on 01-19-2012 9:45 AM
Environment: SAP NetWeaver IdM 7.2 SP3
Hi All,
I've got a serious problem with member events kicking off provisioning tasks. In my setup there is a privilege called PRIV:UME:USERACCOUNT which triggers the task "Create UME user" when it gets assigned to a user. When this event happens for the first time, the mentioned task is triggered, and the user will be tried to be synchronized to UME. However, if there is a problem with the task "Create UME user" and the user is not synchronized, then assigning the privilege to the user again (and of course after fixing the problem in the provisioning task) does not trigger the "Create UME user" task again. By this second trial nothing can be seen in the logs, it's like the user would be flagged as "a problematic one" and therefore not synchronized never again.
When I delete and recreate the mentioned user, and assign to him the privilege again, then the task is triggered again, and the user gets created in UME...
Any thoughts on this? How can we synchronize users which failed earlier?
Kind regards,
Zoltan Kormany
Edited by: Zoltan Kormany on Jan 19, 2012 11:59 AM
Hi Zoltan,
as I mentioned here:
please do the following steps:
Go to the UI
Go to the Task where you assign the privs
on the right side with the assigned Privs klick on "Advanced"
click on "any"
click on the failed assigment
theres a retry button, press it and save the assigment
provisioning should start again
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Christoph,
Thank you very much for this useful information, that really helped. I also realized that the connection of a user and a privilege has a state (e.g. OK, Not allowed, Denied, Assignment failed etc). Do you know where these status informations are stored in the database? It would be nice to be able to query for all "failed" assignments for example. I don't remember reading of this in the docs either.
Kind regards,
Zoltan
Hi Zoltan,
in the view idmv_link_ext is a column called LinkExecStateHier. This column can have various values which indicates the state of the assignment. Everything other then 1024, 0, 1, and 1025 is not that good
Please have a look in the help of the identity center and search for "LinkExecStateHier". There you can see all the values
BR,
Christoph
Hi.
In mxiv_sentries there is a column "prov_status" or something like that (I do not have an 7.1 DB at hand so I can't check at this moment). Check if its value is 21 or 11 or something like that. If so this indicates that initial provisioning failed (and you say exactly this happened) and then the logic won't do any new provisionings. What might help is delete the privilege assignment and assign it again.
Maybe this helps.
Cheers,
Kai
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Kai,
thank you for your reply, unfortunately in my environment (version 7.2) there is no mxiv_sentries view. On the other hand I cannot delete the mentioned privilege assignment as it is not assigned to the user. The only solution I see currently is to delete the user and create it again. After the user has been recreated it is possible to assign to him the privilege, and with that, to trigger the tasks.
Kind regards,
Zoltan
Hey Zoltan,
I do believe that the problem you are refering to is a big issue with the new version of IdM. I am facing the same issue.
The research I have done into this leads me to believe that some special value isn't assigned correctly because the job was stopped prematurely. Maybe someone else can answer this but is it somehow possible that the Update Changenumber job has something to do with this?
I can however advice you to always keep your IdM up to date with the latest SP and even Patch Levels. Each Patch Level brings new bug fixes and hugely improves the product.
KR,
Jonathan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
93 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.