Article Number
000038625
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1, 7.2.0
Issue
The Web Service API createChangeRequest command fails when called from an RSA Identity Governance & Lifecycle workflow.
The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) shows the following INFO level log message:
02/08/2020 10:55:54.351 INFO (Worker_actionq#Normal#jdbc/avdb_1) [com.aveksa.server.workflow.webservices.rest.client.RestClient]
REST Request Completed with status code: 401 and Message: Unauthorized
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
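To confirm that a node is hitting this condition, the RestClient entries can be pulled out of aveksaServer.log and filtered for 401 responses. The script below is an added example, not RSA code; it assumes the entry layout shown in the log message above, accepts the message either on the header line or on the line after it, and runs on constructed sample lines.

```python
import re

# Constructed sample in the layout of the entry quoted above. Only the first
# entry comes from the article; the other timestamps, the 200 response and the
# avdb_2 thread are invented for illustration.
SAMPLE_LOG = """\
02/08/2020 10:55:54.351 INFO (Worker_actionq#Normal#jdbc/avdb_1) [com.aveksa.server.workflow.webservices.rest.client.RestClient]
REST Request Completed with status code: 401 and Message: Unauthorized
02/08/2020 10:56:10.002 INFO (Worker_actionq#Normal#jdbc/avdb_1) [com.aveksa.server.workflow.webservices.rest.client.RestClient] REST Request Completed with status code: 200 and Message: OK
02/08/2020 11:02:17.120 INFO (Worker_actionq#Normal#jdbc/avdb_2) [com.aveksa.server.workflow.webservices.rest.client.RestClient]
REST Request Completed with status code: 401 and Message: Unauthorized
"""

# Entry header: timestamp, level, (thread), [logger], optional message text.
HEADER = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>[A-Z]+) +"
    r"\((?P<thread>[^)]*)\) \[(?P<logger>[^\]]+)\] ?(?P<rest>.*)$")
STATUS = re.compile(
    r"REST Request Completed with status code: (?P<code>\d{3}) and Message: (?P<msg>.*)")

def rest_client_events(lines):
    """Yield one dict per RestClient completion message. The message may be on
    the header line or on a following continuation line."""
    current = None
    for line in lines:
        header = HEADER.match(line.rstrip("\n"))
        if header:
            current = header.groupdict()
            text = current["rest"]
        else:
            text = line
        if current is None or not current["logger"].endswith(".RestClient"):
            continue
        status = STATUS.search(text)
        if status:
            yield {"ts": current["ts"], "thread": current["thread"],
                   "status": int(status["code"]), "message": status["msg"].strip()}
            current = None  # entry consumed; ignore stray continuation lines

def unauthorized(lines):
    """Return only the workflow REST calls that were rejected with 401."""
    return [e for e in rest_client_events(lines) if e["status"] == 401]

if __name__ == "__main__":
    for event in unauthorized(SAMPLE_LOG.splitlines()):
        print(event["ts"], event["thread"], event["status"], event["message"])
```

To scan a real log, pass the open file object for aveksaServer.log to unauthorized() in place of the sample lines.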
Cause
This issue occurs when the security on the createChangeRequest Web Service command is set to Request Forms and Workflows (no token). In the user interface go to Admin > Web Services > Request tab > Configure button for createChangeRequest.
Admin Web Services API calls typically require an authentication token to allow access to the API commands. The Web Service loginUser command (Admin > Web Services > Admin tab) accepts an RSA Identity Governance & Lifecycle username and password value for a particular user and then creates a user session token that impersonates that user. Subsequent Admin Web Service API calls then use the user session token and are identified as the user that was authenticated.
The createChangeRequest (Admin > Web Services > Request tab) API command is an example of an Admin Web Services API call that requires an authenticated user in order to complete the call. When a createChangeRequest call is made, the change request is generated as the user session token user. When the createChangeRequest call is made from a workflow, it needs to be configured so that a user session token is not required. As a result, when the createChangeRequest is called from a workflow, the createChangeRequest call fails because there is no user associated with the command.
This is a known issue reported in engineering ticket ACM-103573.
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P01
The fix will be to allow the createChangeRequest calls to be made without presenting a user session token. The requests will be generated under a user called System.
Workaround
The only workaround to this issue is to pass a user session token with the request, which is not practical for use within a workflow.
Notes
Other Admin API Web Services requests that require a user reference may also fail, including but not limited to cancelChangeActivity, updateReviewItems, etc.