NO FORCE_FIRST_PASSWORD_CHANGE frozen job UNSBAccount (Native DB Connector as SAP HANA DB connector)

Dear All,

One Identity Manager version 8.1.4

I have created a Native DB connector for SAP HANA DB to manage users. I am able to create a HANA DB user with a Full Managed UNSB account, and everything is fine. But when I remove the account definition, that is, when I want to disable the account, I get the following error: Frozen Job > NO FORCE_FIRST_PASSWORD_CHANGE

In the ADSAccount sync mapping table there is an option "UserMustChangePassword", but in the Native DB connector (UNSBAccount mapping) there is no similar option.

support.oneidentity.com/.../user-must-change-password-getting-set-to-true-upon-user-creation

-------------------------------------------------------------------

[System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation.
[2415015] Error executing the following statement.

CREATE USER "abcdusername" PASSWORD "xyz" NO FORCE_FIRST_PASSWORD_CHANGE
[Sap.Data.Hana.HanaException] user name already exists: abcdusername: line 1 col 13 (at pos 12)

at VI.Projector.JobComponent.ProjectorComponent._AdHocProjection()

-------------------------------------------------------------------

Could you please help me with this issue?

Thank you

Best regards

Samet Güney

  • Did you consider using the Database Systems Integration Module? https://support.oneidentity.com/pt-br/technical-documents/identity-manager/8.1.4/database-systems-integration-module-release-notes

    It contains the ability to create and change SAP HANA users, so no need to customize this.

    SAP HANA database

    • Read all user accounts and their attributes
    • Read all user roles
    • Read all user role membership
    • Read role membership
    • Create and delete operations for users
    • Change password
    • Lock or unlock user
    • Change role membership
    • Change user role membership
  • Hello Markus,

    Thank you for the quick answer. Yes, this is what I'm using, I guess.
    When I built a Sync project to HANA DB, I used the DSI module, which is "**\OneIdentity.8.1.4\Modules\DSI\configuration\DSI_SAPSQL_Configuration.xml". Is that correct for a HANA DB connection?

    In this configuration file, I can see the following script. Maybe we could change it because of the frozen job?

    ---DSI_SAPSQL_Configuration.xml---

    string query = "";

    if(restriction == "RESTRICTED" )
    {
    query = "CREATE RESTRICTED USER {0} PASSWORD \"{1}\" NO FORCE_FIRST_PASSWORD_CHANGE";
    }
    else
    {
    query = "CREATE USER {0} PASSWORD \"{1}\" NO FORCE_FIRST_PASSWORD_CHANGE";
    }
    string selectQuery = "SELECT USER_ID FROM SYS.USERS where {0}='{1}'";
    connection.ExecuteSqlNonQuery(string.Format(query,username,password));

    Thank you

    Best regards

    Samet

  • I suggest you contact support. What I do not understand is that you are removing an account definition, and this removal seems to lead to a user creation for SAP HANA.

  • Maybe there is a misunderstanding. Here is a summary, but you could be right: during the account removal process "DSI_UNSAccountB_Update/(De-)Activate", the job is sending an INSERT command to the target system.
    I will contact our Support; if you have any comments, they are very welcome.


    1- I assigned the account definition and the HANA user was created on the target system. No issue and no frozen job with the user creation process.
    2- As a simulation, let's say the user left the company and I removed the account definition.

    2a- Process started "Created by QBMDBQueueProcess: handle object delete for object type PersonHasTSBAccountDef" > successfully

    2b- Process started TCH_TSB_PersonHasTSBAccountDef_Autodelete_Account > successfully

    2c- Frozen Job "DSI_UNSAccountB_Update/(De-)Activate" > frozen

    Frozen Job > "DSI_UNSAccountB_Update/(De-)Activate"

    [1777124] Error executing projection step (UserMappings) of projection configuration (Provisioning (Provisioning)).
    [1777219] Error executing synchronization step (UserMappings)!
    [1777004] Method (Insert object (Insert)) could not be executed successfully.
    [2415018] Error executing script for the data operation.
    [System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation.
    [2415015] Error executing the following statement.

    CREATE USER "username" PASSWORD "xxxxxxx" NO FORCE_FIRST_PASSWORD_CHANGE
    [Sap.Data.Hana.HanaException] user name already exists: xxxxxx: line 1 col 13 (at pos 12)


    at VI.Projector.JobComponent.ProjectorComponent._AdHocProjection()
    at VI.Projector.Database.ProjectorExecutor.Project(ISession session, IProjectionConfiguration configuration, ProjectionOption options, ISystemObject adHocObject, CancellationToken cancellationToken)
    at VI.Projector.Projection.Extensions.Execute(IProjectorEngine engine, IProjectionConfiguration configuration, ProjectionOption options, ISystemObject adHocObject, CancellationToken cancellationToken)
    at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
    at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)

    Thank you very much
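
The error excerpts in this thread show that the failing CREATE USER statement is written to the job log together with its PASSWORD clause. As an added example (not part of the thread and not One Identity Manager code), the Python function below masks that clause in log text before it is stored or shared; the function name and the sample log lines are constructed for illustration.

```python
import re

# PASSWORD clause of a HANA CREATE USER / ALTER USER statement.
# User name and secret are each either a double-quoted literal
# (embedded quotes doubled: "") or a bare token up to the next whitespace.
_PASSWORD_CLAUSE = re.compile(
    r'''
    (\b(?:CREATE(?:\s+RESTRICTED)?|ALTER)\s+USER\s+   # statement head
      (?:"(?:[^"]|"")*"|\S+)                           # user name
      \s+PASSWORD\s+)                                  # keyword, kept as-is
    (?:"(?:[^"]|"")*"|\S+)                             # the secret, replaced
    ''',
    re.IGNORECASE | re.VERBOSE,
)

MASK = '"***"'


def redact_hana_passwords(text: str) -> tuple[str, int]:
    """Return (redacted_text, number_of_password_literals_masked)."""
    return _PASSWORD_CLAUSE.subn(lambda m: m.group(1) + MASK, text)


# Constructed sample, shaped like the frozen-job output quoted in the thread.
SAMPLE_LOG = '''[2415015] Error executing the following statement.
CREATE USER "demo_user" PASSWORD "S3cr""et pw" NO FORCE_FIRST_PASSWORD_CHANGE
[Sap.Data.Hana.HanaException] user name already exists: demo_user: line 1 col 13 (at pos 12)
create restricted user DEMO2 password Init1234 no force_first_password_change
'''

if __name__ == "__main__":
    redacted, count = redact_hana_passwords(SAMPLE_LOG)
    print(f"masked {count} password literal(s)")
    print(redacted)
```

The surrounding error text, including the user name in the HanaException line, is left untouched so the log stays useful for troubleshooting.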