on 11-30-2015 10:12 PM
Hi all,
I noticed that for some reason, when I delete an entry (whether with the Delete Identity task or a To IS pass with changetype:delete) it replaces the mskeyvalue to MX_<mskey> and the entrystate is changed to 2.
So far, in other IDM installations, this was not happening. The entry was simply deleted.
Currently running DesignTime 7.2 sp10 patch8 // RT sp10 patch3
Any ideas on how to change this?
Thank you!
Marco
Hello Marco,
This can happen when an object should be deleted while there is another process working with the object. I have seen a few of these entries before. This can for example happen when a deletion process is executed on a person that still has an orphan assignment on it. The user will be marked for deletion but cannot be deleted because of the reference on it. When you remove the orphan assignment the housekeeping will automatically kick in, even though there might still be a process running for sending an Email notification that the assignment was removed. To have something to work with, the system will automatically create/rename the object to MX_<MSKEY> which usually indicates a temporary value (Pending Value) that should be deleted after being worked off. The behaviour is a bit inconsistent though. Sometimes it just works fine, sometimes the MX_<MSKEY> thingy happens. I guess this is a problem within the housekeeping procedure and timing. From what I can remember you need to delete these entries directly via mc_ids_reset_mskey %MSKEY% (SQL syntax) afterwards because they are not visible in the UI anymore.
This is surely a bug but for more insight on this, I would probably recommend you to open a ticket with SAP.
Regards
Tobias
Hello Marco,
The orphan assignment does not have to be the only reason, there are other situations that could trigger this behaviour. Can you check the provision queue for one of those deleted entries and check if anything is still hanging around there? The user was created via a UI task?
Regards
Tobias
Hello Marco,
Just tried to reproduce this on our test system but I cannot seem to do it, but we are not running SP10 admittedly. Can you check if you find anything for one of these users in the audit table? If you created the guy directly via the add user option and afterwards deleted him via a Job and changetype delete there should probably be nothing in there. Is this happening for all of your users? Does the same happen when you for example try to delete a privilege or a business role?
Regards
Tobias
Hi Tobias,
There's nothing on the provisioning or audit tables. It's a fresh new install. No provisioning framework has been imported yet, no repositories, no privileges or business roles.
As soon as I finished setting up the config point, I added the user manually. Created a To IS pass:
mskeyvalue: testuser and changetype: delete.
Thanks for your help
Marco
Hello Marco,
OK, this is a little bit of a special case then. You will have pretty severe issues in the complete IDM system if you do not import the provisioning framework. If you for example create an initial load job for a repository through the wizard, everything will be set up by the system, but you will encounter that all global scripts being used within the job are empty, for example.
To be honest I do not know if this can also be the root cause for your deletion behaviour but I would really suggest to import the provisioning framework first, since the behaviour you are encountering is usually triggered by different situations coming together as Matt and I pointed out. But since you do not have anything imported into your IDstore this changes the game a bit.
Regards
Tobias
Hello Marco,
This depends a little bit on the frequency this occurs when users are deleted in your system. If it happens all the time I would recommend to review the deletion process for users. E.g. what is running prior to this, what is the condition a user needs to be in in your system when it is deleted etc.
And if nothing can be found there, open a case with SAP to report this so they have a look at your system.
If this only happens occasionally it might be something you have to cope with and fix the cases manually, (unfortunately) yes.
Regards
Tobias
Hi Marco,
I would agree with Tobias' comments, however I have seen one other scenario where this happens, and it is when provisioning goes through without an explicitly defined MSKEYVALUE. It takes a little bit of work but it can happen.
This could also happen if the deprovisioning process gets interrupted or if the IDM account is removed and then the identity is reconciled (as opposed to loaded) back into IDM.
Most updates to IDM have tried to address this, but I guess it can still happen.
Matt