Article Number
000042573
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1 P07+, 7.2.0 P02+
Issue
Role Review Results display incorrect count totals for Members and/or Entitlements. The actual number of Members and/or Entitlements in the Review are correct but the total counts are wrong.
In addition the Review Status bar does not go to 100% once all the items have been reviewed preventing the Review from being completed.
In the following example, note the total
Members under the
All Roles tab (
Reviews >
Results > {
Role review name} >
General tab >
Review Items >
All Roles tab >
show all items) indicates that Role
MyGlobalRole2 has four members.
Image description
The Role details page (MyGlobalRole2 > Members tab) lists only two Members for Role MyGlobalRole2 which is the correct number of Members.
Image description
Cause
This is a known issue reported in engineering ticket ACM-107348.
The following versions and patch levels are affected:
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P02
This issue may occur if a Role Member or Entitlement is deleted from a Role and then the same Member or Entitlement is added back to the Role. Following this action the Role Review incorrectly includes the deleted Members and Entitlements in the count.
Resolution
This issue resolved in the following versions
- RSA Identity Governance & Lifecycle 7.1.1 P11
- RSA Identity Governance & Lifecycle 7.2.0 P04
- RSA Identity Governance & Lifecycle 7.2.1 P01
The fix includes a code change that prevents deleted Member and Entitlement counts from being counted incorrectly. It also includes a migration script that identifies and corrects duplicate records in RSA Identity Governance & Lifecycle internal tables.
To resolve this issue, follow the steps below:
- Run the following script as AVUSER to identify if there are any duplicate records that need correcting.
SELECT
entitled_id AS user_id,
entitlement_id AS role_id,
COUNT(*)
FROM
t_av_explodeduserentitlements tavue
WHERE
tavue.entitlement_derived_from_type = 'explicit'
AND tavue.entitled_derived_from_type = 'explicit'
AND tavue.entitlement_type = 'global-role'
AND tavue.entitled_type = 'user'
GROUP BY
entitled_id,
entitlement_id
HAVING
COUNT(*) > 1;
- If the query returns no results, you do not have this issue. However, it is recommended that you upgrade so that you do not encounter this issue in the future.
- If the query returns results, and you are unable to apply a patch where this issue is fixed, see the Workaround section below.
Workaround
Please contact
RSA Identity Governance & Lifecycle Customer Support for a workaround and mention this RSA Knowledge Base Article ID 000042573 for reference.
Notes