000039281 - Segregation of Duties (SOD) Rule fails with error 'ORA-30926: unable to get a stable set of rows in the source tables' error in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 3, 2020Last modified by RSA Customer Support Employee on Oct 28, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000039281
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1 P07, 7.2.0 P02
Segregation of Duties (SOD) Rules fail during Rule Processing. The Rule Processing Run Details screen (Admin > Monitoring Run ID) shows a Status of Failed during Step 6/9: Populate violation data.

User-added image

The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):


09/03/2020 14:56:25.761 WARN  (Exec Task Consumer#0 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] SQL Error: 30926, SQLState: 99999
09/03/2020 14:56:25.761 ERROR (Exec Task Consumer#0 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 1132
ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 319
ORA-06512: at line 1

Please see RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle  to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
CauseThis is a known issue reported in engineering ticket ACM-107316.

The following versions and patch levels are affected:
  • RSA Identity Governance & Lifecycle 7.1.1 P07
  • RSA Identity Governance & Lifecycle 7.2.0 P02

This issue may occur if a Role Member or Entitlement is deleted from a Role and then the same Member or Entitlement is added back to the Role.
ResolutionThis issue is resolved in the following versions and patches.
  • RSA Identity Governance & Lifecycle 7.1.1 P11
  • RSA Identity Governance & Lifecycle 7.2.0 P04
  • RSA Identity Governance & Lifecycle 7.2.1 P01
The fix includes a migration script that identifies and corrects duplicate records in RSA Identity Governance & Lifecycle internal tables. 

To resolve this issue, follow the steps below:
  1.   Run the following script as AVUSER to identify if there are any duplicate records that need correcting.

    entitled_id      AS user_id,
    entitlement_id   AS role_id,
    t_av_explodeduserentitlements tavue
    tavue.entitlement_derived_from_type = 'explicit'
    AND tavue.entitled_derived_from_type = 'explicit'
    AND tavue.entitlement_type = 'global-role'
    AND tavue.entitled_type = 'user'
    COUNT(*) > 1;

  1. If the query returns no results, you do not have this issue. However, once a patch is available, it is recommended that you upgrade so that you do not encounter this issue in the future.
  2. If the query returns results, until a patch is available, see the Workaround section below.

WorkaroundPlease contact RSA Identity Governance & Lifecycle Customer Support for a workaround and mention this RSA Knowledge Base Article ID 000039281 for reference.
NotesSee related RSA Knowledge Base Article 000039271 -- Role Review Member and/or Entitlement counts are incorrect preventing Role Review completion in RSA Identity Governance & Lifecycle for other failures that are associated with this same issue.