User deletion: mskeyvalue replaced by MX_<MSKEY>

Former Member
0 Kudos

Hi all,

I noticed that for some reason, when I delete an entry (whether with the Delete Identity task or a To IS pass with changetype:delete) it replaces the mskeyvalue with MX_<mskey> and the entrystate is changed to 2.

So far, in other IDM installations, this was not happening. The entry was simply deleted.

Currently running DesignTime 7.2 sp10 patch8 // RT sp10 patch3

Any ideas on how to change this?

Thank you!

Marco

Accepted Solutions (1)

Former Member
0 Kudos

Hello Marco,

This can happen when an object should be deleted while there is another process working with the object. I have seen a few of these entries before. This can for example happen when a deletion process is executed on a person that still has an orphan assignment on it. The user will be marked for deletion but cannot be deleted because of the reference on it. When you remove the orphan assignment the housekeeping will automatically kick in, even though there might still be a process running for sending an Email notification that the assignment was removed. To have something to work with, the system will automatically create/rename the object to MX_<MSKEY> which usually indicates a temporary value (Pending Value) that should be deleted after being worked off. The behaviour is a bit inconsistent though. Sometimes it just works fine, sometimes the MX_<MSKEY> thingy happens. I guess this is a problem within the housekeeping procedure and timing. From what I can remember you need to delete these entries directly via mc_ids_reset_mskey %MSKEY% (SQL syntax) afterwards because they are not visible in the UI anymore.

This is surely a bug but for more insight on this, I would probably recommend you to open a ticket with SAP.

Regards

Tobias
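The pattern described in this thread (an entry whose mskeyvalue has become MX_ followed by its own mskey, with entrystate 2) can be checked for in bulk. This is an added example, not part of the original posts and not SAP code; the CSV export and its column names (mskey, mskeyvalue, entrystate) are assumptions and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample export; the column names (mskey, mskeyvalue, entrystate)
# are assumptions for this example, not a documented SAP IDM export format.
SAMPLE_EXPORT = """mskey,mskeyvalue,entrystate
1001,jdoe,0
1002,MX_1002,2
1003,mx_1003 ,2
1004,MX_9999,2
1005,MX_1005,0
1006,testuser,2
"""

MX_NAME = re.compile(r"^MX_(\d+)$", re.IGNORECASE)

def classify(row):
    """Return a label for one entry row, or None if it looks ordinary."""
    mskey = row["mskey"].strip()
    name = row["mskeyvalue"].strip()
    state = row["entrystate"].strip()
    m = MX_NAME.match(name)
    renamed_to_own_key = bool(m) and m.group(1) == mskey
    if renamed_to_own_key and state == "2":
        return "leftover"            # the exact pattern described in the thread
    if renamed_to_own_key:
        return "renamed_only"        # MX_<mskey> name, but entrystate is not 2
    if m:
        return "foreign_mx_name"     # MX_<n> where n is not this entry's mskey
    if state == "2":
        return "state_only"          # entrystate 2 while keeping an ordinary name
    return None

def find_leftovers(export_text):
    """Map mskey -> label for every row that needs a closer look."""
    reader = csv.DictReader(io.StringIO(export_text))
    findings = {}
    for row in reader:
        label = classify(row)
        if label:
            findings[row["mskey"].strip()] = label
    return findings

if __name__ == "__main__":
    for mskey, label in find_leftovers(SAMPLE_EXPORT).items():
        print(mskey, label)
```

Rows labelled anything other than "leftover" do not match the thread's description exactly and are reported separately so they can be reviewed by hand.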

Former Member
0 Kudos

Hi Tobias,

Thank you for your reply.

In our case, this is a brand new installation without anything on it, so no orphan assignments are "pending".

To test it, we had created a new environment and did the pass right after the first connection to the IC.

Any other suggestions are welcome.

Marco

Former Member
0 Kudos

Hello Marco,

The orphan assignment does not have to be the only reason, there are other situations that could trigger this behaviour. Can you check the provision queue for one of those deleted entries and check if anything is still hanging around there? The user was created via a UI task?

Regards

Tobias

Former Member
0 Kudos

Hi,

The provisioning queue is empty. The user was created using the Add User... option under the Identity store (without admin privs).

Thanks!

Former Member
0 Kudos

Hello Marco,

Just tried to reproduce this on our test system but I cannot seem to do it, but we are not running SP10 admittedly. Can you check if you find anything for one of these users in the audit table? If you created the guy directly via the add user option and afterwards deleted him via a Job and changetype delete there should probably be nothing in there. Is this happening for all of your users? Does the same happen when you for example try to delete a privilege or a business role?

Regards

Tobias

Former Member
0 Kudos

Hi Tobias,

There's nothing on the provisioning or audit tables. It's a fresh new install. No provisioning framework has been imported yet, no repositories, no privileges or business roles.

As soon as I finished setting up the config point, I added the user manually. Created a To IS pass:

     mskeyvalue: testuser and changetype: delete.

Thanks for your help

Marco

Former Member
0 Kudos

Hello Marco,

OK, this is a little bit of a special case then. You will have pretty severe issues in the complete IDM system if you do not import the provisioning framework. If you for example create an initial load job for a repository through the wizard everything will be set up by the system but you will encounter all global scripts being used within the job are empty for example.

To be honest I do not know if this can also be the root cause for your deletion behaviour but I would really suggest to import the provisioning framework first, since the behaviour you are encountering is usually triggered by different situations coming together as Matt and I pointed out. But since you do not have anything imported into your IDstore this changes the game a bit.

Regards

Tobias

Former Member
0 Kudos

Thanks to both of you for your replies,

This "empty" environment is the second that I installed for troubleshooting purposes. The first being a fully deployed environment, with a provisioning framework, etc., and having the same issue.

I'll just assume it works as designed.

Thanks again!

Marco

Former Member
0 Kudos

Hello Marco,

This depends a little bit on the frequency this occurs when users are deleted in your system. If it happens all the time I would recommend to review the deletion process for users. E.g. what is running prior to this, what is the condition a user needs to be in in your system when it is deleted etc.

And if nothing can be found there, open a case with SAP to report this so they have a look at your system.

If this only happens occasionally it might be something you have to cope with and fix the cases manually, (unfortunately) yes.

Regards

Tobias

Answers (1)

former_member2987
Active Contributor
0 Kudos

Hi Marco,

I would agree with Tobias' comments, however I have seen one other scenario where this happens, and it is when provisioning goes through without an explicitly defined MSKEYVALUE. It takes a little bit of work but it can happen.

This could also happen if the deprovisioning process gets interrupted or if the IDM account is removed and then the identity is reconciled (as opposed to loaded) back into IDM.

Most updates to IDM have tried to address this, but I guess it can still happen.

Matt