• Product: RSA Governance & Lifecycle
• Versions Affected: 7.1.0, 7.1.1, 7.2.0
• Resolved In: 7.1.1 P07, 7.2.0 P02
• Component: Role Management

RSA Identity Governance & Lifecycle cannot create the change request needed to complete the role commit because one or more entitlements or users referenced in the role change have been deleted from the system since the role was last committed. 

After selecting Apply Changes on a role, the role becomes permanently stuck in an Applied or Applied

New state and does not progress to a Committed state. All further role management activities for the affected role are blocked.

The Role may get into this state if one (or more) of the entitlements or users being committed to the role has been deleted since the role was created.

For example:

1. Add an entitlement to the role but do not Apply Changes to the role.
2. Delete the entitlement from the endpoint and run a collection to remove the entitlement from RSA Identity Governance & Lifecycle. 
3. Apply Changes to the role. 

The issue occurs because RSA Governance & Lifecycle is unable to create the change request for the entitlement required to modify the role since it has been deleted. 

The permanent resolution for this issue is to apply the appropriate patch for your RSA Identity Governance & Lifecycle version. After patching, the system will handle deleted entitlement and user references gracefully during role commits — instead of failing silently and leaving the role stuck.

1. Identify the patch applicable to your RSA Identity Governance & Lifecycle version:

   Current Version	Apply This Patch
   7.1.1	RSA Identity Governance & Lifecycle 7.1.1 P07
   7.2.0	RSA Identity Governance & Lifecycle 7.2.0 P02

   NOTE: If you are running version 7.1.0, you must first upgrade to 7.1.1 before applying 7.1.1 P07. Contact RSA Support if you need guidance on the upgrade path.

2. Download the patch for your version. See How to Download RSA Identity Governance & Lifecycle Patches for step-by-step download instructions.
3. Apply the patch following the installation instructions included with the patch download.
4. Verification: After the patch is applied and the system restarts, verify the fix is in effect:
   1. Navigate to Roles > Roles and open the affected role (or create a test role).
   2. Add or modify an entitlement or user membership and select Apply Changes.
   3. Navigate to Roles > Roles > (role name) > Members tab.
   4. Confirm that any deleted user or entitlement references are displayed with a strike-through and the following tooltip is shown:

      This user has been deleted and will not be added as a member in the committed role.

   5. Confirm the role commit completes successfully and the role transitions to a Committed state — without remaining stuck in Applied or Applied New.

NOTE: If the role is currently stuck and patching cannot be applied immediately, see the Workaround section below for three techniques to recover the role to a Committed state without patching.

Workaround

⚠️ CAUTION: These are temporary workarounds that recover the stuck role to a Committed state without applying the patch. They do not prevent the issue from recurring. Apply the patch described in the Resolution section above to permanently resolve this issue.

Use the decision guide below to select the most appropriate technique for your situation:

Technique 1 — Cancel the Change Request

NOTE: A change request is not always successfully created when this issue occurs. Before attempting this technique, confirm a change request exists under Requests > Requests for the affected role. If no change request is listed, proceed to Technique 2 or 3.

1. Navigate to Requests > Requests in the RSA Identity Governance & Lifecycle UI.
2. Search for and locate the change request associated with the stuck role change.
3. Select the change request and click Cancel.
4. Navigate to Roles > Roles and confirm the affected role has returned to a Committed state.

Technique 2 — Delete the Role

CAUTION: Deleting a role is permanent and irreversible. Deleting the role will trigger a change request to remove all entitlements and memberships associated with the role. Only proceed if you understand the full impact and the role can be safely recreated from scratch.

1. Navigate to Roles > Roles.
2. Locate the stuck role and select its checkbox in the left-hand column.
3. From the Actions menu, select Delete.
4. Confirm the deletion when prompted.
5. Recreate the role as needed — ensuring Apply Changes is selected promptly after adding entitlements or users, before any referenced entitlements or users can be deleted.

Technique 3 — Force a Revert to Last Committed State

NOTE: This technique works only if the role has a previously committed state. It does not work for newly created roles that have never been committed. If the role was newly created and has no committed state, use Technique 2 instead.

CAUTION: This technique reverts all uncommitted changes made to the role since its last committed state — including the deleted entitlement or user reference that caused the issue, and any other uncommitted changes you may have made. You must re-apply any legitimate uncommitted changes manually after the revert completes.

1. Navigate to Roles > Roles.
2. Locate the stuck role and enable its checkbox in the left-hand column.
3. From the Actions menu, select Add Entitlements.
4. Add any arbitrary entitlement to the role.
   (Expected result: the role status changes from Applied New to Changed.)
5. From the Actions menu, select Revert Changes to Roles.
6. Confirm the revert when prompted. The system will revert the role to its last committed state — removing the deleted entitlement or user reference, the arbitrary entitlement added in Step 4, and any other uncommitted changes.
7. Navigate to Roles > Roles and confirm the role now shows a Committed state and the message "Additional changes cannot be made to this role..." is no longer displayed.
8. Re-apply any legitimate role changes that were reverted in Step 6.