This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

RSA Identity Governance and Lifecycle 7.0+ Data Access Collector(DAC) Run shows Admin Error:The resource Fully Qualified Name should be unique within an application

Article Number

000035305

Applies To

RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 7.0 and up


 

Issue

In RSA Identity Governance and Lifecycle 7.0 and up, you have configured multiple Data Access Collectors (DAC) with different Data Resource Sets and following error is observed under the Admin Errors for the one of the collection's Data Run. 
EC[180] Context[RunID=173152, DADC(Name=SC Fileshare Resource DAC - Inherited, ID=1957, APP=)] 
Message[Entitlement Data Validation: The resource Fully Qualified Name should be unique within an application].

The collector is configured with the following settings:
 
Image descriptionImage description

This error is observed even if these DACs are using different Data Resource Sets. 

Cause

Version 6.x allowed multiple collectors to collect data with the same Data Resource Fully Qualified Names by using two different resource sets. For example, in the Data Access Collector's configuration under the Edit Collector: <Collector Name> > Mapping for data resource attributes section, if the checkbox for the setting "This data collector can define new data resources" is checked for more than one Data Access Collector AND these DACs are collecting data with the same Data Resource Fully Qualified Names, all those DACs ran successfully with different resource sets.
 
Image descriptionImage description

However, this behavior is changed in version 7.0 and higher.  As mentioned in the RSA Identity Governance and Lifecycle 7.0.2 Upgrade and Migration GuideData Access Collectors are no longer able to collect duplicate Resources based on the Fully Qualified Name between Primary collectors.

Let's say you created the two Data Access Collectors we see below:

The first, Quest-Share-New, uses Data Resource Set: DS-Share-New:
 
Image descriptionImage description

The second, named Share-Owners-New, uses Data Resource Set: DS-Share-Owners-New:
 
Image descriptionImage description

The source file named t_quest_shares_new.csv contains the following entries: 
​SharePath7
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)

Source file "t_quest_share_owners_new.csv" contains the following entries: 
​SharePath7.OwnerNew
\\db08.aveksa.local\BugzillaBackup,bzbackup
\\db08.aveksa.local\dzehme,dzhame
\\db08.aveksa.local\Export
\\db08.aveksa.local\SYSVOL\aveksa.local\Policies\(CEAD4878-0149-4963-B42A-01742B1F5F98)
\\PCD08.aveksa.local\FinanceShare,jodonnell
\\PCD08.aveksa.local\HOME\abeaudoin,abeaudoin
\\PCD08.aveksa.local\HOME\angyuyen, abguyen
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\(25CA04C9-E54A-4B04-8B47-414B57C76E0F)
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)

When a checkbox for this setting "This data collector can define new data resources" is checked for both Data Access Collectors as shown above, and these two DACs use different resource sets AND they are collecting the same Data Resource Fully Qualified Names, then the DAC that is run second and collects duplicate Data Resource Fully Qualified Names shows the following Admin Error: 
Message[Entitlement Data Validation: The resource Fully Qualified Name should be unique within an application]
 
This error is caused by the 16 duplicate resource names from the source file, as shown below in  blue: 
​SharePath7.OwnerNew
\\db08.aveksa.local\BugzillaBackup,bzbackup
\\db08.aveksa.local\dzehme,dzhame
\\db08.aveksa.local\Export
\\db08.aveksa.local\SYSVOL\aveksa.local\Policies\(CEAD4878-0149-4963-B42A-01742B1F5F98)
\\PCD08.aveksa.local\FinanceShare,jodonnell
\\PCD08.aveksa.local\HOME\abeaudoin,abeaudoin
\\PCD08.aveksa.local\HOME\angyuyen, abguyen
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\(25CA04C9-E54A-4B04-8B47-414B57C76E0F)
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)

All the duplicate Data Resource Fully Qualified Names shown above are rejected as in the following screen shot: 
 
Image descriptionImage description

Clicking on of the rejected entries will show the following error:
 
Image descriptionImage description

Resolution

In RSA Identity Governance and Lifecycle 7.0 and up, two or more Data Access Collectors cannot collect the same Data Resource Fully Qualified Names, even if they are using different resource sets.

To resolve the Admin Error,  only one DAC should set new data resources. This collector is referred to as the Primary Collector. Define a Primary Collector by checking This data collector can define new data resources.  All other collectors should un-check this setting if they are collecting the same data resource names (one or more) as the Primary Collector. 

Alternatively, if you need to have more than one Primary Collector, you need to ensure that two or more Primary DAC Collectors are not collecting the same resource names.  Duplicate resource names must be removed from one of the source files that are used by the Primary DAC collectors for collection.  In the above example, the duplicate entries shown here in blue must be removed from source file "t_quest_share_owners_new.csv". 
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
Please refer to the RSA Identity Governance and Lifecycle Upgrade and Migration Guide for 7.0+ for more information. 

The RSA Identity Governance and Lifecycle 7.0.2 Upgrade and Migration Guide  mentions the following: 

Changes to Data Collections

RSA Identity Governance and Lifecycle v7.0.1 and later includes the following data collection changes:
  • Identity Data Collectors no longer collect user groups.
  • Duplicate objects are no longer allowed within an application namespace. Previously, duplicate objects were not allowed within a collector, and as a result more than one collector was allowed to collect the same entitlement for an application.
  • Primary Data Access Collectors are no longer able to collect duplicate resources based on the Fully Qualified Name.
  • Entitlement Data Collectors no longer collect role entitlements. Instead, Role Data Collectors collect all role entitlements.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 10:37 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.