on 08-11-2014 6:41 PM
Hi experts,
I'm using IDM 7.2 SP 9, and when a user has an privilege and using the web user interface to remove a privilege and save, some minutes after we check the same user and the privilege gets the status as not allowed
Does anyone knows the reason of it ?
I would put a trace on this user's account then try to remove the privilege. That trace log should show you where the deprovisioning process is failing. At least then, you know where to focus your efforts.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
What does this privilege control? Is this privilege granting rights within IDM itself or is IDM suppose to provision rights to a target system like SAP or AD? I ask because if it's within IDM, I could see why the trace log is so short. If by adding this privilege IDM is supposed to provision rights out to an external system, I would then check to make sure the account / system privileges are properly applied to this user and then check the modify task that's suppose to fire off as a result of adding a privilege to external systems. If all you're getting back is 7 lines, the core of your issue is, why aren't the tasks that actually do the work being executed? I wish I was sitting in front of your system so I could look through it and determine what's going wrong but unfortunately, that costs money.
You can also try looking at the link-audit and see if there's any additional messages using:
select auditdate,auditid,operation,operationText,AdditionalInfo from idmv_linkaudit_ext where linkid = 1294502 order by AuditDate desc
It could also help to see some additional link properties for this assignment:
select
mcThisMSKEYVALUE,mcOtherMSKEYVALUE,mcLinkState,mcAssignedDirect,
mcAssignedInheritCount,mcAssignedMasterPrivilege,mcOrphan,mcExecState,
mcExecStateHierarchy,mcLastAudit,mcMasterPrivMSKEY
from idmv_link_ext where mcUniqueID = 1294502
Br,
Chris
Hello,
does this happen for all privileges of a specific repository? Or just for a specific user?
Regards,
Steffi.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
When we add it in IDM it apply on the back end system, for the privileges that has GRC integration and others that not, the standard mx privileges I can do remove withouth problems.
the comunication user has the Sap_all and sap_new profile and also the integrations roles, this problem beguns after the upgrade to sp9
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.