cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Should global constant MX_RECONCILE be used in IdM 7.2 SP9?

former_member297605
Active Participant

on ‎09-18-2014 6:27 AM

0 Kudos

Hi Experts

In IDM 7.2 SP9 should MX_RECONCILE be used?

I currently have this set to FALSE but the "Reconcile dirty entries" job is also not enabled and not running on scheduled basis.

The issue my client currently has is that when a role or privilege(ABAP) is added to an existing business role which is already assigned to a user(s) those users are not getting the additional roles/privileges in the backend target systems.

Is this because the "Reconcile dirty entries" is not running? Should this be running on a regular basis? What is the SAP best practise recommendation?

Please could you assist.

Thanks

Ran

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

former_member297605
Active Participant
‎10-09-2014 5:35 AM
0 Kudos

Hi All..... Further to my original post above I just wanted to provide more info on the issue.

When I update a business role and add privileges to it updates the role in IdM but the additional access is not getting provisioned to the users assigned to the role in the backend SAP system.

How do I fix this? Please advise.

This is the UI task

and the log show this and nothing else gets triggered.

Show replies
Show replies
former_member297605
Active Participant
‎09-19-2014 3:06 AM
0 Kudos

Hi All

Please could someone give me some advise on the above issue.

Thanks

Ran

Show replies
Show replies
Former Member
‎09-19-2014 7:28 AM
0 Kudos

HI Ranjit,

MX_RECONCILE is obsolete in SAP IDM 7.2 SP7 onwards.

See details here https://help.sap.com/download/releasenotes/nw/idm/SAP-NW_Idm_ReleaseNotes_7-2-SP7.pdf

reconcile dirty entries is now triggered as part of housekeeping jobs as defined below at disptacher level.

As it is a change in structure changes which normally IDM takes care internally by triggering reconciliation but you can also try using uIS_RepairEntry internal function

New Internal Functions for Reconciliation (New) - SAP NetWeaver Identity Management Library - SAP Li...

Hope this helps.

Regards,

Pradeep

former_member297605
Active Participant
‎09-20-2014 2:07 AM
0 Kudos

Hi Pradeep

Thanks for your reply. I have checked and have the dispatcher enabled to do "Reconcile dirty entries" but the issue i'm having is when I assign roles to existing business roles in idm through an import job it does not provision the users the additional roles in the backed target system. Users are already assigned to the BR in IdM.

Please could you advise what the issue could be.

Thanks

Ranjit

former_member297605
Active Participant
‎09-20-2014 3:46 AM
0 Kudos

Hi Pradeep

Further to my above response, I also wanted to let you know that provisioning is actually done via GRC. So when BRs are assigned to users in IdM it sends a request off to GRC for approvals and once approved by the manager it provisions the roles. Currently GRC is set to auto approve as we are in a go-live situation. The issue is as explained above when BRs updated with additional roles/privileges the additional access is not being provisioned to users who are assigned to that BR.

Please could you provide some tips on how to fix this issue.

Thanks

Ranjit

karthikeyan_viswanathan2
Explorer
‎09-23-2014 11:16 AM
0 Kudos

Hi Ranijt,

The added/removed  roles to the business roles will be provisioned/deprovisioned if IDM is doing the activities. If the Business roles are changed(Modify Operation), are you sending the Roles assignment request again to GRC ? There should be a trigger if an operation is expected due to this modify operation.

Regards,

Karthik

former_member297605
Active Participant
‎09-24-2014 10:55 PM
0 Kudos

Hi Karthik

Thanks for your advise. Yes they go to GRC and provisioning is done in GRC.

Where should I look for this trigger? Should it be at an entry type level (i.e. MX_ROLE) or at an attribute level (i.e. which attribute??)

Please advise.

Thanks

Ranjit

Ask a Question