
Removal of IDM Role does not remove MXREF_MX_PRIVILEGE

Former Member

Hi SAP IDM Experts,

I'm encountering a strange problem that I can't seem to figure out. When removing an IDM role comprising multiple system privileges (the roles are configured with the technical system privileges assigned as "Member Privileges"), the role is easily removed, but the privileges contained within it are still left on the IDM account. This leaves the account in a weird state of not showing the IDM role while the privileges still exist in IDM and in the target systems as well. This forces us to remove the system privileges again as a separate action inside the IDM account; this doesn't make sense and shouldn't have to happen if you remove the main IDM role containing these privileges in the first place.

Any idea on why this might be happening? how can this be fixed?

Thanks and Best regards,

SJ

Accepted Solutions (1)


Former Member

Hi Sandeep, is this happening for all the users or only a few users? The reason I am asking is that if it is only for some users, then those users might have the so-called dirty flag, which will stop them from getting those privileges. You can do a role reconcile for them.

Thanks,

Arun

Former Member

Hi Arun,

Thanks a lot for your response! This seems to be happening for a select set of users that were recently mass loaded into IDM; we are now discovering that removing roles from these users removes the roles in IDM but does not remove the privileges contained within those roles, in IDM or in the target systems. Does this seem like a case of the so-called dirty flag preventing the privileges from getting removed when the related role gets removed?

If so, how do we run the role reconcile job?

Thanks a lot in advance!

Best regards,
SJ

Former Member

Hi Sandeep,

Have you checked for each user from the back end whether the role was removed from the attributes MXREF_MX_ROLE and MX_AUTOROLE? If the role stays in any of these attributes, then please re-provision the user from the Role Assignment process again and that should take care of it.

Let me know if that helps.

If that does not help, then you have to download a role reconcile job from the IDM notes and run it for these users, which should remove the privileges from the users.

Let me know how that goes.

Thanks,

Arun

Former Member

Hi Arun,

The roles have been removed from the MXREF_MX_ROLE and MX_AUTOROLE attributes as well as the related privileges in the MX_AUTOPRIVILEGE attributes, as expected, but the related privileges are still stuck in the MXREF_MX_PRIVILEGE attribute.

Any further provisioning works as expected with no problems; adding a new role gives the user the role within the MXREF_MX_ROLE & MX_AUTOROLE attributes, and the related privileges within the MX_AUTOPRIVILEGE attributes. Even removing the role, cleanly removes the related role & privilege attributes.

Best regards,
Sandeep

Former Member

Hi Sandeep,

I see what you are saying. This is because of the Delta tab. When you enable Delta, each time a user gets added to a privilege it is recorded in the logentries table with operation 3; if there are any changes, that will change to 2, and if there is no change, the operation will be 1.

So when the user is removed from the privilege, that will be changed to 5 and then it will be removed.

Here is the tricky thing: when you choose Automatic Deletion, it will delete it and move the status to operation 6, which is physical deletion. That means IDM thinks that it is already deleted.

But due to some deadlock error or something else, it remains.

There is a good help document on the logentries table, "The Logentries table"; in it you will find more details about this.

The solution is to create a job that runs for these users only, to remove the privileges with value 6.

You can run this statement to check for these users whether that value is 6 or not:

    select * from logentries with (NOLOCK) where (operation = 6) and DN like

Please add the users in the DN like clause and you will see all those privileges with value 6.

Please let me know how that works, and let me know if you need more information on how to proceed with this.

Thanks,

Arun.

Former Member

Hi Arun,

Thanks a ton for your quick response! Just FYI we are currently using IDM 7.1.

I checked the logentries table with your statement; initially there was no NOLOCK option, so I removed that part of the statement and just ran:

    select * from logentries where (operation = 6)

I only got 5 results (I suspect there must be a lot more than 5) of which none of them related to the current user I was investigating with.

Any ideas / suggestions?

Thanks a lot in advance!

Best regards,
Sandeep

Former Member

Hi Sandeep

You said you mass loaded the users? How? Was it with Initial Load jobs?

Just guessing: these privileges (e.g. SAP profiles) were already assigned to the users in the source system before the initial load. Afterwards you assigned a business role to them which also contained these privileges. Then you have the privileges once as an automatic assignment and once as a direct assignment, so if you remove the role the direct ones still exist.

Maybe it's that simple?

Regards

Michael
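A query that checks the case Michael describes, added here as an example and not posted by anyone in the thread: it lists every privilege still linked to a user in MXREF_MX_PRIVILEGE that has no matching role-derived entry in MX_AUTOPRIVILEGE, which is exactly what a leftover direct assignment looks like after the role is gone. Assumptions: SQL Server (the NOLOCK hint above implies it), and the IDM 7.x value view idmv_value_basic exposing one row per attribute value with columns MSKEY, AttrName and aValue, where a reference attribute's aValue holds the MSKEY of the referenced entry. The rows in the CTE are constructed test data standing in for that view so the query runs on its own; replace the CTE with the real view to run it against the Identity Center database.

```sql
-- Added example, not from the thread. ASSUMPTION: IDM 7.x view idmv_value_basic
-- (MSKEY, AttrName, aValue) with reference attributes carrying the target MSKEY
-- as aValue. The CTE below is constructed sample data shaped like that view;
-- swap "FROM v" for "FROM idmv_value_basic" to run against the real database.
WITH v (MSKEY, AttrName, aValue) AS (
    SELECT * FROM (VALUES
        -- user 1001: role 500 assigned, privilege 9001 both auto and ref (consistent)
        (1001, 'MSKEYVALUE',         'SJ1001'),
        (1001, 'MXREF_MX_ROLE',      '500'),
        (1001, 'MX_AUTOROLE',        '500'),
        (1001, 'MX_AUTOPRIVILEGE',   '9001'),
        (1001, 'MXREF_MX_PRIVILEGE', '9001'),
        -- user 1002: role removed, auto entries gone, but 9001 and 9002 are still
        -- referenced directly (the symptom described in this thread)
        (1002, 'MSKEYVALUE',         'SJ1002'),
        (1002, 'MXREF_MX_PRIVILEGE', '9001'),
        (1002, 'MXREF_MX_PRIVILEGE', '9002'),
        -- the privilege entries themselves, so the report can show their names
        (9001, 'MSKEYVALUE',         'PRIV:SAP_ALL:ERP'),
        (9002, 'MSKEYVALUE',         'PRIV:Z_HR_READ:ERP')
    ) AS t (MSKEY, AttrName, aValue)
)
SELECT
    u.MSKEY    AS user_mskey,
    u.aValue   AS user_id,
    ref.aValue AS priv_mskey,
    p.aValue   AS priv_id
FROM v AS u
-- every privilege the entry references directly
JOIN v AS ref
  ON ref.MSKEY = u.MSKEY
 AND ref.AttrName = 'MXREF_MX_PRIVILEGE'
-- resolve the referenced MSKEY to the privilege's MSKEYVALUE for readability
LEFT JOIN v AS p
  ON p.MSKEY = CAST(ref.aValue AS INT)
 AND p.AttrName = 'MSKEYVALUE'
WHERE u.AttrName = 'MSKEYVALUE'            -- one driving row per entry
  AND NOT EXISTS (                          -- no role-derived counterpart left
        SELECT 1
        FROM v AS auto
        WHERE auto.MSKEY = u.MSKEY
          AND auto.AttrName = 'MX_AUTOPRIVILEGE'
          AND auto.aValue = ref.aValue)
ORDER BY u.MSKEY, ref.aValue;
```

On the constructed rows the query returns the two stuck privileges of user 1002 and nothing for user 1001, whose reference is still backed by MX_AUTOPRIVILEGE. Against a real system, restrict the driving rows to MX_PERSON entries (for instance by joining on MX_ENTRYTYPE) so privilege and role entries are not scanned, and treat every hit as a direct assignment to be reviewed before removal: some of them may be legitimate direct grants that predate the role model, not leftovers.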

Answers (0)