Hello Michael,
For your questions, below is my reply. :-)
If the reconcile and repair jobs are not actually cleaning the entries from a user, is there any way to remove all entries from a user's table and have that reflect to the web admin screen?
-> All required user/privilege/role entries can be removed from the IDM table MXI_LINK.
-> Can you tell what status the privileges/roles (which need to be removed) have for the users?
You can get the list using the query below:
select mcthismskeyvalue, mcothermskeyvalue, mcorphan, mcexecstate, mcassigneddirect, mclinkstate
from idmv_link_ext
where mcthismskeyvalue in ('<user1mskeyvalue>', '<user2mskeyvalue>',...)
You can narrow down the list by adding more to the where condition.
Normally, entries with mcexecstate = 1/2/1026/4 and mcorphan = 0 can be removed via the UI or a custom job.
Other mcexecstate values (e.g. 1536/1537/1025 etc.) can be removed after changing their status to 1026 and then removing them.
Also, is there a change that can be made on the provisioning jobs so that, if an account already exists in the backend, it will not throw the whole provisioning process into a failed state and will just overwrite the account or just continue on with the rest of the tasks? (This is our biggest problem by far.)
-> I think you mean this for the user creation provisioning job.
-> If so, then kindly check whether the createabapuser prov job does not have the "changetype" attribute in its pass.
Regards,
Pradeep