Member
0 Kudos

And is the account provisioned on the ABAP side, and does it have the Roles which you intended it to have?

V-M

Former Member
0 Kudos

Provisioning works perfectly, my problem is more : how to remove the pending / validation process ?

Or what do I have to do to see the pending tasks in the "TO DO" tab.

I must probably add my user as validator somewhere or something like that.

Former Member
0 Kudos

Sorry, the only answer I can think of is that in the Provisioning Framework some task blocks completion, some task which is in some way broken, and provisioning is stopped at a stage where it has not yet reached the end - that's why I asked if there is something in the mxp_provision table.

It's easier to look at the tables than to guess from the Job log whether every step of provisioning has been done.

You can also post pictures of the Job log - there could be something obvious to look for.

V-M

Former Member
0 Kudos

Could a pending value mean that something went wrong in an ordered task, and not specially that it's waiting for an approval?

Former Member
0 Kudos

Yes..

I experienced this on my project: privileges were left pending because there were two tasks which caused the provisioning operation to stop (leave waiting) at a task which had an error or corruption that didn't cause any error in the log - in my case there were two - 1. a semicolon in my custom condition task query and 2. a corrupted SAP-provided task.

The problem was to find where the problem was - so the solution was to dig it out at database level with certain queries - developing SAP IDM is almost always a matter of also knowing the system under the hood. The solution for me was to open an SAP customer message, and SAP helped me to find the tasks causing the problem.

After fixing those tasks, the pending operations were applied.

It could also be something else in your case - I cannot be sure.

BR

Veli-Matti

Former Member
0 Kudos

Thanks for your reply Veli-Matti, I'll try searching in that direction!

I think you might be right, I didn't know that an error could cause pending, I thought it meant that a validation was needed.

Nicolas.

Former Member
0 Kudos

Hi Nicolas,

The assignment is in state pending until both the Validation and Assignment tasks have finished.

The Provision tasks (which are a legacy thing from 7.0/7.1 versions) are run *after* the privilege has been assigned to the person.

If an assignment is stuck in pending state you can try to look at the extended audit (mxp_ext_audit table, or Admin UI) to see where the process got stuck. A typical query for the ext-audit could be:

select t.taskname, a.* from MXP_Ext_Audit A, MXP_Tasks T where
T.TaskID=A.Aud_Task and A.Aud_ref in (
    select mcValidateAddAudit from mxi_link where mcLinkState > 0 and mcThisMSKEY in(
        select mcmskey from mxi_entry where mcMSKEYVALUE like 'USER.TEST.PVO%'
    ) UNION ALL
    select mcAddAudit from mxi_link where mcLinkState > 0 and mcThisMSKEY in(
        select mcmskey from mxi_entry where mcMSKEYVALUE like 'USER.TEST.PVO%'
    ) UNION ALL
    select mcProvAudit from mxi_link where mcLinkState > 0 and mcThisMSKEY in(
        select mcmskey from mxi_entry where mcMSKEYVALUE like 'USER.TEST.PVO%'
    )
)
order by A.Aud_ref desc, Aud_datetime desc

which lists the audits for links that are not active (mcLinkState=0) for the user(s) USER.TEST.PVO*. You should be able to see what the last task that executed was, if there's a message returned from it, or if the last task is only partial compared to the workflow in your configuration.
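
The lookups described in this thread (queue entry, audit reference, last task, semicolon check), chained into one query as an added example that is not part of any post. It uses only tables and columns that appear in the queries above and assumes that rows in mxp_provision are entries still waiting to be processed.

```sql
-- Added example, not from the thread's authors.
-- For every audit reference still present in the provisioning queue,
-- show the last task written to the extended audit and flag tasks whose
-- condition SQL (boolsql) contains a semicolon, the silent blocker
-- described above.
SELECT p.auditref,
       t.taskid,
       t.taskname,
       a.aud_datetime AS last_step_time,
       CASE
           WHEN t.boolsql LIKE '%;%' THEN 'semicolon in condition'
           ELSE 'no semicolon'
       END AS condition_check
FROM   (SELECT DISTINCT auditref FROM mxp_provision) p  -- one row per queued audit
JOIN   mxp_ext_audit a
       ON a.aud_ref = p.auditref
JOIN   mxp_tasks t
       ON t.taskid = a.aud_task
WHERE  a.aud_datetime = (
           -- keep only the most recent ext-audit step per audit reference;
           -- steps sharing the same timestamp are all returned
           SELECT MAX(a2.aud_datetime)
           FROM   mxp_ext_audit a2
           WHERE  a2.aud_ref = p.auditref
       )
ORDER  BY a.aud_datetime;
```

An audit reference whose last step is old while its queue entry is still present points at the task where processing stopped; compare that task with the workflow in the configuration.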

Former Member
0 Kudos

Hi Veli-Matti,

You were right, I was looking in the wrong direction. I thought that the role assignment needed to be validated, but in fact another task locked the whole assignment!

Nicolas.

Murali_Shanmu
Active Contributor
0 Kudos

Hi Nicolas,

Can you please let me know if this issue is resolved. If yes, what did you do ?

Also, are you able to provision the role to ABAP system ? Are the requests going to an Approver in "To Do" tab ?

Cheers,

Murali

Former Member
0 Kudos

Hello Murali,

Yes it works now.

I thought that "Pending" meant that the request needed to be validated (in To Do) but in my case it meant that it's locked in a previous step of the process.

When you add a privilege, if you go fast and check in IDM the status of the role, you can see pending but it's simply because the process is still busy (sometimes you have 5-7 steps of 2-5 seconds, so you see pending and after 20-30 seconds the privilege is assigned).

Nicolas.

Murali_Shanmu
Active Contributor
0 Kudos

Ok. That's good to know. It appears to me that you are not having any approvals and require the privilege to be assigned directly. Did you change the setting as I suggested in the above threads ? For repository TEST_GS5, Did you  link the "Add Task" or "Provisioning Task"  to " 3295/Provisioning" ?

Former Member
0 Kudos

Hello,

I just did it but I still have this problem when I create a user :

ToIDStore.modEntry failed modifying entry 'TEST_222'. IDStore returned error message: " Referenced value does not exist:Attribute: MXREF_MX_PRIVILEGE" when storing attribute 'MXREF_MX_PRIVILEGE={A}<PRIV:SYSTEM:Enterprise People>'

I still have to figure out what is wrong with this.

Nicolas.
