on 10-28-2019 7:15 PM
Hello Experts,
SAP IDM 8.0 SP6: Currently I'm encountering an issue for one user for which provisioning of certain groups in AD is stuck. These specific group memberships were not in line with what was being shown in IDM, as it was showing OK in IDM but in AD the user is not a member of those groups. So I removed the group privileges using direct_reference=1 from IDM and retried the assignment through the UI, but the provisioning task declared as the ADD member task under the assignment is not getting triggered whatsoever, and it shows the assignment link in OK status without triggering provisioning. However, the deprovisioning task under the delete member task gets triggered promptly every time the privilege is removed; unfortunately, as the user is not available in those groups, it throws an error, LDAP error 53. The same group privileges work fine with other users; it is only this specific user for which the provisioning task does not get triggered. Any leads in this regard are highly appreciated.
Regards
Rimesh
Hi
Set mclinkstate = 2 in mxi_link table for this assignment. It will remove it and you'll be able to add it again with UI
Hi Rimesh,
Please provide more details about this user and its settings on the link table. I would like to know linkstate and execstate especially of the system- and only-privilege.
select * from idmv_link_ext
where mcthismskeyvalue = '<mskeyvalue of user>'
and mcotherocname = 'MX_PRIVILEGE'
You could also use mcthismskey = <mskey of user> if this is easier.
Depending on the result you should adjust the states according to the state the user has in AD.
Regards,
Alex
Hi Alex,
Thanks, linkstate is '0' and execstate = '1'. The problem is that provisioning is not getting triggered for the user; nevertheless it shows OK status and everything is well in the DB, but uprovision does not get called for this specific user, whatever repository the privilege belongs to.
Thanks
Rimesh
Can you compare two users and find differences apart from privilege assignments? Is ACCOUNT<AD> set correctly? Any strange characters (IDN or similar?) in the username or DN?
Please post data! Assignment IDMV_LINK_EXT, attributes IDMV_VALUE_BASIC,... Just black out the stuff you don't want us to see or get it sorted out using SQL or whatever, but it would be helpful to see something here.
Regards,
Alex