none
Objects occasionally not being deleted RRS feed

  • Question

  • I sometimes experience a problem with objects not being deleted from the MV, and remaining in FIM after a successful delete operation.

    MV deletion rule is configured to delete the object from the MV when the connector from FIM is disconnected:

    MV deletion rule

    Deprovisioning on non-FIM MAs is configured with "stage a delete on the object for the next export run":

    MA deprovisioning config

    Here is an example of the problem.
    These are the requests:

    requests

    As you can see, there is a successful delete request for the object at some point, but the object is still present in the metaverse:

    mv object properties

    This does not happen all the time, but only occasionally.

    Has someone experienced this problem?

    Is there anything I should check?

    Thanks,
    Paolo

     

    Paolo Tedesco - http://cern.ch/idm


    Tuesday, August 18, 2015 8:18 AM

All replies

  • What is this MA, AD?  We usually see this when the object has restricted access, Admin accounts in AD for instance, which means the user account for that MA has no rights to delete the object. Check the FIM Synchronization Service Client and see if there are errors during the export.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 12:56 PM
  • Hi Nosh,

    No, this is not an AD MA, but a custom one.
    I've seen this also with some AD objects, but please note that this behavior is occasional, so I really don't think it could be a permissions issue.


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 18, 2015 1:05 PM
  • Paolo,

    What I described is sporadic too, because only Admin Users have this restriction, so it may appear sporadic. With Custom MA, I cant tell how that works.  I would still check for errors in the RunCycle History.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 1:17 PM
  • In the run history, I see the delete operation at some point:

    Delete operation

    After that, instead of deleting the object, FIM tries to update it deleting one property:

    Then the same error repeats at every export run on the custom MA.

    I don't understand why the object was not deleted from the metaverse. 


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 18, 2015 1:33 PM
  • I cant see it, but are there any errors?

    Do you have a provisioning rules somewhere, that recreates the object?  It is possible that FIM MA is deleting it, but another rule creates it right back.  You see those 5 Adds.  Are there any of the ones that should have been deleted. 


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 1:48 PM
  • There are no errors (except the error that is being reported by the custom MA because it cannot update the object as requested).

    There are no sync rules with the "create resource in FIM" option.

    The adds you see in the picture were DREs, 2 of which actually related to the object that's giving this error.


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 18, 2015 1:55 PM
  • Ok, so can you show one of the objects that is not deleted that should have otherwise? what is its status in MV.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 2:03 PM
  • That's the object I'm showing in the original post...

    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 18, 2015 2:42 PM
  • I sometimes experience a problem with objects not being deleted from the MV, and remaining in FIM after a successful delete operation.

    MV deletion rule is configured to delete the object from the MV when the connector from FIM is disconnected:

    MV deletion rule

    Deprovisioning on non-FIM MAs is configured with "stage a delete on the object for the next export run":

    MA deprovisioning config

    Here is an example of the problem.
    These are the requests:

    requests

    As you can see, there is a successful delete request for the object at some point, but the object is still present in the metaverse:

    mv object properties

    This does not happen all the time, but only occasionally.

    Has someone experienced this problem?

    Is there anything I should check?

    Thanks,
    Paolo

     

    Paolo Tedesco - http://cern.ch/idm



    If you click the tab Connectors, please send me screen shot of that view.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 2:46 PM
  • Here they are...


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 18, 2015 3:02 PM
  • Thanks for that. I am sorry, but I am failing to understand the source of this object. Is this object created in FIM Portal or is it imported from somewhere else?  from the screen shot, seems that it is created in FIM Portal and provisioned to the ORA2 and R_WEB2.  If you have deleted the object in FIM Portal and the deletion was captured as part of those 25, the only thing I can say is to run a full Sync and see what happens. Sorry, I am out of options.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 3:11 PM
  • Yes, the object was created in FIM.

    Then it was deleted in the portal (you can see a "completed" delete in the requests screenshot), but for some reason the object was not deleted.

    The object is still present in FIM and in the MV.

    I don't think a full sync would change anything here.

    Possibly a bug?


    Paolo Tedesco - http://cern.ch/idm

    Tuesday, August 18, 2015 3:14 PM
  • A BUG is quit possible.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, August 18, 2015 3:16 PM