Architecting, installing and maintaining your SAS environment

Synchronization code

Reply
Occasional Contributor
Posts: 14

Synchronization code


I get this error when i am running the synchronization code on the metadata server:

'ERROR: The object reference to Person was requested without an identifier'.

So, all the objects which are to be written back to the metadata are written to the failed_objects dataset and the job fails.

Do you have any idea what is causing this error?

23599 - Why do I get an object identity error when I run LoadPortalStructure.sas?

Trusted Advisor
Posts: 3,214

Re: Synchronization code

Posted in reply to akshatadeshpande

Do you mean the synchronization code as documented in Appendix A of the Security Administration guide?

That one is a sample how you van solve user propagation in a RBAC controlled process to LDAP. 
But all exceptions that are not in conforming that own programmed code could cause harming possible required identities only existing in SAS metadata.

---->-- ja karman --<-----
Occasional Contributor
Posts: 14

Re: Synchronization code

Do you have any idea about the error i mentioned?

Trusted Advisor
Posts: 3,214

Re: Synchronization code

Posted in reply to akshatadeshpande

Well you posted a link it is indicating a required indentity is missing. You asked something about synchronization. -> The synchronization did delete the required identity?

You posted very little details on

a/ what you did

b/ what has happened

c/ what your environment is and

d/ what the problem is and

e/ what the messages are (loggings pop-ups) 

---->-- ja karman --<-----
Occasional Contributor
Posts: 14

Re: Synchronization code

The last step in the synchronization job is adding the updates to the metadata. The code worked fine, the metadata has been synchronized but i get an error as below in the log:

'ERROR: The object reference to Person was requested without an identifier'.

ERROR: Errors returned from Proc Metadata prevented objects from being Added, Updated, or Deleted.  Table: work.mduchglb_failedobjs

identifies 79 such objects.  Consult the SAS Log for the specific Metadata Server errors returned.

Even having this error, the objects from the AD group have been added to the metadata.

I am not able to understand this error.

Trusted Advisor
Posts: 3,214

Re: Synchronization code

Posted in reply to akshatadeshpande

That is something more information. Did you review the mentioned Appendix A thoroughly?

There are some details on all relations in the SAS metadata. Aside the login also mail/address/phone etc.

The number of failed objects is relative high. It could be all your identities that are changed. The mentioned objects are not in the same table but a related other one.

The Person (name) is commonly visible as object but as you are reviewing details (SMC) there is actual a identifier used. This construct let you change the name without changing the identifier. All change should at a moment use that identifier.

The message you have got is telling you the lookup name/identifier at some point has failed. It could be a check the record-name is already present. Or referring a field that does not have  been used an therefore is missing.       

---->-- ja karman --<-----
Frequent Contributor
Posts: 134

Re: Synchronization code

Posted in reply to akshatadeshpande

Please, try to provide some more extracts from your MDUCHGLB_FAILEDOBJS table :

- do you spot any LDAP objets attributes (Name, ID, Description etc.) having "unexpected" values ?

For instance, using this synchro code, I had an issue once dealing with Description fields values (extracted from the LDAP directory) which had (balanced) single quotes inside the string (Desc= Profile 'Developers').

This caused a large havoc in the metadata XML request generating code since the code did not protect enough the attributes values (XML attributes use single quotes as boundaries).

BTW, to enable the debugging logs in verbose mode, I had to modify some of the Macros : if you run your code on a Unix/Linux machine, be aware that these technical logs rely only on a backslash delimiter for files location

and were tested on Windows only ... :smileyplain:

Another thing :

- in metadata, in the SMC User Manager, have you checked the synchronized objects - Users AND/OR Groups or Roles "External Identity"  associations ?

More specifically, if you click on "External Identity", do you see any "Identifier" value ? or is it still empty ?

Ask a Question
Discussion stats
  • 6 replies
  • 697 views
  • 0 likes
  • 3 in conversation