000038987 - Provisioning-Termination Rule fails to filter on Custom Attributes that have the same Display Names across Multiple Objects in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 10, 2020Last modified by RSA Customer Support Employee on Aug 25, 2020
Version 18Show Document
  • View in full screen mode

Article Content

Article Number000038987
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
 
IssueWhen the same Custom Attribute display name is defined for multiple object types, the Provisioning-Termination Rule is only able to filter on the first object in the drop-down list that has that attribute defined.

EXAMPLE

In the example, below a Custom Attribute called Technical Source has been created for the Account, Application Role, Entitlement, Group, and User attributes.

Note the Custom Attribute displays under the Admin > Attributes > Account/Application Role/Entitlement/Group/User tabs:
 
User-added image


After a successful Collection, the Custom Attribute Technical Source for the user has been updated with a collected value (Users > Users > {User name}).
 
User-added image


A Provisioning-Termination Rule ( Rules > Definitions > Create Rule > Type: Provisioning-Termination) that revokes entitlements based on the Technical Source user/group attribute is created. Note the drop-down menu has three choices (only the attributes that make sense for the rule filter):
 
User-added image


The filter Technical source(user-group) is chosen:
  
User-added image


After the Rule is saved and exited, the Rule configuration resets the filter to Technical Source ( application-role) which is the first option in the list.
 
User-added image


The following errors are logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
 
