000039271 - Role Review Member and/or Entitlement counts are incorrect preventing Role Review completion in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Aug 31, 2020Last modified by RSA Customer Support Employee on Sep 3, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000039271
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1 P07+, 7.2.0 P02+
IssueRole Review Results display incorrect count totals for Members and/or Entitlements. The actual number of Members and/or Entitlements in the Review are correct but the total counts are wrong.

In addition the Review Status bar does not go to 100% once all the items have been reviewed preventing the Review from being completed.

In the following example, note the total Members under the All Roles tab (Reviews > Results > {Role review name} > General tab > Review Items > All Roles tab > show all items) indicates that Role MyGlobalRole2 has four members.
User-added image

The Role details page (MyGlobalRole2 > Members tab) lists only two Members for Role MyGlobalRole2 which is the correct number of Members.

User-added image

CauseThis is a known issue reported in engineering ticket ACM-107348.

The following versions and patch levels are affected:
  • RSA Identity Governance & Lifecycle 7.1.1 P07
  • RSA Identity Governance & Lifecycle 7.2.0 P02

This issue may occur if a Role Member or Entitlement is deleted from a Role and then the same Member or Entitlement is added back to the Role. Following this action the Role Review incorrectly includes the deleted Members and Entitlements in the count. 
ResolutionThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release. 

The fix will include a code change that prevents deleted Member and Entitlement counts from being counted incorrectly. It will also include a migration script that identifies and corrects duplicate records in RSA Identity Governance & Lifecycle internal tables. 

To resolve this issue, follow the steps below:
  1.   Run the following script as AVUSER to identify if there are any duplicate records that need correcting.

    entitled_id      AS user_id,
    entitlement_id   AS role_id,
    t_av_explodeduserentitlements tavue
    tavue.entitlement_derived_from_type = 'explicit'
    AND tavue.entitled_derived_from_type = 'explicit'
    AND tavue.entitlement_type = 'global-role'
    AND tavue.entitled_type = 'user'
    COUNT(*) > 1;

  1. If the query returns no results, you do not have this issue. However, once a patch is available, it is recommended that you upgrade so that you do not encounter this issue in the future.
  2. If the query returns results, until a patch is avaiilable, see the Workaround section below.

WorkaroundPlease contact RSA Identity Governance & Lifecycle Customer Support for a workaround and mention this RSA Knowledge Base Article ID 000039271 for reference.
NotesSee related RSA Knowledge Base Article 000039281 -- Segregation of Duties (SOD) Rule fails with error 'ORA-30926: unable to get a stable set of rows in the source tables' error for other failures associated with this same issue.