on 06-25-2015 3:46 PM
Hello,
I've been trying to use a privilege with a master privilege and a No Master task to force a precondition on a user to be calculated only once (a definitive MSKEYVALUE depending on the user name).
The structure is like this:
PRIV:IAM:ONLY is the master privilege of PRIV:IAM:MSKEYVALUE
Calculate MSKEYVALUE is the No Master task of PRIV:IAM:MSKEYVALUE; it will try to calculate the MSKEYVALUE and will give PRIV:IAM:ONLY to the user
The task that needs the MSKEYVALUE calculated starts by assigning PRIV:IAM:MSKEYVALUE to the user, waiting for all event tasks before continuing, and with a task on chain fail to mark the pending value as failed.
If the MSKEYVALUE calculation fails, the task is correctly stopped, and the PRIV:IAM:MSKEYVALUE privilege will time out and fail too. But when I try to reassign the privilege, manually or through the task, it will immediately fail without starting the No Master task, and the task itself will continue, because the assignment action itself did not fail.
Now, looking into the link table, the link with the privilege, when retried or deleted and reassigned, keeps the same auditID for the No Master task.
Is there any way to force the No Master task to retry when retrying the assignment, or another way to ensure that a task is run only once on a user?
After some digging around, it seems that the No Master task can only be executed once per day, as seen in SAP Note 1813800. I'm still looking for a way to work around this for my one-time-only task.
Hi Julien,
SAP Note 1813800 says the issue exists in IDM 7.2 SP7.
In higher SP levels, the issue should not exist.
If PRIV:IAM:ONLY (account privilege) is in failed status (mcexecstate=4), then try reconciling the mskey of the user (using the internal function uIS_PrivReconcile() using a job), which will try to trigger provisioning for the privilege again, and if an error occurs, check the relevant global job log.
Regards,
Pradeep
From what I understood of the Note, the 24 hour delay is intended behaviour when the master privilege has not been assigned. This behaviour has been confirmed by retrying the assignment of the subject privilege with an older test, done a few days ago.
As I just said, the master privilege (PRIV:IAM:ONLY) is never assigned. This is what I intend to happen when the MSKEYVALUE cannot be correctly calculated due to missing data on a user.
My problem is that after the first failure, assigning the subject privilege (PRIV:IAM:MSKEYVALUE) again does not trigger the master task again, which means there is no MSKEYVALUE calculation (either success or failed) and the task continues with an incomplete user.
I am on SP9 and there are no 24h delays/limits in "No Master Task". I can assign a random privilege to a user, wait for the provisioning to complete, take away the account privilege, wait for the deprovisioning to complete, add another random privilege and loop forever.
What do you mean by MSKEYVALUE calculation?
All privileges must exist, must point to the correct repository (attribute MX_REPOSITORY), must have the required privilege (attribute MX_REQ_PRIV) and must have the needed tasks (MX_ADD/DEL_MEMBER_TASKs) set.
If you want to check the repository and privilege settings here, add a screenshot of your repository settings and privilege tasks.
regards, Tero
Our workflow needs to calculate a definitive MSKEYVALUE for each user from its firstname / lastname. This calculation is triggered by a No Master task on the account privileges for each repository, so that it is calculated before the account is created, and then PRIV:IAM:ONLY is given.
Now, when this calculation fails, PRIV:IAM:ONLY is never given, meaning that any subject privileges are not given. The problem is, the No Master task cannot be triggered again before 24 hours, because the master privilege has not been given. This behavior has been verified experimentally, confirmed by the SAP Note (which does not specify that this behavior is a bug), and further confirmed by the stored procedure mxp_xeval_link, which DOES possess a check for the No Master task being run in the last 24 hours (verified in IDM 7.10).
No, I was able to work around this behavior by adding an On Chain Fail task to the MSKEYVALUE calculation task, which adds the master privilege then removes it. As noted by Tero, there is no limit when removing the master privilege; the No Master task can start again right away.