000037982 - Roles get stuck in the Applied or Applied New State and cannot be modified in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 26, 2019
Last modified by RSA Customer Support Employee on Sep 2, 2020
Version 26

Article Content

Article Number: 000037982

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0

Issue

Sometimes when committing a role in RSA Identity Governance & Lifecycle, the role becomes stuck in the Applied or Applied New state and does not move to the Committed state. This situation prevents other role management activities from occurring with this role.

Under the Roles > Roles > {role name} > General tab of the role, the following message is displayed:
Additional changes cannot be made to this role until the change request is complete or rejected.


The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) shows the following ERROR level log message:
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
java.lang.NullPointerException
    at com.aveksa.server.core.cr.UserChangeRequestData.<init>(UserChangeRequestData.java:128)
    at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2670)
    at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2444)
    at com.aveksa.server.core.globalroleset.ChangeRequestCreator$CRCreationData.createChangeRequest(ChangeRequestCreator.java:383)
    at com.aveksa.server.core.globalroleset.ChangeRequestCreator$Worker.run(ChangeRequestCreator.java:279)
    at java.lang.Thread.run(Thread.java:748)

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
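
The following Python check is an added example, not part of the RSA article or product: it scans aveksaServer.log text for the error signature quoted above (an ERROR from ChangeRequestCreator whose stack trace is a NullPointerException in UserChangeRequestData.<init>) and returns the timestamps of matching entries. It assumes the real file writes each stack frame on its own line after the entry header; the function names and the com.example lines in the sample are hypothetical.

```python
import re

# Entry header: "<date> <time> LEVEL (tag) [logger] message"
ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \([^)]*\) \[([^\]]+)\] (.*)$"
)
LOGGER = "com.aveksa.server.core.globalroleset.ChangeRequestCreator"
FRAME = "com.aveksa.server.core.cr.UserChangeRequestData.<init>"

# Constructed sample: the first two entries reuse text quoted in this article
# (trace abbreviated); the com.example entries are invented noise.
SAMPLE_LOG = """\
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
java.lang.NullPointerException
    at com.aveksa.server.core.cr.UserChangeRequestData.<init>(UserChangeRequestData.java:128)
    at com.aveksa.server.core.globalroleset.ChangeRequestCreator$Worker.run(ChangeRequestCreator.java:279)
04/03/2019 18:05:02.101 ERROR (Other) [com.example.Unrelated] Error method=run
java.lang.NullPointerException
    at com.example.Unrelated.run(Unrelated.java:10)
04/03/2019 18:05:03.000 INFO (Other) [com.example.Unrelated] done
"""


def group_entries(lines):
    """Attach continuation lines (exception class, 'at ...' frames) to their header."""
    entry = None
    for line in lines:
        m = ENTRY_RE.match(line.rstrip())
        if m:
            if entry:
                yield entry
            ts, level, logger, msg = m.groups()
            entry = {"ts": ts, "level": level, "logger": logger, "msg": msg, "trace": []}
        elif entry and line.strip():
            entry["trace"].append(line.strip())
    if entry:
        yield entry


def find_stuck_role_errors(lines):
    """Return timestamps of entries matching the stuck-role signature."""
    hits = []
    for e in group_entries(lines):
        trace = "\n".join(e["trace"])
        if (e["level"] == "ERROR" and e["logger"] == LOGGER
                and "java.lang.NullPointerException" in trace and FRAME in trace):
            hits.append(e["ts"])
    return hits
```

To check a real deployment, pass an open file handle for the aveksaServer.log path given above instead of the sample lines.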

This is a normal state for a role that is completing the change request process that ensues from selecting Apply Changes. However, when this state never changes, the role is considered stuck and intervention is required.

The Role may get into this state if one (or more) of the entitlements or users being committed to the role has been deleted since the role was created.

For example,

  1. Add an entitlement to the role but do not Apply Changes to the role.
  2. Delete the entitlement from the endpoint and run a collection to remove the entitlement from RSA Identity Governance & Lifecycle. 
  3. Apply Changes to the role. 

The issue occurs because RSA Identity Governance & Lifecycle is unable to create the change request for the entitlement required to modify the role since it has been deleted. 

This is a known issue reported in engineering ticket ACM-97179.

Resolution

This issue is resolved in the following RSA Identity Governance & Lifecycle patches:
  • RSA Identity Governance & Lifecycle 7.1.1 P07
  • RSA Identity Governance & Lifecycle 7.2.0 P02

When a Role commit contains a reference to a deleted user or a deleted entitlement, the item will be shown with a strike-through. The tool tip will display a message indicating that the resource was deleted. The Role commit will be allowed to complete without errors. 

The tool tip message is:

This user has been deleted and will not be added as a member in the committed role.

and appears in the user interface under Roles > Roles > {Role name} > Members tab.


The following techniques may be used to change the state of the role to a Committed state allowing changes to be made to the role. The actual technique that is appropriate may depend on what other items are in the role.

  • Cancel the change request associated with the role change

A change request may not always be successfully created in every instance, but if you can identify the change request generated for this role change, you can cancel it from the Requests page in the User Interface (Requests > Requests).

  • Delete the Role.

Warning: Deleting the Role is a permanent change and will cause a change request to be created to remove all entitlements and members from the role.

In some instances, if you understand the implications, deleting the role may be a valid choice.

  • Force the Role into a state where it can be reverted back to a previous state.

Note: This only works if the role has a previously committed state.  This does not work for a newly created role.

If you attempt to manage the role by selecting the role from the Roles page and navigating to the Members or Entitlements tab, you will see that editing the role in the Applied New state is not allowed. However, you can work around this restriction with the following technique:

  1. From the Roles page under the Roles menu (Roles > Roles), select the problematic role by enabling the checkbox in the left-hand column.
  2. From the Actions menu, select Add Entitlements.
  3. Add an arbitrary entitlement to the role. 
  4. Note that the role is now in a Changed state.
  5. From the Actions menu, select Revert Changes to Roles.
  6. Revert back to the last committed state.  

This will revert all changes you made to the role since the last commit, including the change that includes the deleted entitlement or user and including the arbitrary entitlement you created to force the change.  

Warning: This will also revert any other uncommitted changes to the role. You must make those changes again manually.