Hi Experts,

SAP IDM 7.2, SP8

Sometimes due to inconsistencies, users have assignments (inherited privileges (part of role)) with OK status in IDM but missing in backend systems.

Question 1: Is there any standard way to provision such user's all assignments (with OK status)?

1. I have tried uIS_RepairEntry internal function but it does not touch assignments in OK status if there are no structural changes required.

2. uPrivReconcile only reconcile failed/declined assignments.

3. I have tried uIS_SetDirty internal function but it does not trigger any assignment which is in OK status.

Infact it says that If an MX_PERSON entry is set dirty, this entry is marked dirty and all assignments will be reconciled but assignments in OK status are not provisioned.

Question 2: What does "all assignments will be reconciled" means here if it does not provision all assignments in OK status (mcExecState = 0 or 1).

4. I have created a job and created a script to use uProvision internal function to implement logic to trigger hook task 4 of repo(ABAP/JAVA) for the user.

for ABAP it works fine but for JAVA repo ,  stored procedure “mxpt_get_privilege_type” checks for audit id and pending privilege mskey and so check fails.

so, executing task  “SetJavaRoleForUser&Group” directly via script works fine.

Question 3:

I am interested to know if anyone has implemented anything better than this (point 4) to provision all assignments (with OK status) of user from IDM to backend system.

Kindly assist.

Thanks a lot in advance.

Regards,

Pradeep