|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.0, 7.2.0
|Issue||After moving a role to a different role setting and committing the role change, additional (and unexpected) change requests are generated to add or remove entitlements from the role. |
|Cause||This issue may occur when a role is moved from one role set to another. Although the role is correctly moved to the new role set, any change requests pending for the role at the time the role is moved may not be updated correctly. This can cause those change requests to become orphaned and these may not be correctly deleted once the role commits have been completed. This can cause a variety of symptoms such as change requests being processed multiple times for a role, existing entitlements re-added to the role, and existing entitlements being removed from the role.|
This is a known issue in the following versions and has been reported in engineering tickets ACM-86112 and ACM-83273:
|Resolution||This issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P03. This version prevents the issue from occurring again and has a cleanup script that runs when the patch is applied to cleanup any existing occurrences of this issue.|
NOTE: This issue is also resolved in the following older RSA Identity Governance & Lifecycle versions and patch levels. However, the necessary cleanup scripts are not available in these older versions. These versions will prevent this issue from recurring but will not cleanup what has already occurred.
|Workaround||Avoid moving roles from one role set to another until you can patch.|
The following script may be used to identify if you have change requests associated with a role set change that need to be corrected.
If this script identifies any records, contact RSA Identity Governance & Lifecycle Support and mention this RSA Knowledge Base Article ID 36303 for reference.RSA Identity Governance & Lifecycle Support can provide guidance on cleanup and remediation.