Murali ,

Thanks !! Yes , i am also on SP7 Version . We will wait for fix as part of SP8 .

Thanks ,

Jerry

So happy that SAP let this kind of Important Major Bug go in SP updates !!

Thanks for warning Murali, I hope the SP8 will arrive soon so I don't lose my time trying to fix what will be in SP8 (or at least I hope).

For the rest, everything works fine and I hope SP8 won't create new bugs 😉

Hi Murali,

You seem uptodate with all updates about IDM.

I tried to find when SP8 will come to fix that bug, but I don't find the information.

Do you have an idea, or a place where to ask the question ?

Do you think there is an update (not Service Pack) which solve that ?

If it's in very long time, I'll try to understand and implement Ivan's solution.

Hi Murali,

Did you write a OSS Ticket for that bug ?

I wrote to a developer of IDM concerning this issue, here is his answer :

I am not able to confirm that this is a bug. I do not have made the same experience with SP7. Also, I do not know of any automatic provisioning after initial load of an ABAP system.

I recommend creating an OSS ticket if you still are uncertain.

I've seen a note but it not exactly the same problem that we have here, and I would like to be sure that our problem will be solved in SP8 and very soon.

Does anyone have any updates on this topic ?

I heard Mid-End June, that would be perfect.

Yes I have the same issue on SP7, role imported during Initial Load are deleted when I modify (add/delete) one role of a user.

I'll write a note to be sure the problem is solved in the next SP.

Thx for your support Murali.

Did you upgrade to SP7 V2.0 ?

We did it yesterday, but I have test it and I'll be off for 2 weeks.

I keep you posted when I'm back.

You can fix this by changing the SQL to 

mcAddAudit >= mcValidateAddAudit

or by checking that

mcValidateAddAudit = '-1' as well as NULL.

in sap_abap_getNameOfAssignedPendingPrivileges

When loaded as part of the initial load, the audit values for some are set to -1 for both.  This causes the issue where they're then removed if the user is updated.

Hopefully it'll be fixed in SP8

Peter

Hi Peter,

I'm still stuck with this issue, what I thought would be solved il SP7 Upgrade 2.

I did an initial load after upgrading to test if the problem was solved, but not. I don't want to put SP8 right know, I prefer to wait the first upgrade.

So my question, I don't see where to replace what you tell in your answer.

Is it somewhere in the part of the code here ?

Thx for your support.

Nicolas.

Hi Steffi, thanks for your reply even if you are not Peter 🙂

I've modified the code as explained (and I think it's what Peter tried to explain), but I still have the issue, imported roles are still deleted.

Thx for your help anyway.

I hope to solve this last major problem soon.

nicolas.

Hi Ivan,

My fault, I put the wrong print screen, I tried different things and on the last one i put 1 instead of -1, but neither works.

I'm still suffuring of this bug.

Thanks anyway for watching the code so closely 🙂

nicolas.

Yeah - still here (my timezone means things happen a little slowly sometimes).  I haven't tested SP8 yet so disappointed to hear that this is still a problem.

Nicolas, can I get you to do the initial load and then run

SELECT * from mxi_link WHERE mcOtherMskey = <mskey of a known imported privilege>

You should see mcAddAudit = -1 and mcValidateAddAudit = -1

Your script change looked OK (changing 1 back to -1).

Its possible that additional processing is happening and that's changing the audit values so the first step is to verify the data.

You can run the SQL directly to confirm you've got it right:

SELECT * FROM mxi_link WHERE mcLinkType=2 AND mcLinkState IN (0,1) AND mcExecState IN (1, 512,513) AND mcAddAudit IS NOT NULL and (mcAddAudit >= mcValidateAddAudit OR mcValidateAddAudit IS NULL)

As an aside- I noticed that this script was updated in SP8 so there may be some changes required.  I haven't had a chance to sit down and pull it apart yet.

Peter

A small answer before testing your previous solution / message.

I'm still on SP7 upgrade 2, I haven't installed SP8, I prefer to fix my current versions before jumping to the new SP and other issues.

I'll keep you posted.

Tx.

Peter,

- Do you want me to rerun all the tasks in the initial load ? As it's a sandbox systems with a lot of users / roles / ... it takes more than 5 hours.

I don't understand where I have to write this :

SELECT * from mxi_link WHERE mcOtherMskey = <mskey of a known imported privilege>

From where can I run sql ? (sorry if my question is stupid)

When I changed the Jscript and saved, I got the message on the print screen.

I don't think the issue is linked with the other Jscript, but we never know.

Tx.

PS : Did you upgrade to SP8 and do you advise to do it ?

Hi Nicolas

Run that sql in your favourite SQL tool.  I never build an IDM system without direct database access, so I just assume everyone else has it too

If the initial load takes that long, no, probably not.  You can just rerun the tasks which actually do the assignment - disable the rest or make a new job and copy the ones you want to run)

Peter

Hi Guys

I've just posted a blog post on how  I fixed this.  Hope it makes it clear ...

Peter