cancel
Showing results for 
Search instead for 
Did you mean: 

Provisioning Fails for Certain Users in Certain Repositories Only

Gregnol
Explorer
0 Kudos
228

I am running IDM 8 and I am trying to modify a users access via the IDM UI for a certain repository.
Provisioning shows as OK status but does not update the user in the ABAP system.
I get the following error

I have review the users account and can see that the use has the valid Priv_xc1010 only for that specific repository.
I also checked and the user has the System related priv assigned to them as well.

When I run the following sql statement I am able to see that the user does not have the Attrname for ACCOUNTXC1010

select*from idmv_value_basic_active where mskey ='45927'

How can I update this users account so that I can update use IDM to deprovision the users access?

I have tried to provision this user to other environments and it works no problem.

This user and others like it came in as part of an initial load.

Accepted Solutions (1)

Accepted Solutions (1)

lambert-giese
Active Participant

MX_PERSON who have an account in a repository must have the ACCOUNT%$rep.$NAME% attribute set to their logon ID in that repository, in addition to having assignments to PRIV:%$rep.$NAME%:ONLY and PRIV:SYSTEM:%$rep.$NAME%.

If that constraint is not fulfilled for some of your data, then this data is inconsistent - maybe because of wrong logic in the initial load job that created the inconsistent entries.

One way to fix this is to implement a data cleansing job that processes the inconsistent entries to add the missing ACCOUNT%$rep.$NAME% attribute, typcially using a toIdStore pass.

After running such a job, deprovisioning the account from SAP IDM web UI will no longer run into the problem shown in your screenshot.

Gregnol
Explorer
0 Kudos

Thanks Lambert. I created a simple toidstore pass based on the update user account attribute pass and the issue has been resolved.

Answers (1)

Answers (1)

former_member198652
Active Participant
0 Kudos

Hi Robert,

As Lambert said, check the user in DB, is he having AccountXCXC1010 attribute with mskeyvalue. If it is not there, fix. Problem can be solved.

Regards,

Jay

alexanderbrietz
Active Contributor
0 Kudos

Hi Jay,

I prefer Lamberts answer for he stated more correct that ACCOUNT%$rep.$NAME% has to be set to the corresponding logon ID in the system. This does not necessarily mean MSKEYVALUE but in implementations of SAP IdM connected to mainly ABAP systems often is the case.

Regards,

Alex