|Applies To||RSA Product Set: Identity Governance & Lifecycle|
RSA Version/Condition: 7.1.0, 7.1.1
|Issue||Sometimes when committing a role in RSA Identity Governance & Lifecycle, the role becomes stuck in the Applied or Applied New state and does not move to the Committed state. This situation prevents other role management activities from occurring with this role. |
Under the General tab of the role the following message is displayed:
Additional changes cannot be made to this role until the change request is complete or rejected.
The aveksaServer.log files show the following ERROR level log message.
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event 04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event java.lang.NullPointerException at com.aveksa.server.core.cr.UserChangeRequestData.<init>(UserChangeRequestData.java:128) at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2670) at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2444) at com.aveksa.server.core.globalroleset.ChangeRequestCreator$CRCreationData.createChangeRequest(ChangeRequestCreator.java:383) at com.aveksa.server.core.globalroleset.ChangeRequestCreator$Worker.run(ChangeRequestCreator.java:279) at java.lang.Thread.run(Thread.java:748)
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
This is a normal state for a role that is completing the change request process that ensues from selecting Apply Changes. However, when this state never changes, the role is considered stuck and intervention is required.
The Role may get into this state if one (or more) of the entitlements or users being committed to the role has been deleted since the role was created.
|Resolution||This issue will be resolved in a future version of the product.|
The following techniques may be used to change the state of the role to a Committed state allowing changes to be made to the role. The actual technique that is appropriate may depend on what other items are in the role.
A change request may not always be successfully created in every instance, but if you can identify the change request generated for this role change, you can cancel it from the Requests page in the User Interface (Requests > Requests.)
Warning: Deleting the Role is a permanent change and will cause a change request to be created to remove all entitlements and members from the role.
In some instances if you understand the implications, deleting the role may be a valid choice.
Note: This only works if the role has a previously committed state. This does not work for a newly created role.
This will revert all changes you made to the role since the last commit, including the change that includes the deleted entitlement or user and including the arbitrary entitlement you created to force the change.