Struggling with a few things in IDM 7.2
I've got a couple questions about IDM 7.2 that I'm hoping someone can weigh in on. My environment is IDM 7.2 with the latest support packs installed (SP4). I am provisioning only to ABAP systems/clients.
First question is around the provisioning queue. I have 12 entries in my provisioning queue that seem "stuck" for lack of a better word. From the Admin web page, when I visit the Provisioning queue, I see 2 task groups there (601/Provisioning & 751/Modify). They have a queue size of 8 and 4 respectively. I have looked in SQL at the mxpv_provision view and can see these 12 entries in there. The Modify task group is in a state of "Busy" and the Provisioning task group is in a status of "Waiting for privilege add". I have looked around and can't see any way to resend these entries or I just don't know how. I have an MSKey in the mxpv_provision view. Do I just resend this user? The only thing I've found online is a way to clean out (delete) the provisioning queue, but I don't like that as I want to know WHY these records are hanging out there. Does anyone have any pointers or info to help me understand this? I've read the help docs about provisioning, but it still is not pointing me in the right direction.
Second question is around a best practice recommendation for reconciling the ABAP roles to privileges. If I create a new role in the ABAP world, what is the right way to get that privilege into IDM? I know I could schedule the initial load from Business Suite jobs every day/every night etc. but with the number of users, this can take a long time. What I'd like to be able to do since we are in project mode is to be able to create a role in the ABAP world then quickly get that role into IDM for assignment purposes? Are people using delta's for this? Are there any standard jobs to run. I've seen the blog posts about reconciling target systems with IDM, but those all looked like they were just writing differences out to HTML files which I don't care about. I want an automated way to quickly get new roles into the IDM system. Something I can schedule nightly and/or run on demand if I need to. My thought is that the initial load jobs are a bit too heavy for this. At first I thought about just copying those initial load jobs then cutting out all the user stuff so I could just update privileges, but I was just curious what others are doing for this.
Thanks for your time and thoughts.