cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Repair assignment status "Not Allowed"

Former Member

on ‎11-22-2014 5:42 AM

0 Kudos

Hello Gurus,

We are having some privilege assignments to users which are in status "Not Allowed". Is there some way to fix them? I have tried executing the stored procedure mc_repair_assignments for the entry but there is no change.

Thanks in advance for your help.

Regards,

Subbu

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (5)

Answers (5)

clotilde_martinez
Participant
‎04-09-2015 8:00 AM
0 Kudos

Hi,

we are facing the same problem, did you find any solution?

We are going to delete the link in the database but i'd like to know first if something less "brutal" can be done.

Thank you,

Clotilde

Show replies
Show replies
Steffi_Warnecke
Active Contributor
‎04-09-2015 9:04 AM
0 Kudos

Hello Clotilde,

I don't know what IDM version you're on, but on IDM 7.2 SP 8 you can just remove them the normal way via the UI. This was not possible in SP 7, as far as I remember.

Regards,

Steffi.

clotilde_martinez
Participant
‎04-09-2015 9:12 AM
0 Kudos

Hi Steffi,

we're running IDM 7.2 sp9 patch 10, my colleagues tried to remove it from the webUI when the problem appeared and i just tried again, it doesn't move

Do you have any other thoughts on this?

Thanks,

Clotilde

Steffi_Warnecke
Active Contributor
‎04-09-2015 9:20 AM
0 Kudos

Hmm no, sorry. 😕 I know we had a lot of headache because of this in earlier versions, but now we can just remove them via the UI like an "OK" assignment, so I have no workaround present.

I'd guess, that the assignment isn't complete anymore, so that's why it won't be removed via UI.

Have you tried removing them with a job and the {e} operator?

Regards,

Steffi.

normann
Advisor
Advisor
‎04-09-2015 9:24 AM
0 Kudos

Hi Clotilde,

usually that happens when there is

  • a PVO existing to the assignment or
  • audit entries in state running.

Can you check the audit table for the audits belonging to the assignment (including child and parent audits). There is another table explaining the audit state ids (don't have the table name in my head, 20 or 21 was running as far as I remember). I already had the case that a task was just stuck and found that issue in the audit table.

Regards

Norman

Former Member
‎04-09-2015 9:27 AM
0 Kudos

Hi Clotilde,

If in UI privilege status shows 'Not Allowed' then probably  mclinkstate would be 1.

you can check it using view idmv_link_ext in DB.

normally, you can set the mcexecstate of privilege to 1026 (rejected) and then remove it using IDM UI or custom job.

Query to set status to 1026.

UPDATE mxi_link SET mcexecstate = 1026 WHERE
mcThismskey = <usermskey> and mcOthermskey = <privmskey> AND mcOrphan=0 AND
mcLinkType = 2 AND mcLinkState < 2

Let me know in case of questions.

Regards,

Pradeep

Former Member
‎04-21-2015 4:35 PM
0 Kudos

I tried this query, but the PRIV gets automatically reassigned with a status of Not Allowed, AFTER its deleted.  A look at the table again reveals that the mcExecState returns to 1024 also.

Former Member
‎11-27-2014 2:33 AM
0 Kudos

Hi Everyone,

Do you have any more suggestions to drop these privileges so that they can be processed again?

Regards,

Subbu

Show replies
Show replies
ChrisPS
Contributor
‎11-28-2014 8:19 PM
0 Kudos

Hi,
    please open a support incident on SAP Service Marketplace so that the issue can be checked by SAP support

Regards,

Chris

Former Member
‎12-04-2014 10:39 AM
0 Kudos

Hello Subramaniam,

what is the current status of mcexecstate. of the privilege for the user.

you can check it using view idmv_link_ext in DB.

normally, you can set the mcexecstate of privilege to 1026 (rejected) and then remove it using IDM UI or custom job.

Query to set status to 1026.

UPDATE mxi_link SET mcexecstate = 1026 WHERE
mcThismskey = <usermskey> and mcOthermskey = <privmskey> AND mcOrphan=0 AND
mcLinkType = 2 AND mcLinkState < 2

This should work.

Regards,

Pradeep

former_member198652
Active Participant
‎12-12-2014 11:00 AM
0 Kudos

Hi Pradeep,

We too facing the same issue. I did exactly what you said, i.e. update the role status to rejected, and deleted in UI. But after that also it is again showing the same  previlege with not allowed status.

Can you please help me how to fix this.

Regards,

Jaya

Former Member
‎11-26-2014 2:28 AM
0 Kudos

Hi Christopher / Steffi

Yes, the privileges were part of an approval process in some cases but we have also seen this status for roles assigned directly through HCM process.We have seen the status change if the privilege was in pending status when we try to remove them.

Hi Matt,

I tried using {e} but it does not drop the privileges.

Regards,

Subbu

Show replies
Show replies
Steffi_Warnecke
Active Contributor
‎11-24-2014 9:36 PM
0 Kudos

Hello Subbu,

I remember getting this status, when we tried to remove privileges that had the status "Pending". After saving and a refresh (we tried that through the UI) they changed to "Not allowed".  They weren't part of an approval process though. Just waiting for other stuff to happen that didn't and when we tried to get rid of them to start anew, that status changed and was stuck.

But it's so long ago, I don't know how we fixed that.

Regards,

Steffi.

Show replies
Show replies
former_member2987
Active Contributor
‎11-24-2014 9:40 PM
0 Kudos

I wonder if dropping the privileges using {e} to remove futures would do the trick, Former Member

jaisuryan
Active Contributor
‎11-22-2014 5:12 PM
0 Kudos

Hi Subramaniam,

Could please let us know the system details, version, db etc?

Please check if the assignment is still valid (MX_VALIDTO is in future)?

And have you implemented context based provisioning?

Kind regards,

Jai

Show replies
Show replies
Former Member
‎11-22-2014 8:23 PM
0 Kudos

Hi Jai,

Thanks for your reply.

We are using NW IdM 7.2 SP8 with an SQL SB.

We have not implemented context based provisioning. It is a pilot implementation and at the moment we are assigning privileges directly to end users. The valid to date is not in future. In some cases we are not assigning valid from and to dates.

Regards,

Subbu

jaisuryan
Active Contributor
‎11-22-2014 9:26 PM
0 Kudos

Hi Subbu,

Can you please post some screenshots? Thanks.

BR

Jai

Former Member
‎11-22-2014 11:23 PM
0 Kudos

Hi Jai,

Please find below screenshot of privileges set to "Not Allowed"

Regards,

Subbu

ChrisPS
Contributor
‎11-24-2014 8:21 PM
0 Kudos

Hi - is it possible that the privileges were a part of any approval process ? If the approval was declined then such a status could result. Possibly the approval is someway stuck.

Also check for the provisioning/deprovisioning tasks if there are any errors or if any of the tasks are disabled or not assigned dispatchers as this could be a reason that the privilege assignment is not updated.

Regards,

Chris

Ask a Question