Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000036303 - Entitlements are removed from or added to a Role when the Role Set is changed in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support

on May 1, 2018•Last modified by RSA Customer Support

on Aug 25, 2020

Version 22Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number	000036303
Applies To	RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.0.1, 7.0.2, 7.1.0, 7.2.0
Issue	After moving a role to a different role setting and committing the role change, additional (and unexpected) change requests are generated to add or remove entitlements from the role. Example Create a role with a few entitlements and add the role to the Admin Roles role set. Wait for the role to move to a committed state. Edit the role and change the role set to a different role set. Click Apply Changes and note that a change request is generated to remove some entitlements from the role and add already existing entitlements to the role. Wait for the role to move to a committed state. Check the entitlements in the role and note that there are missing entitlements from the role.
Cause	This issue may occur when a role is moved from one role set to another. Although the role is correctly moved to the new role set, any change requests pending for the role at the time the role is moved may not be updated correctly. This can cause those change requests to become orphaned and these may not be correctly deleted once the role commits have been completed. This can cause a variety of symptoms such as change requests being processed multiple times for a role, existing entitlements re-added to the role, and existing entitlements being removed from the role. This is a known issue in the following versions and has been reported in engineering tickets ACM-86112 and ACM-83273: RSA Identity Governance & Lifecycle 7.0.1 P04 RSA Identity Governance & Lifecycle 7.0.2 P02 RSA Identity Governance & Lifecycle 7.1.0
Resolution	This issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P03. This version prevents the issue from occurring again and has a cleanup script that runs when the patch is applied to cleanup any existing occurrences of this issue. NOTE: This issue is also resolved in the following older RSA Identity Governance & Lifecycle versions and patch levels. However, the necessary cleanup scripts are not available in these older versions. These versions will prevent this issue from recurring but will not cleanup what has already occurred. RSA Identity Governance & Lifecycle 7.0.2 P07 RSA Identity Governance & Lifecycle 7.1.0 P01 RSA Identity Governance & Lifecycle 7.1.1
Workaround	Avoid moving roles from one role set to another until you can patch. The following script may be used to identify if you have change requests associated with a role set change that need to be corrected. SELECT RV.ROLEVERSION_ID AS ID FROM ( SELECT RVER.ROLE_ID FROM AVUSER.T_AV_ROLEVERSIONS RVER JOIN AVUSER.T_AV_CHANGE_REQUESTS CR ON RVER.CR_ID = CR.ID WHERE CR.CURRENT_STATE IN ('ER','RJ','CA','CO') ) AFFECTED_ROLES JOIN AVUSER.T_AV_ROLEVERSIONS RV ON RV.ROLE_ID = AFFECTED_ROLES.ROLE_ID; If this script identifies any records, contact RSA Identity Governance & Lifecycle Support and mention this RSA Knowledge Base Article ID 36303 for reference.RSA Identity Governance & Lifecycle Support can provide guidance on cleanup and remediation.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

000037100 - Role commit fails for roles with membership rules in RSA Identity Governance & Lifecycle