000038621 - Objects previously collected by Account Collectors and Entitlement Collectors in 6.x are rejected in 7.x of RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Mar 24, 2020Last modified by RSA Customer Support Employee on Aug 14, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000038621
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 6.x, 7.x
 
IssueObjects previously collected by Account Collectors (ADCs) and Entitlement Collectors (EDCs) in 6.x are rejected in 7.x of RSA Identity Governance & Lifecycle.

The following example illustrates this issue.

Application XYZ has two Account Collectors: ADC1 and ADC2. ADC1 collects a group name called Group_RSA. ADC2 also collects a group name called Group_RSA. The first collector to run (ADC1), will collect the group Group_RSA. The second collector to run (ADC2), will reject group Group_RSA. The data run for the ADC2 collector has the following admin error:
 

EC[251] Context[RunID=25294, ADC(Name=ADC2, ID=68)] Message[Reference resolutions failed.]


Prior to RSA Identity Governance & Lifecycle 7.0, the second collector would not reject the duplicate group name. As a result, there would be a duplicate group name in Application XYZ called Group_RSA, one group collected by ADC1 and one group collected by ADC2.
 
CauseThis was an intentional design change introduced in RSA Identity Governance & Lifecycle 7.0 to avoid duplicate object names (accounts, groups, and entitlements) within the same application.
 

Each collector within the same application space must collect unique object names.


This behavior is documented on page 26 of the RSA Via Lifecycle and Governance V7.0 Release Notes under Data Quality Enhancements, Duplicate Objects:


In previous versions, two collectors could collect the same object, for instance an entitlement with
the same name could be collected for an application. The system would then show duplicate
entitlements.


A collector can now only collect an object for an application if there is no other existing object of the
same name and same type that already has been collected for the application.



This behavior is also referred to in the RSA Identity Governance & Lifecycle Upgrade and Migration Guide for each 7.x version as a Pre-Upgrade Task under Changes to Data Collections:  
 


Duplicate objects are no longer allowed within an application namespace. Previously, duplicate objects
were not allowed within a collector, and as a result more than one collector was allowed to collect the
same entitlement for an application
.


 
ResolutionThe resolution depends on whether the duplicate objects (accounts/groups/entitlements), are actually the same object being collected by more than one collector or whether the duplicate objects are different physical objects with the same name.

If the same object is being collected by more than one collector:
  1. Decide on one collector to collect the object, or
  2. Create separate applications for the duplicate objects.

If the duplicate objects are different physical objects with the same name:
  1. Create separate applications for the duplicate objects or
  2. Rename the duplicate objects so that they may be collected into the same application space.
 

EXAMPLE 


Using the example above:

  • Application XYZ with two Account Collectors (ADC1 and ADC2.)
  • ADC1 collects Group_RSA.
  • ADC2 collects Group_RSA.
  • Run both collections (ADC1 followed by ADC2.)
  • Collection of Group_RSA by ADC2 fails because Group_RSA already exists in the application having been collected by ADC1.

Solution 1


Create Application XYZ_2 and move the ADC2 collector to Application XYZ_2.
 


Solution 2


Rename Group_RSA that is collected by ADC2. For example, Group_RSA2 or Group_RSA_ADC2.
Or, rename Group_RSA in both data sources. For example, Group_RSA_ADC1 and Group_RSA_ADC2.

 

The important point here is that duplicate object names cannot be collected into the same application.



 

Attachments

    Outcomes