Channel: SCN: Message List - SAP Identity Management

Re: Provisioning failing when updating users Business Role


Okay, here we go. ^^

For each repository there are two "main" privileges created by the initial load job:

PRIV:%$rep.$NAME%:ONLY
which you can see in the UI and assign to a user to create an account in that system

PRIV:SYSTEM:%$rep.$NAME%
which you can NOT see in the UI, but can find through a SQL query on the views "idmv_link_ext" and "idmv_link_ext2"

The latter should be assigned by IDM automatically if the first one is assigned, either through the UI or through a task or job.

 

 

 

For my purpose I have a job where the source query looks like this:

    -- all users that hold the hidden system privilege for this repository
    select distinct mcthismskeyvalue from idmv_link_ext2
    where mcothermskeyvalue='PRIV:SYSTEM:%$rep.$NAME%'
    minus
    -- ... minus those that also hold the visible ONLY (account) privilege
    select distinct mcthismskeyvalue from idmv_link_ext2
    where mcothermskeyvalue='PRIV:%$rep.$NAME%:ONLY'

So it should find all mcthismskeyvalues (which are the MSKEYVALUEs of the users in my use case) that have the system privilege assigned MINUS those that have the ONLY privilege assigned, too. Which leaves those users that have only the system privilege assigned.

That's because the account in the backend system was deleted from IDM, but something went a bit wonky and only the account privilege (ONLY priv) was deleted from the user in IDM while the system priv stayed. And THAT starts trouble once you try to create a new account in one of those systems. ^^

Yeah, that's the base and the pool of users to work with. Now in the destination tab I just have a simple delete of the system privilege for the found users, looking like this:

[screenshot: ScreenShot171.jpg]

This way I clean up the system privileges that are not supposed to be assigned anymore.

 

In my understanding, you just need to reverse this (source and destination): look for the users that have only the ONLY privilege assigned and add the system priv to them.

Though it can't hurt to look for those users that have only the system priv, too, and clean that up as well. ^^

Since you can easily test that with just one user, there shouldn't be any big issue.

So that's it. Like I said before, maybe I'm doing this too complicated or plainly wrong and there is a nice, simple best practice I haven't found or heard of yet. But this works for me so far.

Regards,

Steffi.
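The "reverse" job that the post describes in prose, written out as an added example (this is not code from the post or from SAP). The view and column names (idmv_link_ext2, mcthismskeyvalue, mcothermskeyvalue) and the two privilege names are taken from the post; %$rep.$NAME% is the IDM job variable that is replaced with the repository name when the job runs, so the statements are meant to go into a job's source tab rather than be run as a standalone script. They use NOT EXISTS instead of the post's MINUS because MINUS is Oracle-only (SQL Server spells the same operator EXCEPT), while NOT EXISTS runs unchanged on both databases SAP IDM supports. The third query is a read-only report for checking the pool of affected users before either job is allowed to write.

```sql
-- Added example, not from the original post. Object names come from the
-- post; %$rep.$NAME% is substituted by IDM with the repository name at run time.

-- 1. Repair direction (what the question needs): users that hold the visible
--    account privilege PRIV:<rep>:ONLY but are missing the hidden
--    PRIV:SYSTEM:<rep>. Feed these MSKEYVALUEs to a destination that ADDS
--    the system privilege.
SELECT DISTINCT l.mcthismskeyvalue
FROM   idmv_link_ext2 l
WHERE  l.mcothermskeyvalue = 'PRIV:%$rep.$NAME%:ONLY'
AND NOT EXISTS (
        SELECT 1
        FROM   idmv_link_ext2 s
        WHERE  s.mcthismskeyvalue  = l.mcthismskeyvalue
        AND    s.mcothermskeyvalue = 'PRIV:SYSTEM:%$rep.$NAME%');

-- 2. Cleanup direction (the post's own job, MINUS rewritten as NOT EXISTS):
--    users that hold the hidden system privilege without the ONLY privilege.
--    Same shape with the two privileges swapped; feed these to a destination
--    that DELETES the system privilege.
SELECT DISTINCT l.mcthismskeyvalue
FROM   idmv_link_ext2 l
WHERE  l.mcothermskeyvalue = 'PRIV:SYSTEM:%$rep.$NAME%'
AND NOT EXISTS (
        SELECT 1
        FROM   idmv_link_ext2 o
        WHERE  o.mcthismskeyvalue  = l.mcthismskeyvalue
        AND    o.mcothermskeyvalue = 'PRIV:%$rep.$NAME%:ONLY');

-- 3. Dry run / report: one row per user whose two flags disagree, so both
--    mismatch directions are visible at once before any job writes anything.
SELECT mcthismskeyvalue,
       MAX(CASE WHEN mcothermskeyvalue = 'PRIV:%$rep.$NAME%:ONLY'   THEN 1 ELSE 0 END) AS has_only_priv,
       MAX(CASE WHEN mcothermskeyvalue = 'PRIV:SYSTEM:%$rep.$NAME%' THEN 1 ELSE 0 END) AS has_system_priv
FROM   idmv_link_ext2
WHERE  mcothermskeyvalue IN ('PRIV:%$rep.$NAME%:ONLY', 'PRIV:SYSTEM:%$rep.$NAME%')
GROUP BY mcthismskeyvalue
HAVING MAX(CASE WHEN mcothermskeyvalue = 'PRIV:%$rep.$NAME%:ONLY'   THEN 1 ELSE 0 END)
    <> MAX(CASE WHEN mcothermskeyvalue = 'PRIV:SYSTEM:%$rep.$NAME%' THEN 1 ELSE 0 END);
```

Run query 3 first and, as the post suggests, try the add or delete job on a single user from its output before letting it loop over the whole result set: both jobs change privilege assignments, and the add direction in particular triggers account provisioning in the backend for every user it touches.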
