
Assignment OK, but assignment status failed.

Former Member
0 Kudos

Hello experts,

I have implemented the approval workflow, which was working smoothly. But today when I did an assignment, it went for approval, and after the approver approved the assignment request, it triggered a mail saying the assignment has been approved (as we configured). But the status of the assignment is Failed. I am confused here. This happened in production. Can you please tell me where to check the root cause of this assignment failure? Please find below the relevant screenshots.

Accepted Solutions (1)

Former Member
0 Kudos

Hello All,

I have resolved this issue, using the new repair assignment feature that is going to be available with IDM 7.2 SP8. For pre SP8 version, you will be able to get the database objects from SAP.

Firstly, the issue was that the ACCOUNT%$rep.$Name% attribute was not created for the AD repository of the user, which I have resolved myself.

Then, for provisioning the assignments, I have used the repair assignments feature. The detailed steps I have followed are mentioned in my blog on this. I will share the link for the blog once it is approved by the moderator.

Thanks,

Krishna.

Former Member
0 Kudos

Hi Krishna,

Can you kindly let me know how you resolved the issue of adding the ACCOUNT%$rep.$Name% attribute for the AD repository without deleting the user in AD?

We faced a similar issue recently for an ABAP system, but our scenario is an enterprise role based solution where every role contains the <RepName>ONLY privilege along with the business privileges.

Now when the IDM 7.2 SP8 system tried to assign this enterprise role to the user, as the user ID already exists in the ABAP system, the <RepName>ONLY privilege assignment failed and hence the assignment of all the business privileges went to pending status.

Since we are using the IDM role based solution, as per design all privileges must be assigned to users through IDM enterprise roles only (including the <RepName>ONLY privilege).

In your case, if the ACCOUNT%$rep.$Name% attribute got assigned to the user through a mass import job/initial load job through a flat file, can you kindly suggest what could be the easiest solution for our case (i.e. role based solution)?

The current workaround we did is deleting the user from the ABAP system and retrying the failed provisioning from IDM so that IDM can create the user again and assign the business privileges.

I wanted to know whether there is any other solution without deleting the user in the backend like above?

Regards,

Venkata Bavirisetty

ChrisPS
Contributor
0 Kudos

Hello Venkata,
Best practice is to create a new thread, as this thread is already answered.
In terms of the solution, there are some internal database procedures which can be used to repair assignments. See this blog, which details how it can be used:

http://scn.sap.com/community/idm/blog/2013/07/08/repair-failedstuck-pending-assignments

written by Krishna.

Thanks

Chris

IdM Space Moderator

Answers (1)

ChrisPS
Contributor
0 Kudos

Hello Krishna,

Check if any of the privileges assigned to the role have failed. Look up the user's role/privilege assignments in the web UI and run an advanced search and look for all assignments. There may be a failed privilege assignment causing this.

Thanks,

Chris

Former Member
0 Kudos

Hi Christopher,

I have checked as you suggested. Yes, there is one privilege assignment that failed. We are doing the assignment of 7 privileges together, separated with |. Out of 7, the first 4 got assigned, the 5th one (the PRIV:CSAD:ONLY) failed and the other two are in pending state.

How can I find why this privilege assignment has failed? Can you please provide pointers on the same?

Former Member
0 Kudos

Hi Christopher.

I have checked the system. There is a privilege <PRIV:CHCSAD:ONLY> which, when assigned, will run the AD provisioning jobs, and the user will be created in Active Directory. But for the user I have created, there is already an entry in Active Directory. So this privilege assignment has failed.

How can I assign this privilege in IDM now, without triggering the create AD user task (since this particular ID already exists)? Can you please help? I have to assign this privilege as this is a master privilege for the other privileges.

Thanks,

Krishna.

ChrisPS
Contributor
0 Kudos

Hello Krishna,

Check the create user hook task job log and see if there are any failures for this assignment. You may be able to run a force restart; however, you say that the user already exists on the AD directory, which suggests that the master privilege assignment created the user in the AD before it failed.

In SP8 there will be a new tool to allow retry of privileges if you cannot do this via the UI.

Thanks,

Chris

Former Member
0 Kudos

Hi Christopher,

If I remove the privilege and re-assign, now the create user task fails with an error "Entry already exists" and the privilege assignment goes to failed status. How can I make the status of this privilege OK, so that the child privileges can get processed? Since this privilege PRIV:CHCSAD:ONLY is the master privilege of the other two privileges, they are in pending status. Could you please suggest how I can make the status of the privilege PRIV:CHCSAD:ONLY Success/OK?

Thanks,

Krishna.

ChrisPS
Contributor
0 Kudos

Hi Krishna,

Which release are you currently running in this case?

Thanks,

Chris

Former Member
0 Kudos

Hi Chris,

We are currently on 7.2 SP7

Thanks,

Krishna.

ChrisPS
Contributor
0 Kudos

Hi Krishna - can you open an OSS ticket and I will pick it up.

Thanks,

Chris

Former Member
0 Kudos

Hi,

If the users will always exist in Active Directory, and IdM should not create them, but know about them, then you can use the Initial Load jobs as templates to build update jobs to load the AD users into identities in IdM, either new identities or link them to an existing one based on matching an AD attribute to MSKEYVALUE in IdM.

Hope that helps, if not I'm sure will look after you via an OSS message.

Good luck,

Ian
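
A pre-check for the matching step described in the post above, as an added example that is not part of the original thread and is not SAP's code: before any "create user" task runs, it compares an AD export with the IdM identities and separates accounts to link from accounts to create, which is the case that produced "Entry already exists" earlier in the thread. The sample records, the choice of `sAMAccountName` as the AD attribute matched to MSKEYVALUE, and the `has_account_attr` flag (standing in for "the repository account attribute is already set") are assumptions.

```python
from collections import defaultdict

# Constructed sample data, not taken from the thread.
AD_EXPORT = [
    {"sAMAccountName": "JDOE", "dn": "CN=John Doe,OU=Users,DC=example,DC=com"},
    {"sAMAccountName": "asmith", "dn": "CN=Anna Smith,OU=Users,DC=example,DC=com"},
    {"sAMAccountName": "ASMITH", "dn": "CN=A Smith,OU=Users,DC=legacy,DC=example,DC=com"},
    {"sAMAccountName": "svc_backup", "dn": "CN=svc_backup,OU=Service,DC=example,DC=com"},
]
IDM_IDENTITIES = [
    # has_account_attr is a hypothetical flag: the identity already carries
    # the account attribute for the AD repository.
    {"MSKEYVALUE": "jdoe", "has_account_attr": False},
    {"MSKEYVALUE": "ASMITH", "has_account_attr": False},
    {"MSKEYVALUE": "KRAO", "has_account_attr": False},
    {"MSKEYVALUE": "MLEE", "has_account_attr": True},
]

def reconcile(ad_entries, identities, ad_attr="sAMAccountName"):
    """Classify identities as link/create/ambiguous and list unowned AD accounts."""
    by_name = defaultdict(list)
    for entry in ad_entries:
        # AD logon names compare case-insensitively, so normalise both sides.
        by_name[entry[ad_attr].strip().lower()].append(entry["dn"])
    plan = {"link": [], "create": [], "ambiguous": [], "already_linked": []}
    seen = set()
    for ident in identities:
        key = ident["MSKEYVALUE"].strip().lower()
        seen.add(key)
        dns = by_name.get(key, [])
        if ident["has_account_attr"]:
            plan["already_linked"].append(ident["MSKEYVALUE"])
        elif len(dns) == 1:
            # Account exists: link it, a create task would fail.
            plan["link"].append((ident["MSKEYVALUE"], dns[0]))
        elif len(dns) > 1:
            # Same name in more than one domain: needs a manual decision.
            plan["ambiguous"].append((ident["MSKEYVALUE"], sorted(dns)))
        else:
            plan["create"].append(ident["MSKEYVALUE"])
    # AD accounts with no matching identity: candidates for ownership review.
    plan["orphan_ad"] = sorted(n for n in by_name if n not in seen)
    return plan

if __name__ == "__main__":
    for bucket, items in reconcile(AD_EXPORT, IDM_IDENTITIES).items():
        print(bucket, items)
```

The `orphan_ad` bucket is worth reviewing in its own right, since accounts that exist in the directory without an owning identity fall outside the approval workflow.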

Former Member
0 Kudos

Hi Chris,

Have raised an OSS. 0000586868 2013. Please take it up.

Thanks,

Krishna.

Former Member
0 Kudos

Hello Chris,

Thanks for providing the objects for the Repairing failed assignments feature. Initially when I tried with that I was not able to resolve.

But finally this weekend I was able to fix this with the solution you have suggested.

Thanks,

Krishna.