Assignment status showing 'Not Allowed' on IDM UI

Former Member
0 Kudos

Hi Experts,

On the IDM User Interface we have privilege assignments to users which are showing the status "Not Allowed". Is there any way to fix it? The role assignment has not been completed, so it was showing 'Pending' status.


I have tried to fix the issue at database level using the below SQL query to make the assignment 'Rejected'.

UPDATE mxi_link SET mcexecstate = 1026
WHERE mcThismskey = <usermskey> AND mcOthermskey = <privmskey> AND mcOrphan = 0
  AND mcLinkType = 2 AND mcLinkState < 2

but the assignment is showing 'Not Allowed' status. I have also deleted the assignment link in the database.

DELETE FROM mxi_link
WHERE mcThismskey = <usermskey> AND mcOthermskey = <privmskey> AND mcOrphan = 0
  AND mcLinkType = 2 AND mcLinkState < 2

and tried the role assignment again, but the assignment status still shows 'Pending' and then 'Not Allowed'. I have also used the reconcile/repair entry functions to fix this issue, but without any luck.

We have implemented 'Context Based Assignment provisioning'; this is the reason, if there is any issue with context-based assignment.

Experts, please suggest solutions.

Accepted Solutions (0)

Answers (3)

Ckumar
Contributor
0 Kudos

Hello Kishor/IDM Experts,

Could you please share whether you were able to fix the "Not allowed" issue for the privileges? We are getting the same issue in our IDM 7.2 SP10.

I ran the below query for such entries

select mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect,
       mcAssignedInheritCount, mcAssignedMasterPrivilege, mcOrphan, mcExecState,
       mcExecStateHierarchy, mcLastAudit, mcMasterPrivMSKEY
from idmv_link_ext
where MCOTHERMSKEY = %PRIV_MSKEY% and MCTHISMSKEY = %USER_MSKEY%

and got this output

I knew the value of mcExecState 1024 means Remove (Views for reference attributes) but I wanted to know why its mcExecState value has been changed to 1024 and how to fix it.

I also wanted to know whether, if the mcExecState value is 1024, it always shows "Not allowed" in the SAP IDM UI, or whether it is showing that in just my case.

Regards,

C Kumar

former_member297605
Active Participant
0 Kudos

Hi C Kumar

If you click on "not allowed", does it allow you to retry the assignment? If so, do you see any errors in the job log after you try a "retry"? Do you have GRC integration? Does GRC complete the final provisioning?

Regards

Ranjit

Ckumar
Contributor
0 Kudos

Hello Ranjit,

Retry option was disabled for these privileges in the SAP IDM UI.

Yes, we have SAP IDM-GRC integration too and, strangely, today the status of all these privileges has been changed to Failed.

Didn't get time to check whether they complete final provisioning through GRC. I will check and post.

Regards,

C Kumar

former_member297605
Active Participant
0 Kudos

Hi Kumar

Since the assignment status is "failed" now, you should be able to click it and complete a retry. After you do a retry and save the record, check the job log in the IDM MC to see if there are any errors and if the assignment status goes back to "failed".

If GRC AC is completing the final provisioning, check the GRC Access Requests for the affected user to see if there are any requests in "Pending" status for the privileges that are failing. This may be one of the reasons why it is failing on the IdM end.

Regards

Ranjit

devaprakash_b
Active Contributor
0 Kudos

Hi Kumar,

I too have come across this issue many times. Whenever I try to remove any privilege with 512 status, it changes to not allowed. Please update the mcexecstate to 1025 and then re-assign the privileges.

update MXI_LINK
set mclinkstate = 2, mcexecstate = 1025, mcexecstatehierarchy = 1025, mcaddaudit = NULL, mcdelaudit = NULL,
    MCLINKTYPE = <linktype> /* value missing in the original post */, MCLASTAUDIT = 0, MCAUDITID = 0
where mcthismskey = <usermskey> and mcuniqueid = <linkid>;



Regards,

DP

Ckumar
Contributor
0 Kudos

Thanks DP!

I believe it should be 1024 instead of 1025. Could you please check and confirm?

I too have come across this issue many times. Whenever I try to remove any privilege with 512 status, it changes to not allowed. Please update the mcexecstate to 1025 and then re-assign the privileges.

As per my knowledge, mcExecState 1024 means Remove, and here the privileges' status is automatically changing to Failed in the next days, so I believe this is not required.

I am investigating my workflow to find out why the system is trying to remove these privileges even though their mcexecstate is 512, and will update soon.


Regards,

C Kumar

Former Member
0 Kudos

Hi Kishore,

Can you share the values of mclinkstate, mcexecstate, mcassigneddirect, mcexecstatehierarchy, mcorphan using mxi_link or idmv_link_ext for such entries?

Regards,

Pradeep

jaisuryan
Active Contributor
0 Kudos

Hi Kishor,

Seems like this is happening quite a few times in 7.2. I have seen this in my last project as well (no context based provisioning used) but never really got the chance to investigate in detail.

The above blog is unresolved too, but if you can check Per Krabsetsve's comment and post the SQL results here, we can try to decode further.

Kind regards,

Jai