on 10-22-2014 5:51 AM
Hi All, when I update a business role and add privileges to it, it updates the role in IdM but the additional access is not getting provisioned to the users assigned to the role in the backend SAP system.
How do I fix this? Please advise.
IDM 7.2 SP9
DB - SQL
This is the UI task,
and the log shows this and nothing else gets triggered.
Ranjit,
We are having the exact same issue with our system ever since we updated to 7.2 SP8.
The global script that used to be called in the reconcile role job sap_core_reconcile_users, from what we can tell, has changed significantly, and I noticed that if you do not disable that job before you make an update to a BR then the process fails.
Now when we use what seems to be the older version of the script the modify BR job works perfectly, albeit slow depending on the amount of users in the role (we usually ran updates to a large role on the weekend).
A lot of SCN discussion states (as Pradeep does) that we are now supposed to use the housekeeping job "reconcile dirty entries". The reason for this, as far as I can tell from the SAP documentation, is that SAP changed the way reconciliation works so that when you make a change to a role it is not instantaneous and happens at a scheduled time, so that users would potentially experience no downtime (which, by setting it to every minute, defeats the purpose).
What we are finding is that this job calls the reconcilePriv stored procedure, and from what we can see currently that stored procedure is causing multiple deadlock issues on our side before it finally times out with a "cookies" error.
I have had an open incident for almost 2 weeks on high sev with SAP and gotten no response but we are almost at the point of pulling back in the old script that worked for the BR reconcile and turning off the housekeeping job until we (or someone at SAP) can answer why the stored procedure is running so long.
I don't know if this helps but it may shed a little light on your situation.
Hi Michael
Sorry for my late response. I tried disabling the job that called the script "sap_core_reconcile_users" and then made the change to the BR, but still the same issue, i.e. it removed the priv from the BR in the role UI and the change is also visible in the user UI in IdM, but the change does not push through to the backend SAP system.
The "idmv_link_ext_active" table has mcorphan set to 1 for the users who have been assigned the BR.
I noticed you said the older version of the script works well with the modify BR UI task. Could you please provide me details of this script? Also, do I have to disable the "Reconcile dirty entries" housekeeping job?
Thanks
Ranjit
Ranjit,
I am being told by SAP that the script and job are no longer valid and that it is the housekeeping job that is supposed to perform the reconcile. This was put in place to keep mass amounts of users from all losing access during work hours, so that it could be scheduled to run during non-peak times.
The problem that you are having, and that my company is having, is that the stored procedure to do this cleanup is not functioning.
I was told to go to 7.2 SP8 patch 4, but when I upgraded in QAS I got schema mismatch errors and have not been able to correct them.
I could provide the script, but as an IDM novice I would not recommend using it as I do not know what other potential side effects it might have.
Hi Ranjit,
Yes, "sap_core_reconcile_users" will reconcile users only if the global constant MX_RECONCILE is set to FALSE.
So if my understanding is correct, you have configured distributed provisioning using the GRC framework, and it works fine when you assign a business role to a user?
Check that MX_ADD/DEL_MEMBER_TASK for the privilege is not set to "-1".
Check if the privilege has the below attributes assigned.
Kind regards,
Jaisuryan
Hi Jaisuryan
Thanks for your response. MX_RECONCILE is set to false.
I have two clients. One uses distributed provisioning through the GRC framework and works fine when I assign a BR to a user. However, when I change the same BR and add a new privilege (SAP role) to it, the change is reflected in IdM but the additional SAP role does not get provisioned to the user in the backend SAP system.
The second client does not use GRC for provisioning. The provisioning occurs through IdM and is a very standard set up. However, I have the same issue as explained above.
The MX_ADD/DEL_MEMBER_TASK at the repository level is not set to -1. They have the provisioning and de-provisioning tasks assigned respectively. Where else should I check this? Could you please provide me a screenshot?
With your final suggestion to add attributes to the privilege, do these attributes need to be added to the entry type MX_PRIVILEGE? I have checked and these attributes are already "allowed" for MX_PRIVILEGE. Could you please provide me more detail of what you meant?
Thanks
Ranjit
Hello Ranjit
MX_RECONCILE is not relevant for IDM 7.2 SP7 onwards.
Reconciliation is now done as part of the housekeeping job defined at dispatcher level.
Can you check if the IDM UI for the user also shows this new privilege linked via the business role?
You can check it via the MX_ASSIGNMENT attribute defined for the user or via the idmv_link_ext view.
If it does not appear then you can use uis_repairentry() to repair the missing linkage.
help.sap.com/saphelp_nwidmic_72/helpdata/en/66/9ab51174e4407b8d2fc24e9e5267a4/content.htm?frameset=/en/e1/8645dd31a44bdd95b0148cab621415/frameset.htm
Regards
Pradeep
Hello Ranjit
What is the status of this privilege linked to the user?
Run the query below and share the result.
SELECT mcothermskeyvalue, mcexecstate, mcorphan, mcassigneddirect FROM idmv_link_ext_active WHERE mcthismskeyvalue = '<usermskeyvalue>' AND mcothermskeyvalue = '<privilegemskeyvalue>';
Regards
Pradeep
Hi Pradeep
I just tried adding a PRIV to a BR and the PRIV has OK status for the user in the UI, and it provisioned the access to the user in the backend, which did not happen earlier. Very strange, as it seems to be erratic. The other issue I have is that when I remove a PRIV from a BR it is reflected in the UI for the user, but in the backend SAP system it does not remove that role.
Please see the query result below for that PRIV.
Hello Ranjit,
From your reply above, I understand that:
1. You had business role B1 assigned to user U1 in IDM already.
You tried to assign priv P1 to B1, and when you check the user in the UI you see that the user has B1 with P1 in the IDM UI,
and now the same P1 is provisioned to the user in the backend system.
So this works fine.
2. When you remove P1 from B1 in the IDM UI and then go to the user in the IDM UI, you see that P1 is also removed from the user in the IDM UI, but P1 is not removed from this user in the backend system.
Is this the issue you are having, or something different?
Did you take the SQL query result shown above after removing P1 from B1?
Regards,
Pradeep
Hi Ranjit,
OK. Your query result shows that priv P1 is still linked to user U1 in OK status (mcexecstate = 1) and is an orphan entry (mcorphan = 1).
As IDM sees this as an orphan entry, removing this privilege from the user via an IDM job or using the IDM UI would not work.
Ideally, if the business role is removed then the associated privilege should automatically get removed from the user.
Does this issue occur in general for all users?
If you set mcorphan = 0 and mcassigneddirect = 1 for this privilege for this user and then try to remove this privilege from the user in the UI, then it would get removed.
Query:
UPDATE mxi_link SET mcAssignedDirect=1, mcOrphan=0 WHERE
mcThismskey = <usermskey> and mcOthermskey = <privmskey> AND mcOrphan=1 AND
mcLinkType = 2 AND mcLinkState < 2
Regards,
Pradeep
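Added example, not posted by anyone in this thread: a two-step version of the repair Pradeep describes, for readers who want to see what the UPDATE will touch before it touches anything. It assumes SQL Server (T-SQL), matching the "DB - SQL" in the original question, and uses only the view, table and column names that appear in the thread (idmv_link_ext_active, mxi_link, mcOrphan, mcAssignedDirect, mcLinkType = 2, mcLinkState < 2); the user and privilege MSKEY values are placeholders to fill in.

```sql
-- Added example (not from the thread). Assumptions: SQL Server / T-SQL;
-- view, table and column names as quoted in the thread; <usermskey> etc.
-- are placeholders for the real MSKEY / MSKEYVALUE of the affected entries.

-- Step 1: diagnose. List every privilege link for the user that IDM treats as
-- orphaned (mcorphan = 1) so the scope of the repair is visible up front.
-- A link with mcexecstate = 1 (OK) and mcorphan = 1 is the state Pradeep
-- describes: still provisioned in the backend, but no longer removable via the UI.
SELECT mcothermskeyvalue, mcexecstate, mcorphan, mcassigneddirect
FROM idmv_link_ext_active
WHERE mcthismskeyvalue = '<usermskeyvalue>'
  AND mcorphan = 1;

-- Step 2: repair inside a transaction. ROLLBACK is the default at the end, so
-- nothing is persisted until the affected row count has been checked and the
-- final statement is changed to COMMIT TRANSACTION.
BEGIN TRANSACTION;

UPDATE mxi_link
SET mcAssignedDirect = 1,
    mcOrphan = 0
WHERE mcThismskey = <usermskey>
  AND mcOthermskey = <privmskey>
  AND mcOrphan = 1
  AND mcLinkType = 2      -- privilege link, as in the thread
  AND mcLinkState < 2;    -- not already in a removal state

-- Exactly one row is expected for one user / one privilege; more than one
-- means the WHERE clause is broader than intended and the change should stay
-- rolled back.
SELECT @@ROWCOUNT AS rows_affected;

ROLLBACK TRANSACTION;  -- replace with COMMIT TRANSACTION once rows_affected = 1
```

Once the link is no longer flagged as orphaned and is marked as directly assigned, remove the privilege from the user in the IDM UI as Pradeep suggests; that removal is what triggers the de-provisioning task against the backend SAP system, which a direct change in mxi_link alone does not do.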
Hi Pradeep
Your suggestion has helped quite a bit, thanks a lot.
One other issue I seem to have is this: when I add a privilege P1 to a BR B1, the users assigned to that BR B1 are provisioned with P1 in the backend SAP system. So that works fine.
However, when I remove the privilege P1 from BR B1, the "reconcile role members" job runs and the role UI and user UI get updated with the change, but the privilege P1 does not get removed from the user in the backend SAP system. When I query the "idmv_link_ext_active" table as you advised earlier, P1 shows up with mcorphan set to 1.
What is the reason for this, and how can I fix it so that when a privilege is removed from a role in IdM it actually pushes that change to the users in the backend SAP system and removes the privilege?
Please advise.
Thanks
Ranjit