cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Can't able to remove 1026 privilege from user IDM profile by using any operations in MMC.

laxmi275
Explorer

on ‎08-31-2023 9:58 AM

0 Kudos

Hi All,

There are some privilege assignments which are in 1026, 1028 status in user IDM profile.
Some privileges were orphaned some were not.

These status assignments exist in active and disabled user profile. Because of these assignments MX_INACTIVE is not getting set.

I tried using operation {e}, {E}, {d}, {D} the job run successfully but assignment is not getting removed from user IDM profile.


Select mcThisMSKEYVALUE as UserID,mcOtherMSKEYVALUE as Role_Priv from idmv_link_ext with(nolock) where mcThisMSKEYVALUE='user_ID' and mcOtherOcName ='MX_PRIVILEGE' and mcExecState in (1026,1028)

For Orphan privileges I have used 2499697 - Introducing new DB stored procedure for orphan assignments revocation from SAP. It is removing most of the orphan privileges but some are not getting removed.

Please suggest some method to resolve the issue.

Regards,
Laxmibebi

Show replies
Show replies
Answer
View Entire Topic
normann
Advisor
Advisor
‎08-31-2023 4:07 PM
0 Kudos

Hi Laxmibebi,

well, if the un-assignment fails, the assignments remain in state failed.
You can try removing without provisioning (DIRECT_REFERENCE=1): Specifying properties when writing attribute values (To identity store pass)

Cheers

Show replies
Show replies
laxmi275
Explorer
‎09-01-2023 7:32 AM
0 Kudos

Hi Norman,

I'll try and let you know if there is any issue.

Regards,
Laxmibebi

laxmi275
Explorer
‎09-01-2023 9:08 AM
0 Kudos

Hi Norman,

I tried it's not working.

( {e}/{E}/{d}/{D} ) {DIRECT_REFERENCE=1}<%Role_Priv%> with all 4 opt I tried this but there was no change in the data.
then by below screenshot removed the opt and made it direct privilege, after making privilege to direct privilege I tried to remove again its not working.

There are no errors in job log. Job run successfully but no changes happened.



Priv: mcexecstate = 1026 mcorphan=1 mclinkstate=0 mclinktype=2, mcexecstatehierarchy=0 (but after making the privilege as direct it value changed to 1026)

Regards,
Laxmibebi

normann
Advisor
Advisor
‎09-01-2023 10:44 AM
0 Kudos

Hi Laxmibebi,

maybe we should separate the cases:

Direct assignments: MXREF_MX_PRIVILEGE={D}{DIRECT_REFERENCE=1}<%Role_Priv%>

Indirect assignments: You can try MX_AUTOPRIVILEGE={D}{DIRECT_REFERENCE=1}<%Role_Priv%> (but I am not sure whether this works.

If both of the above-mentioned don't work for a link, the only option I think you have left is manually deletion by updating the mcLinkState to 2 in mxi_link (update mxi_link set mcLinkState = 2 where mcUniqueID = ...)

Regards

Norman

Ask a Question