Objects previously collected by Account Collectors and Entitlement Collectors in 6.x are rejected in 7.x of RSA Identity Governance & Lifecycle

2 years ago

Originally Published: 2020-03-23

Article Number

000042606

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 6.x, 7.x

Issue

Objects previously collected by Account Collectors (ADCs) and Entitlement Collectors (EDCs) in 6.x are rejected in 7.x of RSA Identity Governance & Lifecycle.

The following example illustrates this issue.

Application XYZ has two Account Collectors: ADC1 and ADC2. ADC1 collects a group name called Group_RSA. ADC2 also collects a group name called Group_RSA. The first collector to run (ADC1), will collect the group Group_RSA. The second collector to run (ADC2), will reject group Group_RSA. The data run for the ADC2 collector has the following admin error:

EC[251] Context[RunID=25294, ADC(Name=ADC2, ID=68)] Message[Reference resolutions failed.]

Prior to RSA Identity Governance & Lifecycle 7.0, the second collector would not reject the duplicate group name. As a result, there would be a duplicate group name in Application XYZ called Group_RSA, one group collected by ADC1 and one group collected by ADC2.

Cause

This was an intentional design change introduced in RSA Identity Governance & Lifecycle 7.0 to avoid duplicate object names (accounts, groups, and entitlements) within the same application.

Each collector within the same application space must collect unique object names.

This behavior is documented on page 26 of the RSA Via Lifecycle and Governance V7.0 Release Notes under Data Quality Enhancements, Duplicate Objects:

In previous versions, two collectors could collect the same object, for instance an entitlement with
the same name could be collected for an application. The system would then show duplicate
entitlements.

A collector can now only collect an object for an application if there is no other existing object of the
same name and same type that already has been collected for the application.

This behavior is also referred to in the RSA Identity Governance & Lifecycle Upgrade and Migration Guide for each 7.x version as a Pre-Upgrade Task under Changes to Data Collections:

Duplicate objects are no longer allowed within an application namespace. Previously, duplicate objects
were not allowed within a collector, and as a result more than one collector was allowed to collect the
same entitlement for an application.

Resolution

The resolution depends on whether the duplicate objects (accounts/groups/entitlements), are actually the same object being collected by more than one collector or whether the duplicate objects are different physical objects with the same name.

If the same object is being collected by more than one collector:

Decide on one collector to collect the object, or
Create separate applications for the duplicate objects.

If the duplicate objects are different physical objects with the same name:

Create separate applications for the duplicate objects or
Rename the duplicate objects so that they may be collected into the same application space.

EXAMPLE

Using the example above:

Application XYZ with two Account Collectors (ADC1 and ADC2.)
ADC1 collects Group_RSA.
ADC2 collects Group_RSA.
Run both collections (ADC1 followed by ADC2.)
Collection of Group_RSA by ADC2 fails because Group_RSA already exists in the application having been collected by ADC1.

Solution 1

Create Application XYZ_2 and move the ADC2 collector to Application XYZ_2.

Solution 2

Rename Group_RSA that is collected by ADC2. For example, Group_RSA2 or Group_RSA_ADC2.
Or, rename Group_RSA in both data sources. For example, Group_RSA_ADC1 and Group_RSA_ADC2.

The important point here is that duplicate object names cannot be collected into the same application.

Don't see what you're looking for?

EXAMPLE

Related Articles

Trending Articles