000036303 - Entitlements are removed or added to a role when role set is changed in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on May 1, 2018
Last modified by RSA Customer Support Employee on Oct 23, 2018
Version 2

Article Content

Article Number: 000036303
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2

Issue
This is an intermittent issue: in certain scenarios, after an unrelated role commit, change requests are generated to add or remove entitlements for a role that were already committed previously.

Example

  1. Create a role with a few entitlements and set the role set to Admin Roles. Wait for the role to move to a committed state.
  2. Edit the role and change the role set to a different role set.
  3. Click Apply Changes. A change request is generated to remove the entitlements from the role.
  4. Wait for the role to move to a committed state.
  5. Check the entitlements in the role. A few entitlements are missing from the role.

Cause
This is a known issue in the following versions:

  • RSA Identity Governance & Lifecycle 7.0.1 P04
  • RSA Identity Governance & Lifecycle 7.0.2 P02
  • RSA Identity Governance & Lifecycle 7.1.0 GA (note that the current shipping version of 7.1.0 is 7.1.0 P01)

An issue may occur if a Role is moved from one Role Set to another. Although the Role is moved correctly, any change requests pending for the Role at the time of the move may not be updated correctly. Those change requests can become orphaned and may not be deleted correctly once the Role commits have completed. This can cause a variety of symptoms, such as change requests being processed multiple times for a Role.

Resolution
This issue has been resolved in the following versions and patches. Patch to one of the following versions as soon as practicable.
  • RSA Identity Governance & Lifecycle 7.0.1. Please upgrade to a 7.0.2 or later version.
  • RSA Identity Governance & Lifecycle 7.0.2 P07
  • RSA Identity Governance & Lifecycle 7.1.0 P01. Note that the current shipping version of 7.1.0 is 7.1.0 P01.
  • RSA Identity Governance & Lifecycle 7.1.1

Workaround
Avoid moving Roles from one Role Set to another until you can patch to an unaffected version.
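
On an affected version, a role that was already moved can be checked for the symptoms described above by comparing its entitlements before and after the move and by looking for the same entitlement operation in more than one change request. The following is an added example, not RSA code: it works on constructed exports, and the field names, role names and request ids are assumptions, not the product's schema.

```python
from collections import defaultdict

# Constructed sample exports. Field names, role names and request ids are
# assumptions for illustration, not the product's schema.
BEFORE = {
    "FinanceAdmin": {"role_set": "Admin Roles",
                     "entitlements": {"AD:Finance-RW", "SAP:FI-Post", "DB:Ledger-Read"}},
    "HelpDesk": {"role_set": "Admin Roles", "entitlements": {"AD:PwdReset"}},
}
AFTER = {
    "FinanceAdmin": {"role_set": "Business Roles", "entitlements": {"AD:Finance-RW"}},
    "HelpDesk": {"role_set": "Admin Roles", "entitlements": {"AD:PwdReset"}},
}
CHANGE_REQUEST_ITEMS = [  # one row per item in a change request
    {"id": "CR-140", "role": "FinanceAdmin", "op": "remove", "entitlement": "SAP:FI-Post"},
    {"id": "CR-140", "role": "FinanceAdmin", "op": "remove", "entitlement": "DB:Ledger-Read"},
    {"id": "CR-152", "role": "FinanceAdmin", "op": "remove", "entitlement": "SAP:FI-Post"},
]

def entitlement_drift(before, after):
    """Roles whose role set changed and whose entitlements differ afterwards."""
    findings = {}
    for name, old in before.items():
        new = after.get(name)
        if new is None or new["role_set"] == old["role_set"]:
            continue  # only roles that were moved between role sets are in scope
        removed = sorted(old["entitlements"] - new["entitlements"])
        added = sorted(new["entitlements"] - old["entitlements"])
        if removed or added:
            findings[name] = {"removed": removed, "added": added}
    return findings

def repeated_items(items):
    """Same operation on the same role and entitlement in more than one request."""
    seen = defaultdict(set)
    for item in items:
        seen[(item["role"], item["op"], item["entitlement"])].add(item["id"])
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    print(entitlement_drift(BEFORE, AFTER))
    print(repeated_items(CHANGE_REQUEST_ITEMS))
```

A finding is a prompt for review rather than proof of the defect, since entitlements may have been edited intentionally in the same change.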
