000030542 - ORA-30004 error when collecting Groups from AD that contain the tilde character(~)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030542
Applies ToRSA Product Set: Identity Management and Governance
RSA Product/Service Type: Appliance
RSA Version/Condition: 6.9
Platform: Linux
Platform (Other): null
O/S Version: Suse Linux
Product Name: RSA-0018000
Product Description: Access Certification Manager
IssueThe Identity Management and Governance (IMG) server Account Data Collection failes in the step "Account Data Processing"
The IMG server.log shows the following error:
2015-06-11 15:03:31,481 ERROR [com.aveksa.server.db.persistence.PersistenceServiceProvider] Executing Procedure: java.sql.SQLException: ORA-30004: when using SYS_CONNECT_BY_PATH function, cannot have separator as part of column value
ORA-06512: at "AVUSER.ADC_GROUPS", line 428
ORA-06512: at "AVUSER.ADC_GROUPS", line 89
CauseThe Account Data Collection may fail during the collection of the Group Data on Microsoft Active Directory(AD) datastore if the group names contain the tilde character(~) (ASCII character 126).   This occurs because the tilde character(~) is used internally as a column delimiter in a temporary query used to validate nested AD groups. 


WorkaroundIdentify the AD group that contains the problem tilde character(`) and rename the group so that it does not contain this character.

Alternately, modify the query for the collected groups to exclude collection of groups with this character.

Rerun the collection.