After moving a role to a different role setting and committing the role change, additional (and unexpected) change requests are generated to add or remove entitlements from the role.
Create a role with a few entitlements and add the role to the Admin Roles role set. Wait for the role to move to a committed state.
Edit the role and change the role set to a different role set.
Click Apply Changes and note that a change request is generated to remove some entitlements from the role and add already existing entitlements to the role.
Wait for the role to move to a committed state.
Check the entitlements in the role and note that there are missing entitlements from the role.
This issue may occur when a role is moved from one role set to another. Although the role is correctly moved to the new role set, any change requests pending for the role at the time the role is moved may not be updated correctly. This can cause those change requests to become orphaned and these may not be correctly deleted once the role commits have been completed. This can cause a variety of symptoms such as change requests being processed multiple times for a role, existing entitlements re-added to the role, and existing entitlements being removed from the role.
This is a known issue in the following versions and has been reported in engineering tickets ACM-86112 and ACM-83273:
RSA Identity Governance & Lifecycle 7.0.1 P04
RSA Identity Governance & Lifecycle 7.0.2 P02
RSA Identity Governance & Lifecycle 7.1.0
This issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P03. This version prevents the issue from occurring again and has a cleanup script that runs when the patch is applied to cleanup any existing occurrences of this issue.
NOTE: This issue is also resolved in the following older RSA Identity Governance & Lifecycle versions and patch levels. However, the necessary cleanup scripts are not available in these older versions. These versions will prevent this issue from recurring but will not cleanup what has already occurred.
RSA Identity Governance & Lifecycle 7.0.2 P07
RSA Identity Governance & Lifecycle 7.1.0 P01
RSA Identity Governance & Lifecycle 7.1.1
Avoid moving roles from one role set to another until you can patch.
The following script may be used to identify if you have change requests associated with a role set change that need to be corrected.
SELECT RV.ROLEVERSION_ID AS ID
FROM AVUSER.T_AV_ROLEVERSIONS RVER
JOIN AVUSER.T_AV_CHANGE_REQUESTS CR ON RVER.CR_ID = CR.ID
WHERE CR.CURRENT_STATE IN ('ER','RJ','CA','CO')
JOIN AVUSER.T_AV_ROLEVERSIONS RV ON RV.ROLE_ID = AFFECTED_ROLES.ROLE_ID;