000038826 - Indirect Relationship Processing fails with ORA-30926 and 'ORA-06512: at "AVUSER.CE_USERS" ' errors when collecting Groups in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 2, 2020
Version 1

Article Content

Article Number: 000038826
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
 
Issue

The Indirect Relationship Processing task for Account Data Collectors (ADCs) shows a status of Failed in the User Interface (Admin > Monitoring > Run ID).

The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
 

04/15/2020 01:21:45.636 ERROR (Exec Task Consumer#0) [com.aveksa.server.xfw.TaskExecutor] Failed method=Execute
ExecutionTask[TaskID=3027914 RunID=2159883 Source=68 Type=EntitlementExplosionProcessing Status=InProgress]
com.aveksa.server.xfw.ExecutionException: com.aveksa.server.db.PersistenceException: java.sql.SQLException:
ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.CE_USERS", line 1036
ORA-06512: at "AVUSER.CE_USERS", line 1882
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 335
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 129
ORA-06512: at line 1


Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
 
Cause

This issue occurs when attempting to resolve Group relationships for Accounts where an Account is a member of a Group through different paths.

For example:



UserA has AccountA that is a member of GroupC through the following paths:


  • AccountA is a member of GroupA which is a member of GroupC
  • AccountA is a member of GroupB which is a member of GroupC

RSA Identity Governance & Lifecycle incorrectly fails to resolve the Account to Group membership as a unique entitlement for this use case. This issue only occurs when multiple Account to Group relationships are resolved in the same Account Data Collector (ADC) run (specifically, the same Indirect Relationship Processing step shared by multiple ADC runs). It does not occur if one Account to Group relationship is resolved in a previous collection and a new relationship is established in a different collection. Normally, with the delta collection model, changes to Accounts and/or Groups, as well as Account to Group relationships, are resolved per collector, so a failure is unlikely. However, forcing a Full Refresh on a collector, or on multiple collectors at the same time, drastically increases the likelihood of this failure.
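The two-path case above, worked through as an added example (this is not RSA's code, and the `membership` table, its columns and the sample rows are hypothetical, constructed for illustration). It uses SQLite to resolve nested membership for AccountA and shows that the same (account, group) key comes back once per path, which is the kind of duplicate the checks in this article look for.

```python
import sqlite3

# Constructed data for the article's example. The table and column names are
# hypothetical and are not the RSA Identity Governance & Lifecycle schema.
DIRECT = [
    ("AccountA", "GroupA"),
    ("AccountA", "GroupB"),
    ("GroupA", "GroupC"),
    ("GroupB", "GroupC"),
]

# Walk group nesting upward from one account, keeping the path taken.
# Assumes the nesting has no cycles, as in the sample data.
RESOLVED = """
WITH RECURSIVE resolved(member, grp, path) AS (
    SELECT member, grp, member || ' > ' || grp
    FROM membership WHERE member = ?
    UNION ALL
    SELECT r.member, m.grp, r.path || ' > ' || m.grp
    FROM resolved r JOIN membership m ON m.member = r.grp
)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE membership (member TEXT, grp TEXT)")
    db.executemany("INSERT INTO membership VALUES (?, ?)", DIRECT)
    return db

def resolved_paths(db, account):
    """One row per path, so a group reached two ways appears twice."""
    sql = RESOLVED + "SELECT member, grp, path FROM resolved ORDER BY path"
    return db.execute(sql, (account,)).fetchall()

def duplicate_keys(db, account):
    """Keys seen more than once, in the style of HAVING COUNT(1) > 1."""
    sql = RESOLVED + ("SELECT member, grp, COUNT(1) FROM resolved "
                      "GROUP BY member, grp HAVING COUNT(1) > 1")
    return db.execute(sql, (account,)).fetchall()

def unique_entitlements(db, account):
    """Collapse the paths to one row per (account, group) pair."""
    sql = RESOLVED + "SELECT DISTINCT member, grp FROM resolved ORDER BY grp"
    return db.execute(sql, (account,)).fetchall()

if __name__ == "__main__":
    db = open_db()
    for row in resolved_paths(db, "AccountA"):
        print(row)
    print("duplicates:", duplicate_keys(db, "AccountA"))
    print("unique:", unique_entitlements(db, "AccountA"))
```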
 
Resolution

This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.0.2 P14
  • RSA Identity Governance & Lifecycle 7.1.0 P08
  • RSA Identity Governance & Lifecycle 7.1.1 P02
  • RSA Identity Governance & Lifecycle 7.2.0

To determine if you have this issue, run the following SQL script as avuser. The script identifies if there are any duplicates but does not uniquely identify the type of duplicate. If the script returns a count greater than zero, the issue exists and patching to one of the above versions is required.
 

-- Duplicate rows in t_ce_explicit_relations, keyed by ID and type
SELECT *
FROM t_ce_explicit_relations
WHERE
    ( entitled_id, entitled_type, entitlement_id, entitlement_type ) IN (
        SELECT
            entitled_id, entitled_type, entitlement_id, entitlement_type
        FROM t_ce_explicit_relations
        GROUP BY
            entitled_id, entitled_type, entitlement_id, entitlement_type
        HAVING COUNT(1) > 1
    );

-- Duplicate rows in t_ce_explicit_relations, keyed by name and type
SELECT *
FROM t_ce_explicit_relations
WHERE
    ( entitled_name, entitled_type, entitlement_name, entitlement_type ) IN (
        SELECT
            entitled_name, entitled_type, entitlement_name, entitlement_type
        FROM t_ce_explicit_relations
        GROUP BY
            entitled_name, entitled_type, entitlement_name, entitlement_type
        HAVING COUNT(1) > 1
    );

-- Rows in t_ce_explicit_relations that reference a deleted data collector
SELECT COUNT(1)
FROM t_ce_explicit_relations
WHERE
    dc_id IN (
        SELECT id
        FROM t_data_collectors
        WHERE is_deleted = 'TRUE'
    );

-- Duplicate rows in t_group_memberships
SELECT *
FROM t_group_memberships
WHERE
    ( dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id ) IN (
        SELECT
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id
        FROM t_group_memberships
        GROUP BY
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id
        HAVING COUNT(1) > 1
    );


 
Workaround

Avoid the use of Full Refresh for Account Data Collection.

There is no cleanup script for this issue. The issue must be resolved through a patch.
 
Notes

Related RSA Knowledge Base Articles:
 