ERROR (TerminationActionThread_29) [com.aveksa.server.core.MasterEnterpriseUser] Persistence exception while getting user entitlementscom.aveksa.server.db.PersistenceException: Executing JDBC query failed [SELECT ENT_TYPES as ENTITLEMENT_TYPE, ENTITLEMENT_ID, IS_SHARED_ACCOUNT, ACCOUNT_IS_SERVICE FROM (SELECT * FROM (selectxue.ID as XUE_ID,xue.ENTITLED_TYPE,xue.ENTITLED_ID,case when xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account') and xue.ENTITLEMENT_DERIVED_FROM_TYPE ='explicit' AND MODEL.ENTITLEMENT_ID IS NULL then '1' else '0' end as ACTIONABLE,xue.ENTITLEMENT_TYPE as ENT_TYPES,xue.ENTITLEMENT_ID,nvl( ent.ALT_NAME, RESOURCE_NAME || ' : ' || ACTION_NAME) as ENTITLEMENT_NAME,ent.SHORT_DESC as ENTITLEMENT_SHORT_DESC,ent.LONG_DESC as ENTITLEMENT_LONG_DESC,ent.URL_REF as ENTITLEMENT_URL_REF,(RESOURCE_NAME || ' : ' || ACTION_NAME) as ENTITLEMENT_RAW_NAME,ent.RESOURCE_NAME,ent.ACTION_NAME,replace(regexp_substr(concat(xue.ENTITLED_PATH,xue.ENTITLEMENT_PATH),'[^'||unistr('\0001')||'].[^'||unistr('\0001')||']'),unistr('\0001'),' > ') as ENTITLEMENT_PATH,case when dc.ID > 0 THEN dc.ID ELSE NULL END as DC_ID,case when dc.ID > 0 THEN dc.NAME ELSE NULL END as DC_NAME,app.ID AS APPLICATION_ID,nvl( app.ALT_NAME, app.NAME ) AS APPLICATION_NAME,app.DESCRIPTION as APP_DESCRIPTION,app.SHORT_DESC as APPLICATION_SHORT_DESC,app.LONG_DESC as APPLICATION_LONG_DESC,app.URL_REF as APPLICATION_URL_REF,app.NAME as APPLICATION_RAW_NAME,app.BUSINESS_UNIT_ID as BUSINESS_UNIT_ID,BU.NAME as BUSINESS_UNIT_NAME,acc.ID as ACCOUNT_ID,acc.NAME as ACCOUNT_NAME,acc.IS_SHARED as IS_SHARED_ACCOUNT,case when acc.DELETION_DATE is null then 0 else 1 end as ACCOUNT_IS_DELETED,case when acc.ORPHANED_DATE is null then 0 else 1 end as ACCOUNT_IS_ORPHANED,acc.IS_DISABLED as ACCOUNT_IS_DISABLED,acc.IS_LOCKED as ACCOUNT_IS_LOCKED,acc.IS_SERVICE as ACCOUNT_IS_SERVICE,app.CLASSIFICATION as APP_CLASSIFICATION,app.LOCALITY as APP_LOCALITY,app.SENSITIVITY as APP_SENSITIVITY,app.OWNERSHIP as APP_OWNERSHIP,app.BUSINESS_USE as APP_BUSINESS_USE,xue.VIOLATION_COUNT as VIOLATION_COUNT,xue.EXCEPTION_COUNT as EXCEPTION_COUNT,app.BUSINESS_OWNER as BUSINESS_OWNER_ID,case when app.BUSINESS_OWNER is null then null else usr.last_name||', '||usr.first_name end as BUSINESS_OWNER,app.TECHNICAL_OWNER as TECHNICAL_OWNER_ID,case when app.TECHNICAL_OWNER is null then null else usr1.last_name||', '||usr1.first_name end as TECHNICAL_OWNER,app.EXCEPTION_MANAGER as VIOLATION_MANAGER_ID,case when app.EXCEPTION_MANAGER is null then null else usr2.last_name||', '||usr2.first_name end as VIOLATION_MANAGER,coalesce(ent.CAS3,NULL,NULL,NULL) as MS_EXTERNAL_ID,coalesce(ent.CAS8,NULL,NULL,NULL) as MS_TECHNICAL_SOURCE,NULL as EATTR_APPROLE_CAS6,coalesce(NULL,NULL,NULL,xue.LAST_REVIEWED_DATE) as MD_LAST_REVIEWED_DATE,NULL as EATTR_GROUPS_CAU1,NULL as EATTR_GROUPS_CAU1_NAME,coalesce(NULL,NULL) as MS_DN,NULL as EATTR_ACCOUNT_CAS4,res.CAS10 as EATTR_RESOURCES_CAS10,coalesce(app.CAU1,bu.CAU1) as MU_BACKUP_BUSINESS_OWNER,coalesce(app.CAU1_NAME,bu.CAU1_NAME) as MU_BACKUP_BUSINESS_OWNER_NAME,coalesce(app.CAU2,bu.CAU2) as MU_BACKUP_TECHNICAL_OWNER,coalesce(app.CAU2_NAME,bu.CAU2_NAME) as MU_BACKUP_TECHNICAL_OWNER_NAME,app.CAS9 as EATTR_APPS_CAS9from T_AV_EXPLODEDUSERENTITLEMENTS xuejoin T_ENTITLEMENTS ent on ent.id=xue.entitlement_idjoin T_RESOURCES res on res.id=ent.RESOURCE_IDjoin T_APPLICATIONS app on app.id=xue.APPLICATION_IDjoin T_DATA_COLLECTORS dc on dc.ID = xue.DC_IDLEFT OUTER JOIN t_master_enterprise_users usr on (usr.id=app.business_owner )LEFT OUTER JOIN t_master_enterprise_users usr1 on ( usr1.id=app.technical_owner )LEFT OUTER JOIN t_master_enterprise_users usr2 on (usr2.id = app.exception_manager)left outer join T_AV_BUSINESS_UNITS BU ON BU.ID = app.BUSINESS_UNIT_IDleft outer join T_AV_ACCOUNTS acc on acc.id=xue.acc_idleft outer join (select distinct entitlement_id, entitled_id as entitledId from (    select entitlement_id, entitled_id    from t_av_explodeduserentitlements x    where entitlement_type='ent'    and entitled_type='user' and ENTITLED_ID=108556    and (entitlement_derived_from_type not in ('explicit') or entitled_derived_from_type not in ('explicit','account'))    and x.deletion_date is null    union all    select entitlement_id, entitled_id from V_AV_INROLEENTITLEMENTS where entitlement_type='ent' and ENTITLED_ID=108556    )) model on model.entitlement_id = xue.entitlement_id and model.entitledId = xue.entitled_id
where xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account')and xue.ENTITLEMENT_DERIVED_FROM_TYPE in ('explicit')and xue.entitlement_type='ent'and xue.entitled_type='user' and ENTITLED_ID=108556and xue.deletion_date is nulland model.entitlement_id is null
union allselectxue.ID as XUE_ID,xue.ENTITLED_TYPE,xue.ENTITLED_ID,case when xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account') and xue.ENTITLEMENT_DERIVED_FROM_TYPE='explicit' AND MODEL.ENTITLEMENT_ID IS NULL then '1' else '0' end as ACTIONABLE,xue.ENTITLEMENT_TYPE as ENT_TYPES,xue.ENTITLEMENT_ID,nvl( ar.ALT_NAME, ar.NAME ) AS ENTITLEMENT_NAME,ar.SHORT_DESC as ENTITLEMENT_SHORT_DESC,ar.LONG_DESC as ENTITLEMENT_LONG_DESC,ar.URL_REF as ENTITLEMENT_URL_REF,ar.NAME as ENTITLEMENT_RAW_NAME,null as RESOURCE_NAME,null as ACTION_NAME,replace(regexp_substr(concat(xue.ENTITLED_PATH,xue.ENTITLEMENT_PATH),'[^'||unistr('\0001')||'].[^'||unistr('\0001')||']'),unistr('\0001'),' > ') as ENTITLEMENT_PATH,case when dc.ID > 0 THEN dc.ID ELSE NULL END as DC_ID,case when dc.ID > 0 THEN dc.NAME ELSE NULL END as DC_NAME,app.ID AS APPLICATION_ID,nvl( app.ALT_NAME, app.NAME ) AS APPLICATION_NAME,app.DESCRIPTION as APP_DESCRIPTION,app.SHORT_DESC as APPLICATION_SHORT_DESC,app.LONG_DESC as APPLICATION_LONG_DESC,app.URL_REF as APPLICATION_URL_REF,app.NAME as APPLICATION_RAW_NAME,app.BUSINESS_UNIT_ID as BUSINESS_UNIT_ID,BU.NAME as BUSINESS_UNIT_NAME,acc.ID as ACCOUNT_ID,acc.NAME as ACCOUNT_NAME,acc.IS_SHARED as IS_SHARED_ACCOUNT,case when acc.DELETION_DATE is null then 0 else 1 end as ACCOUNT_IS_DELETED,case when acc.ORPHANED_DATE is null then 0 else 1 end as ACCOUNT_IS_ORPHANED,acc.IS_DISABLED as ACCOUNT_IS_DISABLED,acc.IS_LOCKED as ACCOUNT_IS_LOCKED,acc.IS_SERVICE as ACCOUNT_IS_SERVICE,app.CLASSIFICATION as APP_CLASSIFICATION,app.LOCALITY as APP_LOCALITY,app.SENSITIVITY as APP_SENSITIVITY,app.OWNERSHIP as APP_OWNERSHIP,app.BUSINESS_USE as APP_BUSINESS_USE,xue.VIOLATION_COUNT as VIOLATION_COUNT,xue.EXCEPTION_COUNT as EXCEPTION_COUNT,app.BUSINESS_OWNER as BUSINESS_OWNER_ID,case when app.BUSINESS_OWNER is null then null else usr.last_name||', '||usr.first_name end as BUSINESS_OWNER,app.TECHNICAL_OWNER as TECHNICAL_OWNER_ID,case when app.TECHNICAL_OWNER is null then null else usr1.last_name||', '||usr1.first_name end as TECHNICAL_OWNER,app.EXCEPTION_MANAGER as VIOLATION_MANAGER_ID,case when app.EXCEPTION_MANAGER is null then null else usr2.last_name||', '||usr2.first_name end as VIOLATION_MANAGER,coalesce(NULL,ar.CAS3,NULL,NULL) as MS_EXTERNAL_ID,coalesce(NULL,ar.CAS8,NULL,NULL) as