Hello All,
After having a support ticket open for 2 weeks and still not getting any type of response or feed back from SAP I am again coming to the community for some insight.
background: Because of multiple issues with IDM resources not cleaning injesting users from our backend repositories and merging them with the acccounts that were loaded via HCM during go-live as well as jobs being set up incorrectly that caused failures that crashed the provisioning process we have a large number of users that are constantly failing to be assigned privs and business roles because their identities do not match what is not only in the IDSTORE but also the backend.
I have had a couple of discussions here about how to update missing privs in the database and though those have been successful on the database side they still have not resolve what is displayed in the web gui for the user and thus items still fail to provision.
I have a couple of types of issues:
1. When I Role or Privalage is removed via the web admin it does not fully remove the associated privs on the users table associated with the mskey and thus does not remove the backend access. Even though the process states completed items are still there. This causes issue when we try to re-apply the acccess it fails as accounts or pivs are already there.
2. backend access is not correct with whats in the users table and also whats listed in the user admin screen. When you go to remove assocaited Business roles and readd to see if it will correct itself the business role shows completed but if you go to the change screen of the user the BR is there but none of the sub roles are listed (failed, pending, ok...nothing is listed)
I have tried running the reconcile and repairentry stored procedures but so far they just run for hours, start up multiple Runtime tasks that dedlock each other and crash the dispatchers and then finally fail and don't fix the users. (note the msdirty key table has been filling up and we have a nightly job that is sceduled to run but nothing happens and yes we have a housekeeping dispatcher set up)
We are now in a position where we have 100's of users in PRD that can't get access because of provisioning problems from the go-live and with SAP Support ignoring us I am not sure what else to do.
If the reconcile and repair jobs are not actually cleaning the entries from a user, is there anyway to remove all entries from a users table and have that reflect to the web admin screen. Also, is there a change that can be made on the provisioning jobs that if an account already exists in the backend that it will not through the whole provisioning process into a failed state and just over write the account or just continue on with the rest of the tasks (this is our biggest problem by far).
I thought we had a solution in a previous topic for the users having an account in the ECC system but not listed in IDM failed (updated the ECC only and system only objects on the MSKEY) but even with that being updated for all users that had the issue, IDM still will not process fully when I perform a retry.
Not sure where to start but looking for some input from the community on what to provide from my end to help me work through this situation. (please note I have no SQL and Java scripting background)
post screen shots next