Cannot reassign a privilege after the No Master Task failed

Former Member
0 Kudos

Hello,

I've been trying to use a privilege with a master privilege and a No Master task to force a precondition on a user to be calculated only once (a definitive MSKEYVALUE depending on the user name).

The structure is like this:

PRIV:IAM:ONLY is master privilege of PRIV:IAM:MSKEYVALUE

Calculate MSKEYVALUE is the No Master task of PRIV:IAM:MSKEYVALUE; it will try to calculate the MSKEYVALUE and will give PRIV:IAM:ONLY to the user

The task that needs the MSKEYVALUE calculated starts by assigning PRIV:IAM:MSKEYVALUE to the user, waiting for all event tasks before continuing, and with a task on chain fail to mark the pending value as failed

If the MSKEYVALUE calculation fails, the task is correctly stopped, and the PRIV:IAM:MSKEYVALUE privilege will time out and fail too. But when I try to reassign the privilege, manually or through the task, it will immediately fail without starting the No Master task, and the task itself will continue, because the assignment action itself did not fail.

Now, looking into the link table, the link with the privilege, when retried or deleted and reassigned, keeps the same auditID for the No Master task.

Is there any way to force the No Master task to retry when retrying the assignment, or another way to ensure that a task is run only once on a user?

Accepted Solutions (1)

Former Member
0 Kudos

After some digging around, it seems that the No Master task can only be executed once per day, as seen in SAP Note 1813800. I'm still looking for a way to work around this for my one-time-only task.

Former Member
0 Kudos

Hi Julien,

SAP Note 1813800 says the issue exists in IDM 7.2 SP7.

In higher SP levels, the issue should not exist.

If PRIV:IAM:ONLY (account privilege) is in failed status (mcexecstate=4), then try reconciling the mskey of the user (using the internal function uIS_PrivReconcile() in a job), which will try to trigger provisioning for the privilege again, and if an error occurs, check the relevant global job log.

Regards,

Pradeep

Former Member
0 Kudos

From what I understood of the Note, the 24 hour delay is intended behaviour when the master privilege has not been assigned. This behaviour has been confirmed by retrying the assignment of the subject privilege with an older test, done a few days ago.

As I just said, the master privilege (PRIV:IAM:ONLY) is never assigned. This is what I intend to happen when the MSKEYVALUE cannot be correctly calculated due to missing data on a user.

My problem is that after the first failure, assigning the subject privilege (PRIV:IAM:MSKEYVALUE) again does not trigger the master task again, which means there is no MSKEYVALUE calculation (either success or failed) and the task continues with an incomplete user.

terovirta
Active Contributor
0 Kudos

I am on SP9 and there are no 24h delays/limits in "No Master Task". I can assign a random privilege to a user, wait for the provisioning to complete, take away the account privilege, wait for the deprovisioning to complete, add another random privilege and loop forever.

What do you mean by MSKEYVALUE calculation?

All privileges must exist, must point to the correct repository (attribute MX_REPOSITORY) and must have the required privilege (attribute MX_REQ_PRIV) plus have the needed tasks (MX_ADD/DEL_MEMBER_TASKs) set.

If you want to check the repository and privilege settings here, add a screenshot of your repository settings and privilege tasks.

regards, Tero

Former Member
0 Kudos

Our workflow needs to calculate a definitive MSKEYVALUE for each user from its firstname / lastname. This calculation is triggered by a No Master task on the account privileges for each repository, so that it is calculated before the account is created, and then PRIV:IAM:ONLY is given.

Now, when this calculation fails, PRIV:IAM:ONLY is never given, meaning that any subject privileges are not given. The problem is, the No Master task cannot be triggered again before 24 hours, because the master privilege has not been given. This behavior has been verified experimentally, confirmed by the SAP note (which does not specify that this behavior is a bug), and further confirmed by the stored procedure mxp_xeval_link, which DOES possess a check for the No Master task being run in the last 24 hours (verified in IDM 7.10).

Now, I was able to work around this behavior by adding an On Chain Fail task to the MSKEYVALUE calculation task, which adds the master privilege then removes it. As noted by Tero, there is no limit when removing the master privilege; the No Master task can start again right away.

Answers (0)