Hi Experts,
SAP IDM 7.2, SP8
Sometimes due to inconsistencies, users have assignments (inherited privileges (part of role)) with OK status in IDM but missing in backend systems.
Question 1: Is there any standard way to provision all assignments (with OK status) of such a user?
1. I have tried uIS_RepairEntry internal function but it does not touch assignments in OK status if there are no structural changes required.
2. uPrivReconcile only reconciles failed/declined assignments.
3. I have tried uIS_SetDirty internal function but it does not trigger any assignment which is in OK status.
In fact, it says that if an MX_PERSON entry is set dirty, this entry is marked dirty and all assignments will be reconciled, but assignments in OK status are not provisioned.
Question 2: What does "all assignments will be reconciled" mean here if it does not provision all assignments in OK status (mcExecState = 0 or 1)?
4. I have created a job and a script that uses the uProvision internal function to implement logic to trigger hook task 4 of the repo (ABAP/JAVA) for the user.
For ABAP it works fine, but for the JAVA repo, the stored procedure “mxpt_get_privilege_type” checks for audit id and pending privilege mskey, and so the check fails.
So, executing the task “SetJavaRoleForUser&Group” directly via script works fine.
Question 3:
I am interested to know if anyone has implemented anything better than this (point 4) to provision all assignments (with OK status) of a user from IDM to the backend system.
Kindly assist.
Thanks a lot in advance.
Regards,
Pradeep