|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
|Issue||The Indirect Relationship Processing task for Account Data Collectors (ADCs) shows a status of Failed in the User Interface (Admin > Monitoring > Run ID).|
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
|Cause||This issue occurs when attempting to resolve Group relationships for Accounts where an Account is a member of a Group through different paths.|
UserA has AccountA that is a member of GroupC through the following paths:
RSA Identity Governance & Lifecycle incorrectly fails to resolve the Account to Group membership as a unique entitlement for this use case. This issue only occurs when multiple Account to Group relationships are resolved in the same Account Data Collector (ADC) run (specifically the same Indirect Relationship Processing step shared by multiple ADC runs.) It does not occur if one Account to Group relationship is resolved in a previous collection and a new relationship is established in a different collection. Normally with the delta collection model, changes to Accounts and/or Groups as well as Account to Group relationships are resolved per collector so the likelihood of a failure is rare, however forcing a Full Refresh on a collector or forcing a Full Refresh on multiple collectors at the same time drastically increases the likelihood of this failure.
|Resolution||This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:|
To determine if you have this issue, run the following SQL script as avuser. The script identifies if there are any duplicates but does not uniquely identify the type of duplicate. If the script returns a count greater than zero, the issue exists and patching to one of the above versions is required.
|Workaround||Avoid the use of Full Refresh for Account Data Collection.|
There is no cleanup script for this issue. The issue must be resolved through a patch.
|Notes||Related RSA Knowledge Base Articles:|