
Struggling with a few things in IDM 7.2

Former Member
0 Kudos

I've got a couple questions about IDM 7.2 that I'm hoping someone can weigh in on.  My environment is IDM 7.2 with the latest support packs installed (SP4).  I am provisioning only to ABAP systems/clients.

First question is around the provisioning queue.  I have 12 entries in my provisioning queue that seem "stuck" for lack of a better word.  From the Admin web page, when I visit the Provisioning queue, I see 2 task groups there (601/Provisioning & 751/Modify).  They have a queue size of 8 and 4 respectively.  I have looked in SQL at the mxpv_provision view and can see these 12 entries in there.  The Modify task group is in a state of "Busy" and the Provisioning task group is in a status of "Waiting for privilege add".  I have looked around and can't see any way to resend these entries or I just don't know how.  I have an MSKey in the mxpv_provision view.  Do I just resend this user?  The only thing I've found online is a way to clean out (delete) the provisioning queue, but I don't like that as I want to know WHY these records are hanging out there.  Does anyone have any pointers or info to help me understand this?  I've read the help docs about provisioning, but it still is not pointing me in the right direction.

Second question is around a best practice recommendation for reconciling the ABAP roles to privileges.  If I create a new role in the ABAP world, what is the right way to get that privilege into IDM?  I know I could schedule the initial load from Business Suite jobs every day/every night etc. but with the number of users, this can take a long time.  What I'd like to be able to do since we are in project mode is to be able to create a role in the ABAP world then quickly get that role into IDM for assignment purposes.  Are people using deltas for this?  Are there any standard jobs to run?  I've seen the blog posts about reconciling target systems with IDM, but those all looked like they were just writing differences out to HTML files which I don't care about.  I want an automated way to quickly get new roles into the IDM system.  Something I can schedule nightly and/or run on demand if I need to.  My thought is that the initial load jobs are a bit too heavy for this.  At first I thought about just copying those initial load jobs then cutting out all the user stuff so I could just update privileges, but I was just curious what others are doing for this.

Thanks for your time and thoughts.

Accepted Solutions (1)

Former Member
0 Kudos

Hi Eric,

1st question

First of all, clearing out the provisioning queue usually breaks things worse than the state they were in before.  As a general rule, I barely ever do it unless I have no other options.  It will leave privileges in 1536 or 1536 mcExecStatus, which is basically stuck indefinitely.  They will be delivering a fix for this in an upcoming patch of SP I believe.

So the next step is to figure out why these got stuck in the provisioning queue.  You said they were in waiting status, wondering if it's mcExecStatus 513, which usually means waiting on Master privilege.  Please run the following query to get a list of your pending privileges (check the syntax of my column and table names because I'm just winging it)...

select * from mxi_link where mcLinkState = 1 and mcOtherEntryType = (select ocID from mxiv_EntryTypes where ocName = 'MX_PRIVILEGE')

We'll need to know the mcExecState of these privileges.  (If they're pending in the future, it'll be a different execstate, and we don't care about those - although they'll still be in the provisioning queue.)

The most common issue is that they're probably waiting for the master system privilege.  If that's the case I have a bunch of different options on how to handle those, but I'll wait to hear back.

2nd question

Best practice is to not have any users linked directly to privileges, only to business roles.  This is not always possible, so compromises on this are usually required.  However, you should shoot for this.  If all you want to do is import the privileges, create a custom job and just copy the privilege jobs from the initial load.  Best practice would be to just have the Read and Write ABAP privileges in its own job (with Delta on).  But your specific business case will have to be examined to determine what the best way forward is.

Good luck with your implementation.

Best Regards,

Chris Snyder

Former Member
0 Kudos

Hi,

I do have a similar problem when I run a provision job for bulk users. I see the mcExecStatus is set to 513. Is there any way we can re-run these provisioning tasks that are still in waiting status? Most likely they are waiting on the master privilege. Any ideas on how I can clear those in the queue?

Thanks,

Joe

Former Member

Hi,

You can try updating the CheckLink status by doing the following query or something similar...

UPDATE mxi_link SET mcCheckLink = GETDATE() WHERE mcUniqueID = <linkID>

The provisioning engine will recheck the link, it will either get cleared out or set back to NULL and nothing will happen.  I'm struggling with this as well, but this is the best I have so far.

Answers (1)

Former Member
0 Kudos

Hi Eric,

Question 1.

I am not so shy about cleaning the provisioning queue in non-production environments if you know why an error happened, but agree with you that if you don't know why, you should avoid it. Normally there are only a few reasons why tasks don't run.

  1. The provisioning task is not enabled
  2. The provisioning task is not assigned to a dispatcher of the right type
  3. The dispatcher is not running
  4. There is a delay on the task
  5. There is an approval outstanding

I would look at each of the tasks in the queue and see if any of these apply. If not, I would look in the DSE log at the O/S of all the tasks to look for system errors that would mean they stopped.

Question 2.

There used to be an update job in 7.1 that will load ABAP roles into IdM as privileges without loading the users and their assignments. Might be worth trying to get hold of that and replicating it in 7.2?

Good luck!

Ian

Former Member
0 Kudos

Hi,

When I was running provisioning jobs, 11 entries got stuck in the provision queue due to the fact that IdM was not able to connect to the backend ABAP system as the service is locked. After fixing the locking issue in the ABAP system these entries are still sitting in the queue. When I looked at the SQL table, the mcExecState of these jobs is set to 512.  This is not letting me push any changes to these entries. How do I push these so these users can get assigned the master privilege?

Thanks,

Joe.P