on 03-26-2015 2:08 PM
Hi,
I set up Active Directory as a target system. I imported the new packages for Eclipse and did the initial load for AD (System privileges were created).
When I assign the PRIV:AD:ONLY privilege to an identity, the identity gets provisioned to AD.
When I assign the PRIV:AD:ONLY privilege to a group, the group gets provisioned to AD.
So far so good.
But when I assign the group to the identity I get the error in the execution log:
Cannot obtain mskey for group privilege PRIV:GROUP:AD:CN\=MY AD GROUP\,CN\=GROUPS\, DC\=DUMMY\, DC\=COM
The CN represents my CN in the Active Directory, but I have no PRIV:GROUP:AD privilege?
So I cannot provision group assignments to AD, and I used only the default packages with no modifications.
And an additional question: when does the RDS for 8.0 come out?
Are there some predefined approval processes like in 7.2?
Thanks, Patrick
Hi Patrick,
Were you able to confirm that this group priv is available in the system?
Check if the SQL gives any hit:
select * from idmv_entry_simple with (nolock) where mcmskeyvalue = 'PRIV:GROUP:AD:CN\=MY AD GROUP\,CN\=GROUPS\, DC\=DUMMY\, DC\=COM'
By default, the initial load job in IDM 7.2 has "WriteGroupPrivileges" enabled. Hope this is the case in IDM 8.0 as well.
Kind regards,
Jai
Hi Jai,
Ahhhh
Thank you! You pointed me in the right direction: I disabled a few actions in the initial load job, including "WriteGroupPrivileges".
I had to disable the following attributes: MX_INHERIT, MX_GROUP_INHERITANCE
I got the following error:
Value not legal for this attribute:Attribute: MX_GROUP_INHERITANCE" when storing attribute 'MX_GROUP_INHERITANCE=ONE'
Thanks for the fast help!
Patrick
Edit: Do I need a privilege for the target system for every group in IDM?