
SAP IDM 8.0 Provisioning of group privilege assignments



I set up Active Directory as a target system. I imported the new packages for Eclipse and did the initial load for AD (System privileges were created).

When I assign the PRIV:AD:ONLY privilege to an identity, the identity gets provisioned to AD.

When I assign the PRIV:AD:ONLY privilege to a group, the group gets provisioned to AD.

So far so good.

But when I assign the group to the identity I get the error in the execution log:

Cannot obtain mskey for group privilege PRIV:GROUP:AD:CN\=MY AD GROUP\,CN\=GROUPS\, DC\=DUMMY\, DC\=COM

The CN represents my CN in Active Directory, but I have no PRIV:GROUP:AD privilege?

So I cannot provision group assignments to AD, and I used only the default packages with no modifications.

And an additional question: when does the RDS for 8.0 come out?

Are there some predefined approval processes like in 7.2?

Thanks, Patrick

Accepted Solutions (1)


Hi Patrick,

Were you able to confirm that this group priv is available in the system?

Check if this SQL gives any hit:

select * from idmv_entry_simple with (nolock) where mcmskeyvalue = 'PRIV:GROUP:AD:CN\=MY AD GROUP\,CN\=GROUPS\, DC\=DUMMY\, DC\=COM'

By default, the initial load job in IDM 7.2 has "WriteGroupPrivileges" enabled. Hope this is the case in IDM 8.0 as well.

Kind regards,



Hi Jai,


Thank you! You pointed me in the right direction. I disabled a few actions in the initial load job, including "WriteGroupPrivileges".

I had to disable the following attributes: MX_INHERIT, MX_GROUP_INHERITANCE

I got the following error:

Value not legal for this attribute:Attribute: MX_GROUP_INHERITANCE" when storing attribute 'MX_GROUP_INHERITANCE=ONE'

Thanks for the fast help!


Edit: Do I need a privilege for the target system for every group in IDM?
