on 04-09-2015 2:34 PM
Hi Experts
While provisioning roles in IDM 7.2, I see this error in the Job logs:
Failed running function in string "$FUNCTION.sap_abap_getNameOfAssignedPendingPrivileges(mskey!!repname!!role!!true)$$". Marking entry as failed. Exception was: undefined: "sap_abap_convertToABAPValidFromDate" is not defined.
I am getting this error only if I provision the existing SAP users. Assigning any role to a new user works fine. Went through both the above-mentioned scripts, but don't see any problem there.
What am I missing here?
Best regards
Annapurna
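The error quoted above names two things: the task script that was running (the $FUNCTION macro) and the identifier the script engine could not resolve. The following is an added example, not code from the thread or from SAP's Provisioning Framework: a small triage helper that parses that log line and then statically checks a task script for sap_* functions it calls but neither defines nor has linked in. The TASK_SCRIPT body (an assumed older variant that still calls the two date-conversion globals) and the linked-script lists are constructed for the example; the log-line format is the one in the question.

```javascript
'use strict';
// Added example (not code from the thread, from SAP, or from the Provisioning
// Framework): a triage helper for the job-log error quoted in the question.
// parseFunctionError() pulls the failing $FUNCTION macro and the undefined name
// out of the log line; unresolved() lists the sap_* functions a task script calls
// but neither defines itself nor has linked in from the global scripts. The
// TASK_SCRIPT body and the linked-script lists below are constructed for the
// example; the log-line format is the one quoted above.

const LOG_LINE = 'Failed running function in string '
  + '"$FUNCTION.sap_abap_getNameOfAssignedPendingPrivileges(mskey!!repname!!role!!true)$$". '
  + 'Marking entry as failed. Exception was: undefined: '
  + '"sap_abap_convertToABAPValidFromDate" is not defined.';

// Extracts { taskFunction, args, missing } from one job-log line, or null if the
// line is not a $FUNCTION failure.
function parseFunctionError(line) {
  const call = /\$FUNCTION\.([A-Za-z_]\w*)\(([^)]*)\)\$\$/.exec(line);
  if (!call) return null;
  const undef = /"([A-Za-z_]\w*)" is not defined/.exec(line);
  return {
    taskFunction: call[1],
    args: call[2].split('!!'),          // IDM separates macro arguments with "!!"
    missing: undef ? undef[1] : null,
  };
}

// Constructed: an older variant of the task script that still converts the
// validity dates through two global scripts. A script like this fails exactly
// as in the question unless both globals are linked into the task.
const TASK_SCRIPT = `
function sap_abap_getNameOfAssignedPendingPrivileges(Par) {
    var columnArray = Par.split("|");
    var validfrom = sap_abap_convertToABAPValidFromDate(columnArray[1]);
    var validto = sap_abap_convertToABAPValidToDate(columnArray[2]);
    uInfo("validity " + validfrom + " " + validto);
    return sap_debug_logUserAssignments(columnArray[0]);
}
function sap_debug_logUserAssignments(mskey) {
    return uSelect("SELECT 1 WHERE mcThisMskey = " + mskey);
}
`;

// Names the script defines with "function name(".
function definedFunctions(src) {
  const out = new Set();
  const re = /\bfunction\s+([A-Za-z_]\w*)\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) out.add(m[1]);
  return out;
}

// Names with the given prefix that appear in call position "name(". The prefix
// keeps JavaScript builtins and IDM's u* API (uInfo, uSelect, ...) out of the list.
function calledFunctions(src, prefix) {
  const out = new Set();
  const re = new RegExp('\\b(' + prefix + '\\w*)\\s*\\(', 'g');
  let m;
  while ((m = re.exec(src)) !== null) out.add(m[1]);
  return out;
}

// Called sap_* functions that are neither defined in the script nor in the
// list of scripts linked to the task (global scripts included), sorted.
function unresolved(src, linkedScripts, prefix = 'sap_') {
  const defined = definedFunctions(src);
  const linked = new Set(linkedScripts);
  return Array.from(calledFunctions(src, prefix))
    .filter(name => !defined.has(name) && !linked.has(name))
    .sort();
}

const err = parseFunctionError(LOG_LINE);
console.log('failing macro:', err.taskFunction, 'missing:', err.missing);
console.log('unresolved with nothing linked:', unresolved(TASK_SCRIPT, []));
console.log('unresolved with both globals linked:',
  unresolved(TASK_SCRIPT, ['sap_abap_convertToABAPValidFromDate', 'sap_abap_convertToABAPValidToDate']));
```

Run against the script actually attached to the failing task (exported from the Identity Center) with the names of its linked scripts as the second argument: an empty result means the "is not defined" error is not a missing link, and the search moves to the global script itself or to the imported framework version.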
Hi All
Thank you for your suggestions.
@Ole I checked that the global scripts exist and the links to them are okay too.
@Henrik Those two scripts are not there in the 'Revoke user membership' task. I added them now, but cannot confirm if it works yet, because the 'revoke' task is not getting triggered at all.
@V! I modified the script like you suggested and deleted the other two scripts. Tested it, but the assign task is not getting triggered at all.
Nobody used the IDM system for days now, but looks like all the privileges are reset back to the original status again ('None' instead of 'inherited'). So it's back to square one again where the assign/revert tasks won't trigger unless the assigned role has the 'inherited' privileges. I double checked and the 'Priv:rep:ONlY' is 'inherited' and is showing status 'ok' for all the users.
We are considering redoing the whole installation again. Maybe that would resolve all these strange issues.
Best regards
Annapurna
Hi,
I can see that there is a link to the global script sap_abap_convertToABAPValidFromDate in the job.
Please check that this global script really exists in the Global Scripts section.
Regards,
Ole K.
Hi,
Could you check if the two scripts
sap_abap_convertToABAPValidFromDate
sap_abap_convertToABAPValidToDate
are assigned to the Revoke User Membership to Abap task?
That was my issue - it works fine for me now!
/henrik
Message was edited by: Henrik C. Madsen
Hi All
I upgraded IDM to the latest patch. Imported the Provisioning Framework 2, with overwrite option - got no errors while importing. But still have the same three scripts in the SetABAP..... task.
Compared the date/timestamp and the size of the file at both the locations (installation media and local). And they are the same.
I still get the same error while provisioning
Though this time, I noticed something.
I had this role provisioning problem before (Ref: ). According to that thread, I changed a few of the privileges to test and it worked.
But now I think, this is what's causing the problem (I may be wrong, of course). Since this tech role (above image) is the basic role, every IDM role has it. I can now neither add, nor remove the 'inherited' privilege/role without getting the current error.
The provisioning works when I add any role to a new user. But I get this error, if I add another role or try to remove the existing role.
Sorry for the long mail. But it was necessary to explain the whole scenario to get to the root of the problem.
Thanks for the help. Let me know if you need any more info.
Best regards
Annapurna
Hi Annapurna,
I was just going through the setup in our landscape and noticed that we have only one script for Assign User Membership to ABAP, which is "sap_abap_getNameOfAssignedPendingPrivileges".
As Jai mentioned earlier, we have the same script he has.
Can you try using the script below for "sap_abap_getNameOfAssignedPendingPrivileges", delete the other two and execute it?
Not sure if this could work, but maybe give it a try.
Script below:
===============================================
// Main function: sap_abap_getNameOfAssignedPendingPrivileges
/**
 * Returns a list of all privileges with properties {validfrom, validto} of the
 * passed user for the passed repository and the passed privilege type.
 * It contains all already assigned privileges plus/minus the delta of the
 * current pending added and/or removed privileges.
 *
 * Note: Needed by connectors that always send the complete list of privileges
 * to the backend, e.g. ABAP, BusinessSuite, JAVA
 *
 * @param {Par} Format:
 *   MSKEY of user!!repository name!!privilege type<!!includeValidityProperty>
 *   e.g. 172645!!BQQ001!!PROFILE!!TRUE
 * @return {String} List of Privilege (backend) names in format:
 *   if includeValidityProperty is defined as true, then
 *     {VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>
 *   else
 *     <priv>|<priv>|<priv>
 */
function sap_abap_getNameOfAssignedPendingPrivileges(Par) {
    importClass(java.lang.StringBuffer);
    // enable this flag (tracingEnabled) only for debugging purposes as this will impact the performance
    var tracingEnabled = false;
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: is called with " + Par);
    var parameters = Par.split("!!");
    var mskey = parameters[0];
    var repositoryName = parameters[1];
    var privilegeType = parameters[2];
    var addValidityProperty = false;
    if (parameters.length > 3 && parameters[3] != null && parameters[3].toLowerCase() == "true") {
        addValidityProperty = true;
    }
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: mskey: " + mskey);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: repositoryName: " + repositoryName);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: privilegeType: " + privilegeType);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: addValidityProperty: " + addValidityProperty);
    var nolock = "";
    if ("%$ddm.databasetype%" == 1) { // MS-SQL
        nolock = "WITH (NOLOCK)";
    }
    if (tracingEnabled) {
        sap_debug_logUserAssignments(mskey);
    }
    /*
     * - get only assignments (mcLinkType = 2)
     * - get all assignments of current entry X (mcLinkState = 0, mcExecState = 1 & mcDisabled = 0)
     * - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513,
     *   mcDisabled can be 1 e.g. if the user gets reactivated)
     * - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
     *   assignment gets retried, the state changes immediately to pending.
     * - for specified repository Y
     * - and privilege type Z
     * - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
     *   -> no future assignments
     *   -> no assignments for which an approval will be done but approval task is not yet running
     * - no privileges for which an approval is needed/running
     *   mcValidateAddAudit < mcAddAudit <- approval is already done
     *   or mcValidateAddAudit IS NULL <- if no approval is necessary
     * - no duplicate privilege names (-> SELECT DISTINCT) in case of contexts
     */
    var sql = "SELECT DISTINCT privilegename.mcMSKEYVALUE, assignment.mcValidFrom, assignment.mcValidTo \
        FROM idmv_value_basic_all repositorynames " + nolock + " \
        INNER JOIN idmv_value_basic_all privilegetype " + nolock + " ON privilegetype.mskey = repositorynames.mskey \
        INNER JOIN idmv_entry_simple privilegename " + nolock + " ON privilegename.mcMSKEY = repositorynames.mskey \
        INNER JOIN mxi_link assignment " + nolock + " ON assignment.mcOtherMskey = repositorynames.mskey \
        WHERE assignment.mcThisMskey = " + mskey + " \
        AND assignment.mcLinkType = 2 \
        AND ( \
            (assignment.mcLinkState = 0 AND assignment.mcExecState = 1 AND assignment.mcDisabled = 0) \
            OR ( \
                assignment.mcLinkState = 1 AND assignment.mcExecState IN (512,513) \
                AND ( \
                    (assignment.mcAddAudit > assignment.mcValidateAddAudit) \
                    OR \
                    (assignment.mcAddAudit IS NOT NULL AND assignment.mcValidateAddAudit IS NULL) \
                ) \
            ) \
        ) \
        AND repositorynames.attrname = 'MX_REPOSITORYNAME' AND repositorynames.SearchValue = '" + repositoryName + "' \
        AND privilegetype.attrname = 'MX_PRIVILEGE_TYPE' AND privilegetype.SearchValue = '" + privilegeType + "'";
    // result looks like privMskeyValue!!privMskeyValue!!privMskeyValue
    var result = uSelect(sql);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: SQL Query:\n" + sql);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Result: " + result);
    var allPrivsStringBuf = new StringBuffer();
    var firstElement = true;
    if (result != null && result != "") {
        var resultArray = result.split("!!");
        for (var i = 0; i < resultArray.length; i++) {
            var columns = resultArray[i];
            var columnArray = columns.split("|");
            // privMskeyValue is like PRIV:<type>:<repository>:<privilegeName>
            var privMskeyValue = columnArray[0];
            var repTemp = privMskeyValue.split(":");
            var repstring = repTemp[0] + ":" + repTemp[1] + ":" + repTemp[2] + ":";
            var privName = uReplaceString(privMskeyValue, repstring, "");
            if (!firstElement) {
                allPrivsStringBuf.append("|");
            }
            if (addValidityProperty) {
                var validfrom = columnArray[1];
                var validto = columnArray[2];
                allPrivsStringBuf.append("{VALIDFROM=");
                allPrivsStringBuf.append(validfrom);
                allPrivsStringBuf.append("!!VALIDTO=");
                allPrivsStringBuf.append(validto);
                allPrivsStringBuf.append("}");
            }
            allPrivsStringBuf.append(privName);
            firstElement = false;
        }
    }
    var allPrivs = String(allPrivsStringBuf); // must be casted explicitly to String
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Calculated privileges for " + Par + " are: " + allPrivs);
    return allPrivs;
}

/**
 * Prints out all assignments the user has (also all assignments in pending remove state etc.)
 */
function sap_debug_logUserAssignments(mskey) {
    var columns = "mcUniqueId, mcThisMSKEY, mcOtherMSKEY, mcAttrName, mcThisOcName, mcOtherOcName, mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect, mcAssignedInheritCount, mcExecState, mcExecStateHierarchy, mcChangeNumber, mcGroupGuid, mcLastAudit, mcAddedTime, mcModifyTime, mcValidateAddAudit, mcAddAudit, mcContextMSKEY, mcContextCategory, mcContextStr1, mcContextStr2, mcOrphan, mcSoDViolation, mcNotAllowedFor, mcUnsupportedContextType, mcMissingConditionalContext, mcDisabled, mcRequestID";
    var debugSql = "SELECT " + columns + " FROM idmv_link_ext WHERE mcThisMskey = " + mskey + " ORDER BY mcUniqueId";
    var debugResult = uSelect(debugSql);
    // format output: one assignment per line, tab-separated columns
    debugResult = uReplaceString(debugResult, "!!", "\n");
    debugResult = uReplaceString(debugResult, "\|", "\t");
    columns = uReplaceString(columns, ", ", "\t");
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug SQL Query:\n" + debugSql);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug Result:\n" + columns + "\n" + debugResult);
}
Thanks & Regards,
V!
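What the posted script actually decides is which of a user's assignments reach the ABAP backend, and that decision lives in the WHERE clause. The block below is an added example, not code from the thread or from SAP's Provisioning Framework: it re-implements the same state filter and the same output format over constructed mxi_link-style rows so the behaviour can be exercised offline. It assumes uSelect's "!!" between rows and "|" between columns, as the posted script parses it; the user mskey, repository names, privilege names and audit numbers are made up.

```javascript
'use strict';
// Added example, not code from the thread or from SAP's Provisioning Framework 2.
// It models what sap_abap_getNameOfAssignedPendingPrivileges (as posted above)
// computes, replacing the database query with an in-memory filter over
// constructed mxi_link-style rows so it runs offline. Column names and state
// codes are taken from the posted script's comments; uSelect's result encoding
// ("!!" between rows, "|" between columns) is the one the script parses.

// Constructed assignments for user mskey 172645 (values are illustrative).
function link(priv, repo, type, s) {
  return Object.assign({ mcThisMskey: 172645, priv, repo, type,
    mcDisabled: 0, mcAddAudit: null, mcValidateAddAudit: null,
    mcValidFrom: '2015-04-01', mcValidTo: '9999-12-31' }, s);
}
const MXI_LINK = [
  // assigned (mcLinkState 0 / mcExecState 1), enabled -> sent to backend
  link('PRIV:ROLE:BQQ001:SAP_BC_BASIS', 'BQQ001', 'ROLE',
       { mcLinkState: 0, mcExecState: 1, mcAddAudit: 10 }),
  // pending add (512), add-member task ran, no approval needed -> sent
  link('PRIV:ROLE:BQQ001:Z_FI_DISPLAY', 'BQQ001', 'ROLE',
       { mcLinkState: 1, mcExecState: 512, mcAddAudit: 11,
         mcValidFrom: '2015-04-09', mcValidTo: '2015-12-31' }),
  // pending add, approval done (add audit newer than validate audit) -> sent
  link('PRIV:ROLE:BQQ001:Z_MM_BUYER', 'BQQ001', 'ROLE',
       { mcLinkState: 1, mcExecState: 513, mcAddAudit: 14, mcValidateAddAudit: 12 }),
  // pending add, approval still running (validate audit newer) -> NOT sent
  link('PRIV:ROLE:BQQ001:Z_HR_ADMIN', 'BQQ001', 'ROLE',
       { mcLinkState: 1, mcExecState: 513, mcAddAudit: 12, mcValidateAddAudit: 13 }),
  // pending add whose add-member task never ran (future assignment) -> NOT sent
  link('PRIV:ROLE:BQQ001:Z_FUTURE', 'BQQ001', 'ROLE',
       { mcLinkState: 1, mcExecState: 512 }),
  // failed (4) -> NOT sent until it is retried and goes back to pending
  link('PRIV:ROLE:BQQ001:Z_BROKEN', 'BQQ001', 'ROLE',
       { mcLinkState: 1, mcExecState: 4, mcAddAudit: 9 }),
  // assigned but disabled (user deactivated) -> NOT sent
  link('PRIV:ROLE:BQQ001:Z_OLD', 'BQQ001', 'ROLE',
       { mcLinkState: 0, mcExecState: 1, mcDisabled: 1, mcAddAudit: 5 }),
  // different privilege type -> only returned when PROFILE is requested
  link('PRIV:PROFILE:BQQ001:SAP_ALL', 'BQQ001', 'PROFILE',
       { mcLinkState: 0, mcExecState: 1, mcAddAudit: 3 }),
  // different repository -> never returned for BQQ001
  link('PRIV:ROLE:BQQ002:SAP_BC_BASIS', 'BQQ002', 'ROLE',
       { mcLinkState: 0, mcExecState: 1, mcAddAudit: 4 }),
];

// The WHERE clause of the posted SQL, evaluated row by row. A NULL audit
// compares as unknown in SQL, so the "approval already done" branch needs both
// audits present, and the "no approval" branch needs mcAddAudit present.
function effective(a, mskey, repositoryName, privilegeType) {
  if (a.mcThisMskey !== mskey || a.repo !== repositoryName || a.type !== privilegeType) return false;
  const assigned = a.mcLinkState === 0 && a.mcExecState === 1 && a.mcDisabled === 0;
  const pendingAdd = a.mcLinkState === 1 && (a.mcExecState === 512 || a.mcExecState === 513)
    && a.mcAddAudit !== null
    && (a.mcValidateAddAudit === null || a.mcAddAudit > a.mcValidateAddAudit);
  return assigned || pendingAdd;
}

// Stand-in for uSelect: rows as "col|col|col!!col|col|col", DISTINCT applied.
function uSelectStub(mskey, repositoryName, privilegeType) {
  const rows = new Set();
  for (const a of MXI_LINK) {
    if (effective(a, mskey, repositoryName, privilegeType)) {
      rows.add([a.priv, a.mcValidFrom, a.mcValidTo].join('|'));
    }
  }
  return Array.from(rows).join('!!');
}

// Same contract as the posted script: "mskey!!repository!!privType<!!true>".
function getNameOfAssignedPendingPrivileges(Par) {
  const p = Par.split('!!');
  const mskey = Number(p[0]);
  const repositoryName = p[1];
  const privilegeType = p[2];
  const addValidity = p.length > 3 && String(p[3]).toLowerCase() === 'true';
  const result = uSelectStub(mskey, repositoryName, privilegeType);
  if (result === '') return '';
  return result.split('!!').map(row => {
    const [privMskeyValue, validFrom, validTo] = row.split('|');
    // MSKEYVALUE is PRIV:<type>:<repository>:<name>; strip exactly the first
    // three segments so a backend name that itself contains ':' survives intact.
    const parts = privMskeyValue.split(':');
    const privName = privMskeyValue.slice(parts[0].length + parts[1].length + parts[2].length + 3);
    return (addValidity ? `{VALIDFROM=${validFrom}!!VALIDTO=${validTo}}` : '') + privName;
  }).join('|');
}

console.log(getNameOfAssignedPendingPrivileges('172645!!BQQ001!!ROLE!!true'));
console.log(getNameOfAssignedPendingPrivileges('172645!!BQQ001!!ROLE'));
```

The rows marked NOT sent are the ones to keep in mind when editing the WHERE clause: the script's own note says the ABAP connector always pushes the complete list, so an assignment dropped from this list is one the backend ends up without. Two further points from the posted code: the repository name and privilege type are concatenated straight into SQL literals, which is fine while they come from the task definition but should not be fed from anything else, and the IN (512,513) test with the audit comparison is the only thing separating "approved and ready" from "still in approval".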
Hi Jai
Could you please confirm if the Identity center version and the schema versions below, match yours or not?
How can I make sure I get the right Provisioning framework this time? Do I need to reinstall/upgrade the db schema, designtime, runtime components and all that?
Thank you for your response
Best regards
Annapurna
Hi Annapurna,
We are on patch level 7 and schema level 1130, but that shouldn't be a problem here.
I think re-applying the designtime should put the updated provisioning framework into the templates folder from where you import.
Then import Provisioning Framework 2 into the correct Identity Store (as Tero suggested, make sure you check the option to overwrite the scripts).
Check for warnings and errors while importing the framework (check the import log file).
Not relevant here, but still: you should consider patching to the latest version available. I remember patch 2 had other bugs which were resolved in newer patches.
Kind regards,
Jai
Hi guys
Thanks for the ideas. I'll try both your suggestions and let you know if any of it resolves the issue. I am currently not at the clients', so I cannot try them out immediately. Will get back to you with the results within the week.
Best regards
Annapurna
Hi Annapurna,
It may sound stupid, but can you try deleting the scripts "sap_abap_convertToABAPValidFromDate" and "sap_abap_convertToABAPValidToDate" and then relinking them to the global scripts?
Cheers,
Chenyang Xiong
Hi Annapurna,
Show some screenshots from the failing task (job/destination tab) and from the task used to assign the privileges.
BR,
Simona
Have you upgraded the Provisioning Framework from earlier version to PF2?
If you look at Simona's screenshot, the script sap_abap_convertToABAPValidFromDate is not there among the linked scripts.
Perhaps you imported a new PF version but, in the import, didn't choose to overwrite the script sap_abap_getNameOfAssignedPendingPrivileges with the newer version that doesn't call sap_abap_convertToABAPValidFromDate (?).
regards, Tero
Hi Annapurna,
More like a paradox, the script doesn't look like yours in our system.
==========================================================
// Main function: sap_abap_getNameOfAssignedPendingPrivileges
/**
 * Returns a list of all privileges of the passed user for the passed repository
 * and the passed privilege type. It contains all already assigned privileges
 * plus/minus the delta of the current pending added and/or removed privileges.
 *
 * Note: Needed by connectors that always send the complete list of privileges
 * to the backend, e.g. ABAP, BusinessSuite, JAVA
 *
 * @param {Par} Format: MSKEY of user!!repository name!!privilege type
 *   e.g. 172645!!BQQ001!!PROFILE
 * @return {String} List of Privilege (backend) names in format : <priv>|<priv>|<priv>
 */
function sap_abap_getNameOfAssignedPendingPrivileges(Par) {
    importClass(java.lang.StringBuffer);
    // enable this flag (tracingEnabled) only for debugging purposes as this will impact the performance
    var tracingEnabled = false;
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: is called with " + Par);
    var parameters = Par.split("!!");
    var mskey = parameters[0];
    var repositoryName = parameters[1];
    var privilegeType = parameters[2];
    var addValidityProperty = false;
    if (parameters.length > 3 && parameters[3] != null && parameters[3].toLowerCase() == "true") {
        addValidityProperty = true;
    }
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: mskey: " + mskey);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: repositoryName: " + repositoryName);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: privilegeType: " + privilegeType);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: addValidityProperty: " + addValidityProperty);
    var nolock = "";
    if ("%$ddm.databasetype%" == 1) { // MS-SQL
        nolock = "WITH (NOLOCK)";
    }
    if (tracingEnabled) {
        sap_debug_logUserAssignments(mskey);
    }
    /*
     * - get only assignments (mcLinkType = 2)
     * - get all assignments of current entry X (mcLinkState = 0 & mcExecState = 1)
     * - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513)
     * - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
     *   assignment gets retried, the state changes immediately to pending.
     * - for specified repository Y
     * - and privilege type Z
     * - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
     *   -> no future assignments
     *   -> no assignments for which an approval will be done but approval task is not yet running
     * - no privileges for which an approval is needed/running
     *   mcValidateAddAudit < mcAddAudit <- approval is already done
     *   or mcValidateAddAudit IS NULL <- if no approval is necessary
     * - no duplicate privilege names (-> SELECT DISTINCT) in case of contexts
     */
    var sql = "SELECT DISTINCT privilegename.mcMSKEYVALUE, assignment.mcValidFrom, assignment.mcValidTo \
        FROM idmv_value_basic_all repositorynames " + nolock + " \
        INNER JOIN idmv_value_basic_all privilegetype " + nolock + " ON privilegetype.mskey = repositorynames.mskey \
        INNER JOIN idmv_entry_simple privilegename " + nolock + " ON privilegename.mcMSKEY = repositorynames.mskey \
        INNER JOIN mxi_link assignment " + nolock + " ON assignment.mcOtherMskey = repositorynames.mskey \
        WHERE assignment.mcThisMskey = " + mskey + " \
        AND assignment.mcLinkType = 2 \
        AND ( \
            (assignment.mcLinkState = 0 AND assignment.mcExecState = 1 AND assignment.mcDisabled = 0) \
            OR ( \
                assignment.mcLinkState = 1 AND assignment.mcExecState IN (512,513) \
                AND ( \
                    (assignment.mcAddAudit > assignment.mcValidateAddAudit) \
                    OR \
                    (assignment.mcAddAudit IS NOT NULL AND assignment.mcValidateAddAudit IS NULL) \
                ) \
            ) \
        ) \
        AND repositorynames.attrname = 'MX_REPOSITORYNAME' AND repositorynames.SearchValue = '" + repositoryName + "' \
        AND privilegetype.attrname = 'MX_PRIVILEGE_TYPE' AND privilegetype.SearchValue = '" + privilegeType + "'";
    // result looks like privMskeyValue!!privMskeyValue!!privMskeyValue
    var result = uSelect(sql);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: SQL Query:\n" + sql);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Result: " + result);
    var allPrivsStringBuf = new StringBuffer();
    var firstElement = true;
    if (result != null && result != "") {
        var resultArray = result.split("!!");
        for (var i = 0; i < resultArray.length; i++) {
            var columns = resultArray[i];
            var columnArray = columns.split("|");
            // privMskeyValue is like PRIV:<type>:<repository>:<privilegeName>
            var privMskeyValue = columnArray[0];
            var repTemp = privMskeyValue.split(":");
            var repstring = repTemp[0] + ":" + repTemp[1] + ":" + repTemp[2] + ":";
            var privName = uReplaceString(privMskeyValue, repstring, "");
            if (!firstElement) {
                allPrivsStringBuf.append("|");
            }
            if (addValidityProperty) {
                var validfrom = columnArray[1];
                var validto = columnArray[2];
                allPrivsStringBuf.append("{VALIDFROM=");
                allPrivsStringBuf.append(validfrom);
                allPrivsStringBuf.append("!!VALIDTO=");
                allPrivsStringBuf.append(validto);
                allPrivsStringBuf.append("}");
            }
            allPrivsStringBuf.append(privName);
            firstElement = false;
        }
    }
    var allPrivs = String(allPrivsStringBuf); // must be casted explicitly to String
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Calculated privileges for " + Par + " are: " + allPrivs);
    return allPrivs;
}

/**
 * Prints out all assignments the user has (also all assignments in pending remove state etc.)
 */
function sap_debug_logUserAssignments(mskey) {
    var columns = "mcUniqueId, mcThisMSKEY, mcOtherMSKEY, mcAttrName, mcThisOcName, mcOtherOcName, mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect, mcAssignedInheritCount, mcExecState, mcExecStateHierarchy, mcChangeNumber, mcGroupGuid, mcLastAudit, mcAddedTime, mcModifyTime, mcValidateAddAudit, mcAddAudit, mcContextMSKEY, mcContextCategory, mcContextStr1, mcContextStr2, mcOrphan, mcSoDViolation, mcNotAllowedFor, mcUnsupportedContextType, mcMissingConditionalContext";
    var debugSql = "SELECT " + columns + " FROM idmv_link_ext WHERE mcThisMskey = " + mskey + " ORDER BY mcUniqueId";
    var debugResult = uSelect(debugSql);
    // format output: one assignment per line, tab-separated columns
    debugResult = uReplaceString(debugResult, "!!", "\n");
    debugResult = uReplaceString(debugResult, "\|", "\t");
    columns = uReplaceString(columns, ", ", "\t");
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug SQL Query:\n" + debugSql);
    uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug Result:\n" + columns + "\n" + debugResult);
}
================================================================
Maybe something is wrong with your download file. Download the latest upgrade files again, import them and make sure you overwrite the scripts.
Kind regards,
Jai
Hi Annapurna,
I guess the script "sap_abap_convertToABAPValidFromDate" is missing in the task. Can you please confirm whether it's already there?
Kind regards,
Jai
Hi Annapurna,
Yes, we need more information, else everyone has to keep shooting in the dark.
Along with the screenshots, can you please check that the hook tasks are correctly configured? Maybe your hook task 4 is configured to point to the wrong task. Is your repository ABAP or BusinessSuite? If ABAP, MX_HOOK4_TASK should point to "4. Assign User Membership to ABAP", and for BusinessSuite it should be "4. Assign User Membership to BS ABAP".
Kind regards,
Jai