cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How do you complete or re-attempt failed provisioning tasks

Go to solution
paul_abrahamson_sap
Active Participant

on ‎01-10-2011 1:54 PM

0 Kudos

Hi All,

If a modify operation has been perfomed, and subsequent provisioning tasks failed, is there a way to get IdM to go back and attempt to complete the failed task and remaining tasks.

For example, when the MX_VALIDTO attribute changes we call an event task to determine if MX_DISABLED should be set or not. This task is a generic pass which executes some logic which evaluates other attributes. This step failed because we caused an error to be raised due to an unexpected value in one of those other attributes.

We have now modified the logic in the script and want to 're-provision' the failed task without triggering a new change on the identity.

I know about the uRetryPrivilegeAdd and uRetryPrivilegeRemove internal functions, but it seems as if these only deal with cases where privilege assignment had failed. Is there something similar that will reconcile and clean up failed task heirarchies where it is just attribute / entry modifications rather than privilege assignments.

Regards

Paul

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎01-12-2011 3:35 PM
0 Kudos

Hi Paul,

Hope all is going well with your project, the two bits of code you need for this are:

Find all the failed privileges for an Identity

var sql = "SELECT MSKEY,aValue,provstatus FROM MXPV_Priv_AddStatus WHERE (MSKEY = " +V_MSKEY +" and (ProvStatus = 1001 or ProvStatus = 1101))";

sqlresult = uSelect(sql);

This will give you a load of pairs of failed MSKEY - identity and aValue - privilege, which you need to split into strings via an array and then into values, and you can then retry using

retry = uRetryPrivilegeAdd(provmskey,provavalue);

I've put the full code on http://sap-idm.blogspot.com/2011/01/retrying-failed-provisioning-tasks-in.html in case you need more information.

Good luck,

Ian Daniel

Show replies
Show replies
paul_abrahamson_sap
Active Participant
‎01-13-2011 12:00 PM
0 Kudos

Hi Ian,

Thanks for this I had investigated this following your advice when onsite. However, what I'm after is a way to repeat a failed provisioning task for a change which is not necessarily a privilege assignment.

The internal function and view which the help file and your post above mentions is specifically designed to re-provision failed privilege assignments.

We need to know if there's a way to re-trigger / re-attempt a provisioning task which is called as a response to the modification of an attribute on MX_PERSON either via the MX_PERSON Entry Type Modify Event Task, or via an attribute's Modify Event Task.

Thanks

Paul

Former Member
‎01-17-2011 5:21 PM
0 Kudos

Hi Paul,

Can you give me an example as I don't think it is important that it is a privilege.

Thanks,

Ian

Former Member
‎08-24-2011 2:57 AM
0 Kudos

Hi Ian,

How would you do this as a batch job to periodically retry failed provisioining entries? I've tried creating a job outside of the provisioning module and get the following error:

ToGeneric.addEntry

org.mozilla.javascript.EvaluatorException: uRetryPrivilegeAdd: Only valid for Provisioning jobs.

The SAP help for uRetryPrivilegeAdd states that this can be used as part of a periodic job:

"This can be a periodic job that retries all failed privileges. It is also possible to redo the privilege assignment for all users with a given privilege if the provisioning tasks have been changed."

Thanks,

Angela

Former Member
‎08-24-2011 8:27 AM
0 Kudos

I have managed to do this by using uProvision in a script to call the retry failed provisioning task.

Answers (1)

Answers (1)

Former Member
‎01-11-2011 8:52 AM
0 Kudos

Hi Paul

We have had the same problem a couple of times... In 7.0 there was a button to click to reprovision. In 7.1 this button does not exist so the only way to make the system reprovision without hurting anything would be to create a dummy role in the target system which can be assigned/unassigned. The role shouldn't have any useful authorisations attached to it as it is only used to trigger the provisioning. This will work in the case where a provisioning didn't finish because a dispatcher went stale or other cases where a provisioning flow didn't finish, but normally would finish.

Best regards,

Anders

Show replies
Show replies
Ask a Question