000014006 - AXM-For specific groups, the users are not able to login.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014006
Applies To: RSA Access Manager Authorization Server 6.0.2
Sun Solaris 2.8
Oracle 10g
Issue: AXM-For specific groups, the users are not able to login.

Summary of Problem: For specific groups, the users are not able to login. The following error was observed at the aserver.

sequence_number=34346,remote_client=AuthServer-BM,2009-01-30 13:49:18:636 GMT,messageID=2003,user=bunbt01,webserver=www.omgeo.net,URI=/cleartrust/*,Resource=/cleartrust/ct_home.html,client_ip_address=172.27.18.148,client_port=53355,browser_ip_address=72.247.64.14,result_code=10,result_action=Authorization Success,result_reason=Group Entitlement

sequence_number=34347,remote_client=AuthServer-BM,2009-01-30 13:49:18:637 GMT,messageID=-2,internal_error,description='Unable to send data to receiver.',details='java.io.IOException: Unable to send data to receiver.


Large number of groups ~ 32 thousand
select count(*) from groups
31912
select count(*) from group_subgroup
36536
select count(*) from user_group
16691
select count(*) from explicit_entitlement
11152
11k entitlements.
There are ~12 groups that are members (subgroups) of thousands of groups. It is one of these subgroups that is experiencing the problem.

The query causing the problem searched 134 GB of data on a machine with 20 MB of database:

SELECT G.ID AS ID, G.ADMIN_GROUP_ID, G.NAME, G.DESCRIPTION, G.PUBLIC_STATE, G.CREATION_DATE, GP.PROPERTY_DEF_ID, GP.BOOLEAN_VALUE, GP.DATE_VALUE, GP.FLOAT_VALUE, GP.INT_VALUE, GP.STRING_VALUE FROM GROUPS G, GROUP_PROPERTY GP, GROUP_SUBGROUP GS WHERE
(G.ID = GS.PARENT_GROUP_ID) AND (G.ID=GP.GROUP_ID(+)) AND (GS.CHILD_GROUP_ID = 1223696) ORDER BY NAME

1223696 is an internal support group that is a subgroup of 2700 thousand groups.

Cause: A bad GROUP SUBGROUP relation was causing the problem. A 3rd level was added erroneously, which was causing full-table scans and queries timing out.
Resolution: With this many groups, keep nesting levels at two levels deep.
Legacy Article ID: a44443
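
One way to check a deployment against this resolution, as an added example that is not part of the original article or RSA's own code: a Python script that reads an export of the GROUP_SUBGROUP parent/child pairs and reports nesting chains deeper than two levels, plus any loops. The CSV export format, the sample rows and the reading of a "level" as one group in a parent-to-child chain are assumptions.

```python
import csv
import io
from collections import defaultdict

MAX_LEVELS = 2  # assumption: a level is one group in a parent -> child chain

# Constructed sample standing in for an export of
# SELECT PARENT_GROUP_ID, CHILD_GROUP_ID FROM GROUP_SUBGROUP
SAMPLE_EXPORT = """PARENT_GROUP_ID,CHILD_GROUP_ID
100,200
101,200
102,300
200,900
400,500
500,400
"""

def load_children(text):
    """Map each parent group id to the set of its direct subgroups."""
    children = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        children[int(row["PARENT_GROUP_ID"])].add(int(row["CHILD_GROUP_ID"]))
    return children

def longest_chain(children, group, memo, on_path):
    """Longest parent -> child chain starting at group; raises on a cycle."""
    if group in on_path:
        raise ValueError(f"cycle through group {group}")
    if group not in memo:
        on_path.add(group)
        tails = [longest_chain(children, c, memo, on_path)
                 for c in sorted(children.get(group, ()))]
        on_path.discard(group)
        memo[group] = [group] + max(tails, key=len, default=[])
    return memo[group]

def audit_nesting(text, max_levels=MAX_LEVELS):
    """Return (chains deeper than max_levels, groups whose subtree loops)."""
    children = load_children(text)
    memo, too_deep, cyclic = {}, [], []
    for group in sorted(children):
        try:
            chain = longest_chain(children, group, memo, set())
        except ValueError:
            cyclic.append(group)
            continue
        if len(chain) > max_levels:
            too_deep.append(chain)
    return too_deep, cyclic
```

Each reported chain lists the group ids from the top-level parent down, so the last link is the GROUP_SUBGROUP row that adds the extra level.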
