Role changes are not accurately reflected under the User Access tab or in a User Access Review in RSA Identity Governance & Lifecycle
Originally Published: 2019-12-13
Article Number
Applies To
RSA Version/Condition: 7.1.0, 7.1.1
Issue
Symptoms manifest in several ways:
- A member of a business role (as seen in the role definition) does not show the business role as a direct entitlement under their user access tab.
- A member of a business role (as seen in the role definition) with a technical role as an entitlement shows the business role as a direct entitlement but does not show the technical role or the technical role entitlements as indirect entitlements under their user access tab.
- A member of a business role (as seen in the role definition) with a technical role as an entitlement shows the business role as a direct entitlement and the technical role as an indirect entitlement under their user access tab but does not show the technical role entitlements as indirect entitlements.
- Entitlements granted via roles show as direct entitlements on user access reviews.
- After a user is terminated, the user's access tab shows entitlements even though a user access review does not show these entitlements.
- The Compare With User feature (Users > Users > Access tab > Other Changes) shows that a user is still a member of a business role even though the user has been removed from the role (as seen in the role definition).
The following ERROR level log messages are logged to the aveksaServer.log file:
09/26/2019 08:55:46.012 INFO (Thread-288) [com.aveksa.server.db.persistence.PersistenceServiceProvider]
executeCallableStatement giving up after hitting SQLException:
ORA-01427: single-row subquery returns more than one row
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 4550
ORA-06512: at line 1
09/26/2019 08:55:46.012 WARN (Thread-288) [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] SQL Error: 1427, SQLState: 21000
09/26/2019 08:55:46.012 ERROR (Thread-288) [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
ORA-01427: single-row subquery returns more than one row
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 4550
ORA-06512: at line 1
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment.
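To watch for a recurrence of this signature, the following added example (not RSA code) groups multi-line aveksaServer.log entries and reports the ones where ORA-01427 was raised from ROLE_MANAGEMENT_PKG. The first ten sample lines are the excerpt quoted above; the last entry, its logger name and CONSTRUCTED_OTHER_PKG are constructed to show a non-matching case.

```python
import re

# Entry header: "MM/DD/YYYY HH:MM:SS.mmm LEVEL (thread) [logger] optional text"
HEADER = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \(([^)]+)\) \[[^\]]+\]\s*(.*)$"
)

def parse_entries(lines):
    """Attach continuation lines (the ORA-... stack) to the header above them."""
    entries = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            ts, level, thread, rest = m.groups()
            entries.append({"ts": ts, "level": level, "thread": thread,
                            "body": [rest] if rest else []})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries

def role_pkg_incidents(lines):
    """Distinct (timestamp, thread) pairs where ORA-01427 came from ROLE_MANAGEMENT_PKG."""
    seen = []
    for e in parse_entries(lines):
        body = "\n".join(e["body"])
        if "ORA-01427" in body and "ROLE_MANAGEMENT_PKG" in body:
            key = (e["ts"], e["thread"])
            if key not in seen:
                seen.append(key)
    return seen

# First ten lines are the excerpt quoted on this page; the rest are constructed.
SAMPLE_LOG = """\
09/26/2019 08:55:46.012 INFO (Thread-288) [com.aveksa.server.db.persistence.PersistenceServiceProvider]
executeCallableStatement giving up after hitting SQLException:
ORA-01427: single-row subquery returns more than one row
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 4550
ORA-06512: at line 1
09/26/2019 08:55:46.012 WARN (Thread-288) [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] SQL Error: 1427, SQLState: 21000
09/26/2019 08:55:46.012 ERROR (Thread-288) [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
ORA-01427: single-row subquery returns more than one row
ORA-06512: at "AVUSER.ROLE_MANAGEMENT_PKG", line 4550
ORA-06512: at line 1
09/26/2019 09:10:02.500 ERROR (Thread-301) [constructed.example.Logger]
ORA-01427: single-row subquery returns more than one row
ORA-06512: at "AVUSER.CONSTRUCTED_OTHER_PKG", line 10
""".splitlines()

if __name__ == "__main__":
    for ts, thread in role_pkg_incidents(SAMPLE_LOG):
        print(ts, thread, "ORA-01427 in ROLE_MANAGEMENT_PKG")
```

The INFO and ERROR entries from the same thread and timestamp collapse into one incident, and the WARN entry is ignored because it carries only the SQL error code.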
Cause
- RSA Identity Governance & Lifecycle 7.1.0
- RSA Identity Governance & Lifecycle 7.1.1
The duplicate items can occur under the following circumstances:
- If a role import was done for an existing role, some entitlement relationships were duplicated instead of overwriting existing relationships.
- If a role import was done for an existing role, some entitlement relationships that were absent from the role were deleted instead of being marked as inactive.
- If a role import was done for an existing role where a previously deleted version of the role existed, the changes were applied to the deleted role.
- If an attempt was made to import a role with the same name as a collected role, the collected role and associated entitlements would be overwritten.
- If a role is deleted and recreated with the same name.
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P05
- RSA Identity Governance & Lifecycle 7.2.0
IMPORTANT: A manual step is required after applying one of the above patches to remove existing duplicate role names.
Summary of fixes required for this issue:
- A code change to prevent duplicate role names. (Available in RSA Identity Governance & Lifecycle 7.2.0 and 7.1.1 P05.)
- A cleanup script to finish the explosion of role entitlements into the user access table. (Available in RSA Identity Governance & Lifecycle 7.2.0 and 7.1.1 P05.)
- Removal of duplicate role names. (Manual step required after applying one of the above patches or as part of the workaround outlined below.)
- A cleanup script to remove deleted roles that have the same name as active roles.
- Deletion of any active roles with the same name as other active roles to be performed in the user interface.
To fully resolve this issue:
- Upgrade/patch to RSA Identity Governance & Lifecycle 7.2.0 or 7.1.1 P05.
- After patching to 7.2.0 or 7.1.1 P05, modifications to existing roles that result in duplicate role names will be prevented. If an attempt is made to import a role that has the same name as an existing collected role, the following exception will be generated.
Cannot import over an existing collected role
- The patch will run a cleanup script file that will finish the explosion of role entitlements into the user access table as part of the migration process.
- Clean up duplicate role names. This is a manual step required after patching your system to RSA Identity Governance & Lifecycle 7.2.0 or 7.1.1 P05. The patch does not clean up existing duplicate role names; it only prevents future duplicate role names from being created. See the section below entitled Cleanup Duplicate Role Names for instructions. NOTE: This step is also required if you are implementing the workaround below.
Cleanup Duplicate Role Names
Run the following scripts to identify and correct (or advise on) duplicate role names that need to be corrected.
- Run the following SQL query as AVUSER to identify whether any deleted roles have the same name as active roles.
select rl.* from t_av_roles rl where deletion_date is not null and (name, roleset_id) in (select name, roleset_id from t_av_roles group by name, roleset_id having count(*) > 1) order by rl.name;
If the query above returns a result, please contact RSA Identity Governance & Lifecycle Customer Support for a cleanup script and mention this RSA Knowledge Base Article ID 000038236 for reference.
- Run the following SQL query as AVUSER to identify any active roles that have the same name as other active roles:
select rl.* from t_av_roles rl where deletion_date is null and (name, roleset_id) in (select name, roleset_id from t_av_roles group by name, roleset_id having count(*) > 1) order by rl.name;
If the query above returns a result, then identify and manually delete one of the active roles by selecting it from the Roles page (Roles > Roles > check the box next to the Role Name) and select Delete Roles under the Actions drop down menu.
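Both queries above share the same subquery over all roles, so it helps to see, per duplicated (name, roleset_id) pair, how many of the rows are active and how many are deleted. The following added example (not RSA code) runs such a summary against an in-memory SQLite table constructed with only the three columns the page's queries reference; the role names, the flag names and the mapping of counts to the two steps are assumptions made here for illustration.

```python
import sqlite3

# Standard SQL summary over the columns used by the page's queries.
TRIAGE_SQL = """
select name, roleset_id,
       sum(case when deletion_date is null then 1 else 0 end)     as active_cnt,
       sum(case when deletion_date is not null then 1 else 0 end) as deleted_cnt
from t_av_roles
group by name, roleset_id
having count(*) > 1
order by name
"""

def triage(conn):
    """One record per duplicated (name, roleset_id), split by active/deleted."""
    out = []
    for name, roleset_id, active, deleted in conn.execute(TRIAGE_SQL):
        out.append({
            "name": name, "roleset_id": roleset_id,
            "active_cnt": active, "deleted_cnt": deleted,
            "deleted_duplicate": deleted > 0,  # the first query returns rows
            "active_duplicate": active > 1,    # several active roles share the name
        })
    return out

def build_sample():
    """Constructed stand-in for t_av_roles; not the product schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table t_av_roles (name text, roleset_id integer, deletion_date text)")
    conn.executemany("insert into t_av_roles values (?, ?, ?)", [
        ("Finance Approver", 1, None),          # active
        ("Finance Approver", 1, "2019-08-01"),  # deleted copy, same name
        ("HR Manager", 1, None),                # two active copies
        ("HR Manager", 1, None),
        ("IT Admin", 1, None),                  # same name, different role set:
        ("IT Admin", 2, None),                  # not a duplicate
        ("Auditor", 2, None),                   # unique
    ])
    return conn

if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

In the sample, Finance Approver has one active and one deleted row, so the second query on this page would also list its single active role even though no other active role shares the name.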
Workaround
- Contact RSA Identity Governance & Lifecycle Customer Support for a cleanup script that will finish the explosion of role entitlements into the user access table and mention this RSA Knowledge Base Article ID 000038236 for reference.
- Clean up duplicate role names as described in the Resolution section above under Cleanup Duplicate Role Names.
IMPORTANT: Until you upgrade/patch to 7.2.0 or 7.1.1 P05, you may encounter this issue again. Repeat steps #1 and #2 of this workaround every time there is a recurrence of this issue.