MS_TECHNICAL_SOURCE,ar.CAS6 as EATTR_APPROLE_CAS6,coalesce(NULL,NULL,NULL,xue.LAST_REVIEWED_DATE) as MD_LAST_REVIEWED_DATE,NULL as EATTR_GROUPS_CAU1,NULL as EATTR_GROUPS_CAU1_NAME,coalesce(NULL,NULL) as MS_DN,NULL as EATTR_ACCOUNT_CAS4,NULL as EATTR_RESOURCES_CAS10,coalesce(app.CAU1,bu.CAU1) as MU_BACKUP_BUSINESS_OWNER,coalesce(app.CAU1_NAME,bu.CAU1_NAME) as MU_BACKUP_BUSINESS_OWNER_NAME,coalesce(app.CAU2,bu.CAU2) as MU_BACKUP_TECHNICAL_OWNER,coalesce(app.CAU2_NAME,bu.CAU2_NAME) as MU_BACKUP_TECHNICAL_OWNER_NAME,app.CAS9 as EATTR_APPS_CAS9from T_AV_EXPLODEDUSERENTITLEMENTS xuejoin T_ENTITLEMENT_GROUPS ar on ar.id=xue.entitlement_id and ar.deletion_date is nulljoin T_APPLICATIONS app on app.id=xue.APPLICATION_IDLEFT OUTER JOIN t_master_enterprise_users usr on (usr.id=app.business_owner )LEFT OUTER JOIN t_master_enterprise_users usr1 on ( usr1.id=app.technical_owner )LEFT OUTER JOIN t_master_enterprise_users usr2 on (usr2.id = app.exception_manager)join T_DATA_COLLECTORS dc on dc.ID = xue.DC_IDleft outer join T_AV_BUSINESS_UNITS BU ON BU.ID = app.BUSINESS_UNIT_IDleft outer join T_AV_ACCOUNTS acc on acc.id=xue.acc_idleft outer join (select distinct entitlement_id, entitled_id as entitledId from (    select entitlement_id, entitled_id    from t_av_explodeduserentitlements x    where entitlement_type='app-role'    and entitled_type='user' and ENTITLED_ID=108556    and (entitlement_derived_from_type not in ('explicit') or entitled_derived_from_type not in ('explicit','account'))    and x.deletion_date is null    union all    select entitlement_id, entitled_id from V_AV_INROLEENTITLEMENTS where entitlement_type='app-role' and ENTITLED_ID=108556    )) model on model.entitlement_id = xue.entitlement_id and model.entitledId = xue.entitled_id
where xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account')and xue.ENTITLEMENT_DERIVED_FROM_TYPE in ('explicit')and xue.entitlement_type='app-role'and xue.entitled_type='user' and ENTITLED_ID=108556and xue.deletion_date is nulland model.entitlement_id is null
union allselectxue.ID as XUE_ID,xue.ENTITLED_TYPE,xue.ENTITLED_ID,case when xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account') and xue.ENTITLEMENT_DERIVED_FROM_TYPE='explicit' and r.MEMBERSHIP_TYPE = 0 AND MODEL.ENTITLEMENT_ID IS NULL then '1' else '0' end as ACTIONABLE,case r.TYPE when 'BR' then 'business-role' when 'TR' then 'technical-role' else 'global-role' end as ENT_TYPES,xue.ENTITLEMENT_ID,nvl( r.ALT_NAME, r.NAME ) AS ENTITLEMENT_NAME,r.SHORT_DESC as ENTITLEMENT_SHORT_DESC,r.LONG_DESC as ENTITLEMENT_LONG_DESC,r.URL_REF as ENTITLEMENT_URL_REF,r.NAME as ENTITLEMENT_RAW_NAME,null as RESOURCE_NAME,null as ACTION_NAME,replace(regexp_substr(concat(xue.ENTITLED_PATH,xue.ENTITLEMENT_PATH),'[^'||unistr('\0001')||'].[^'||unistr('\0001')||']'),unistr('\0001'),' > ') as ENTITLEMENT_PATH,case when dc.ID > 0 THEN dc.ID ELSE NULL END as DC_ID,case when dc.ID > 0 THEN dc.NAME ELSE NULL END as DC_NAME,app.id AS APPLICATION_ID,nvl( app.ALT_NAME, app.NAME ) AS APPLICATION_NAME,null as APP_DESCRIPTION,null as APPLICATION_SHORT_DESC,null as APPLICATION_LONG_DESC,null as APPLICATION_URL_REF,null as APPLICATION_RAW_NAME,null as BUSINESS_UNIT_ID,null as BUSINESS_UNIT_NAME,acc.ID as ACCOUNT_ID,acc.NAME as ACCOUNT_NAME,acc.IS_SHARED as IS_SHARED_ACCOUNT,case when acc.DELETION_DATE is null then 0 else 1 end as ACCOUNT_IS_DELETED,case when acc.ORPHANED_DATE is null then 0 else 1 end as ACCOUNT_IS_ORPHANED,acc.IS_DISABLED as ACCOUNT_IS_DISABLED,acc.IS_LOCKED