cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AD provisioning - stuck for a user

former_member631179
Explorer

on ‎10-28-2019 7:15 PM

0 Kudos

Hello Experts,

SAP IDM 8.0 sp6: Currently I'm encountering an issue for one user for which provisioning of certain groups in AD is stuck. These specific group memberships were not in line with what was being shown in IDM, as it was showing OK in IDM but in AD, user is not member of those groups. So I removed the group privileges using direct_reference=1 from IDM and retried the assignment through UI but the provisioning task declared as ADD member task, under assignment is not getting triggered whatsoever and shows assignment link in OK status without triggering provision. However the deprovisioning task under delete member task gets triggered promptly every-time when privilege is removed unfortunately as the user is not available in those groups , it throws an error ldap error 53. Same group privileges work fine with other users, it is only this specific user for which provisioning task does not gets triggered. Any leads in this regard is highly appreciated.

Regards

Rimesh

Show replies
Show replies
Steffi_Warnecke
Active Contributor
‎10-29-2019 9:10 AM

Hello Rimesh,

does this occur for all AD groups you assign to the user or just a few?

.

Regards,

Steffi.

former_member631179
Explorer
‎10-29-2019 9:48 AM
0 Kudos

Yes just checked, it occurs for all the AD groups ..

former_member631179
Explorer
‎10-29-2019 10:14 AM
0 Kudos

Thanks Steffi for looking.. it is apparently for all the roles , add member process does not trigger for any role irrespective of system while deprovisioning occurs ok ..

Steffi_Warnecke
Active Contributor
‎11-01-2019 12:09 PM

Hello Rimesh,

did you get it fixed based on this new information? Like re-creating the identity or checking it against others that work?

.

Regards,

Steffi.

former_member631179
Explorer
‎11-04-2019 8:33 AM
0 Kudos

Hi Steffi,

Unfortunately issue is still pending. Recreation of identity is not allowed here and I've already compared this user with others but could not find any worthy differences. Everything was working for this user until a few days ago.

Regards,

Rimesh

Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

niconapo2
Explorer
‎11-06-2019 6:07 PM
0 Kudos

Hi

Set mclinkstate = 2 in mxi_link table for this assignment. It will remove it and you'll be able to add it again with UI

Show replies
Show replies
alexanderbrietz
Active Contributor
‎11-04-2019 1:25 PM
0 Kudos

Hi Rimesh,

please provide more details about this user and its settings on the link table. I would like to know linkstate and execstate especially of the system- and only-privilege.

select * from idmv_link_ext
where mcthismskeyvalue = '<mskeyvalue of user>'
and mcotherocname = 'MX_PRIVILEGE'

You could also use mcthismskey = <mskey of user> if this is easier.

Depending on the result you should adjust the states according to the state the user has in AD.

Regards,

Alex

Show replies
Show replies
former_member631179
Explorer
‎11-04-2019 3:25 PM
0 Kudos

Hi Alex,

Thanks, linkstate is '0' and execstate = '1'. The problem is that provisioning is not getting triggered for the user, nevertheless it shows OK status and everything well in DB, but uprovision does not get called for this specific user whatsoever repository privilege belong to.

Thanks

Rimesh

alexanderbrietz
Active Contributor
‎11-04-2019 3:50 PM
0 Kudos

Can you compare two users and find differences apart from privilege assignments? Is ACCOUNT<AD> set correct? Any strange characters (IDN or similar?) in username or DN?

Please post data! Assignment IDMV_LINK_EXT, attributes IDMV_VALUE_BASIC,... Just black-out the stuff you don't want us to see or get it sorted out using SQL or whatever, but it would be helpful to see something here.

Regards,

Alex

Ask a Question