Recreate user in IDM

0 Kudos

Hi experts,

My user (MSKEYVALUE= myUser, MSKEY=12345678) has some problem.

Under "Simple search" the user cannot be found. Under "Advanced search" the user can be found and the user is not INACTIF.

In the UI the user has 5 ABAP privileges in Pending status that I cannot remove from the UI.

select * from idmv_entry_simple where mcMSKEYVALUE='myUser'

--> NO RESULT

select * from idmv_link_ext where mcThisMskey= 12345678

--> Gives more information and shows that this user has 5 privileges under the status mcExecState=1536

So I think that my user was deleted and only the links to pending privileges are still available in IDM.

I tried a job with MXREF_MX_PRIVILEGE = {D} / {E} <privilege> and also MXREF_MX_PRIVILEGE = {D} {LINKID = linkid} <privilege>

But still no success, so any help on how to get my user back?

Victoria

Accepted Solutions (1)

Former Member
0 Kudos

Hi Victoria,

If your user was deleted from IdM, to re-activate it you should follow the steps below:

1. Get the user’s mskey from:

select * from mxi_entry where mcmskeyvalue=MSKEYVALUE;

2. Update the entry state:

update mxi_entry set mcentrystate=0 where mcmskey=%MSKEY%;

3. Update user’s attribute:

update mxi_values set disabled=0 where mskey=%MSKEY%;

4. Delete from table mxi_values: MX_INACTIVE (attrid=%ATTRID%) and MC_DISABLE (attrid=%ATTRID%), if you use them

BR,

Simona

0 Kudos

Hi Simona,

Thanks for your help.

Could you please give more details on step 4, which I don't understand?

The query is not clear to me.

Victoria

Former Member
0 Kudos

Hi Victoria,

The easiest way, after you have executed steps 1 to 3, to delete the needed attributes is from the IdM console (you can have a helper task to do this).

BR,

Simona

0 Kudos

Hi Simona,

Could you please give a screenshot or SQL statement for point 4?

BR,

Victoria

Former Member
0 Kudos

Hi Victoria,

You can try this:

DELETE FROM mxi_values where  attr_id = %ATR_ID% and mskey=%MSKEY%;

BR,

Simona

0 Kudos

Hi Simona,

And what about the assigned privileges in the UI, what should I do for them?

Many thanks,

Victoria

Former Member
0 Kudos

Hi Victoria,

The easy way is to update (set to removed) all of the assigned privileges - mclinkstate = 2 and mcexecstate, mcexecstatehierarchy to 1052 for the current user:

1. update mxi_link set mclinkstate=2 where mcthismskey=%MSKEY% and mcattrid='%PRIV_ID%';

2. update mxi_link set mcexecstate=1052 where mcthismskey=%MSKEY% and mcattrid='%PRIV_ID%';

3. update mxi_link set mcexecstatehierarchy=1052 where mcthismskey=%MSKEY% and mcattrid='%PRIV_ID%';

This way you will remove the previous access (pending and assigned) and the user will be reactivated.

BR,

Simona

0 Kudos

Hi Simona,

Thank you very much for your help.

To summarize, I have to execute these 3 SQL statements to remove privileges, and next I have to execute the first 4 SQL statements to delete and reactivate from IdM, right?

BR,

Victoria

Former Member
0 Kudos

Hi Victoria,

Yes, you can do that, or you can re-activate the users first (steps 1 to 4) and then remove the access (the choice is yours).

BR,

Simona

0 Kudos

Hi Simona,

The mcExecState 1052 does not exist? Did you mean 1025?

With %PRIV_ID% do you mean the mskey of the privilege to be removed?

BR,

Victoria

Former Member
0 Kudos

Hi Victoria,

Yes, I meant 1025

BR,

Simona

Answers (4)

0 Kudos

Hi Simona,

Thanks for the help,

Victoria

0 Kudos

Hi Simona,

Any update please? Do you mean by %PRIV_ID% the mskey of the privilege to be removed, or only the Attr_ID of MX_ACTIVE, MX_DISABLED, MX_LOCKED?

Thanks,

Victoria

Former Member
0 Kudos

Hi Victoria,

No, by %PRIV_ID% I mean that you will specify that in the mxi_link table you will update only privileges (all MX_PRIVILEGES have the same ATTRIBUTE_ID). Also, in this table (mxi_link) you have only reference values (reference values - in this case for entry type MX_PERSON), not attributes of the user.

BR,

Simona

0 Kudos

Hi Simona,

So to get the value of %PRIV_ID% I have to look in my Identity store schema and search for the ID of the entry MX_PRIVILEGE, right?

What about the value 1052, did you mean 1025?

Many thanks,

Victoria

Former Member
0 Kudos

Hi Victoria,

About the execstate value, yes, I meant 1025. As for the MX_PRIVILEGE reference ID, you can use this select to get it:

select distinct(mcattrid) from idmv_vallink_basic_active where mcattrname='MXREF_MX_PRIVILEGE' and mskey in(
select mskey from idmv_vallink_basic where mcattrname='MSKEYVALUE' and mcsearchvalue ='%MSKEYVALUE%');

Note: %MSKEYVALUE% - of some user in IdM.

BR,

Simona
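
The statements from this thread gathered into one script, as an added example that is not part of any post: it uses the table and column names quoted above and the 1025 value Simona confirmed, and it rolls back by default so the result can be inspected before anything is kept. Microsoft SQL Server syntax is assumed; `@privAttrId` is a placeholder for the result of the MXREF_MX_PRIVILEGE lookup above, and step 4 is left out because its attribute ids are not given in the thread.

```sql
-- Added example, SQL Server syntax assumed. Table and column names are the
-- ones quoted in this thread; the values below are placeholders.
DECLARE @mskeyvalue NVARCHAR(255) = N'myUser'; -- sample MSKEYVALUE from the question
DECLARE @privAttrId INT = 0;  -- placeholder: mcattrid returned by the
                              -- MXREF_MX_PRIVILEGE lookup for this identity store
DECLARE @mskey INT;

-- Step 1: resolve the MSKEY from the base table, not from the idmv_* views,
-- since the question shows the entry missing from idmv_entry_simple.
SELECT @mskey = mcmskey FROM mxi_entry WHERE mcmskeyvalue = @mskeyvalue;

IF @mskey IS NULL
BEGIN
    RAISERROR('No mxi_entry row for this MSKEYVALUE; nothing was changed.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Steps 2 and 3: reactivate the entry and re-enable its attribute values.
UPDATE mxi_entry  SET mcentrystate = 0 WHERE mcmskey = @mskey;
UPDATE mxi_values SET disabled = 0     WHERE mskey   = @mskey;

-- Privilege links: the three updates from the thread as one statement,
-- using 1025 (the corrected value) instead of 1052.
UPDATE mxi_link
   SET mclinkstate          = 2,
       mcexecstate          = 1025,
       mcexecstatehierarchy = 1025
 WHERE mcthismskey = @mskey
   AND mcattrid    = @privAttrId;

-- Inspect the result inside the transaction before keeping it.
SELECT mcmskey, mcmskeyvalue, mcentrystate
  FROM mxi_entry WHERE mcmskey = @mskey;
SELECT mcattrid, mclinkstate, mcexecstate, mcexecstatehierarchy
  FROM mxi_link  WHERE mcthismskey = @mskey;

ROLLBACK TRANSACTION; -- switch to COMMIT TRANSACTION once the output is as expected
```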

former_member2987
Active Contributor
0 Kudos

Victoria,

Please look under the idmv_value_ext view to see if the user is there. It does indeed sound like the user is gone for some reason.

Reconstructing the user will probably need to be done manually but you might find some information in the audit tables.

Matt

0 Kudos

Hi Matt,

After checking the table idmv_value_ext I can find the user there.

Any comment?

Victoria

former_member2987
Active Contributor
0 Kudos

Victoria,

Very interesting, how about idmv_value_ext_active?

Could it be that the user's MX_ACTIVE, MX_DISABLED, or MX_LOCKED attributes are populated?

Matt

0 Kudos

Any comments or input, please?

We are using SP 7.2 SP7

Victoria