on 2014 Mar 10 2:15 PM
Hello There,
I am new to SAP IDM. I need a help here, We are using 7.2V and we have an issue where there are two views in our DB with all user details.
We observed that the users who are in idmv_valink_basic are not in idmv_valink_basic_active. Due to this when we delete any user who is not in active view, we receive an error stating that mskey doesn't exist. Do we have any option to move users from basic to active view or any way to resolve this issue.
Thanks,
Bhanusri
If the user is not in the active view then its most likely inactive. The views are this way by concept and design, and are part of the difference between inactive/active accounts. If I recall correctly it's not possible to directly delete an inactive account in SP8, it has to be reactivated first. This is controlled by the MX_INACTIVE attribute.
Br,
Chris
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Chris,
Thanks for the reply.
I understood the concept of active view but here the case is very peculiar. The users who are all in Basic and Active are both active and inactive and has a difference of 90 users. So that is the problem when any of these 90 users need to be deleted, it checks in active view and thus it throws error.
I want to know, whether we have any script that deletes all these users who are not in active view.
Hi Bhanu,
I am assuming you are running IdM 7.2 latest patches.
Please confirm whether the Housekeeping Jobs are running properly?
Check for dirty entries and reconcile or repair entries.
The views you mentioned excludes the expired entries from mxi_values.
Please check the query implementation for both views.
Hope these helps!.
Regards,
Ridouan
I've tried to summarize this from the database table point of view. This you can find just by looking at the view definitions as well. The Web UI is also capable of showing users and assignments in both active and inactive states..
This means that
Case 1:
Check the entry state using one of these (replace ADMINISTRATOR with your users mskeyvalue)
select mcMskey,mcMskeyValue, mcEntryState,mcLastModified
from mxi_entry where mcMSKEYVALUE='ADMINISTRATOR'
Or for a textual state translation:
select mcMskey,mcMskeyValue,mcLastModified, mcEntryState,
case
when mcEntryState = 0 then 'Active'
when mcEntryState = 1 then 'Inactive (MX_INACTIVE is set)'
when mcEntryState = 2 then 'Deleted'
when mcEntryState = 3 then 'Pending Delete'
else 'you did something unexpected'
end EntryState
from mxi_entry where mcMSKEYVALUE='ADMINISTRATOR'
Then check if the entry has mx_inactive set (replace 23 with the mcmskey value retrieved above):
select mskey,mcAttrName,mcSearchValue from idmv_vallink_basic
where mcattrname = 'MX_INACTIVE' and mcmskey = 23
If this attribute is set then the entry has been Inactivated and must be reactivated. See the helpfile for the MX_INACTIVE topic.
Case 2:
Check if the value is shown in a view that lists all active and expired attribute values for an entry
select mskey,Attr_ID,AttrName,ExpiryTime from idmv_value_basic_all
where attrname = '<missing attribute>' and mskey = 23
If the expiration date of the attribute value is in the past then you're not supposed to see it and all is as designed.
Case 3:
Check if the link assignment is shown in the link table completely unfiltered:
select L.mcThisMSKEY,L.mcOtherMSKEY, L.mcLinkState, E.mcMSKEYVALUE mcthismskeyvalue, A.mcMSKEYVALUE mcothermskeyvalue
from mxi_link L
inner join mxi_entry E on L.mcThisMskey = E.mcMskey
inner join mxi_entry A on L.mcOtherMskey = A.mcMskey
where L.mcThisMskey = 23
Linkstate 0=active, 1=inactive, 2=deleted, 3=disabled (version 8+ only)
Some typos and mistakes are probably present, but it should be a fairly correct summary.
Br,
Chris
Hi Per,
Many many Thanks for reply with such a nice explanation.
I have followed the above procedure and found that mxi_values.ExpiryTime IS NULL OR mxi_values.ExpiryTime > GETDATE() for those users(who are in idmv_vallink_basic view but not in idmv_vallink_basic_active view).
then again i executed the following query by putting the right mskey instead of 23
select mskey,mcAttrName,mcSearchValue from idmv_vallink_basic
where mcattrname = 'MX_INACTIVE' and mcmskey = 23
and got result as blank
from this i understood that user is Active in idmv_vallink_basic view.
Then i tried to execute the Query
select mskey,Attr_ID,AttrName,ExpiryTime from idmv_value_basic_all
where attrname = '<missing attribute>' and mskey = 23
but i am not getting which attribute i should use in place of Missing Attribute ?
after executing the Query(with proper mcThismskey)
select L.mcThisMSKEY,L.mcOtherMSKEY, L.mcLinkState, E.mcMSKEYVALUE mcthismskeyvalue, A.mcMSKEYVALUE mcothermskeyvalue
from mxi_link L
inner join mxi_entry E on L.mcThisMskey = E.mcMskey
inner join mxi_entry A on L.mcOtherMskey = A.mcMskey
where L.mcThisMskey = 23
i got many rows which include mclinkState as 0,1 and 2.
even there are many mcOtherMSKEY whose mclinkState value as 2.
