
Privileges and Business Role links

Former Member
0 Kudos

Hi,

We are using IDM 7.2 SP3 and we are having trouble when adding privileges to a business role.

First we create a business role with some privileges in it (MXREF_MX_PRIVILEGE); we then give the business role to a user (MXREF_MX_ROLE).

Then, if we add other privileges to the business role, the business role gets it right but the link between the user and the privileges is not created. Basically, the user is still linked to an "old" version of the business role, which means that the user is then not provisioned with the new access rights to the target system.

Has anyone faced this problem before and is it a known IdM problem or does it come from the way we create the links?

If it is an IdM problem, does any of you have a workaround that doesn't involve deleting all links between the business roles and the users and then giving them again?

Thank you for your help,

Cheers,

Clotilde Martinez

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

I found the answer: the global constant MX_RECONCILE was set to FALSE. I changed it to TRUE and it worked.

Former Member
0 Kudos

Hi,

You can also run the "reconcile dirty entries" job rather than setting the global constant to TRUE. There may be a danger in setting this to TRUE if you change a business role that is connected to thousands of users in the middle of the day. It could cause quite a load on the system, whereas the job could be run nightly to reconcile these users.

Former Member
0 Kudos

Hi Chris,

A few months later, I finally did set MX_RECONCILE to false. I imported the reconcile job framework (run job wizard...) and tried it.

First, with a business role given to 6 persons, I deleted one privilege from the business role and launched the reconcile job; nothing happened. Since those users had the privilege both directly and indirectly, I assumed it was "normal" since they just lost the indirect link (even though the link is still in the database). So I tried again, deleting one direct link from the user and then deleting the same privilege from the business role that this user also had, and then launching the reconcile job, and again nothing happened.

This job is not a provisioning one. The query used was "select mskey from mxiv_dirty_mskeys" (it returns 6 mskeys) and the script only contains OutString = uIS_PrivReconcile(Par.get("MSKEY"),1); (I changed it by adding the 1 at the end so it would retry failed and refused assignments, just in case the problem was there).

Is there anything else to do to make it run?

Many thanks for your help,

Clotilde