This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

Role commit fails for roles with membership rules in RSA Identity Governance & Lifecycle

Article Number

000037100

Applies To

RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0

Issue

When attempting to commit a role change for an RSA Identity Governance & Lifecycle role that contains a membership rule the role commit fails.  The failure occurs no matter what type of change is made to the role.

The change request shows the change request for the role change in an error state and both the approval phase and fulfillment phase show as failed, but there is no detailed error.

Image descriptionImage description

The aveksaServer.log file shows the following error relating to the Membership Rule.

01/14/2019 12:42:46.096 ERROR (Worker_actionq#Normal#WPDS_277) [com.aveksa.server.core.GlobalRole] Error saving the out of constraint rule for MyRoleWithRule1 com.aveksa.server.core.rule.RuleServiceException: com.aveksa.server.runtime.ServerException: Cannot create rule MyRoleWithRule1_UOOC. Rule set Default Rule Set - All Users not found.

Followed by a generic Workpoint failure.

01/14/2019 12:42:46.136 ERROR (Worker_actionq#Normal#WPDS_277) [com.aveksa.server.workflow.scripts.nodes.FulfillmentPhaseNode] Error Fulfilling by System com.aveksa.server.db.PersistenceException: Commit failed to proceed because the transaction was marked for rollback. Reverting the changes...

Cause

This issue is due to a incorrect reference in the database to an old role set ID that prevents the role from updating the rule associated with the role.

This is a known issue if the role was created on 7.1.0 GA version and the role was moved from one role set to another (the role set was edited).  

Resolution

This issue is resolved in RSA Identity Governance & Lifecycle 7.1.0 P02.  

See article 000036303 - Entitlements are removed or added to a role when role set is changed in RSA Identity Governance & Lifecycle.
 

This corrects the issue that causes the incorrect role set ID to be used for the reference to the role rule.   This issue will still occur however even in later versions if the role set was changed before patching.   If this issue still occurs after patching you should use the Workaround below to correct the problem role. 

Workaround

  • Roll back any pending commits for the problem role.
  • Manually delete the role membership rules associated with the role from the Rules menu.
  • Edit the role and add back in the membership rule.
  • Commit the role changes.


This removes the corrupted association with the old rule and will allow you to commit new changes to the role. 

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 06:53 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.