on 08-16-2012 6:59 PM
Hello all,
Using IDM 7.2/SP4. I ran the initial load with read passes only enabled with the intent of loading the users from EP to the IDM Data Store. My log says users, roles and groups were read but I cannot see them via the UI. I am not using VDS. What am I doing wrong, considering I have no errors? Thanks in advance.
I can see only the system privilege in the UI.
I am, however, not able to assign the portal system privilege to a user that exists in the UI. I get some error from CreateJavaUser that seems to be related to password. I have disabled the password lines from the writeuser pass but get the same error. Any ideas?
putNextEntry failed storingSPML.SAPUSER.tempUser
Exception from Add operation:com.sap.idm.ic.ToPassException: Exception when
creating user :ALPHANUM_REQUIRED_FOR_PSWD
Exception from Modify operation:com.sap.idm.ic.ToPassException: SPML
exception: Unexpected error when processing modify request Unsupported ID found
null
1. Your Password policy in AS Java UME is set to include numbers in the password.
2. If you want to CREATE a user in AS Java UME you have to supply a password.
3. Do you have Password provisioning enabled in your ID Store?
4. You should enable the password lines in the Write Passes and change the custom_Password-Script in Global Scripts according to your needs. Else you create a user in IDStore without password which won't help much, imho.
BR
Michael
sajin ts wrote:
As I have followed the steps given by Michael, I am now able to see the number of users. But the roles are not showing. Please find the screenshot of the same below.
Are all the passes in the job enabled? Both the passes that read from AS ABAP to temp tables and the passes that write data from temp tables to Id Store? Do you see data in the temp tables?
Can you find any of the roles if you search them as follows:
select mskey, attrname, searchvalue, is_id from idmv_value_basic where searchvalue like '%NAME_OF_ANY_OF_THE_PRIVILEGES_THAT_SHOULD_APPEAR%'
and if anything is returned what does following SQL return:
select mskey, attrname, searchvalue, is_id from idmv_value_basic where mskey = [MSKEY_FROM_PREVIOUS_QUERY]
(I assume you did set the correct Id Store for the roles as you did for the users and you're creating roles with MX_ROLE entry type, but you can verify the correct entry type and Id Store ID from the query results.)
regards, Tero
Thank you Steffi and Tero for quick reply
@Steffi - As I am new to IDM, please tell me whether you are asking about the passes. If yes, I have attached them below. Or else kindly let me know what exactly needs to be shown. Please suggest.
@Tero - I am unable to see the passes that you have indicated, the passes that read from AS ABAP to temp tables and the passes that write data from temp tables to Id Store. Please find the screenshot of the same below. Kindly suggest...
Thanks
Sajin
Hello Sajin,
That's the read pass for the roles Tero was talking about. As you can see, the data is written into a database (the temp table is defined in the "table name" field).
"WriteABAPRolePrivileges" further down then reads the information from that table and writes it into the IdM. Could you show the destination tab from that one, please?
And did you check the SQL queries Tero provided to see if the roles are there (and just maybe for other reasons not found in the UI)?
You can check that in the MMC, too. When you go to your Master ID store (usually NOT the Enterprise People-thing) there, then "Identity store metadata" and there "Privileges".
Regards,
Steffi.
Peter suggested using attributes MXREF_MX_PRIVILEGE for privilege assignments and MXREF_MX_ROLE for role assignments rather than the MX_ASSIGNMENT that is mapped to your UI. Just select them from the list in your screen shot.
That "Assign" UI task is a standard screen within the SAP Provisioning Framework and should work out of the box. Did you perhaps modify it?
I've seen MX_ASSIGNMENT being used in similar UI tasks in a previous project and it worked.
If you have a few minutes, maybe try creating a new UI task with minimum attributes for the user and use the MXREF_MX_PRIVILEGE as Peter suggested. If that saves the entry without errors and triggers provisioning, then add MX_ASSIGNMENTS to your UI, and if that works the problem is elsewhere (not visible in the screen shots) in the "Assign" UI definitions than these attributes.
Exactly - much like you have for groups (MXREF_MX_GROUP), you need to use MXREF_MX_PRIV and MXREF_MX_ROLE. MX_ASSIGNMENT is a collection of all the assignments and is kept up to date by the system. If you want to assign something, you need to specify the mxref attributes, as these form the basis for what's displayed in MX_Assignments.
MX_Assignments is essentially read only.
Peter