Could you please also tell which mcOtherMSKEY mclinkstate value i should make as 0 to copy the user in to idmv_vallink_basic_active view.
When i executed the same above query for one user who is active in IDM and in Both table idmv_vallink_basic and idmv_vallink_basic_active then i also got the result as many mclinkState value as 2.
hence, i am confused.
Please guide me.
BR,
C Kumar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Kumar,
That's possible as you may have deleted/amended some assignment such as MXREF_MX_ROLE, MX_MANAGER, etc (Reference attributes).
LinkState means:
0 - Active Reference
1 - Inactive Reference
2- Deleted Reference
In case you have removed a role (mcOtherMSKEY) from a user on the UI, this will be shown here with state 2 as the reference was removed and is not valid.
I would strongly recommend you to go through the available help in the IdM Console.
If you type Views you will see many topics that explains the Views, attributes and how they are constructed in IdM. This will give you a good understanding of your problem.
I know you are frustrated but in SAP IdM many times it's just a small thing that causes huge issues.
Please ensure that all the housekeeping Jobs are running correctly without any errors.
What version (SP release) of IdM are you using?
Is this a production or Dev environment?
Regards,
Ridouan
Thanks for reply Taibi,
I am using Management Colsole 3.0 and SP 7.2
I am facing this issue in Production environment and i have access to Production Database only.
you might be right Taibi that some how some assignement may be got deleted from IDM but to know that which particular assignment has been deleted i follow below procedure.
I have taken Two users, one which exist in both view Idmv_vallink_basic view and Idmv_vallink_basic_active view while another which exist in only view Idmv_vallink_basic_active view.
Afterthat i run the following query by passing the proper mskey of each of two user one by one
select L.mcThisMSKEY,L.mcOtherMSKEY, L.mcLinkState, E.mcMSKEYVALUE mcthismskeyvalue, A.mcMSKEYVALUE mcothermskeyvalue
from mxi_link L
inner join mxi_entry E on L.mcThisMskey = E.mcMskey
inner join mxi_entry A on L.mcOtherMskey = A.mcMskey
where L.mcThisMskey = 23
I found that for both users many mcOtherMSKEY whose mclinkState value as 2.
Again, i got many rows which include mclinkState as 0,1 and 2.
hence i am confused which mclinkState of mcOtherMSKEY i should make 0 to copy user in active view and how to change the mclinkstate.
I have tried to search in IDM Console but could not got the point what i am searching.
All housekeeping jobs are running fine.
Looking forward for your Help
Regards,
C Kumar
Hi Kumar,
This sounds like the identity is inactive.
Could you run the below query or add the attribute MX_INACTIVE to your UI Search&Display Task so you can filter on inactive identities when searching for Persons. "select MSKEY from idmv_vallink_basic_active where mcAttrName = 'MX_INACTIVE'"
If not, you can try to repair the identity using the internal function uIS_RepairEntry.
Be careful using this function as it rebuild all assignment and could take some time to complete.
Finally, I wouldn't recommend to update any entry as this could cause data inconsistency.
Try to find the cause of your problem and fix it.
Regards,
Ridouan
Thanks for your continuous help Taibi,
i have run the query:
select MSKEY from idmv_vallink_basic_active where mcAttrName = 'MX_INACTIVE'
but i have not got any MSKEY
Could you please tell me Details how to repair the identity using the internal function uIS_RepairEntry and what would be its impact.
If you have any documentation related to this then kindly share with me.
Regards.
C Kumar
An inactive user is not listed in the ACTIVE views, so when you ran this query
select MSKEY from idmv_vallink_basic_active where mcAttrName = 'MX_INACTIVE'
It will not list anything for an INACTIVE user. Please read my previous answer and run the SQLs in CASE 1 and attach the result from the MXI_ENTRY.
Br,
Chris
Hi Per,
many many Thanks for reply
I have followed the complete procedure what you commented on 13th may 2014 and i commented the output which i got on 14th may 2014. Please check once.
I could not run one query.
select mskey,Attr_ID,AttrName,ExpiryTime from idmv_value_basic_all
where attrname = '<missing attribute>' and mskey = 23
as i am not getting which attribute i should use in place of Missing Attribute ?
Please check my comment which i commented on 14th may 2014 and guide me.
Regards,
C kumar
I'm not able to find the results of either of the two followinfg queries in your reply
Br,
Chris
select mcMskey,mcMskeyValue, mcEntryState,mcLastModified
from mxi_entry where mcMSKEYVALUE='ADMINISTRATOR'
select mcMskey,mcMskeyValue,mcLastModified, mcEntryState,
case
when mcEntryState = 0 then 'Active'
when mcEntryState = 1 then 'Inactive (MX_INACTIVE is set)'
when mcEntryState = 2 then 'Deleted'
when mcEntryState = 3 then 'Pending Delete'
else 'you did something unexpected'
end EntryState
from mxi_entry where mcMSKEYVALUE='ADMINISTRATOR'
User | Count |
---|---|
66 | |
10 | |
10 | |
10 | |
10 | |
8 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.