as ACCOUNT_IS_LOCKED,acc.IS_SERVICE as ACCOUNT_IS_SERVICE,null as APP_CLASSIFICATION,null as APP_LOCALITY,null as APP_SENSITIVITY,null as APP_OWNERSHIP,null as APP_BUSINESS_USE,xue.VIOLATION_COUNT as VIOLATION_COUNT,xue.EXCEPTION_COUNT as EXCEPTION_COUNT,app.BUSINESS_OWNER as BUSINESS_OWNER_ID,case when app.BUSINESS_OWNER is null then null else usr.last_name||', '||usr.first_name end as BUSINESS_OWNER,app.TECHNICAL_OWNER as TECHNICAL_OWNER_ID,case when app.TECHNICAL_OWNER is null then null else usr1.last_name||', '||usr1.first_name end as TECHNICAL_OWNER,app.EXCEPTION_MANAGER as VIOLATION_MANAGER_ID,case when app.EXCEPTION_MANAGER is null then null else usr2.last_name||', '||usr2.first_name end as VIOLATION_MANAGER,coalesce(NULL,NULL,NULL,NULL) as MS_EXTERNAL_ID,coalesce(NULL,NULL,NULL,NULL) as MS_TECHNICAL_SOURCE,NULL as EATTR_APPROLE_CAS6,coalesce(r.LAST_REVIEWED_DATE,NULL,NULL,xue.LAST_REVIEWED_DATE) as MD_LAST_REVIEWED_DATE,NULL as EATTR_GROUPS_CAU1,NULL as EATTR_GROUPS_CAU1_NAME,coalesce(NULL,NULL) as MS_DN,NULL as EATTR_ACCOUNT_CAS4,NULL as EATTR_RESOURCES_CAS10,coalesce(app.CAU1,NULL) as MU_BACKUP_BUSINESS_OWNER,coalesce(app.CAU1_NAME,NULL) as MU_BACKUP_BUSINESS_OWNER_NAME,coalesce(app.CAU2,NULL) as MU_BACKUP_TECHNICAL_OWNER,coalesce(app.CAU2_NAME,NULL) as MU_BACKUP_TECHNICAL_OWNER_NAME,app.CAS9 as EATTR_APPS_CAS9from T_AV_EXPLODEDUSERENTITLEMENTS xuejoin T_AV_ROLES r on r.ID=xue.ENTITLEMENT_IDjoin t_applications app on r.roleset_id=app.id LEFT OUTER JOIN t_master_enterprise_users usr on (usr.id=app.business_owner )LEFT OUTER JOIN t_master_enterprise_users usr1 on ( usr1.id=app.technical_owner )LEFT OUTER JOIN t_master_enterprise_users usr2 on (usr2.id = app.exception_manager)LEFT OUTER JOIN t_master_enterprise_users usr3 on (usr3.id = r.owner_id)join T_DATA_COLLECTORS dc on dc.ID = xue.DC_IDleft outer join T_AV_ACCOUNTS acc on acc.id=xue.acc_id
left outer join (select distinct entitlement_id, entitled_id as entitledId from (    select entitlement_id, entitled_id    from t_av_explodeduserentitlements x    where entitlement_type='global-role'    and entitled_type='user' and ENTITLED_ID=108556    and (entitlement_derived_from_type not in ('explicit') or entitled_derived_from_type not in ('explicit','account'))    and x.deletion_date is null    union all    select entitlement_id, entitled_id from V_AV_INROLEENTITLEMENTS where entitlement_type='global-role' and ENTITLED_ID=108556    )) model on model.entitlement_id = xue.entitlement_id and model.entitledId = xue.entitled_idwhere xue.ENTITLED_DERIVED_FROM_TYPE in ('explicit','account')and xue.ENTITLEMENT_DERIVED_FROM_TYPE in ('explicit')and xue.entitlement_type='global-role'and xue.entitled_type='user' and ENTITLED_ID=108556and xue.deletion_date is nulland r.is_disabled='FALSE' and r.deletion_date is nulland model.entitlement_id is null
union allselectDISTINCT null as XUE_ID,'user' AS ENTITLED_TYPE,108556 AS ENTITLED_ID,case when gm.MEMBER_DERIVED_FROM_TYPE in ('A','E') and (member_path is null or instr(member_path,chr(1),-1)=1) then '1' else '0' end as ACTIONABLE,'group' as ENT_TYPES,g.ID AS ENTITLEMENT_ID,nvl( g.ALT_NAME, g.NAME ) AS ENTITLEMENT_NAME,g.SHORT_DESC as ENTITLEMENT_SHORT_DESC,g.LONG_DESC as ENTITLEMENT_LONG_DESC,g.URL_REF as ENTITLEMENT_URL_REF,g.NAME as ENTITLEMENT_RAW_NAME,null as RESOURCE_NAME,null as ACTION_NAME,replace(regexp_substr(gm.MEMBER_PATH,'[^'||unistr('\0001')||'].