Article Number
000037982
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
Issue
Sometimes when committing a role in RSA Identity Governance & Lifecycle, the role becomes stuck in the Applied or Applied New state and does not move to the Committed state. This situation prevents other role management activities from occurring with this role.
Under the Roles > Roles > {role name} > General tab of the role the following message is displayed:
Additional changes cannot be made to this role until the change request is complete or rejected.
The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) shows the following ERROR level log message:
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
java.lang.NullPointerException
    at com.aveksa.server.core.cr.UserChangeRequestData.<init>(UserChangeRequestData.java:128)
    at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2670)
    at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2444)
    at com.aveksa.server.core.globalroleset.ChangeRequestCreator$CRCreationData.createChangeRequest(ChangeRequestCreator.java:383)
    at com.aveksa.server.core.globalroleset.ChangeRequestCreator$Worker.run(ChangeRequestCreator.java:279)
    at java.lang.Thread.run(Thread.java:748)
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
This is a normal state for a role that is completing the change request process that ensues from selecting Apply Changes. However, when this state never changes, the role is considered stuck and intervention is required.
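To confirm that a stuck role matches this known issue, the log can be scanned for the ERROR signature shown above. The following is an added example, not RSA's code: the function names and the sample log written by write_sample_log are constructed, and it assumes the stack trace is logged one frame per line.

```shell
#!/bin/sh
# Added example: find ChangeRequestCreator NullPointerException events
# (the signature from this article) in an aveksaServer.log file.
# Usage: find_stuck_role_errors LOGFILE  -> prints one timestamp per matching event
find_stuck_role_errors() {
    awk '
        # A new log event starts with "MM/DD/YYYY HH:MM:SS.mmm LEVEL ...".
        $1 ~ "^[0-9]+/[0-9]+/[0-9]+$" && $2 ~ "^[0-9:.]+$" {
            # Track the event only if it is an ERROR from ChangeRequestCreator.
            ts = ($3 == "ERROR" && index($0, "globalroleset.ChangeRequestCreator]")) ? $1 " " $2 : ""
            npe = 0
            next
        }
        ts == "" { next }
        /java[.]lang[.]NullPointerException/ { npe = 1; next }
        # The frame that ties the NPE to building the change request items.
        npe && /at com[.]aveksa[.]server[.]core[.]cr[.]UserChangeRequestData[.]<init>/ {
            print ts
            ts = ""
        }
    ' "$1"
}

# Constructed sample log: one matching event modelled on the article, two that must not match.
write_sample_log() {
    cat > "$1" <<'EOF'
04/03/2019 18:04:27.101 INFO (Role) [com.example.Constructed] constructed filler line
04/03/2019 18:04:28.516 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
java.lang.NullPointerException
    at com.aveksa.server.core.cr.UserChangeRequestData.<init>(UserChangeRequestData.java:128)
    at com.aveksa.server.core.globalroleset.RoleManagementServiceProvider.getChangeItems(RoleManagementServiceProvider.java:2670)
04/03/2019 18:09:00.000 ERROR (Role) [com.aveksa.server.core.globalroleset.ChangeRequestCreator] Error method=run subTask=Ignoring Exception while Processing Event
java.lang.IllegalStateException: constructed non-matching exception
    at com.example.Constructed.run(Constructed.java:1)
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
find_stuck_role_errors "$sample"
rm -f "$sample"
```

Against a real deployment, pass the path of aveksaServer.log instead of the sample file; each timestamp printed marks a point where a role change request failed to be created.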
Cause
The Role may get into this state if one (or more) of the entitlements or users being committed to the role has been deleted since the role was created.
For example,
- Add an entitlement to the role but do not Apply Changes to the role.
- Delete the entitlement from the endpoint and run a collection to remove the entitlement from RSA Identity Governance & Lifecycle.
- Apply Changes to the role.
The issue occurs because RSA Identity Governance & Lifecycle is unable to create the change request for the entitlement required to modify the role since it has been deleted.
This is a known issue reported in engineering ticket ACM-97179.
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle patches:
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P02
When a Role commit contains a reference to a deleted user or a deleted entitlement, the item will be shown with a strike-through. The tool tip will display a message indicating that the resource was deleted. The Role commit will be allowed to complete without errors.
The tool tip message is:
This user has been deleted and will not be added as a member in the committed role.
and shows up as follows in the user interface (Roles > Roles > {Role name} > Members tab).
Workaround
The following techniques may be used to change the state of the role to a Committed state, allowing changes to be made to the role. Which technique is appropriate may depend on what other items are in the role.
- Cancel the change request associated with the role change
A change request is not always successfully created, but if you can identify the change request generated for this role change, you can cancel it from the Requests page in the user interface (Requests > Requests).
Warning: Deleting the Role is a permanent change and will cause a change request to be created to remove all entitlements and members from the role.
In some instances, if you understand the implications, deleting the role may be a valid choice.
- Force the Role into a state where it can be reverted back to a previous state.
Note: This only works if the role has a previously committed state. This does not work for a newly created role.
If you attempt to manage the role by selecting the role from the Roles page and navigating to the Members or Entitlements tab, you will see that editing the role in the Applied New state is not allowed. However, you can work around this restriction with the following technique:
- From the Roles page under the Roles menu (Roles > Roles), select the problematic role by enabling the checkbox in the left-hand column.
- From the Actions menu, select Add Entitlements.
- Add an arbitrary entitlement to the role.
- Note that the role is now in a Changed state.
- From the Actions menu, select Revert Changes to Roles.
- Revert back to the last committed state.
This will revert all changes you made to the role since the last commit, including the change that includes the deleted entitlement or user and including the arbitrary entitlement you created to force the change.
Warning: This will also revert any other uncommitted changes to the role. You must make those changes again manually.