We found that we had related problems with auto-privileges (i.e. those which are assigned to the role members attribute) are not properly removed when removing a business role. It turned out to be a bug in IdM 7.1 SP5 and we're awaiting a fix for it in SP6. However, a workaround is to run the reconcile job which forces the removal off the linked privileges.

You might want to check if you have any entries in the mxiv_dirty_mskeys view. If you do have, there's a standard job wizard which you can use to create a job to reconcile these dirty entries. When you run the job wizard it can be found under the following folder: Identity Center > Jobs > Reconcilliation > Reconcile dirty entries.

Paul

We have business roles with privileges assigned in the role members list, and these all get successfully provisioned when the role is added. the privileges appear as MX_AUTOPRIVILEGE attribute entries. So if you're looking for them under MXREF_MX_PRIVILEGE you won't see them there.

We set up our role and privilege metadata in the Identity Centre (MMC).

We assigned the role to the privilege by editing the privilege and adding the role in the role members tab

Example ROLE

General ROLE:CFS:USER

Display Name CFS Service

Description

Visibility Default

Membership Default

Assigned To Default

Member Events Default

Role Privileges Default

Member Privileges (To be linked following Privilege Initial Load)

Mutual Exclusions Default

Parent Roles None

Example PRIVILEGE

General PRIV:CFS:ACCOUNT

Display Name CFS Account

Description Controls provisioning of CFS Account

Repository CFS

Member Events Default

Tasks

Provisioning Task None/Inherited

Deprovisioning Task None/Inherited

Modify Task --Noneu2014NB change to None to prevent duplicate modify tasks

Master Privilege Default

Visibility Owner Entries:

ROLE:CFS:USER

Entry visibility: Owner only

Member visibility: All

Roles None

Role Members ROLE:CFS:USER

Seeting the Entry Visibility to Owner Only and assinging the role as the owner of the privilege means that the privilge can't be added to the user in UI only the Role can be added.

When the Role is added to the user in the UI, the user gets the MX_AUTOPRIVILEGE attributes for all the privilges which have the role in their respective role members list.

I hope this helps

Paul

Furthermore, did you edit the MX_ROLE and MX_PRIVILEGE Entry Types since the initial installation i.e remove the standard 'Allow' flags for any attributes for a role and privilege?

If you create a dummy new identity store you'll be able to see the default attributes which are assigned to each entry type in the entry type attribute list.

Compare these to your entry types in the enterprise identity store and if they're missing any, perhaps try and 'Allow' them back in. I would however be a little concerned about the integrity of these standard entry types if they've been changed.

P.s. I wouldn't recommend adding the dummy id store to your 'clean' development / test/ live environments. If you've got a sandpit environment to do this in, it would be better, as creating an IdStore creates a lot of metadata which may not be so easy to clean up aferwards

Edited by: Paul Abrahamson on Jun 23, 2011 4:56 PM

We see the UI primarily as the tool which our Service Desk uses to managing users and identities. All of the metadata configuration and role / privilege creation is done by our IdM 3rd-line team and we use the MMC for these tasks.