Indirect Relationship Processing fails with ORA-30926 and 'ORA-06512: at "AVUSER.CE_USERS" ' errors when collecting Groups in RSA Identity Governance & Lifecycle
Originally Published: 2020-05-04
Article Number
Applies To
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
Issue
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
04/15/2020 01:21:45.636 ERROR (Exec Task Consumer#0) [com.aveksa.server.xfw.TaskExecutor] Failed method=Execute
ExecutionTask[TaskID=3027914 RunID=2159883 Source=68 Type=EntitlementExplosionProcessing Status=InProgress]
com.aveksa.server.xfw.ExecutionException: com.aveksa.server.db.PersistenceException: java.sql.SQLException:
ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.CE_USERS", line 1036
ORA-06512: at "AVUSER.CE_USERS", line 1882
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 335
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 129
ORA-06512: at line 1
Please see RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
Cause
For example:
UserA has AccountA that is a member of GroupC through the following paths:
- AccountA is a member of GroupA which is a member of GroupC
- AccountA is a member of GroupB which is a member of GroupC
RSA Identity Governance & Lifecycle incorrectly fails to resolve the Account to Group membership as a unique entitlement for this use case. This issue only occurs when multiple Account to Group relationships are resolved in the same Account Data Collector (ADC) run (specifically, the same Indirect Relationship Processing step that is shared by multiple ADC runs). It does not occur if one Account to Group relationship is resolved in a previous collection and a new relationship is established in a different collection. Normally, with the delta collection model, changes to Accounts and/or Groups, as well as Account to Group relationships, are resolved per collector, so a failure is rare. However, forcing a Full Refresh on a collector, or forcing a Full Refresh on multiple collectors at the same time, drastically increases the likelihood of this failure.
Resolution
- RSA Identity Governance & Lifecycle 7.0.2 P14
- RSA Identity Governance & Lifecycle 7.1.0 P08
- RSA Identity Governance & Lifecycle 7.1.1 P02
- RSA Identity Governance & Lifecycle 7.2.0
To determine if you have this issue, run the following SQL script as avuser. The script identifies if there are any duplicates but does not uniquely identify the type of a duplicate. If the script returns a count greater than zero, the issue exists and patching to one of the above versions is required.
-- Explicit relations that share the same entitled/entitlement key
SELECT *
FROM t_ce_explicit_relations
WHERE
    ( entitled_id, entitled_type, entitlement_id, entitlement_type ) IN (
        SELECT
            entitled_id, entitled_type, entitlement_id, entitlement_type
        FROM t_ce_explicit_relations
        GROUP BY
            entitled_id, entitled_type, entitlement_id, entitlement_type
        HAVING COUNT(1) > 1
    );

-- Number of explicit relations that belong to deleted data collectors
SELECT COUNT(1)
FROM t_ce_explicit_relations
WHERE
    dc_id IN (
        SELECT id
        FROM t_data_collectors
        WHERE is_deleted = 'TRUE'
    );

-- Group membership rows that are duplicated on every identifying column
SELECT *
FROM t_group_memberships
WHERE
    ( dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path ) IN (
        SELECT
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path
        FROM t_group_memberships
        GROUP BY
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path
        HAVING COUNT(1) > 1
    );
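The two-path membership from the Cause section and the GROUP BY / HAVING duplicate check above, modelled as an added example that is not RSA's code. It runs on SQLite from Python; the tables `direct_membership` and `resolved_relation` are hypothetical, simplified stand-ins for the product schema, and the rows are constructed.

```python
import sqlite3

# Constructed sample data: AccountA reaches GroupC through GroupA and through GroupB.
DIRECT = [
    ("AccountA", "account", "GroupA"),
    ("AccountA", "account", "GroupB"),
    ("GroupA", "group", "GroupC"),
    ("GroupB", "group", "GroupC"),
]

def build(conn):
    # Hypothetical, simplified tables (assumption; not the product's schema).
    conn.executescript("""
        CREATE TABLE direct_membership (member_id TEXT, member_type TEXT, group_id TEXT);
        CREATE TABLE resolved_relation (entitled_id TEXT, entitled_type TEXT,
            entitlement_id TEXT, entitlement_type TEXT, member_path TEXT);
    """)
    conn.executemany("INSERT INTO direct_membership VALUES (?, ?, ?)", DIRECT)
    # Walk nested groups in one pass, keeping the path that produced each row.
    conn.execute("""
        WITH RECURSIVE walk(member_id, group_id, path) AS (
            SELECT member_id, group_id, member_id || '>' || group_id
            FROM direct_membership WHERE member_type = 'account'
            UNION ALL
            SELECT w.member_id, d.group_id, w.path || '>' || d.group_id
            FROM walk w JOIN direct_membership d
              ON d.member_id = w.group_id AND d.member_type = 'group'
        )
        INSERT INTO resolved_relation
        SELECT member_id, 'account', group_id, 'group', path FROM walk
    """)

def duplicate_keys(conn):
    # Same shape as the article's check: group on the identifying columns only,
    # so two different paths to the same group count as one key seen twice.
    return conn.execute("""
        SELECT entitled_id, entitlement_id, COUNT(1) FROM resolved_relation
        GROUP BY entitled_id, entitled_type, entitlement_id, entitlement_type
        HAVING COUNT(1) > 1
    """).fetchall()

def run():
    conn = sqlite3.connect(":memory:")
    build(conn)
    return duplicate_keys(conn)

if __name__ == "__main__":
    print(run())
```

The direct memberships to GroupA and GroupB resolve to unique keys; only the AccountA to GroupC key is produced twice, once per path.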
Workaround
There is no cleanup script for this issue. The issue must be resolved through a patch.
Notes
- 000034893 -- Indirect Relationship Processing fails with ORA-30926 and 'ORA-06512: at "AVUSER.CE_USERS" ' errors after Migration to 7.0.1 P02 of RSA Identity Governance & Lifecycle ORA-30926
- 000034775 -- Indirect Relationship Processing fails with 'ORA-12899 value too large for column' error in RSA Identity Governance & Lifecycle