I recently started a new project and one of the first things I ran into was privilages assigned to a user that weren’t showing up in the UI. When you did a search of their complete record in the Identity Store, their MSKEYs were listed on the user’s record but you couldn’t see them in the UI.

Having never encountered this before, I went into investigative mode. I’m the kind of person where unanswered questions bore holes in my brain so, I had to know what was happening here! In short, as it turns out, these PRIVs were inherited from someplace else and the parent was removed but, for whatever reason, the child remained; they were orphans, like Batman. So now, they hide in the shadows, granting their users the rights they shouldn’t have but still do because of this failed removal process.

Why doesn’t the UI show these PRIVs? The user still has it even though he/she shouldn’t. Shouldn’t it at least still show up if even with some kind of status that shows that it’s an orphan? Apparently the UI, when deciding what PRIVs to show on a user’s record in the UI, looks at two columns on the IDMV_LINK_EXT view, mcAssignedDirect and mcAssignedInheritCount. If those two columns are both less than or equal to 0, the mcOrphan column goes to 1 and the PRIV stops being shown on the UI. Here’s a screenshot to show what I’m talking about:

File Apr 28, 9 16 44 AM.png

So if you’re ever in a spot where the UI isn’t showing PRIVs that your user clearly has, this might be why. The clean up? Well, that’s up to you to figure out.  🙂

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Brandon Bollin Post author

    Hey all, feel free to like, comment, give a rating, etc. My content will improve based on the community’s feelings so please, feedback; even if that feedback contains critizism!  🙂

    (0) 
  2. Matt Pollicove

    Well done Brandon.  Would have been nice to see some ideas on how we fix this if it happens to us.  Maybe that’s another blog for you 🙂

    Matt

    (0) 
    1. Brandon Bollin Post author

      I wanted to say you could just use a job targeting the users’ records via MSKEY or MSKEYVALUE then remove any privilages where the MSKEY is in the list of MSKEYs you pull from my sample screen shot of orphaned PRIVs but, since I’m not sure how my current shop is handling this problem, I honestly don’t know if that would work. Once I find out how they do clean up, I’ll update this blog.

      (0) 

Leave a Reply