[^'||unistr('\0001')||']'),unistr('\0001'),' > ') as ENTITLEMENT_PATH,dc.ID as DC_ID,dc.NAME as DC_NAME,app.ID AS APPLICATION_ID,nvl( app.ALT_NAME, app.NAME ) AS APPLICATION_NAME,app.DESCRIPTION as APP_DESCRIPTION,app.SHORT_DESC as APPLICATION_SHORT_DESC,app.LONG_DESC as APPLICATION_LONG_DESC,app.URL_REF as APPLICATION_URL_REF,app.NAME as APPLICATION_RAW_NAME,bu.ID as BUSINESS_UNIT_ID,bu.NAME as BUSINESS_UNIT_NAME,acc.id as ACCOUNT_ID,acc.name as ACCOUNT_NAME,null as IS_SHARED_ACCOUNT,case when acc.DELETION_DATE is null then 0 else 1 end as ACCOUNT_IS_DELETED,case when acc.ORPHANED_DATE is null then 0 else 1 end as ACCOUNT_IS_ORPHANED,acc.IS_DISABLED as ACCOUNT_IS_DISABLED,acc.IS_LOCKED as ACCOUNT_IS_LOCKED,acc.IS_SERVICE as ACCOUNT_IS_SERVICE,app.CLASSIFICATION as APP_CLASSIFICATION,app.LOCALITY as APP_LOCALITY,app.SENSITIVITY as APP_SENSITIVITY,app.OWNERSHIP as APP_OWNERSHIP,app.BUSINESS_USE as APP_BUSINESS_USE,gm.VIOLATION_COUNT as VIOLATION_COUNT,gm.EXCEPTION_COUNT as EXCEPTION_COUNT,app.BUSINESS_OWNER as BUSINESS_OWNER_ID,case when app.BUSINESS_OWNER is null then null else usr.last_name||', '||usr.first_name end as BUSINESS_OWNER,app.TECHNICAL_OWNER as TECHNICAL_OWNER_ID,case when app.TECHNICAL_OWNER is null then null else usr1.last_name||', '||usr1.first_name end as TECHNICAL_OWNER,app.EXCEPTION_MANAGER as VIOLATION_MANAGER_ID,case when app.EXCEPTION_MANAGER is null then null else usr2.last_name||', '||usr2.first_name end as VIOLATION_MANAGER,coalesce(NULL,NULL,g.CAS9,acc.CAS3) as MS_EXTERNAL_ID,coalesce(NULL,NULL,g.CAS8,acc.CAS8) as MS_TECHNICAL_SOURCE,NULL as EATTR_APPROLE_CAS6,coalesce(NULL,gm.LAST_REVIEWED_DATE,g.LAST_REVIEWED_DATE,acc.LAST_REVIEWED_DATE,NULL) as MD_LAST_REVIEWED_DATE,g.CAU1 as EATTR_GROUPS_CAU1,g.CAU1_NAME as EATTR_GROUPS_CAU1_NAME,coalesce(g.CAS1,acc.CAS1) as MS_DN,acc.CAS4 as EATTR_ACCOUNT_CAS4,NULL as EATTR_RESOURCES_CAS10,coalesce(app.CAU1,bu.CAU1) as MU_BACKUP_BUSINESS_OWNER,coalesce(app.CAU1_NAME,bu.CAU1_NAME) as MU_BACKUP_BUSINESS_OWNER_NAME,coalesce(app.CAU2,bu.CAU2) as MU_BACKUP_TECHNICAL_OWNER,coalesce(app.CAU2_NAME,bu.CAU2_NAME) as MU_BACKUP_TECHNICAL_OWNER_NAME,app.CAS9 as EATTR_APPS_CAS9from T_GROUP_MEMBERSHIPS gminner join t_groups g on g.id=gm.group_idleft outer join t_av_accounts acc on gm.member_derived_from_type='A' and gm.member_derived_from_id=acc.idinner join T_DATA_COLLECTORS dc on dc.ID = g.DC_IDinner join T_APPLICATIONS app on app.id=g.APPLICATION_IDLEFT OUTER JOIN t_master_enterprise_users usr on (usr.id=app.business_owner )LEFT OUTER JOIN t_master_enterprise_users usr1 on ( usr1.id=app.technical_owner )LEFT OUTER JOIN t_master_enterprise_users usr2 on (usr2.id = app.exception_manager)left outer join T_AV_BUSINESS_UNITS BU ON BU.ID = app.BUSINESS_UNIT_IDleft outer join (select distinct entitlement_id, entitled_id from (    select entitlement_id, entitled_id    from t_av_explodeduserentitlements x    where entitlement_type='group'    and entitled_type='user' and ENTITLED_ID=108556    and (entitlement_derived_from_type not in ('explicit') or entitled_derived_from_type not in ('explicit','account'))    and x.deletion_date is null    union all    select entitlement_id, entitled_id from V_AV_INROLEENTITLEMENTS where entitlement_type='group' and ENTITLED_ID=108556    )) model on model.entitlement_id = g.id and model.entitled_id = gm.member_id
where g.DELETION_DATE IS NULL and gm.DELETION_DATE IS NULL and gm.MEMBER_TYPE='user' and gm.MEMBER_ID=108556and gm.deletion_date is nulland model.entitlement_id is nulland gm.MEMBER_DERIVED_FROM_TYPE in ('A','E') and (member_path is null or instr(member_path,chr(1),-1)=1)
