Segregation of Duties (SOD) Rules fail during Rule Processing. The Rule Processing Run Details screen (Admin > Monitoring > Run ID) shows a Status of Failed during Step 6/9: Populate violation data.
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
09/03/2020 14:56:25.761 WARN (Exec Task Consumer#0 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] SQL Error: 30926, SQLState: 99999
09/03/2020 14:56:25.761 ERROR (Exec Task Consumer#0 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 1132
ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 319
ORA-06512: at line 1
Please see RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
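To check whether a copy of aveksaServer.log contains this failure signature, the following added example (not RSA's code, and not part of the original article) groups the multi-line log records and reports ERROR records where ORA-30926 is raised from AVUSER.RULE_PROCESS_PKG. The function names, the assumption that every record starts with a timestamp line, and the last record in the sample (with a hypothetical package name) are constructed for illustration.

```python
import re

# A record starts with timestamp, level and thread: "09/03/2020 14:56:25.761 ERROR (...)".
RECORD_START = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+(\w+)\s+\(")
# PL/SQL stack frame: ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 1132
FRAME = re.compile(r'ORA-06512: at "([^"]+)", line (\d+)')

def split_records(lines):
    """Group physical lines into records; lines without a timestamp
    continue the previous record (logger name, ORA- stack frames)."""
    records = []
    for line in lines:
        m = RECORD_START.match(line)
        if m:
            records.append({"time": m.group(1), "level": m.group(2), "text": line})
        elif records:
            records[-1]["text"] += "\n" + line
    return records

def find_sod_failures(lines, package="AVUSER.RULE_PROCESS_PKG"):
    """Return ERROR records where ORA-30926 was raised from `package`."""
    hits = []
    for rec in split_records(lines):
        if rec["level"] != "ERROR" or "ORA-30926" not in rec["text"]:
            continue
        pkg_lines = [int(n) for p, n in FRAME.findall(rec["text"]) if p == package]
        if pkg_lines:
            hits.append({"time": rec["time"], "package_lines": pkg_lines})
    return hits

# Sample input: the excerpt from this article, followed by one constructed
# record (hypothetical package name) that must not match.
SAMPLE = """\
09/03/2020 14:56:25.761 WARN (Exec Task Consumer#0 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] SQL Error: 30926, SQLState: 99999
09/03/2020 14:56:25.761 ERROR (Exec Task Consumer#0 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 1132
ORA-06512: at "AVUSER.RULE_PROCESS_PKG", line 319
ORA-06512: at line 1
09/03/2020 15:02:10.004 ERROR (Exec Task Consumer#1 - Sequence)
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.EXAMPLE_OTHER_PKG", line 10
"""

if __name__ == "__main__":
    for hit in find_sod_failures(SAMPLE.splitlines()):
        print(hit)
```

To scan a real log, pass the file's lines to `find_sod_failures` in place of the sample.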
This is a known issue reported in engineering ticket ACM-107316.
The following versions and patch levels are affected:
RSA Identity Governance & Lifecycle 7.1.1 P07
RSA Identity Governance & Lifecycle 7.2.0 P02
This issue may occur if a Role Member or Entitlement is deleted from a Role and then the same Member or Entitlement is added back to the Role.
This issue is resolved in the following versions and patches.
RSA Identity Governance & Lifecycle 7.1.1 P11
RSA Identity Governance & Lifecycle 7.2.0 P05
RSA Identity Governance & Lifecycle 7.2.1 P01
The fix includes a migration script that identifies and corrects duplicate records in RSA Identity Governance & Lifecycle internal tables.
To resolve this issue, follow the steps below:
Run the following script as AVUSER to identify if there are any duplicate records that need correcting.
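-- The SELECT, FROM, WHERE, GROUP BY and HAVING keywords are restored here.
-- The table name and the last SELECT column did not survive on this page;
-- the GROUP BY columns are inferred from the SELECT list.
SELECT
    entitled_id AS user_id,
    entitlement_id AS role_id,
    COUNT(*)  -- assumed final column; the original is missing
FROM <table name missing from this page> tavue
WHERE tavue.entitlement_derived_from_type = 'explicit'
    AND tavue.entitled_derived_from_type = 'explicit'
    AND tavue.entitlement_type = 'global-role'
    AND tavue.entitled_type = 'user'
GROUP BY entitled_id, entitlement_id
HAVING COUNT(*) > 1;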
If the query returns no results, you do not have this issue. However, once a patch is available, it is recommended that you upgrade so that you do not encounter this issue in the future.
If the query returns results, until a patch is available, see the Workaround section below.