
Indirect Relationship Processing fails with ORA-30926 and 'ORA-06512: at "AVUSER.CE_USERS"' errors when collecting Groups in RSA Identity Governance & Lifecycle

 
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
 
The Indirect Relationship Processing task for Account Data Collectors (ADCs) shows a status of Failed in the User Interface (Admin > Monitoring > Run ID).

The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
 
04/15/2020 01:21:45.636 ERROR (Exec Task Consumer#0) [com.aveksa.server.xfw.TaskExecutor] Failed method=Execute 
ExecutionTask[TaskID=3027914 RunID=2159883 Source=68 Type=EntitlementExplosionProcessing Status=InProgress]
com.aveksa.server.xfw.ExecutionException: com.aveksa.server.db.PersistenceException: java.sql.SQLException: 
ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.CE_USERS", line 1036
ORA-06512: at "AVUSER.CE_USERS", line 1882
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 335
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 129
ORA-06512: at line 1

Please see RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
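To check a downloaded aveksaServer.log for this failure signature and recover the affected TaskID and RunID, the following added example (not RSA code) groups continuation lines under each timestamped entry and flags entries that carry ORA-30926 with a CE_USERS frame. The sample text is constructed from the excerpt above, and the function names are assumptions.

```python
import re

# Constructed sample: the failure entry from this article plus one made-up unrelated entry.
SAMPLE_LOG = """\
04/15/2020 01:21:45.636 ERROR (Exec Task Consumer#0) [com.aveksa.server.xfw.TaskExecutor] Failed method=Execute
ExecutionTask[TaskID=3027914 RunID=2159883 Source=68 Type=EntitlementExplosionProcessing Status=InProgress]
com.aveksa.server.xfw.ExecutionException: com.aveksa.server.db.PersistenceException: java.sql.SQLException:
ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.CE_USERS", line 1036
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 335
04/15/2020 01:22:10.101 INFO (Worker#1) [com.example.Placeholder] constructed unrelated entry
"""

ENTRY_START = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) ")
TASK = re.compile(r"ExecutionTask\[TaskID=(\d+) RunID=(\d+) Source=(\d+) Type=(\w+)")
FRAME = re.compile(r'ORA-06512: at "([^"]+)", line (\d+)')

def split_entries(text):
    """Group continuation lines under the timestamped line that starts each entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return entries

def find_failures(text):
    """Return one record per entry with ORA-30926 and a CE_USERS package frame."""
    hits = []
    for lines in split_entries(text):
        body = "\n".join(lines)
        head = ENTRY_START.match(lines[0])
        task = TASK.search(body)
        frames = FRAME.findall(body)
        if not (head and task and "ORA-30926" in body):
            continue
        if not any(pkg.endswith(".CE_USERS") for pkg, _ in frames):
            continue
        hits.append({
            "time": head.group(1),
            "task_id": int(task.group(1)),
            "run_id": int(task.group(2)),
            "source": int(task.group(3)),
            "type": task.group(4),
            "frames": [(pkg, int(n)) for pkg, n in frames],
        })
    return hits
```

The RunID in each record is the value to look up under Admin > Monitoring.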
 
This issue occurs when attempting to resolve Group relationships for Accounts where an Account is a member of a Group through different paths.

For example:

UserA has AccountA that is a member of GroupC through the following paths:
  • AccountA is a member of GroupA which is a member of GroupC
  • AccountA is a member of GroupB which is a member of GroupC

RSA Identity Governance & Lifecycle incorrectly fails to resolve the Account to Group membership as a unique entitlement for this use case. This issue only occurs when multiple Account to Group relationships are resolved in the same Account Data Collector (ADC) run (specifically, the same Indirect Relationship Processing step that is shared by multiple ADC runs). It does not occur if one Account to Group relationship is resolved in a previous collection and a new relationship is established in a different collection. Normally, with the delta collection model, changes to Accounts and/or Groups, as well as Account to Group relationships, are resolved per collector, so a failure is rare. However, forcing a Full Refresh on a collector, or on multiple collectors at the same time, drastically increases the likelihood of this failure.
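A simplified model of the UserA/AccountA case above, as an added example (not RSA's implementation): enumerating membership paths reaches the (AccountA, GroupC) pair once per path, so the pair has to be collapsed into a single entitlement. The dictionary layout and function names are assumptions.

```python
from collections import Counter

# Constructed direct memberships from the example above: member -> groups it belongs to.
MEMBER_OF = {
    "AccountA": ["GroupA", "GroupB"],
    "GroupA": ["GroupC"],
    "GroupB": ["GroupC"],
}

def expand_paths(member, member_of, path=()):
    """Yield (group, path) for every direct or indirect membership of member."""
    for group in member_of.get(member, []):
        if group in path:  # guard against cyclic group nesting
            continue
        new_path = path + (group,)
        yield group, new_path
        yield from expand_paths(group, member_of, new_path)

def duplicate_pairs(account, member_of):
    """Return the (account, group) pairs that are reached by more than one path."""
    counts = Counter(group for group, _ in expand_paths(account, member_of))
    return {(account, group): n for group, n in counts.items() if n > 1}

def unique_memberships(account, member_of):
    """Collapse all paths to one membership per group."""
    return sorted({group for group, _ in expand_paths(account, member_of)})
```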
 
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.0.2 P14
  • RSA Identity Governance & Lifecycle 7.1.0 P08
  • RSA Identity Governance & Lifecycle 7.1.1 P02
  • RSA Identity Governance & Lifecycle 7.2.0

To determine if you have this issue, run the following SQL script as avuser. The script identifies if there are any duplicates but does not uniquely identify the type of a duplicate. If the script returns a count greater than zero, the issue exists and patching to one of the above versions is required.
 
-- Rows in t_ce_explicit_relations that share the same entitled/entitlement key.
SELECT *
FROM t_ce_explicit_relations
WHERE
    ( entitled_id, entitled_type, entitlement_id, entitlement_type ) IN (
        SELECT
            entitled_id, entitled_type, entitlement_id, entitlement_type
        FROM t_ce_explicit_relations
        GROUP BY
            entitled_id, entitled_type, entitlement_id, entitlement_type
        HAVING COUNT(1) > 1
    );

-- Number of explicit relations that belong to data collectors flagged as deleted.
SELECT COUNT(1)
FROM t_ce_explicit_relations
WHERE
    dc_id IN (
        SELECT id
        FROM t_data_collectors
        WHERE is_deleted = 'TRUE'
    );

-- Rows in t_group_memberships that are duplicated on all of the listed columns.
SELECT *
FROM t_group_memberships
WHERE
    ( dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path ) IN (
        SELECT
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path
        FROM t_group_memberships
        GROUP BY
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path
        HAVING COUNT(1) > 1
    );

Avoid the use of Full Refresh for Account Data Collection.

There is no cleanup script for this issue.  The issue must be resolved through a patch.
 
000038826
Ian Staines
5/4/2020 7:20 PM
000044277
Venkata SamanthKumarAtchuta