000037841 - Create Account fails if previous Create Account is pending in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Aug 14, 2019Last modified by RSA Customer Support Employee on Dec 18, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000037841
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1

The RSA Identity Governance & Lifecyle Entitlement Requires Account feature is a feature that automatically creates an account when adding an entitlement related to the account and the account does not exist. For example, when adding a User to a Group, this feature will create the account for the user before adding the account to the group. The first time an entitlement is requested, the system will identify that an account does not exist and will automatically create the account.  For subsequent entitlements there is no need to create the account.

If there is a problem with the initial request that creates the account, subsequent change requests for entitlements that require that account may fail. 

CauseThis issue can occur if, during the process of requesting access, an entitlement is selected from an application that has entitlements require accounts enabled and:
  • before clicking on the Finish button, the requester closes out of the browser or navigates away from the submission page through anything other than the Cancel or Back buttons, or
  • the browser times out before the request has been completed (i.e before the Finish button has been pressed.)
In both cases, the change request is not created but the account is created in the background and is basically pending as there is no associated change request to fulfill the creation of the account.

The existence of this pending account prevents future entitlement requests because the account is required and yet does not actually exist but looks like it exists due to its pending status.

This is a known issue reported in engineering ticket ACM-89679.

ResolutionThis issue is resolved in the following RSA Identity Governance & Lifecycle patches:
  • RSA Identity Governance & Lifecycle 7.0.2 P14
  • RSA Identity Governance & Lifecycle 7.1.0 P07
  • RSA Identity Governance & Lifecycle 7.1.1 P02

To handle this issue, a new section in the RSA Identity Governance & Lifecycle user interface has been added called Pending Submissions under Requests > Requests, which will display the change requests which were left in the Pending Submission State

New change requests for access are prevented from being generated if requests already exist in the Pending Submission State for the account associated with the requested access.

The Request Form will not allow the user to submit the request and instead will display the following warning message under Dependencies:
The changes for the account ##### depends on the request XXXXX which was not successfully submitted. Please cancel the request before taking further actions by navigating to Pending Submissions tab.


User-added image


User-added image
NotesPlease see RSA Knowledge Base Article 000038249 -- Check for Pending Account dependency is skipped in RSA Identity Governance & Lifecycle for related information on this issue.