cancel
Showing results for 
Search instead for 
Did you mean: 

Error in removing privilege from the user

Former Member
0 Kudos

Hello IDM Experts,

When I am trying to remove privilege (direct assignment type) from the user in IDM UI (IDM 7.2 SP8) then I get

below error

Unable to set value for attribute Member of Privilege. Detailed information (may not be translated): Referenced value does not exist.


While removing it via custom job in IDM console, I get below error.

Error

putNextEntry failed storing<user mskeyvalue>

Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed modifying entry '<user mskeyvalue>'. IDStore returned error message: " Referenced value does not exist:Attribute: MXREF_MX_PRIVILEGE" when storing attribute 'MXREF_MX_PRIVILEGE={e}<priv mskey>'

I ran the query  for user and privilege relationship and everything seems to be consistent.

select mcThisMskey, mcOtherMskey,mcExecState,mcExecStateHierarchy,mclinktype, mcLinkState,mcOrphan from mxi_link where mcthismskey = 1639496 and mcothermskey = 7989

Query result screenshot below:


Error shows referenced value does not exist . This privilege is assigned directly to user and exist in database with OK status.

Could you please let me know why this issue occurs and how to resolve this issue ?


Thanks & Regards,

Pradeep


Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hello All,

This Issue is resolved now. 🙂

Permanent Solution: Implement SAP Note 2075412.

Workaround:

Issue was that mcassigner had invalid mskey. It may happen if the mskey has been deleted.

mcassigner can be checked in idmv_link_ext for user-privilege relationship.

select mcassigner, mcthismskeyvalue, mcothermskeyvalue from idmv_link_ext_active where mcthismskeyvalue = '<usermskeyvalue'> and mcothermskeyvalue = '<privilegemskeyvalue>'

In such case mcassigner should have a valid user mskey or -1 (means unknown).

SAP has suggested to set value to -1.

To set mcassigner = -1 below query can be run.

UPDATE mxi_link SET mcassigner = -1 WHERE mcThismskey = ‘<usermskey>’ and mcOthermskey = ‘<mcprivilegemskey>’ AND mcOrphan=0 AND mcLinkType=2 AND mcLinkState<2

After updating mcassigner, removal of such privilege from user was successful.

Thank you to everyone whoever has put effort to provide me the solution.

Regards,

Pradeep

Answers (4)

Answers (4)

siarhei_pisarenka3
Active Contributor
0 Kudos

Hi Pradeep

Such error might also indicate that the user is inactive. Chech if the user has MX_INACTIVE attribute =1. Also check the state of the user in idmv_entry_simple view.

Also check the mcDisabled attribute of this link in the idmv_link_ext.

BR, Siarhei

Former Member
0 Kudos

Hi Pradeep ,


Can you please check IDMV_LINK_EXT_ACTIVE  to see what is the mcexecstatus for this specific assignment . Can you please check below mentioned fields in the Link Table for this specific assignment .

  • mclinkstate
  • mclinktype
  • mcdirty
  • mcorphan
  • mcexecstate

Can you please check what is the mcexecstate for this Link in Link Table . Also , please check what IDMV_LINKAUDIT_EXT shows up for this specific LINKID. Probably LINKAUDIT Table will give some clue why system not allowing removal if MCEXECSTATE is something like 1536..

Thanks ,

Jerry George

Former Member
0 Kudos

Hi Jerry,

Thank you for your reply.

idmv_link_ext_active query result shown below.It will be same as I mentioned in prblm description.

mcexecstate is 1 (assignment OK)

idmv_linkaudit_ext query result does not show any entry.

Kindly let me know if you have more info on what to analyze here.

Thanks & Regards,

Pradeep

Former Member
0 Kudos

Hi Pradeep ,

Can you please check whether MASTER privileges associated with the Privilege Repository is assigned to the User ((PRIV:ONLY , PRIV:SYSTEM:,...) Privileges , along with the Account Attribute)

If System , Account Privilege does not exist , try assigning the same & do a removal after the same .

Also , Can you check what AUDIT Table shows around this Link ID .

Thanks ,

Jerry George

Former Member
0 Kudos

Hi Jerry,

Thank you for your effort.

User has master privilege (PRIV:ONLY) and system privilege (PRIV:SYSTEM) of the privilege repository assigned in OK status in IDM (UI+Database).

User also have Account attribute (ACCOUNT<REPO>) of privilege repository for the user.

As I mentioned in above reply, user does not have LinkID for this privilege in idmv_linkaudit_ext view.

Kindly let me know if you have more info on what to analyze here.

Thanks & Regards,

Pradeep

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Pradeep,

did you check, if the mskey 7989 still exists in idmv_value_basic and such? And can you find that privilege in the UI? It looks like though the link from user to priv is still there, the privilege itself might be gone.

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi,

Thank you for your reply.

mskey 7989 exist in idmv_value_basic  and is of privilege.

Earlier, I had checked existence of this privilege  in IDM UI.

Thanks & Regards,

Pradeep

normann
Advisor
Advisor
0 Kudos

Hi Pradeep,

you are not using right syntax. You would use {e}%mcOtherMSKEY% as mcOtherMSKEY is the attribute name the statement returns as the privilege mskey. The <> brakets is a syntax to let the engine resolve the mskeyvalue into the mskey - would mean if you use a view giving you mskeyvalue you coulf say {e}<%mcOtherMSKEYVALUE%>.

If you just want to delete one object anyway you do not need a statement but can just say {e}7989

Cheers

Norman

PS: you might not use mxi_link but some view like idmv_link_ext. Did you made IdM training or went through all the guides?


Former Member
0 Kudos

Hi Norman,

Thank you for your reply. 🙂

sorry for mentioning  <priv_mskey> which created confusion.

Actual error message in Job is below.

Note: User_MSKEYVALUE will have MSKEYVALUE of user.

Error putNextEntry failed storingUser_MSKEYVALUE

Exception from Modify operation:com.sap.idm.ic.ToPassException: ToIDStore.modEntry failed modifying entry 'User_MSKEYVALUE'. IDStore returned error message: " Referenced value does not exist:Attribute: MXREF_MX_PRIVILEGE" when storing attribute 'MXREF_MX_PRIVILEGE={e}7989'

This job is to removes all roles and privileges from the user.

So, when job try to remove this particular privilege from user, it runs into above error.

And if I try to remove same privilege from user using UI task, I get error as shown below in the IDM UI

Unable to set value for attribute Member of Privilege. Detailed information (may not be translated): Referenced value does not exist.

Showing database query result , my intention was to highlight field values for this user to privilege linking which I can show using mxi_link table or views idmv_link_ext or idmv_vallink etc.

Yes, I have gone through IDM training and have read all IDM documents. 🙂

Thanks & Regards,

Pradeep

normann
Advisor
Advisor
0 Kudos

Sorry that I asked for training but I really thought that was your syntax