System-specific deprovisioning task doesn't start

Former Member
0 Kudos

Hello,

I use the SAP Provisioning Framework and I have configured an LDAP repository for a Microsoft Active Directory server. The MX_DEPROVISION should be called by the script sap_ModifyUser, but nothing happens when I delete the privilege for LDAP access.

The account variables are configured correctly, because if I make any changes in the IdM GUI, they are provisioned to the LDAP server. Only the deprovision task isn't called.

I checked the whole "DeprovisionADS" structure, and all tasks and jobs are enabled and have a dispatcher... I hope someone can help me with a good idea how I can enable the deprovision task...

Regards

Peter

Accepted Solutions (1)

Former Member
0 Kudos

Hi Peter,

Did you check whether you have configured the correct tasks in the AD repository?

I had a similar problem some time ago - in my case the problem was a missing check mark in one of the tasks. Did you check whether there are some jobs hanging in the provisioning queue?

Best regards

Holger

Former Member
0 Kudos

How can I check the provisioning queue...?!

I tried to configure another job for deprovisioning (which works fine in another repository) and the job doesn't start either...

All checkboxes are enabled

EDIT: OK, I found the provisioning queue (IdM UI) and there are a few jobs listed. But what do I have to do now? (How) can I delete the jobs?

Edited by: Peter Dornheim on Aug 26, 2010 3:53 PM

0 Kudos

The provisioning queue can be viewed from the UI on the Monitoring tab. Be sure you have the appropriate authority assigned to view that tab. If you need to empty the queue, there are delivered jobs that will remove tasks that are there.

Former Member
0 Kudos

Where can I find these jobs? In the SAP Provisioning Framework...?! There are (in my opinion) no jobs which clear the provisioning queue. In the IdM UI I can only see, but not modify, the provisioning queue, although I have the role idm_monitoring_administration...

Former Member
0 Kudos

Hi Peter,

You can find the job here:

New -> Run Job Wizard -> Next -> Identity Center/Jobs/SAP NetWeaver -> Clean Provisioning Queue <Database>

Best regards

Holger

Former Member
0 Kudos

Hi Holger,

Thank you, the clearing of the provisioning queue works fine. But this doesn't solve my problem.

Maybe you or someone else can help me:

I configured a privilege which adds the user to the Microsoft Active Directory. The provisioning task works fine, but if I delete the privilege from a user, no deprovisioning task starts. I have configured the provisioning tasks in the repository, but nothing happens if I delete the privilege from the user.

Any ideas?

EDIT:

In the system log I can see that no job is starting, but the following "procedures" start:

mxi_getEntryOrRepValue: attrname: MX_DELMEM_DISABLE_POLICY
mxi_getEntryOrRepValue: attrname: MX_DEL_MEMBER_TASK
mxi_getEntryOrRepValue: attrname: MX_DELMEM_DISABLE_POLICY
mxi_getEntryOrRepValue: attrname: MX_DEL_MEMBER_TASK

I think the mxi_getEntryOrRepValue: attrname: MX_DEPROVISIONTASK task is missing, but how can I activate this?

Edited by: Peter Dornheim on Aug 30, 2010 12:49 PM

Former Member
0 Kudos

I solved the issue, but I'm not sure how...

I tested the provisioning task which didn't start (right-click and "Test Provisioning Task"). I saw that a few errors occurred and I solved these. After the test ran without errors, the task was called as provisiontask...

Maybe this helps someone.

Former Member
0 Kudos

OK, now I have the same problem again:

I use the SAP Provisioning Framework to add users to the Active Directory. This works fine. But if I delete the privilege (which is responsible for the LDAP account), the "modify-task" starts, but the MX_DEPROVISION task is not initiated...

Any ideas?

EDIT

The deprovision task works correctly when I do the following procedure:

1. Assign the LDAP privilege to the user --> Provisioning task starts correctly

2. Unassign the privilege from the user --> Nothing happens

3. Assign the LDAP privilege to the user --> The job "Write Log entry" is executed

4. Unassign the privilege from the user --> Deprovision task starts correctly

I have no idea why the unassignment works only on the second try.

Edited by: Peter Dornheim on Oct 25, 2010 12:07 PM

paul_abrahamson_sap
Active Participant
0 Kudos

Does your MX_PERSON identity have an attribute called ACCOUNT<repositoryname>, e.g. ACCOUNTAD if AD is the name of the repository?

We had to ensure that after provisioning the AD account we set the ACCOUNTAD attribute so that the provisioning framework knows that the user has an account in that repository and therefore to start the deprovision task for the repository.

Former Member
0 Kudos

Yes it has the ACCOUNTMSAD attribute.

If I assign the privilege, the MX_PERSON has the attribute MXREF_MX_PRIVILEGE, too. If I delete the assignment in the IDM User-GUI, this attribute is deleted in the database, too, but no Provisioning job is started...

The provisioning job starts only after a second assignment / unassignment.

Answers (2)

Former Member
0 Kudos

Hi Peter,

The deprovision task is not called by sap_modifyuser.

You just need to set the deprovision task on the repository.

When you unassign a user from a privilege on that repository, the deprovision task will kick in.

Thanks

Lahcen

Former Member
0 Kudos

Error still occurring (I have to post this to mark the thread as not answered)

Edited by: Peter Dornheim on Oct 25, 2010 2:04 PM

Former Member
0 Kudos

Hi Peter,

Which version of the SAP Provisioning Framework are you using?

Greets,

Christoph

Former Member
0 Kudos

Seems we are facing the same issue. Assigning AD groups works fine when the corresponding privilege is assigned. But removal of the privilege does not kick off the deprovisioning task.

We are running 7.1 SP4 (7.10.40 2010-01-18 710_REL)

Has the issue been solved?

Any hint is appreciated.

Christof

Edited by: frkcwe on Nov 22, 2010 12:44 PM

paul_abrahamson_sap
Active Participant
0 Kudos

Repository- / system-specific de-provisioning tasks only get called when the last privilege linked to the repository is removed from the identity. Have you got any other privileges for that repository still assigned to the user?

Former Member
0 Kudos

Reason in our case was: the provision status for the preliminary provision task was "0" (task started). The deprovision task will only start if the status is 1000 (Task ok) or 1100 (ok). The status can be found in the MXP_AUDIT table, it is also shown in MXIV_SENTRIES.

The provision task was a dummy task. We just created the ordered task group but no task within.

I find it strange that in such a situation the provisioning status is set to 0. Don't know if this is the way it should be.
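
The three causes reported in this thread (another privilege still assigned for the repository, a missing ACCOUNT<repositoryname> attribute, a provision status other than 1000 or 1100) can be turned into a check over exported identity data to find accounts that will be left behind after a privilege is removed. This is an added example, not part of any post above and not SAP code; the record layout, field names, privilege name and sample users are constructed, and the repository name MSAD is assumed from the ACCOUNTMSAD attribute mentioned in the thread.

```python
# Checklist from this thread for "privilege removed, deprovision task never ran".
# Field names and sample records are constructed for illustration; they are not
# the SAP IdM schema. Status codes 0, 1000 and 1100 are the ones quoted above.
OK_STATUSES = {1000, 1100}


def deprovision_blockers(identity, repository):
    """Return the thread's reported reasons why the repository's deprovision
    task would not start for this identity (empty list = none found)."""
    reasons = []
    # Cause 1: the task only runs when the LAST privilege for the repository goes.
    remaining = [p["name"] for p in identity["privileges"]
                 if p["repository"] == repository]
    if remaining:
        reasons.append("privileges still assigned for repository: "
                       + ", ".join(sorted(remaining)))
    # Cause 2: the ACCOUNT<repositoryname> attribute marks the account as existing.
    if not identity["attributes"].get("ACCOUNT" + repository):
        reasons.append("ACCOUNT" + repository + " attribute is not set")
    # Cause 3: the earlier provision task must have ended with an OK status.
    status = identity["provision_status"].get(repository)
    if status not in OK_STATUSES:
        reasons.append("provision status is %r, expected 1000 or 1100" % (status,))
    return reasons


def audit(identities, repository):
    """Map each identity name to its blockers, skipping clean identities."""
    report = {}
    for identity in identities:
        reasons = deprovision_blockers(identity, repository)
        if reasons:
            report[identity["name"]] = reasons
    return report


SAMPLE = [  # constructed records: state after the privilege was unassigned
    {"name": "user.a", "privileges": [],
     "attributes": {"ACCOUNTMSAD": "user.a"}, "provision_status": {"MSAD": 1000}},
    {"name": "user.b", "privileges": [],
     "attributes": {"ACCOUNTMSAD": "user.b"}, "provision_status": {"MSAD": 0}},
    {"name": "user.c",
     "privileges": [{"name": "PRIV:MSAD:GROUP1", "repository": "MSAD"}],
     "attributes": {}, "provision_status": {"MSAD": 1100}},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE, "MSAD").items():
        print(name, "->", "; ".join(reasons))
```
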