SecurID® Governance & Lifecycle Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.
Article Number
000036303
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.0, 7.2.0
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.0, 7.2.0
Issue
After moving a role to a different role setting and committing the role change, additional (and unexpected) change requests are generated to add or remove entitlements from the role.
Image description
Image description
Image description
Image description
Example
- Create a role with a few entitlements and add the role to the Admin Roles role set. Wait for the role to move to a committed state.
Image description Image description- Edit the role and change the role set to a different role set.
- Click Apply Changes and note that a change request is generated to remove some entitlements from the role and add already existing entitlements to the role.
Image description
Image description- Wait for the role to move to a committed state.
Image description- Check the entitlements in the role and note that there are missing entitlements from the role.
Image descriptionCause
This issue may occur when a role is moved from one role set to another. Although the role is correctly moved to the new role set, any change requests pending for the role at the time the role is moved may not be updated correctly. This can cause those change requests to become orphaned and these may not be correctly deleted once the role commits have been completed. This can cause a variety of symptoms such as change requests being processed multiple times for a role, existing entitlements re-added to the role, and existing entitlements being removed from the role.
This is a known issue in the following versions and has been reported in engineering tickets ACM-86112 and ACM-83273:
This is a known issue in the following versions and has been reported in engineering tickets ACM-86112 and ACM-83273:
- RSA Identity Governance & Lifecycle 7.0.1 P04
- RSA Identity Governance & Lifecycle 7.0.2 P02
- RSA Identity Governance & Lifecycle 7.1.0
Resolution
This issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P03. This version prevents the issue from occurring again and has a cleanup script that runs when the patch is applied to cleanup any existing occurrences of this issue.
NOTE: This issue is also resolved in the following older RSA Identity Governance & Lifecycle versions and patch levels. However, the necessary cleanup scripts are not available in these older versions. These versions will prevent this issue from recurring but will not cleanup what has already occurred.
NOTE: This issue is also resolved in the following older RSA Identity Governance & Lifecycle versions and patch levels. However, the necessary cleanup scripts are not available in these older versions. These versions will prevent this issue from recurring but will not cleanup what has already occurred.
- RSA Identity Governance & Lifecycle 7.0.2 P07
- RSA Identity Governance & Lifecycle 7.1.0 P01
- RSA Identity Governance & Lifecycle 7.1.1
Workaround
Avoid moving roles from one role set to another until you can patch.
The following script may be used to identify if you have change requests associated with a role set change that need to be corrected.
If this script identifies any records, contact RSA Identity Governance & Lifecycle Support and mention this RSA Knowledge Base Article ID 36303 for reference.RSA Identity Governance & Lifecycle Support can provide guidance on cleanup and remediation.
The following script may be used to identify if you have change requests associated with a role set change that need to be corrected.
SELECT RV.ROLEVERSION_ID AS ID
FROM (
SELECT RVER.ROLE_ID
FROM AVUSER.T_AV_ROLEVERSIONS RVER
JOIN AVUSER.T_AV_CHANGE_REQUESTS CR ON RVER.CR_ID = CR.ID
WHERE CR.CURRENT_STATE IN ('ER','RJ','CA','CO')
) AFFECTED_ROLES
JOIN AVUSER.T_AV_ROLEVERSIONS RV ON RV.ROLE_ID = AFFECTED_ROLES.ROLE_ID;
If this script identifies any records, contact RSA Identity Governance & Lifecycle Support and mention this RSA Knowledge Base Article ID 36303 for reference.RSA Identity Governance & Lifecycle Support can provide guidance on cleanup and remediation.
In this article