union allselectnull as XUE_ID,'user' as ENTITLED_TYPE,uam.USER_ID as ENTITLED_ID,case when -3 in (acc.adc_id, uam.adc_id) then '0'else '1'end as ACTIONABLE,'account' as ENTITLEMENT_TYPE,uam.ACCOUNT_ID as ENTITLEMENT_ID,acc.name as ENTITLEMENT_NAME,null as ENTITLEMENT_SHORT_DESC,null as ENTITLEMENT_LONG_DESC,null as ENTITLEMENT_URL_REF,acc.name as ENTITLEMENT_RAW_NAME,null as RESOURCE_NAME,null as ACTION_NAME,null as ENTITLEMENT_PATH,case when dc.ID > 0 THEN dc.ID ELSE NULL END as DC_ID,case when dc.ID > 0 THEN dc.NAME ELSE NULL END as DC_NAME,app.ID AS APPLICATION_ID,nvl( app.ALT_NAME, app.NAME ) AS APPLICATION_NAME,app.DESCRIPTION as APP_DESCRIPTION,app.SHORT_DESC as APPLICATION_SHORT_DESC,app.LONG_DESC as APPLICATION_LONG_DESC,app.URL_REF as APPLICATION_URL_REF,app.NAME as APPLICATION_RAW_NAME,app.BUSINESS_UNIT_ID as BUSINESS_UNIT_ID,BU.NAME as BUSINESS_UNIT_NAME,null as ACCOUNT_ID,null as ACCOUNT_NAME,acc.IS_SHARED as IS_SHARED_ACCOUNT,case when acc.DELETION_DATE is null then 0 else 1 end as ACCOUNT_IS_DELETED,case when acc.ORPHANED_DATE is null then 0 else 1 end as ACCOUNT_IS_ORPHANED,acc.IS_DISABLED as ACCOUNT_IS_DISABLED,acc.IS_LOCKED as ACCOUNT_IS_LOCKED,acc.IS_SERVICE as ACCOUNT_IS_SERVICE,app.CLASSIFICATION as APP_CLASSIFICATION,app.LOCALITY as APP_LOCALITY,app.SENSITIVITY as APP_SENSITIVITY,app.OWNERSHIP as APP_OWNERSHIP,app.BUSINESS_USE as APP_BUSINESS_USE,null as VIOLATION_COUNT,null as EXCEPTION_COUNT,app.BUSINESS_OWNER as BUSINESS_OWNER_ID,case when app.BUSINESS_OWNER is null then null else usr.last_name||', '||usr.first_name end as BUSINESS_OWNER,app.TECHNICAL_OWNER as TECHNICAL_OWNER_ID,case when app.TECHNICAL_OWNER is null then null else usr1.last_name||', '||usr1.first_name end as TECHNICAL_OWNER,app.EXCEPTION_MANAGER as VIOLATION_MANAGER_ID,case when app.EXCEPTION_MANAGER is null then null else usr2.last_name||', '||usr2.first_name end as VIOLATION_MANAGER,coalesce(NULL,NULL,NULL,acc.CAS3) as MS_EXTERNAL_ID,coalesce(NULL,NULL,NULL,acc.CAS8) as MS_TECHNICAL_SOURCE,NULL as EATTR_APPROLE_CAS6,coalesce(NULL,NULL,acc.LAST_REVIEWED_DATE,NULL) as MD_LAST_REVIEWED_DATE,NULL as EATTR_GROUPS_CAU1,NULL as EATTR_GROUPS_CAU1_NAME,coalesce(NULL,acc.CAS1) as MS_DN,acc.CAS4 as EATTR_ACCOUNT_CAS4,NULL as EATTR_RESOURCES_CAS10,coalesce(app.CAU1,bu.CAU1) as MU_BACKUP_BUSINESS_OWNER,coalesce(app.CAU1_NAME,bu.CAU1_NAME) as MU_BACKUP_BUSINESS_OWNER_NAME,coalesce(app.CAU2,bu.CAU2) as MU_BACKUP_TECHNICAL_OWNER,coalesce(app.CAU2_NAME,bu.CAU2_NAME) as MU_BACKUP_TECHNICAL_OWNER_NAME,app.CAS9 as EATTR_APPS_CAS9from T_AV_USER_ACCOUNT_MAPPINGS uamjoin T_AV_ACCOUNTS acc on acc.ID=uam.ACCOUNT_IDleft outer join T_APPLICATIONS app on app.id=acc.APPLICATION_IDLEFT OUTER JOIN t_master_enterprise_users usr on (usr.id=app.business_owner )LEFT OUTER JOIN t_master_enterprise_users usr1 on ( usr1.id=app.technical_owner )LEFT OUTER JOIN t_master_enterprise_users usr2 on (usr2.id = app.exception_manager)join T_DATA_COLLECTORS dc on dc.ID = uam.ADC_IDleft outer join T_AV_BUSINESS_UNITS BU ON BU.ID = app.BUSINESS_UNIT_IDwhere uam.USER_ID=108556 AND uam.DELETION_DATE IS NULL AND uam.STATE = 'VA' AND app.IS_DELETED = 'FALSE') unifiedents  where unifiedents.EATTR_GROUPS_CAS8='DIR-AD_OFFICE01-PRD')] at com.aveksa.server.db.persistence.PersistenceServiceProvider.executeJDBCQuery(PersistenceServiceProvider.java:3259) at com.aveksa.server.db.persistence.PersistenceServiceProvider.executeJDBCQueryObjectArray(PersistenceServiceProvider.java:3343) at