Hello,
I've run into a provisioning problem after having recently setup a new ABAP system, that has left me puzzled.
The initial load for this new ABAP system completed successfully, after I resolved a few issues. But when I tested provisioning a single privilege I'm getting the following warning related to the Company address. After the warning is displayed the job log states the provisioning was successful but the role does not get provisioned to the ABAP system.
The warning states:
MSKEYVALUE '!ERROR: No such attribute' does not start with MX_COMPANY_ADDRESS prefix 'COMPANY:'. Cannot remove it for provisioning. Provisioning of the company address assignment might fail.
What I should also add, is that while researching this error I came across a post that suggested adding the MXREF_MX_COMPANY_ADDRESS to the MX_PERSON entry type. While I tried that and it didn't work, what followed was a number of entries in the system log showing a large number of schema changes I did not make or try to save. Any ideas on this?
What I need help with is understanding (1) how to understand this issue, and (2) how to resolve it.
Appreciate that help.
Paul
- SAP Managed Tags:
Accepted Solutions (1)
Answers (2)
Thanks Tero.
I agree, I shouldn't have to add the company address reference, it should be there.
As I take a closer look at what's going on, I'm trying to rely on the logs to provide some insight. In looking through the global logs, and status I see something that doesn't make sense to me. I'll explain.
1) I'm testing provisioning using an identity store(#4) that I also used to test and complete the initial load with.
2) This identity store has much higher numbers assigned to the web enabled and provisioning tasks (7 digit task numbers) than the identity store (#2) I used previously (4 digit task numbers).
3) When I filter the status records to see which jobs were recently triggered, I see that the jobs from both identity stores were triggered, and it's the previous identity store's job for creating an ABAP Company Address that shows the error.
4) I've searched but I can't seem to find where this job is? Also, I'm not sure why identity store #2 tasks are being executed through the browser. I did check which web enabled task is opened in the browser when I try to provision a new role and it's for identity store #4 with the 7 digit task numbers.
Do you know if there's an easy way to locate a specific job? How would I ensure that only the provisioning tasks of the current identity store (#4) are being used?
Thanks,
Paul
Hi Paul,
unless you have modified the SAP Provisioning Frameword, the PF tasks are run against the Id Store referred in global constant "SAP_MASTER_IDS_ID". Just state 4 in your constant.
You can double check/fix the provisioning tasks by navigating through the Provisioning/Deprovisioning/Modify workflows (under SAP PF / Core) and the plugin/hook tasks (under SAP PF / Connectors) to the repository types you're provisioning to. This sounds tedious but it'll only take maybe 10-15 minutes.
There's a find-function, just right click, I am not sure how well that works. As sad it may sound ( ), I spent quite a lot of time in MMC, so I remember most of the stuff by heart.
regards, Tero
Hi Paul,
What is the status of the privilege assignment for your test user in UI? If it's pending then the assignment is "pending" for the account privilege (just assign the "priv:[rep_name]:only") but if it's "OK" then the assignment went through without any provisioning-task processing.
As the UI is asynchronous all it does is submit your form and then the tasks configured in IdM will start to execute. If privileges have correct tasks and repository set the provisioning should start.
If the tasks are enabled, they have dispatcher selected and are set to execute against correct Id Store, the next things to check would be that the privileges have correct tasks:
For normal privileges the modify task should be set to "none" (mx_modifytask=-1 if you look it from DB), all other tasks set to "inherited", so that they're inherited from repository. Correct repository should also be visible in the "member events tasks"
Your repository should look similar to below. I am using the SAP PF version 2 here so the Provisioning/Deprovisioning/Modify tasks in "PF\Core" have different task ids than for the earlier Provisioning Framework.
regards, Tero
Hi Tero,
Thanks again. The status of the privilege assignment is 'OK', which as you mentioned means it went through without any provisioning tasks being executed.
I've just been testing provisioning with a privileges, which are all alike. The tasks aren't set to inherited but that shouldn't matter should it?
Also here are the constant values for the repository I'm testing. Seems that I've got all the same entries as you do.
When I test the modify ABAP user this works and as you can see from the screenshot below, it does successfully execute subsequent tasks, but the assignment does not? Still puzzled.
Hi Tero,
I've made two changes:
1) Set the provisioning and deprovisioning tasks to 'inherited.
2) Set the repository system privilege to: PRIV:SYSTEM:R3D120 (as mentioned by Pradeep above)
After these changes were made the next test did trigger the provisioning task to execute, although it failed with a new error. Can you advise what these mean and how to resolve them?
Hello Jai,
I've checked the task 'SetABAPRole&ProfileForUser', but I don't see anything in this task that might cause an issue with provisioning. Can you make any suggestions as to what I should be looking for?
Here's how the task is currently setup:
Do you have other suggestions on provisioning the company address?
Cheers,
Paul
| User | Count |
|---|---|
| 87 | |
| 10 | |
| 10 | |
| 10 | |
| 7 | |
| 6 | |
| 6 | |
| 5 | |
| 5 | |
| 4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.