RSA Identity Governance & Lifecycle unification fails with the following error in the aveksaServer.log file:
05/03/2018 14:10:51.048 INFO (Exec Task Consumer#1) [com.aveksa.server.xfw.UnificationExecutor] Failed method=Process subTask=CompleteMergeTasks Default User Population, 1026095 com.aveksa.server.db.PersistenceException: java.sql.SQLException: ORA-30926: unable to get a stable set of rows in the source tables ORA-06512: at "AVUSER.UNFC_PROCESSOR", line 47 ORA-06512: at line 1 at com.aveksa.server.db.persistence.PersistenceServiceProvider.runStoredProcedure(PersistenceServiceProvider.java:1601) at com.aveksa.server.db.persistence.PersistenceServiceProvider.runStoredProcedure(PersistenceServiceProvider.java:1459) at com.aveksa.server.db.PersistenceManager.runStoredProcedure(PersistenceManager.java:267) at com.aveksa.server.xfw.UnificationExecutor.executeTask(UnificationExecutor.java:122) at com.aveksa.server.xfw.TaskExecutor.execute(TaskExecutor.java:99) at com.aveksa.server.xfw.ExecutionTaskQueue$Worker.run(ExecutionTaskQueue.java:116) at java.lang.Thread.run(Thread.java:745)
This issue may occur if the attribute used for the joins in the unification are not able to uniquely resolve the user resulting in a duplicate user entry.
This issue is resolved in the following RSA Identity Governance & Lifecycle patches:
RSA Identity Governance & Lifecycle 7.0.2 P07
RSA Identity Governance & Lifecycle 7.1.0 P01
The fix works as follows:
In versions where the patch has been applied, if the Identity Data Collectors (IDCs) have been collected before configuring the unification, then the unification screen will prevent the join from being created. If the IDCs have not been collected before the unification join has been created, the unification change will be allowed, but duplicate users will be rejected during unification.
This issue may be resolved by identifying and removing the duplicate users from the source data. Contact RSA Customer Support for assistance if you are unable to identify which users are not uniquely identified.
Alternatively, you may change the unification configuration to use a different unique identifier for the user join.