This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

Change Requests sometimes complete but bypass both AFX and manual fulfillment and fail to modify the endpoint in RSA Identity Governance & Lifecycle

Article Number

000037452

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition: 7.0.2, 7.1.0
 

Issue

Intermittently, change requests in RSA Identity Governance & Lifecycle complete but bypass both AFX and manual fulfillment and fail to modify the endpoint. 

When this occurs, the processing workflow of the change request may be missing the sub process nodes as in the example below.

Image descriptionImage description

The same change request using the same workflow sometimes works. In this case, the processing workflow of the change request contains the expected sub process nodes as in the example below.
 

Image descriptionImage description


Sometimes both behaviors may be exhibited in the same change request. That is, two different change request items may show as completed but one change request item provisions to the endpoint and one does not (i.e. skips AFX and manual fulfillment.)

The aveksaserver.log file may show the following exception:
 

06/28/2019 01:40:10.648 ERROR ([ACTIVE] ExecuteThread: '94' for queue: 'weblogic.kernel.Default (self-tuning)') 
[MessageSubscriber] Listener threw during Message notification, for listener AuthorizationServiceProvider
java.util.ConcurrentModificationException

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the  aveksaServer.log file for your specific deployment.  

Cause

This issue may occur if the first node of the request workflow is a fulfillment node instead of an approval node.   

Although the main workflow items associated with the change request are created immediately, the sub-processes for the workflow are instantiated when Workpoint encounters the fulfillment node in the workflow. In a typical workflow, the request will pause at the approval node before moving on and this allows time for the main workflow to be created before the sub processes are created. In some instances, if there are performance issues, the system may not have time to create all the sub processes correctly. This may affect some or all of the items in the request.
 

Resolution

This issue is resolved in the following versions:
  • RSA Identify Governance & Lifecycle 7.0.2 P08
  • RSA Identify Governance & Lifecycle 7.1.0 P02
  • RSA Identify Governance & Lifecycle 7.1.1 

Workaround

The workaround is to add a non-operational (dummy) approval node as the very first node in your approval workflow.  To do this you would add a normal approval node and set the settings under Behavior to Do Not Process, as shown:

Image descriptionImage description

This will essentially create an auto-approval node. The only downside to this would be that the workflow would have a bit more overhead, but not significantly so. This node may be removed once the appropriate patch is installed.

Tags (85)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 01:06 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.