000037982 - A role in RSA Identity Governance & Lifecycle is stuck in the Applied state and no changes to the role can be made

Document created by RSA Customer Support Employee on Sep 26, 2019Last modified by RSA Customer Support Employee on Sep 27, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000037982
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0,  7.1.1
IssueSometimes when committing a role in RSA Identity Governance & Lifecycle, the role becomes stuck in the Applied or Applied New state and does not move to the Committed state. This situation prevents other role management activities from occurring with this role. 
User-added image

Under the General tab of the role the following message is displayed:
Additional changes cannot be made to this role until the change request is complete or rejected.

User-added image

The aveksaServer.log files show the following ERROR level log message.
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event 04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event java.lang.NullPointerException at com.aveksa.server.core.cr.UserChangeRequestData.<init>(UserChangeRequestData.java:128) at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2670) at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2444) at com.aveksa.server.core.globalroleset.ChangeRequestCreator$CRCreationData.createChangeRequest(ChangeRequestCreator.java:383) at com.aveksa.server.core.globalroleset.ChangeRequestCreator$Worker.run(ChangeRequestCreator.java:279) at java.lang.Thread.run(Thread.java:748)

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.

This is a normal state for a role that is completing the change request process that ensues from selecting Apply Changes. However, when this state never changes, the role is considered stuck and intervention is required.

The Role may get into this state if one (or more) of the entitlements or users being committed to the role has been deleted since the role was created.

For example,

  1. Add an entitlement to the role but do not Apply Changes to the role.
  2. Delete the entitlement from the endpoint and run a collection to remove the entitlement from RSA Identity Governance & Lifecycle. 
  3. Apply Changes to the role. 

The issue occurs because RSA Identity Governance & Lifecycle is unable to create the change request for the entitlement required to modify the role since it has been deleted. 

This is a known issue reported in engineering ticket ACM-97179.

ResolutionThis issue will be resolved in a future version of the product. 

The following techniques may be used to change the state of the role to a Committed state allowing changes to be made to the role. The actual technique that is appropriate may depend on what other items are in the role.

  • Cancel the change request associated with the role change

A change request may not always be successfully created in every instance, but if you can identify the change request generated for this role change, you can cancel it from the Requests page in the User Interface (RequestsRequests.)

  • Delete the Role.

Warning: Deleting the Role is a permanent change and will cause a change request to be created to remove all entitlements and members from the role.

In some instances if you understand the implications, deleting the role may be a valid choice. 

  • Force the Role into a state where it can be reverted back to a previous state.

Note: This only works if the role has a previously committed state.  This does not work for a newly created role.

If you attempt to manage the role by selecting the role from the Roles page and navigating to the Members or Entitlements tab, you will see that editing the role in the Applied New state is not allowed. However, you can work around this restriction with the following technique:

  1. From the Roles page under the Roles menu (Roles > Roles), select the problematic role by enabling the checkbox in the left hand column.  
  2. From the Actions menu, select Add Entitlements
  3. Add an arbitrary entitlement to the role. 
  4. Note that the role is now in a Changed state.
  5. From the Actions menu, select Revert Changes to Roles.
  6. Revert back to the last committed state.  

This will revert all changes you made to the role since the last commit, including the change that includes the deleted entitlement or user and including the arbitrary entitlement you created to force the change.  

Warning: This will also revert any other uncommitted changes to the role. You must make those changes again manually.