000037903 - Checking the data dependencies of a security domain in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Sep 4, 2019
Last modified by RSA Customer Support Employee on Sep 4, 2019
Version 3

Article Content

Article Number: 000037903
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 and higher
Issue: When an administrator deletes a security domain, the following message is seen:

Cannot delete a security domain that includes objects. Before you delete a security domain, you must move or delete all associated objects, such as users, groups, and administrative roles.



An administrator needs to further investigate which data objects are associated with the security domain being deleted.

RSA Customer Support has a shell script called Check_SecDom.sh (attached to this article) which can generate a report on the data dependencies of a security domain and, where necessary, move the data from the lower-level security domain to SystemDomain (the top-level security domain).

Before moving the data from the security domain, please generate a backup of the Authentication Manager database.



  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  3. Copy the Check_SecDom.sh shell script into the /tmp folder on the Authentication Manager primary instance. You may need to Enable Secure Shell on the Appliance to copy the shell script to /tmp.
  4. Update the file permissions on the shell script:

chmod 755 /tmp/Check_SecDom.sh

  5. Ensure the owner and group are rsaadmin:

chown rsaadmin:rsaadmin /tmp/Check_SecDom.sh

  6. Log on to the Authentication Manager primary instance using the rsaadmin account.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  7. Change the account privileges using the command:

sudo su -

  8. Navigate to /tmp:

cd /tmp

  9. Run the shell script:


This example shows that a security domain called Obsoleted has data dependencies from tables am_attr_definitions, am_token and ims_principal_data. The parent security domain is BWO and no sub-security domains were found:

am84p:/tmp # ./Check_SecDom.sh
Checking OC credentials....missing OC credentials!

Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
OC credentials validated... redirecting to menu..

RSA Customer Support (Asia Pacific)

Security Domain program..

1) Check the dependencies of a Security Domain
2) Generate a dependency report on a Security Domain
3) Move objects from a Security Domain to SystemDomain (top-level)
9) Exit

Please select an option

Enter Security Domain name: Obsoleted
Checking for data dependencies for Security Domain: Obsoleted
2019-08-28 04:27:57.711,scadmin,0,38483d4d2e1f3e0a17558a9f12ade947,f
2026-07-06 00:00:00,2006-07-11 00:00:00,f,f,0,2019-08-26 02:39:45.487,
2019-08-26 02:39:45.487,000000000000000000002000f0026001,2019-08-26 02:38:04.663,f,,0,,0,,f,f,0,t,f,-1610612735,0,0,
2019-08-26 02:38:04.663,AAAAAqlCO60H/F2mXZBB5NBk7+TSYqEvkrVURQ4AwXHZ3c2SSwCStj09u4jxFG4DfQuuaqhSWUPJ9PnQXL9c7BI/
2019-03-31 23:04:45.12,,,,,,,,000000000000000000002001f0050014,,0,f,,,f,6,scadmin,
2019-08-28 04:27:22.907,,38483d4d2e1f3e0a17558a9f12ade947,,0,,,
2019-08-28 04:26:37.579,000000000000000000001000d0011000,c6791b752e1f3e0a01a2753510103431,38483d4d2e1f3e0a17558a9f12ade947,
2019-08-26 02:37:00.812,,t,rsatest,t,f,f,0,,0,,f,2019-08-26 02:37:55.893,f,,f,,,1001000,f,,,3,,,,5,,-1,f,,
Parent security domain: BWO
No dependent sub_security domains found.

Back to menu? (Y/N):
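
A pre-flight check for the permission and ownership steps above, as an added example (it is not part of the RSA article or of Check_SecDom.sh): before the script is run as root, it confirms that the file copied to /tmp is a regular file rather than a symbolic link and has the owner, group and mode the procedure sets. The function name preflight_script and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not RSA's code: verify a script before running it as root.
# Usage: preflight_script PATH OWNER GROUP MODE
# Returns 0 when every check passes; otherwise prints the reason to stderr
# and returns 2 (symlink), 3 (not a regular file), 4 (owner/group) or 5 (mode).
preflight_script() {
    path=$1 owner=$2 group=$3 mode=$4

    # A symbolic link could be re-pointed at another file after the check.
    if [ -L "$path" ]; then
        echo "FAIL: $path is a symbolic link" >&2; return 2
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file" >&2; return 3
    fi
    # -prune limits find to the named file; -user, -group and -perm are
    # POSIX primaries and accept names or numeric IDs.
    if [ -z "$(find "$path" -prune -user "$owner" -group "$group" -print 2>/dev/null)" ]; then
        echo "FAIL: $path is not owned by $owner:$group" >&2; return 4
    fi
    # A plain octal mode matches the permission bits exactly, so a file that
    # has become group- or world-writable (for example 775 or 777) is rejected.
    if [ -z "$(find "$path" -prune -perm "$mode" -print 2>/dev/null)" ]; then
        echo "FAIL: $path does not have mode $mode" >&2; return 5
    fi
    echo "OK: $path is a regular file, $owner:$group, mode $mode"
}

# With the values from this article, run as root from /tmp:
#   preflight_script /tmp/Check_SecDom.sh rsaadmin rsaadmin 755 && ./Check_SecDom.sh
```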