IDM 7.2 SP9 updating business role does not trigger provisioning

former_member297605
Active Participant
0 Kudos

Hi All... When I update a business role and add privileges to it, the role is updated in IdM but the additional access is not getting provisioned to the users assigned to the role in the backend SAP system.

How do I fix this? Please advise.

IDM 7.2 SP9

DB - SQL

This is the UI task

and the log shows this and nothing else gets triggered.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi Ranjit,

Try the following:

Please click on Dispatchers under Management:

On the right hand side, click on the Housekeeping tab, for Reconcile dirty entries as highlighted in the following screenshot, select Every Minute.

Click Apply

Let me know how you go. Cheers!

KV

former_member297605
Active Participant
0 Kudos

Hi KV

This is already set to "Every Minute"

Thanks

Ranjit

Former Member
0 Kudos

Ranjit,

We are having the exact same issue with our system ever since we updated to 7.2 SP8.

The global script that used to be called in the reconcile role job, sap_core_reconcile_users, has from what we can tell changed significantly, and I noticed that if you do not disable that job before you make an update to a BR then the process fails.

Now when we use what seems to be the older version of the script, the modify BR job works perfectly, albeit slowly depending on the number of users in the role (we usually ran updates to a large role on the weekend).

A lot of SCN discussion states (as Pradeep does) that we are now supposed to use the housekeeping job "Reconcile dirty entries". The reason for this, as far as I can tell from the SAP documentation, is that SAP changed the way reconciliation works so that when you make a change to a role it is not instantaneous but happens at a scheduled time, so that users would potentially experience no downtime (which setting it to every minute defeats the purpose of).

What we are finding is that this job calls the reconcilePriv stored procedure, and from what we can see currently that stored procedure is causing multiple deadlock issues on our side before it finally times out with a "cookies" error.

I have had an open incident for almost 2 weeks on high sev with SAP and gotten no response but we are almost at the point of pulling back in the old script that worked for the BR reconcile and turning off the housekeeping job until we (or someone at SAP) can answer why the stored procedure is running so long.

I don't know if this helps but it may shed a little light on your situation.

former_member297605
Active Participant
0 Kudos

Hi Michael

Sorry for my late response. I tried disabling the job that called the script "sap_core_reconcile_users" and then made the change to the BR but still the same issue i.e. it removed the priv from the BR in role UI and the change is also visible in the User UI in idm but the change does not push through to the backend SAP system.

The "idmv_link_ext_active" table has mcorphan with 1 for the users who have been assigned the BR.


I noticed you said older version of the script work well with the modify BR UI task. Please could provide me details of this script. Also, do I have to disable the "Reconcile dirty entries" housekeeping job?


Thanks

Ranjit

Former Member
0 Kudos

Ranjit,

I am being told by SAP that the script and job are no longer valid and that it is the housekeeping job that is supposed to perform the reconcile. This was put in place to keep mass amounts of users from all losing access during work hours, so that it could be scheduled to run during non-peak times.

The problem that you are having and that my company is having, is that the Stored Procedure to do this cleanup is not functioning.

I was told to go to 7.2 SP8 patch 4, but when I upgraded in QAS I got schema mismatch errors and have not been able to correct them.

I could provide the script, but as an IDM novice I would not recommend using it as I do not know what other potential side effects it might have.

former_member297605
Active Participant
0 Kudos

Thanks Michael.... Please could you let me know if you hear anything further from SAP about a possible fix.

Former Member
0 Kudos

Sure Ranjit, but to date our ticket on High has been open for almost 3 weeks and they have not been very responsive to our needs.

jaisuryan
Active Contributor
0 Kudos

Hi Ranjit,

Yes, "sap_core_reconcile_users" will reconcile users only if the global constant MX_RECONCILE is set to FALSE.

So if my understanding is correct, you have configured distributed provisioning using the GRC framework and it works fine when you assign a business role to a user?

Check that MX_ADD/DEL_MEMBER_TASK for the privilege is not set to "-1".

Check if the privilege has the attributes below assigned.

Kind regards,

Jaisuryan

former_member297605
Active Participant
0 Kudos

Hi Jaisuryan

Thanks for your response. MX_RECONCILE is set to false.

I have two clients - one with distributed provisioning using the GRC framework, which works fine when I assign a BR to a user. However, when I change the same BR and add a new privilege (SAP role) to it, the change is reflected in IdM but the additional SAP role does not get provisioned to the user in the backend SAP system.

The second client does not use GRC for provisioning. The provisioning occurs through IdM and is a very standard set up. However, I have the same issue as explained above.

The MX_ADD/DEL_MEMBER_TASK at the repository level is not set to -1. They have the provisioning and de-provisioning tasks assigned respectively. Where else should I check this? Please could you provide me a screenshot.

With your final suggestion to add attributes to the privilege, do these attributes need to be added to the entry type MX_PRIVILEGE? I have checked and these attributes are already "allowed" for MX_PRIVILEGE. Please could you provide me more detail of what you meant.

Thanks

Ranjit

Former Member
0 Kudos

Hello Ranjit

MX_RECONCILE is not relevant for IDM 7.2 SP7 onwards.

Reconciliation is now done as part of the housekeeping job defined at dispatcher level.

Can you check if the IDM UI for the user also shows this new privilege linked via the business role.

You can check it via the MX_assignment attribute defined for the user or via the idmv_link_ext view.

If it does not appear then you can use uis_repairentry() to repair the missing linkage.

help.sap.com/saphelp_nwidmic_72/helpdata/en/66/9ab51174e4407b8d2fc24e9e5267a4/content.htm?frameset=/en/e1/8645dd31a44bdd95b0148cab621415/frameset.htm

Regards

Pradeep

former_member297605
Active Participant
0 Kudos

Hi Pradeep

I can see the new privilege assigned to the user in the user UI task, but the issue is that the new privilege, which is a SAP role, does not get assigned to the user in the backend SAP system.

Please could you let me know how to fix this.

Thanks

Ranjit

Former Member
0 Kudos

Hello Ranjit

What is the status of this privilege linked to the user?

Run the query below and share the result.

Select mcothermskeyvalue, mcexecstate, mcorphan, mcassigneddirect from idmv_link_ext_active where mcthismskeyvalue = '<usermskeyvalue>' and mcothermskeyvalue = '<privilegemskeyvalue>' ;

Regards

Pradeep

former_member297605
Active Participant
0 Kudos

Hi Pradeep

I just tried adding a PRIV to a BR and the PRIV has OK status for the user in the UI, and it provisioned the access to the user in the backend, which did not happen earlier. Very strange, as it seems to be erratic. The other issue I have is when I remove a PRIV from a BR it reflects on the UI for the user, but in the backend SAP system it does not remove that role.

Please see the query below for that PRIV.

Former Member
0 Kudos

Hello Ranjit,

With your above reply, I understand that

1. You had business role B1 assigned to user U1 in IDM already.

You tried to assign priv P1 to B1, and when you check the user in the UI you see that the user has B1 with P1 in the IDM UI.

And now the same P1 is provisioned to the user in the backend system.

So this works fine.

2. When you remove P1 from B1 in the IDM UI and then go to the user in the IDM UI, you see that P1 is also removed from the user in the IDM UI, but P1 is not removed from this user in the backend system.

Is this the issue you are having or something different?

Have you taken the SQL query result shown above after removing P1 from B1?

Regards,

Pradeep

former_member297605
Active Participant
0 Kudos

Hi Pradeep

Yes that's right for point 2.

Former Member
0 Kudos

Hi Ranjit,

OK. Your query result shows that priv P1 is still linked to user U1 in OK status (mcexecstate = 1) and is an orphan entry (mcorphan = 1).

As IDM sees this as an orphan entry, removing this privilege from the user via an IDM job or using the IDM UI would not work.

Ideally, if the business role is removed then the associated privilege should automatically get removed from the user.

Does this issue occur in general for all users?

If you set mcorphan = 0 and mcassigneddirect = 1 for this privilege for this user and then try to remove this privilege from the user in the UI, then it would get removed.

Query:

UPDATE mxi_link SET mcAssignedDirect=1, mcOrphan=0
WHERE mcThismskey = <usermskey> AND mcOthermskey = <privmskey>
  AND mcOrphan=1 AND mcLinkType = 2 AND mcLinkState < 2

Regards,

Pradeep
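An added example (not Pradeep's or SAP's own SQL) that generalises the single-user UPDATE above to every user still holding one privilege as an orphan link, with a dry run first and the repair wrapped in a transaction so it is rolled back if the row count differs from what was reviewed. It assumes SQL Server (the thread only says "DB - SQL") and that idmv_link_ext_active also exposes mcthismskey/mcothermskey alongside the *mskeyvalue columns used in the thread; the privilege MSKEYVALUE is a constructed placeholder.

```sql
-- Added example, not from the thread. Assumes SQL Server syntax.
DECLARE @privMskeyValue NVARCHAR(255) = N'PRIV:ROLE:<system>:<sap_role>';  -- placeholder, replace

-- 1. Dry run: list every user link the repair would touch, so the scope can be reviewed.
SELECT mcthismskeyvalue, mcothermskeyvalue, mcexecstate, mcorphan, mcassigneddirect
  INTO #orphan_links
  FROM idmv_link_ext_active
 WHERE mcothermskeyvalue = @privMskeyValue
   AND mcorphan = 1;

SELECT * FROM #orphan_links;   -- review this result before running step 2

DECLARE @expected INT = (SELECT COUNT(*) FROM #orphan_links);

-- 2. Repair: same filter as the thread's UPDATE (link type 2, link state < 2, orphan),
--    but scoped by privilege instead of one user/priv pair.
BEGIN TRANSACTION;

UPDATE l
   SET l.mcAssignedDirect = 1,
       l.mcOrphan = 0
  FROM mxi_link AS l
  JOIN idmv_link_ext_active AS v
    ON v.mcthismskey  = l.mcThismskey     -- assumption: view exposes the mskeys
   AND v.mcothermskey = l.mcOthermskey
 WHERE v.mcothermskeyvalue = @privMskeyValue
   AND l.mcOrphan = 1
   AND l.mcLinkType = 2
   AND l.mcLinkState < 2;

-- Only keep the change if it touched exactly the rows reviewed in the dry run.
IF @@ROWCOUNT = @expected
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;

DROP TABLE #orphan_links;
```

After the commit the privilege is a direct assignment on each user, so it still has to be removed through the IdM UI or a job for the de-provisioning task to run against the backend.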

former_member297605
Active Participant
0 Kudos

Thanks Pradeep, I'll try this and get back.

former_member297605
Active Participant
0 Kudos

Hi Pradeep

Your suggestion has helped quite a bit, thanks a lot.

One other issue I seem to have is when I add a privilege P1 to a BR B1 the users assigned to that BR B1 are provisioned with P1 in the backend SAP system. So that works fine.

However, when I remove the privilege P1 from BR B1, the "reconcile role members" job runs and the role UI and user UI get updated with the change, but the privilege P1 does not get removed from the user in the backend SAP system. When I query the "idmv_link_ext_active" table as you advised earlier, P1 shows up with mcorphan = 1.

What is the reason for this and how can I fix it so that when a privilege is removed from a role in IdM it actually pushes that change to the users in the backend SAP system and removes the privilege?

Please advise.

Thanks

Ranjit

Former Member
0 Kudos

Pradeep,

Have you actually run either stored procedure yourself and seen it work?

If you have can you please take a look at:

and provide input as to how we are running the job? Currently when we execute this SP it triggers multiple RT agents in the backend and deadlocks our database.