
SAP IDM 7.2 SP8: Issue with Role assignments

deepakkg86
Participant
0 Kudos

Hello Experts

We have just setup SAP IDM 7.2 SP8, I am trying to assign a Role / Privileges to ABAP system through Event tasks defined on repository.

Below are the things which I did for this setup:

1. Created Repository.

2. Completed Initial loads

3. Create one Tasks for create / modify ABAP user.

4. Assigned tasks on repository event task.

When I assign a privilege to a user from the IDM UI, no jobs get triggered (the user already has account / system privileges assigned). In the UI it shows the status as "OK", but no jobs are getting triggered for the role assignment in the backend system.

But when I try to assign a Role, I see following in system logs

I tried to write the MSKEYVALUE to a text file through the same tasks and I always get a new MSKEYVALUE (MX_1453, MX_1454 etc.). However, I guess it should have given me the MSKEYVALUE of the user for which I am doing the role assignment.

Can you please suggest me the way forward.

Regards

Deepak Gupta

Accepted Solutions (1)

terovirta
Active Contributor
0 Kudos

Deepak Gupta wrote:

I tried to write the MSKEYVALUE to a text file through the same tasks and I always get a new MSKEYVALUE (MX_1453, MX_1454 etc.). However, I guess it should have given me the MSKEYVALUE of the user for which I am doing the role assignment.

Can you please suggest me the way forward.

Regards

Deepak Gupta

The MX_[number] is most likely the MSKEYVALUE of the Pending Value Object (assignment) not the userid of the user. You would need to query the user from the PVO.

Why deviate so heavily from the standard Provisioning Framework?

regards, Tero

deepakkg86
Participant
0 Kudos

Hello Tero,

Thanks. Would you be able to let me know how I can query for the user from the PVO? What kind of deviation is there in my approach from the standard provisioning framework?

Regards

Deepak Gupta

Former Member
0 Kudos

Hello Gupta,

I am not sure, if this is, what Tero meant, but it seems that You are not using a lot of standard provisioning framework.

As a part of the SAP Core Provisioning Framework, You have the following tasks (amongst others):

Provisioning

Deprovisioning

Modify

Did You try using those as Your Add Task, Remove Task and Modify Task respectively?

Then in repository constants, You should take a look at hook tasks:

If You look further down into SAP Provisioning Framework, You will find the "Connectors" there.

Did You try assigning a respective ABAP plugin task to each hook task as described in here?

For example :

MX_HOOK1_TASK --> 1. Create ABAP User

MX_HOOK2_TASK --> 2. Modify ABAP user

etc.?

Moreover, could You please show how the Assignment Grouping is set on Your repository (to be found on the "Privilege" tab of the repository configuration)?

Kind Regards,

Darek.

deepakkg86
Participant
0 Kudos

Hello Darek,

Can we have a WebEx session?

Regards

Deepak Gupta

Former Member
0 Kudos

Hello,

Yes, we can, if You can host it.

Please contact me via private message for details.

Kind Regards,

Darek

Answers (2)

deepakkg86
Participant
0 Kudos

Great, Cheers

Thanks for informing.

Former Member
0 Kudos

Hi guys,

I am facing a similar problem with role assignments. I have used the standard provisioning framework.

I tried to assign a privilege (PRIV:XXX:ONLY) to the user, but it somehow goes to the 'Else' thread in the 'Provisioning Task', where the check happens whether the entry is an 'MX_PERSON' or 'MX_GROUP'.

A pending value object (MX_PENDING_VALUE) is created every time I assign the role and, because of this, it enters the Else thread instead of the MX_PERSON thread.

Were you able to resolve this error? Please help

Regards

Chaitanya

Former Member
0 Kudos

Hi Chaitanya.

Do You get any entries in the system log when this issue happens?

Also - since You are mentioning assigning privileges, I assume we are discussing the "Provisioning" node of the CORE SAP Provisioning Framework.

Which event task do You have this node (Provisioning) assigned to on the repository?

And one more thing - can You go to the IDM Admin UI, on the Monitoring tab select Provisioning Audit and enter the User's MSKEY (the one You assign this PRIV:ONLY to) into Entry ID?

Then, find the row for the "Provisioning" task, select it, and then on the bottom tab select the "Trace" tab and look for the "Check entrytype" row. Can You tell us what You have in the information column next to it?

Here is the example (for the Deprovisioning task, but You should have the same for the Provisioning task as well):

Kind Regards,

Darek.

Former Member
0 Kudos

Hi Darek,

The system log says this when I try to assign the 'ONLY' privilege to a user.

We are indeed talking about the core provisioning framework. The 'Provisioning' task is assigned to the 'MX_ADD_MEMBER_TASK' attribute of the repository.

We currently do not have access to the Monitoring tab and have asked the Basis guys to give us the same. I will update once I get it.

Below is the flow of events in the Provisioning task. It enters the Else loop here.

I am confident that MX_PENDING_VALUE is created. Right after I assign the task, I see the entry MX_XXXX in the database for a split second and then it vanishes. I am not sure why this is being created at all. Please let me know if you can figure out something here.

I will post further updates once I access the Monitoring tab.

Regards

Chaitanya

deepakkg86
Participant
0 Kudos

Hello Chaitanya,

Can you please put a wait type on the task "Check Entry type" for 5 minutes and execute the query yourself on the database? You will get to know what the error is and why it's going into the Else node always.

Regards

Deepak Gupta

Former Member
0 Kudos

Hello Chaitanya.

It is quite normal for a Pending Value to be created in such a scenario. Until all the tasks in the Provisioning Framework are executed, the Pending Value exists. Then it's deleted, once there are no more tasks pending on it.

Could You please let us know how You assign this privilege to the user (WEB UI or an Identity Center Job?) and share with us the definition of the task which You use for that purpose?

Also - could You share with us a bit of background on Your system? Did it work before? When did it stop working?

I am a bit surprised by this "Got MSKEY: not-existing-MSKEY" error.

Also - Your Provisioning Framework does not seem like the SP8 version.

Did You upgrade Your IDM to SP8 recently? If yes - could You please upgrade Your SAP Provisioning Framework as well (however, I'm not sure if that is the reason for Your issue)?

Moreover - could You send a screenshot of Your Event Task configuration for the related repository, as presented on the screen below,

as well as the event tasks assigned to the "MX_PRIVILEGE" entry type?

Could You start executing the following SQL query soon after You save the entry in the Web UI after adding the PRIV:ONLY to it (assuming that You're using the WEB UI for the purpose), until the pending value appears?

-- Pending values (MX_PENDING_VALUE entries) created in the last five minutes
select * from idmv_vallink_basic vallink with (nolock)
inner join idmv_entry_simple entry with (nolock)
    on vallink.mskey = entry.mcmskey
   and entry.mcentrytype = 'MX_PENDING_VALUE'
where entry.mccreated >= dateadd(mi, -5, getdate())
order by vallink.mskey desc

This will show the contents of all Pending Values created during the last five minutes (which still exist, which means that You need to "catch" this pending value before it gets deleted - this will require a bit of a reflex).

Kind Regards,

Darek.
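A polling variant of the query above, added here as an example and not posted by anyone in the thread: it samples the same join once a second into a temp table, so the pending value can still be inspected after the framework has deleted it. It assumes SQL Server (matching the with (nolock) / getdate() syntax used above) and that idmv_vallink_basic exposes mskey, attrname and avalue columns.

```sql
-- Added example (not from the thread): capture MX_PENDING_VALUE rows into a
-- temp table over a short window instead of relying on reflexes.
-- Assumptions: SQL Server; idmv_vallink_basic has mskey, attrname, avalue.
set nocount on;

if object_id('tempdb..#pvo_capture') is not null
    drop table #pvo_capture;

-- Empty copy of the view's shape plus a capture timestamp.
select vallink.*, getdate() as captured_at
into #pvo_capture
from idmv_vallink_basic vallink
where 1 = 0;

declare @deadline datetime = dateadd(mi, 5, getdate());  -- poll for five minutes
while getdate() < @deadline
begin
    -- Same join as the thread's query, but only rows not yet captured.
    insert into #pvo_capture
    select vallink.*, getdate()
    from idmv_vallink_basic vallink with (nolock)
    inner join idmv_entry_simple entry with (nolock)
        on vallink.mskey = entry.mcmskey
       and entry.mcentrytype = 'MX_PENDING_VALUE'
    where entry.mccreated >= dateadd(mi, -5, getdate())
      and not exists (select 1
                      from #pvo_capture c
                      where c.mskey = vallink.mskey
                        and c.attrname = vallink.attrname
                        and isnull(c.avalue, '') = isnull(vallink.avalue, ''));

    waitfor delay '00:00:01';  -- one-second sampling interval
end

-- Everything the captured PVOs contained; the attributes carry the MSKEY of the
-- user and the privilege the assignment refers to.
select * from #pvo_capture
order by mskey desc, attrname;
```

Run it in a separate session right before saving the assignment in the Web UI; the final select survives the PVO's deletion because it reads the temp table, not the views.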

Former Member
0 Kudos

Hi Darek and Deepak,

I have put a 5 min wait time on the Check Entry Type task. There is a stored procedure which is executed every time this task is triggered.

Coming to Darek's point,

As you rightly guessed, I use the Web UI ('Assign Privileges, Roles and Groups' task of the framework) to assign the privilege to a user. I am really unsure why the System Log says "Got MSKEY: not-existing-MSKEY".

The system was installed with SP8 on it. I am not sure if the provisioning framework belongs to the same. If there is any way to check, that would be helpful. We ran an SAP system initial load and then tried to assign the 'ONLY' privilege to check if role assignment works.

Here are the screenshots:

Repository:

MX_PRIVILEGE:

Result after executing the query:

This entry got deleted after I extracted the data. 18115 is the MSKEY of the user to which the role was assigned. 18116 is the MSKEY of PVO.

The Else loop is triggered and the Set Task to Error State is executed.

Let me know if this is of any help

Regards

Chaitanya

deepakkg86
Participant
0 Kudos

Hello Chaitanya,

It is difficult to understand what's going wrong. Can you please answer the below?

1. You are trying to create a user in a new repository by assigning the *ONLY* privilege?

2. Does the *ONLY* privilege have an add member task assigned?

3. Are you assigning any other role as well, along with *ONLY*?

4. What happens when you try to add some other role where user already has only privilege ?

Regards

Deepak Gupta

Former Member
0 Kudos

Hi Deepak,

I am trying to assign the privilege (PRIV:XXX:ONLY) to a user in IDM. I am doing this via IDM UI.

This triggered the 'Provisioning' task of the provisioning framework, but the task enters the Else loop instead of the MX_PERSON one, as shown above, and the 'Set task to Error State' job is getting executed.

Hope this helps

--Chaitanya

Former Member
0 Kudos

Hello Chaitanya.

As Deepak says - it's hard to say what is wrong, as, so far, everything seems to look fine.

You didn't mention, what the background of that system is.

Meanwhile - could You please set the trace on that test user and then execute the activity again?

You can do this either through Admin WEB UI (/idm/admin, tab "TRACE"), once You get access to it, or "manually" by setting global constants:

MX_TRACE_ENTRY = <MSKEYVALUE>

MX_TRACE_RT = 1

Below is an example of the trace set for the user with MSKEYVALUE Idmtest03:

Also, make sure that "Enable Trace" in the "Options" tab of Your Identity Management Configuration in MMC is set, as seen on the screen below:

Once done, assign the PRIV:ONLY to user again and wait until the provisioning fails.

Then check the contents of the mc_trace_data table and share it with us please:

select * from mc_trace_data with (nolock)

Details on how to use IDM Trace can be found in the IDM Solution Operations Guide (http://service.sap.com/~sapidb/011000358700001223922010E).

Kind Regards,

Darek.

Former Member
0 Kudos

Hi Darek,

I have done as asked.

Attached is the trace for the same.

I will see what I can find from this.

--Chaitanya

Former Member
0 Kudos

Hello Chaitanya.

Could You share this data via a .csv / .txt file? The data on the screenshots is truncated and I can't see all of it.

Kind Regards,

Darek.

Former Member
0 Kudos

Hi Darek,

Attached is the trace file. I couldn't attach a csv file. So, attaching a text file. You can save it as csv and export in excel if you wish to.

If even this is not of much help, probably cleaning up the entire system and starting over might be a better idea. What do you think about this?

--Chaitanya

Former Member
0 Kudos

Hello Chaitanya.

I went through this trace and, I must admit, the errors/warnings that are there are really strange indeed.

It looks like the basic mechanisms of IDM Provisioning do not work correctly.

("W:Got MSKEY - not-existing-mskey" (even though MSKEY is properly determined few lines above); "ERROR!AuditId, variable does not exist in mxpt_get_entrytype")

Is provisioning working for any other user at all? Or does it fail for everyone?

I am afraid that I won't be able to help more here just by looking at screenshots.

Just one final question - could You send me a screenshot of Your IDM Database Information, which includes the latest schema update?

This is what I mean:

Kind Regards,

Darek.

Former Member
0 Kudos

Hi Darek,

The issue is with the provisioning framework, which might not have been the latest one. After I deleted the earlier framework and reimported the provisioning framework, things started working.

I was able to see the user getting created in the SAP system as well.

These errors might be because of the incompatible framework only.

--Chaitanya

Former Member
0 Kudos

Good to know.

So it was the Provisioning Framework after all.

Kind regards,

Darek.