on Mar 24, 2020Article Content
| Article Number | 000038621 |
| Applies To | RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 6.x, 7.x |
| Issue | Objects previously collected by Account Collectors (ADCs) and Entitlement Collectors (EDCs) in 6.x are rejected in 7.x of RSA Identity Governance & Lifecycle. The following example illustrates this issue. Application XYZ has two Account Collectors: ADC1 and ADC2. ADC1 collects a group name called Group_RSA. ADC2 also collects a group name called Group_RSA. The first collector to run (ADC1), will collect the group Group_RSA. The second collector to run (ADC2), will reject group Group_RSA. The data run for the ADC2 collector has the following admin error:
Prior to RSA Identity Governance & Lifecycle 7.0, the second collector would not reject the duplicate group name. As a result, there would be a duplicate group name in Application XYZ called Group_RSA, one group collected by ADC1 and one group collected by ADC2. |
| Cause | This was an intentional design change introduced in RSA Identity Governance & Lifecycle 7.0 to avoid duplicate object names (accounts, groups, and entitlements) within the same application. Each collector within the same application space must collect unique object names. This behavior is documented on page 26 of the RSA Via Lifecycle and Governance V7.0 Release Notes under Data Quality Enhancements, Duplicate Objects: In previous versions, two collectors could collect the same object, for instance an entitlement with the same name could be collected for an application. The system would then show duplicate entitlements. A collector can now only collect an object for an application if there is no other existing object of the same name and same type that already has been collected for the application. This behavior is also referred to in the RSA Identity Governance & Lifecycle Upgrade and Migration Guide for each 7.x version as a Pre-Upgrade Task under Changes to Data Collections: Duplicate objects are no longer allowed within an application namespace. Previously, duplicate objects were not allowed within a collector, and as a result more than one collector was allowed to collect the same entitlement for an application. |
| Resolution | The resolution depends on whether the duplicate objects (accounts/groups/entitlements), are actually the same object being collected by more than one collector or whether the duplicate objects are different physical objects with the same name. If the same object is being collected by more than one collector:
If the duplicate objects are different physical objects with the same name:
EXAMPLEUsing the example above:
Solution 1 Create Application XYZ_2 and move the ADC2 collector to Application XYZ_2. Solution 2 Rename Group_RSA that is collected by ADC2. For example, Group_RSA2 or Group_RSA_ADC2. Or, rename Group_RSA in both data sources. For example, Group_RSA_ADC1 and Group_RSA_ADC2. The important point here is that duplicate object names cannot be collected into the same application. |