IGL 7.1.1 P03 introduces new functionality for the "Entitlements Require Account" option. This option allows the administrator to define whether a user requires an account for access in a connected application (for example, if they need an Active Directory account before they can have an Active Directory group). This was previously set to one of two values:
- Yes - the user requires an account to receive this access via IGL
- No - the user does not require and account to receive this access via IGL
This has been updated in version 7.1.1 P03 to reflect a third state - "Sometimes". Thanks to Mostafa Helmy for the following description of the new behaviour (Original Thread):
- If set to Always, then the changes will always be Account Changes.
- If set to Sometimes and the User has at least one or more accounts within the application, then the changes will be Account Changes.
- Otherwise (Never or Sometimes but the user does not have an account within the application), the changes will be User Changes.
However, the import script for business sources and rule sets have not been updated to reflect this. In the metadata export for a business source, the following line is present:
<Property name="entsRequireAccountStr" type="java.lang.String">$VALUE</Property>
This line holds the value of whether the business source requires accounts to be present before providing access. The metadata was previously exported in one of two forms: 'TRUE' or 'false'.
There is now a constraint upon the AVUSER.T_APPLICATIONS table (ENTS_REQUIRE_ACCOUNT_CHK) which checks for one of three values: 'TRUE', 'FALSE' or 'NEVER'. As SQL is case sensitive on strings, 'false' does not match 'FALSE' and as such, fails the constraint integrity check. The import then fails.
To workaround this, perform the following replace on the business source files:
Original: <Property name="entsRequireAccountStr" type="java.lang.String">false</Property>
New: <Property name="entsRequireAccountStr" type="java.lang.String">FALSE</Property>
This issue may be indicated in your logs by the following error:
ORA-02290: check constraint (AVUSER.ENTS_REQUIRE_ACCOUNT_CHK) violated