com.aveksa.server.db.persistence.PersistenceServiceProvider.executeJDBCQueryObjectArray(PersistenceServiceProvider.java:3328) at com.aveksa.server.db.PersistenceManager.executeJDBCQueryObjectArray(PersistenceManager.java:476) at com.aveksa.server.core.MasterEnterpriseUser.getChangeRequestItemsToRevoke(MasterEnterpriseUser.java:1875) at com.aveksa.server.core.rule.action.termination.TerminationActionThread.handleUserEntitlementsRevocation(TerminationActionThread.java:226) at com.aveksa.server.core.rule.action.termination.TerminationActionThread.handleTerminationActions(TerminationActionThread.java:120) at com.aveksa.server.core.rule.action.termination.TerminationActionThread.run(TerminationActionThread.java:62) at java.lang.Thread.run(Thread.java:748)Caused by: org.hibernate.exception.SQLGrammarException: error executing work at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:63) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.coordinateWork(JdbcCoordinatorImpl.java:337) at org.hibernate.internal.SessionImpl.doWork(SessionImpl.java:2153) at org.hibernate.internal.SessionImpl.doReturningWork(SessionImpl.java:2149) at com.aveksa.server.db.persistence.PersistenceServiceProvider.executeJDBCQuery(PersistenceServiceProvider.java:3240) ... 8 moreCaused by: java.sql.SQLSyntaxErrorException: ORA-00904: "UNIFIEDENTS"."EATTR_GROUPS_CAS8": invalid identifier
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:450)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:399) at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:1059) at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:522) at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:257) at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:587) at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:225) at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:53) at oracle.jdbc.driver.T4CPreparedStatement.executeForDescribe(T4CPreparedStatement.java:774) at oracle.jdbc.driver.OracleStatement.executeMaybeDescribe(OracleStatement.java:925) at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1111) at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:4798) at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:4845) at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeQuery(OraclePreparedStatementWrapper.java:1501) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at com.aveksa.server.db.persistence.PersistenceServiceProvider$6.execute(PersistenceServiceProvider.java:3247) at com.aveksa.server.db.persistence.PersistenceServiceProvider$6.execute(PersistenceServiceProvider.java:3240) at org.hibernate.jdbc.WorkExecutor.executeReturningWork(WorkExecutor.java:55) at org.hibernate.internal.SessionImpl$4.accept(SessionImpl.java:2146) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.coordinateWork(JdbcCoordinatorImpl.java:332) ... 11 more



Please refer to RSA Knowledge Base Article  000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)


 
CauseThis is a known issue reported in engineering ticket ACM-105009.
 
ResolutionThis issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P03.
 
WorkaroundModify the Attribute Name of each Attribute to make it unique.

For example, to modify the Application Role attribute, go to Admin > Attributes > Application Role tab > Edit.
 
User-added image


Once the Attribute names have been modified, the names in the Rule drop-down menu will be unique and the issue will be resolved:
 
User-added image


 

Attachments

    Outcomes