ABAP & Java conditional checks

Former Member

Hi folks,

I'm running the IDM 7.1 Identity Centre, and when I assign a business role that has an ABAP and a Java privilege in it (And also when I unassign it...) the condition that checks whether the user has any privileges in the system (and decides whether to delete him or not) seems to fail.

That means my ABAP and Java users both are left in the repository with no roles/groups assigned.

It seems to use the mxpt_check_account Stored procedure, which I've looked at, but cannot figure out why the condition is failing this check, and my users are not getting properly created/deleted.

Any insight? Thanks in advance!

Troy Shane

Accepted Solutions (1)

Former Member

Hi guys,

Thanks for the replies...walking through it now.

Ok, to address Geoff first:

1. No, no MX_PROVISIONTASK is defined for that Role...it is a "Business Role" and is only comprised of "Technical" roles (Roles loaded from my 3 individual repositories...) it doesn't reflect an actual role in any of my repositories.

2. When I assign the role, it shows up in the status OK, (after it processes of course...a minute or two running through all the tasks for creating the users, setting the attributes and assigning roles/groups in each of the AS ABAP, AS Java and Active Directory)

3. Yes. I do have the 3 provisioning tasks set up (Prov, modify and Deprovision) for each repository type (ABAP, Java, AD). I have tried the delivered SAP ones, and they worked ok, but the AD group assignments seem to be causing me some trouble, so I will likely have to tinker with a copy of that one.

4. Yes, each of these privileges was loaded in an initial load job from each of the repositories, and then rolled up into a business role. To give you more info - The role name is: ROLE:BUSINESS:SALES_EAST

and it comprises these privileges:

Z_INNOTECH_EAST-Group (JV1)

Eastern Region-Group (LABS)

Sales-Group (LABS)

The webex is very interesting, but so far doesn't seem to address my problem.

Former Member

Ok - I'm sorry - I think perhaps I didn't understand the first post so now I'll see if I do.

When you assign the role, all of the access (roles and privs) correctly show up on the user record - yes?

Provisioning is triggered for the abap system, and works through the task group up to the point where a check is made to see if the user already exists on the abap system, and that's where the task fails?

If that's the issue - we've run into this before and it had to do with the AccountRepoName value that was set on the user record. We got far enough through the provisioning task that this flag was set on the user but then manually deleted the user from the ABAP system and tried to provision the user again. The task checks for the AccountRepoName flag and if it exists it expects to see the user on the system and tries to do an update - this will fail because the user doesn't actually exist on the sap system.

If I'm still not getting it can you explain to me again the specific issue you're having?

-G
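An added illustration (not SAP's mxpt_check_account and not code from this thread) of the account check Geoff describes: a small Python model in which a leftover ACCOUNT<repo> attribute makes the framework attempt a modify on an account that no longer exists, plus a cleanup step that clears flags for repositories where no account is actually present. The ACCOUNT<repo> and TEMPACCOUNT<repo> attribute names are an assumption patterned on the DNLABS/TEMPDNLABS names mentioned in this thread.

```python
# Model of the per-repository account check (constructed illustration, not
# SAP IDM's own procedure). A stale ACCOUNT<repo> attribute on the user makes
# the framework assume the account exists and try an update instead of a create.
# The ACCOUNT<repo>/TEMPACCOUNT<repo> naming is an assumption.


def repo_of(privilege):
    """Repository of a privilege written as 'Name (REPO)', e.g. 'Sales-Group (LABS)'."""
    return privilege[privilege.rfind("(") + 1:-1]


def has_privileges_in(user, repo):
    """The 'does the user still hold anything in this system' test."""
    return any(repo_of(p) == repo for p in user["privileges"])


def decide_action(user, repo, account_exists):
    """What the provisioning framework would do for one repository."""
    flag = user["attrs"].get("ACCOUNT" + repo)
    if has_privileges_in(user, repo):
        if not flag:
            return "create"
        return "modify" if account_exists else "error: modify of missing account"
    if flag:
        return "delete" if account_exists else "error: delete of missing account"
    return "nothing"


def clean_stale_flags(user, accounts_present):
    """Cleanup task: drop ACCOUNT/TEMPACCOUNT flags for repos with no real account."""
    removed = []
    for key in list(user["attrs"]):
        for prefix in ("TEMPACCOUNT", "ACCOUNT"):
            if key.startswith(prefix) and key[len(prefix):] not in accounts_present:
                removed.append(key)
                del user["attrs"][key]
                break
    return sorted(removed)


# Constructed sample: the user was deleted by hand from CR7 after the flag was set.
LARRY = {
    "privileges": {"Z_INNOTECH_SALES_EAST-Role (CR7)", "Sales-Group (LABS)"},
    "attrs": {"ACCOUNTCR7": "LARRY", "ACCOUNTLABS": "LARRY"},
}

if __name__ == "__main__":
    print(decide_action(LARRY, "CR7", account_exists=False))  # error: modify of missing account
    print(clean_stale_flags(LARRY, accounts_present={"LABS"}))  # ['ACCOUNTCR7']
    print(decide_action(LARRY, "CR7", account_exists=False))  # create
```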

Answers (4)

Former Member

Geoff,

I think you nailed it on the head with that "ACCOUNT-XXX" attribute...I created a task to clean up the user, and it is helping.

Now there are 2 others that I want to ask about.

TEMPACCOUNT-XXX

I assume serves much the same purpose as the ACCOUNT-XXX attr...I see them both get created and destroyed in the Provision and Deprovision tasks (respectively).

By that logic, to clean up the prob I have, I've removed all role (And by relation privilege) assignments to my user, and then gone in and deleted the entry in all the ACCOUNT attributes.

There are also a couple of other attributes that look similar:

DNLABS

TEMPDNLABS

(Note: LABS is the name of my AD repository here)

TEMPACCOUNT

TEMPDN

Should these 4 be populated, in your experience, or are they the same as the ACCOUNT-XXX attributes up top?

Thanks again for your advice while I work through the proper procedure for this.

Troy Shane

Former Member

Ok, I think you have it now, except for the exact order of things.

Here's what I face right now:

I assign a Business Role, with those 5 privileges assigned to it, to my user, Larry.

Larry gets created ok in ABAP and Java, and actually, the roles get assigned just fine there. If I change the role he's assigned to (Manager West, instead of East for example) I see them get updated with no problems (Very smoothly, in fact) in both the ABAP and the Java. For example, if I simulate a promotion for Larry through the IDM User Interface, and assign him a VP role, I see the roles updated properly. (Besides some SPML Date format warnings on the MX_VALIDFROM & MX_VALIDTO, but those I can live with for now.)

However, I still have two problems:

1. It seems that NOW...(sorry, different behaviour now than when I first posted this message, due to the recommendations I've implemented) when I remove the Role assignment in IDM, the user's roles get removed properly in the repository systems. Then the tasks to delete the Java and ABAP users run, but they BOTH error out. It seems that the jobs that modify the role/profile assignments for both my ABAP and Java system (Standard SAP Prov Framework tasks - SetJavaRole&GroupForUser & SetJavaRole&GroupForUser ) also effectively delete the users, because by the time the delete tasks run, the users are no longer there. These tasks throw the errors:

Pass: DeleteJavaUser

Error in delete: Can not delete object with id SPML.SAPUSER.Larry because Could not delete object as id seems to be invalid SPML.SAPUSER.Larry

(...makes sense)

Pass: DeleteABAPUser

User Larry does not exist

(...also makes sense)

Ok, admittedly, this one is low impact, and I don't really need to get it fixed, I just want to understand why it is throwing an error...should it really be deleting the users when it first removes the roles, and then checks that there are no more privilege assignments for that system? (When I have 2 privileges for the same system assigned through roles, it doesn't delete the user, just removes the role, as expected...no errors)

Ok, this one is my real issue now (Thanks for reading this far):

2. I have the role configured as above, including privileges from all 3 of my repositories (I hit "post" too early above):

Role = ROLE:BUSINESS:SALES_EAST

5 privileges total:

- Z_INNOTECH_EAST-Group (JV1)

- Eastern Region-Group (LABS)

- Sales-Group (LABS)

- Z_INNOTECH_SALES_EAST-Role (CR7)

- Z_INNOTECH_SALES_EAST-Role (JV1)

JV1 = AS Java 7.01 SP4 (EHP1 SP4)

CR7 = SAP CRM ABAP 7.01 SP2

LABS = Active Directory OU

The ABAP & Java tasks faithfully fire now, every time I assign or unassign a Business role to my user Larry. (Yay!)

There are also 2 AD groups (privileges) assigned to Larry through the role: Eastern Region group and Sales Group.

There is also an inherited "Employee" Business Role, which has the AD "Employees" Group - for base employee access.

The idea is that, a member of the Eastern Region Sales group would automatically be an Employee, so it is a Child Role of most of my major roles.

When I assign this Business Role, the Active Directory tasks very rarely and very inconsistently fire...I am watching the results in the Job Log and also through my AD tools...

I am using IDM 7.1 SP2 (Patched on Monday past)

Using individual tasks through the IDM UI, I can create Users, and enable them...but the Provisioning seems not to work. I have the tasks set properly in the Repository definition and am using the SAP delivered ones (I have tried using modified copies with limited success, and am now back to basics). This proves it isn't the repository definition, or permissions on the repository. I'm always using the same Administrative user to assign/unassign these users, so now I'm stumped!

Phew, ok that's enough for now...I'll post more error messages once I've investigated the AccountRepoName that you suggest...I haven't seen that Attribute and don't know if it is defined here.

TIA (and so far...),

Troy

(Ok...how come I don't have any line returns in my message?)

Former Member

Troy,

Does the role (or roles) have an mx_provision_task attribute set?

When you assign the role to the user, does it actually show up assigned to the user or is the status 'Pending?'

Do you have the provisioning tasks specified for the repositories in question?

Do you have the repositories specified for the privileges in question?

These are the things I'd look at first.

-G

Former Member

Troy,

Are you using SP2? It seems there are some workflow changes in role assignment to make sure that special provisions for role assignment.

For the live expert session discussing it: https://websmp207.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700001693102008E

From here you can view/listen to the presentation or just download the slide deck.

HTH,

Matt