000037100 - Role commit fails for roles with membership rules in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jan 24, 2019
Last modified by RSA Customer Support Employee on Feb 11, 2019
Version 2

Article Content

Article Number: 000037100
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0

When attempting to commit a role change for an RSA Identity Governance & Lifecycle role that contains a membership rule, the role commit fails. The failure occurs no matter what type of change is made to the role.

The change request for the role change is shown in an error state, and both the approval phase and the fulfillment phase show as failed, but there is no detailed error.


The aveksaServer.log file shows the following error relating to the membership rule:

01/14/2019 12:42:46.096 ERROR (Worker_actionq#Normal#WPDS_277) [com.aveksa.server.core.GlobalRole] Error saving the out of constraint rule for MyRoleWithRule1 com.aveksa.server.core.rule.RuleServiceException: com.aveksa.server.runtime.ServerException: Cannot create rule MyRoleWithRule1_UOOC. Rule set Default Rule Set - All Users not found.

This is followed by a generic Workpoint failure:

01/14/2019 12:42:46.136 ERROR (Worker_actionq#Normal#WPDS_277) [com.aveksa.server.workflow.scripts.nodes.FulfillmentPhaseNode] Error Fulfilling by System com.aveksa.server.db.PersistenceException: Commit failed to proceed because the transaction was marked for rollback. Reverting the changes...

Cause: This issue is due to an incorrect reference in the database to an old role set ID, which prevents the role from updating the rule associated with the role.

This is a known issue if the role was created on the 7.1.0 GA version and the role was moved from one role set to another (the role set was edited).

This issue is resolved in RSA Identity Governance & Lifecycle 7.1.0 P02.  

See article 000036303 - Entitlements are removed or added to a role when role set is changed in RSA Identity Governance & Lifecycle.

The fix corrects the issue that causes the incorrect role set ID to be used for the reference to the role rule. However, the issue will still occur, even in later versions, if the role set was changed before patching. If the issue still occurs after patching, use the workaround below to correct the problem role.

  • Roll back any pending commits for the problem role.
  • Manually delete the role membership rules associated with the role from the Rules menu.
  • Edit the role and add back in the membership rule.
  • Commit the role changes.

This removes the corrupted association with the old rule and will allow you to commit new changes to the role.
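
To find which roles need the workaround, the two aveksaServer.log errors quoted above can be matched and correlated by worker thread. The Python script below is an added example, not RSA code; the sample log is constructed from the lines in this article (the INFO line and the second role are invented), and the function and field names are hypothetical.

```python
import re

# Constructed sample: lines 1-2 are the errors quoted in this article; the
# INFO line and the "Finance Approvers" role are invented for illustration.
SAMPLE_LOG = """\
01/14/2019 12:42:46.096 ERROR (Worker_actionq#Normal#WPDS_277) [com.aveksa.server.core.GlobalRole] Error saving the out of constraint rule for MyRoleWithRule1 com.aveksa.server.core.rule.RuleServiceException: com.aveksa.server.runtime.ServerException: Cannot create rule MyRoleWithRule1_UOOC. Rule set Default Rule Set - All Users not found.
01/14/2019 12:42:46.136 ERROR (Worker_actionq#Normal#WPDS_277) [com.aveksa.server.workflow.scripts.nodes.FulfillmentPhaseNode] Error Fulfilling by System com.aveksa.server.db.PersistenceException: Commit failed to proceed because the transaction was marked for rollback. Reverting the changes...
01/14/2019 12:50:01.500 INFO (Worker_actionq#Normal#WPDS_280) [constructed.Filler] unrelated line
01/14/2019 13:05:10.010 ERROR (Worker_actionq#Normal#WPDS_281) [com.aveksa.server.core.GlobalRole] Error saving the out of constraint rule for Finance Approvers com.aveksa.server.core.rule.RuleServiceException: com.aveksa.server.runtime.ServerException: Cannot create rule Finance Approvers_UOOC. Rule set Default Rule Set - All Users not found.
"""

# timestamp, level, (worker thread), [logger], message
PREFIX = re.compile(r"^(\S+ \S+) (\w+) \(([^)]*)\) \[([^\]]+)\] (.*)$")
RULE_ERR = re.compile(
    r"Error saving the out of constraint rule for (?P<role>.+?) com\.aveksa\."
    r".*?Cannot create rule (?P<rule>.+?)\. Rule set (?P<rule_set>.+) not found\.")
ROLLBACK = "transaction was marked for rollback"


def find_affected_roles(log_text):
    """Map each role hitting the 'Rule set ... not found' error to its details."""
    affected = {}
    pending = {}  # worker thread -> role whose rule save just failed on it
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m or m.group(2) != "ERROR":
            continue  # skips non-error lines and stack-trace continuation lines
        ts, _level, thread, _logger, msg = m.groups()
        hit = RULE_ERR.search(msg)
        if hit:
            rec = affected.setdefault(hit["role"], {
                "rule": hit["rule"], "rule_set": hit["rule_set"],
                "first_seen": ts, "failures": 0, "commit_rolled_back": False})
            rec["failures"] += 1
            pending[thread] = hit["role"]
        elif ROLLBACK in msg and thread in pending:
            # Same worker thread then reported the rollback: the commit failed.
            affected[pending.pop(thread)]["commit_rolled_back"] = True
    return affected


if __name__ == "__main__":
    for role, info in find_affected_roles(SAMPLE_LOG).items():
        print(role, info)
```

Each role in the result is a candidate for the rollback, rule deletion, and re-add steps listed above.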