
Assigning New Privilege/Role issue

Ckumar
Contributor
0 Kudos

Hi All,

I have a few users in IDM who have direct privileges (even though they have corresponding roles), while all the other users have automatic privileges based on the roles assigned to them, because a few users have been pushed from the AD to IDM.
Now when I assign a new role to a user who has automatic privileges, the system assigns the corresponding privileges as automatic privileges. That works fine, but when I assign a new role to the users who have direct privileges, for some users it assigns the privileges as automatic privileges while for others it assigns them as direct privileges.
I have investigated the issue and found that the uIS_PrivReconcile script is responsible for assigning the privileges. This is an inbuilt Identity Center script.

Could you please help me understand how it actually works? I found the description for this script as: perform a reconciliation of the Roles/Privileges assigned to the users in the identity store after the Role and/or Privileges are modified.

Please help me out to solve my issue.

Regards,
C Kumar

Accepted Solutions (1)


Former Member
0 Kudos

If you're using a 7.2 version (please also mention service pack level in requests) where the dispatchers have housekeeping options you do not need to care about the uPrivReconcile function. In addition the uPrivReconcile call should only be required when you do hierarchy changes in earlier versions, such as linking role to role, or privilege to role. There's a template job provided with the product that used to be scheduled to run every X minutes to do this.

If you have this, don't worry about uPrivReconcile:

You can also check your database to see if there are any entries that require privilege reconciliation using

select count(*) from MXIV_DIRTY_MSKEYS

Note that in some older SP releases this view returns inactive entries that can't be reconciled until they're activated again.

Where do you see this "conflicting" status btw? Is it in the Workflow UI?

Br,

Chris

Ckumar
Contributor
0 Kudos

Hi Chris,

Thanks for the reply.

Sorry, I forgot to mention the Service Pack.
I am using SAP NetWeaver Identity Management 7.2.

Yes, I have checked: I have housekeeping options in the Dispatcher and the Reconcile dirty entries procedure is already enabled.

Please tell me why I am facing such an issue with some old users and how to fix it.

Old user -> for some users, privileges (even though they have corresponding roles) are not displayed as automatic privileges, while they are visible under Assigned Privileges. I am denoting those users as old users.

Waiting for further response.

Former Member
0 Kudos

7.2 is the version number, and you tagged your message with product version 7.2 as well so this is clear. I was asking for the Service Pack level and perhaps even patch number if you have it.

You can find this in the management console, both in the startup splash screen, and in help about where it will say Version 7.20.XX <year>-<month>-<day>

It's also listed on the Database tab of the management console where it will say 7.20.9.0-SQL-2013-12-15 or something similar, above the schema update number. The reason I'm asking is that there have been updates to the hierarchy calculations in later SP/patches.

You still haven't answered where this problem is seen, so I'll just assume it's the Workflow Web UI.

Please run the query below after replacing username and privilegename with the user-mskeyvalue and privilege-mskeyvalue so that we can see what the actual state of the user/assignment is, since you say the UI is displaying it wrong. It will list the state and inheritance (if any) of the assignment:

select mcThisMskey, mcOtherMskey, mcExecState, mcExecStateHierarchy, mcLinkState, mcAssignedDirect, mcAssignedInheritCount, mcAssignedDynamicGroup, mcOrphan
from idmv_link_ext
where mcThisMskeyValue='username' and mcOtherMskeyValue='privilegename'

Br,

Chris

Answers (1)


Former Member
0 Kudos

Hi Kumar,

For the few users who have the direct privileges (even though they have corresponding roles), are the privileges also displayed under automatic privileges?

Can you try removing the direct privilege assignments for the users (even though they have corresponding roles) and see what happens?

I mean, where are the privileges added back again by uIS_PrivReconcile? Under direct assignments or automatic assignments?

~ Krishna.

Ckumar
Contributor
0 Kudos


Hi Krishna,

Thanks for the reply

As I already explained in the question, for some users the direct privileges (even though they have corresponding roles) are displayed under direct privileges only, not under the automatic privileges. To make it more clear, here I will denote such a user as an old user.

When I remove those direct privileges (even though they have corresponding roles) from the direct privilege list of the old user, the corresponding account of the old user gets deleted.

Whenever I try to assign a new role (containing new privileges) to an old user:
privileges are added under automatic privileges for some old users, while for other old users they are added as direct privileges.

Do you have any idea why it's happening?
Please help me out to solve this issue.

terovirta
Active Contributor
0 Kudos

If you have direct privilege linkages and assign a business role which has the same privileges, the direct linkage still exists. When you take the business role off from the user, the direct link exists. This is standard functionality.

Do you really mean that if you have two users without any AD access and you assign a business role with AD privileges, one user may get the privilege assignments displayed as inherited and the other may get them displayed as direct linkages?

regards, Tero
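
Added example, not part of any post in this thread: a variant of the idmv_link_ext query posted above that lists every link of one user and labels how it is assigned, so that links which are both direct and inherited stand out (per the last reply, the direct link on those stays in place when the role is taken off). It uses only columns named in the thread and assumes that mcAssignedDirect = 1 marks a direct assignment and mcAssignedInheritCount > 0 an inherited one; assignment_kind is a label introduced here.

```sql
-- Added example: classify all links of one user by assignment type.
-- Replace 'username' with the user's MSKEYVALUE, as in the query in the thread.
-- Assumptions (not confirmed in the thread):
--   mcAssignedDirect = 1        -> the link was assigned directly
--   mcAssignedInheritCount > 0  -> the link is inherited through at least one role
-- The view holds all link types, so roles and other links of the user
-- appear in the result next to privileges.
select mcOtherMskeyValue,
       mcAssignedDirect,
       mcAssignedInheritCount,
       case
         when mcAssignedDirect = 1 and mcAssignedInheritCount > 0
           then 'direct and inherited'   -- survives removal of the role
         when mcAssignedDirect = 1
           then 'direct only'
         when mcAssignedInheritCount > 0
           then 'inherited only'         -- removed together with the role
         else 'other'
       end as assignment_kind,           -- label introduced for this example
       mcExecState,
       mcLinkState
from idmv_link_ext
where mcThisMskeyValue = 'username'
order by assignment_kind, mcOtherMskeyValue
```

Running it for one user that shows privileges as automatic and one that shows them as direct gives a side-by-side view of the stored assignment state, independent of what the UI displays.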