Article Content
Article Number | 000038625 |
Applies To | RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.1.1, 7.2.0 |
Issue | The Web Service API createChangeRequest command fails when called from an RSA Identity Governance & Lifecycle workflow. The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) shows the following INFO level log message:
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab, under Logs). |
Cause | This issue occurs when the security on the createChangeRequest Web Service command is set to Request Forms and Workflows (no token). To view this setting in the user interface, go to Admin > Web Services > Request tab and click the Configure button for createChangeRequest. Admin Web Services API calls typically require an authentication token to allow access to the API commands. The Web Service loginUser command (Admin > Web Services > Admin tab) accepts an RSA Identity Governance & Lifecycle username and password for a particular user and then creates a user session token that impersonates that user. Subsequent Admin Web Service API calls then use the user session token and are identified as the user that was authenticated. The createChangeRequest API command (Admin > Web Services > Request tab) is an example of an Admin Web Services API call that requires an authenticated user in order to complete the call. When a createChangeRequest call is made, the change request is generated as the user who owns the user session token. When the createChangeRequest call is made from a workflow, it needs to be configured so that a user session token is not required. As a result, when createChangeRequest is called from a workflow, the call fails because there is no user associated with the command. This is a known issue reported in engineering ticket ACM-103573. |
Resolution | This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
|
Workaround | The only workaround to this issue is to pass a user session token with the request, which is not practical for use within a workflow. |
Notes | Other Admin API Web Services requests that require a user reference may also fail, including but not limited to cancelChangeActivity, updateReviewItems, etc. |