cancel
Showing results for 
Search instead for 
Did you mean: 

Handling pending value during event tasks

Former Member
0 Kudos

We have a scenario to segregate provisioning flow of AD for different types of users (eg. Internal and External). Add member task screenshot is shown as below and no approval flow is involved here.

Once user is created through idM UI immediately AD provisioning would take place based on the role assigned. Both master privilege and group assignment privilege are linked to the same role here.

The problem that we are facing is Check External User Conditional task. Sometime the process is behaving weird. It is getting stuck at this point or  goes to False condition (Looks Inconsistent). Later we found whenever it goes to false it is the pending value mskey that is getting passed not the parent mskey.

I tried with different query combination but nothing  worked   Just pasting below the relevant screenshot to give an idea what i am trying to do. The query is obviously incorrect.

Looking for expert advice  for this scenario.

Thanks

Karthik

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

You can always have a task that sets a context variable above the switch / condition.  You can do as much work in there as you like and it simplifies the switch / conditional task as the SQL in there can be kind of touchy.  Once the context variable is set, just query that.

Peter

Answers (3)

Answers (3)

Former Member
0 Kudos

Thanks Peter

Setting the context variable and using it in the switch condition looks to be a prudent way of achieving our requirement but i didn't get a chance to try it out yet .. Will  sure update this thread once tried..

@ Ridoun Taibi

Thanks once again for your detailed input and suggestion

. We are managing different UI task for internal and external. Also query that i share based on MSKEYVALUE is used during the development. Actually now we have enhanced based on the user category field to make it more future proof. I will try to incorporate your other inputs applicable to us.

Former Member
0 Kudos

When i try using the ToGeneric pass it is the pending value MSKEY that gets printed.

So finally we went something like below and it looks fine so far.

SELECT COUNT(MSKEY)

  FROM [mxmc_db].[dbo].[idmv_vallink_basic]

WHERE mcAttrName = 'MSKEYVALUE'

AND mcValue LIKE 'E%'

AND MSKEY = (SELECT mcValue

  FROM [mxmc_db].[dbo].[idmv_vallink_basic]

  WHERE MSKEY = '%MSKEY%'

  AND mcIdStore = '2'

  AND mcAttrName = 'MX_ENTRY_REFERENCE')

Can anyone comment is it the recommended way that we are doing or have any better suggestion ?

Basically we are trying to segregate user provisioning for different types of users with single Add member task configured in the repository.

former_member190695
Participant
0 Kudos

So, you have an UI task where you manually create identities, correct? Is the above task the UI Task or the provisioning task? Do you link directly to it or do you use repository constants like MX_HOOK? Anyway, %SUBJECT.MSKEY% will only work If the task has "Retrieve values from pending object" checked, this is not applicable for Switch/Conditional tasks. Use context instead to set and use variables during your processing.

I would not recommend using the above SQL query to differentiate between an Internal and External Employee. What if the business decided to create external users with a different prefix? You need to modify the query. From a technical point of view the above query could have impact on performance, this is of course depends on the number of identities, systems, etc. in your environment. Use mcSearchValue instead of mcValue, always use WITH(NOLOCK) in MS SQL environment.

I would also not create both user types using the same UI task as Internal and External users could have different attributes that needs to be set, e.g. start and end date, ESS/MSS access, etc. 

I would use different UI Tasks for each user type and set attribute values accordingly. One of the attributes could be the satandard MX_FS_IDENTITY_TYPE for example to distinguish between an internal and external employee. In your conditional task you could identify the user type based on the value in the above attribute.

Every scenario in an Identity Management solution requires good analysis and understanding of other and underlying scenario's and processes, so my best practice doesn't mean it will be applicable to yours.

former_member190695
Participant
0 Kudos

Hi Karth,

Replace the %NOLOCK% variable with WITH(NOLOCK) If you have recently deployed SP7.

Not sure why but since SP7, I am too not able to use %NOLOCK% as described in the IdM Help.

Good luck.

Regards,

Ridouan

Former Member
0 Kudos

Thanks Ridouan for your input but query as such is not correct. I don't think subject.mskey is working here.

I am getting following exception,

TaskId:102319 - Could not carry out execCheckSQL:(SELECT COUNT(*) FROM idmv_value_basic  WHERE MSKEY=%SUBJECT.MSKEY% AND attrname='MSKEYVALUE' AND searchvalue like 'E92%') - exception:com.microsoft.sqlserver.jdbc.SQLServerException: Incorrect syntax near

Also during the add task event i clearly notice it is the pending value mskey that is getting set and not the parent mskey.

How can i get parent mskey in the query as subject.mskey doesn't seem to work ?

Former Member
0 Kudos

Hi Karthik,

Can you try to use%SUBJECT.MSKEYVALUE% AND AVALUE='E92% or any other reference attribute used in Pending value objects.

Regards,

Ali.

former_member190695
Participant
0 Kudos

Hi Kath,

I see!. Just use %MSKEY% instead of %SUBJEC.MSKEY% as I am assuming this task is based on the standard provisioning so no PVO is created.

Regards,

Ridouan

Former Member
0 Kudos

Hi Ridouan,

If i use just %MSKEY% then it always comes to FALSE2 loop. I tried printing the mskey it looks PVO value.

Do you mean to say if it is standard provisioning no MVO is created ? I read it in the help that PVO will get created while executing member events.Not sure where we are going wrong here.

Thanks

Karthik

former_member190695
Participant
0 Kudos

There 's nothing wrong with your sql query, have you replaced the %NOLOCK% with normal WITH(NOLOCK). A pending value is created but the task is not based on an PVO object but on MX_PERSON. You should be able to use %MSKEY% to retrieve your data. Create a ToGeneric pass and print the MSKEY and MSKEYVALUE or even test the sql query.