remove privileges not allowed

former_member205095
Participant
0 Kudos

Hi experts,

I'm using IDM 7.2 SP 9. When a user has a privilege and we use the web user interface to remove the privilege and save, some minutes later we check the same user and the privilege gets the status "not allowed".

Does anyone know the reason for it?

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

I would put a trace on this user's account then try to remove the privilege. That trace log should show you where the deprovisioning process is failing. At least then, you know where to focus your efforts.

former_member205095
Participant
0 Kudos

Hi Brandon,

I traced the user when I removed the privilege; however, the procedure is triggered, but no task or just is triggered on job log. Do you have any idea?

Former Member
0 Kudos

Are these 7 lines all that's coming in the trace log? I would think the log would be at least a little longer than 7 lines.

former_member205095
Participant
0 Kudos

Hi Brandon,

Yes, I tried to do it again and it just runs 7 lines of commands. Could it be an error in the procedure?

Former Member
0 Kudos

What does this privilege control? Is this privilege granting rights within IDM itself or is IDM supposed to provision rights to a target system like SAP or AD? I ask because if it's within IDM, I could see why the trace log is so short. If by adding this privilege IDM is supposed to provision rights out to an external system, I would then check to make sure the account / system privileges are properly applied to this user and then check the modify task that's supposed to fire off as a result of adding a privilege to external systems. If all you're getting back is 7 lines, the core of your issue is, why aren't the tasks that actually do the work being executed? I wish I was sitting in front of your system so I could look through it and determine what's going wrong but unfortunately, that costs money.

Former Member
0 Kudos

You can also try looking at the link-audit and see if there are any additional messages using:


select auditdate,auditid,operation,operationText,AdditionalInfo from idmv_linkaudit_ext where linkid = 1294502 order by AuditDate desc

It could also help to see some additional link properties for this assignment:


select
  mcThisMSKEYVALUE,mcOtherMSKEYVALUE,mcLinkState,mcAssignedDirect,
  mcAssignedInheritCount,mcAssignedMasterPrivilege,mcOrphan,mcExecState,
  mcExecStateHierarchy,mcLastAudit,mcMasterPrivMSKEY
from idmv_link_ext where mcUniqueID = 1294502

Br,

Chris

Steffi_Warnecke
Active Contributor
0 Kudos

Hello,

Does this happen for all privileges of a specific repository? Or just for a specific user?


Regards,

Steffi.

former_member205095
Participant
0 Kudos

Hi Steffi,

This happens with all the privileges for all the repositories; the only one that I can remove is the priv only

Steffi_Warnecke
Active Contributor
0 Kudos

Can you add a privilege of a backend system? Does this get provisioned successfully? Maybe the user that is used for the provisioning doesn't have the necessary permissions in the backend?

Or does this happen to IdM-specific privileges (e.g. for the tabs), too?

former_member205095
Participant
0 Kudos

When we add it in IDM, it applies on the back-end system, for the privileges that have GRC integration and others that do not. The standard mx privileges I can remove without problems.

The communication user has the Sap_all and sap_new profile and also the integration roles. This problem began after the upgrade to sp9