Add access unsuccessful due to PS CR behavior in RSA Identity Governance & Lifecycle
Originally Published: 2019-09-05
Article Number
000041462
Applies To
RSA Product Set: Identity Governance and Lifecycle
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.1.0
Platform: UNIX
Issue
Steps to reproduce:

1. Have an account present in a specific directory/application whose name is a user's USER_ID value, but which is not mapped to that user.
2. Have an account template that creates temp accounts using the user's USER_ID attribute, associate it with the directory mentioned in step 1, and configure "Entitlement Requires Account" to true in that directory/application.
3. Add an entitlement to the user who has an account with the same value as his/her user ID (account not mapped to user).
4. Witness the creation of 2 CRs:
   - A CR that contains an ADD operation for the entitlement being added to the user, with the following CR item: This CR is stuck due to a dependency (item is Pending Action).
   - Another CR in a Pending State, as per the below screenshot, which contains a create operation and an Add as well.

Once the second CR exists in Pending State, running the following procedure to clean up pending submission CRs results in a constraint dependency error:

    execute ACCESS_REQUEST_PKG.DELETE_PENDINGSUBMISSIONS(sysdate);

    Error starting at line : 1 in command -
    execute ACCESS_REQUEST_PKG.DELETE_PENDINGSUBMISSIONS(sysdate)
    Error report -
    ORA-02292: integrity constraint (AVUSER.FK_CRDETAIL_DEPENDENCY_CRI_ID) violated - child record found
    ORA-06512: at "AVUSER.ACCESS_REQUEST_PKG", line 1866
    ORA-06512: at "AVUSER.ACCESS_REQUEST_PKG", line 1915
    ORA-06512: at line 1
    00000 - "integrity constraint (%s.%s) violated - child record found"
    *Cause: attempted to delete a parent key value that had a foreign dependency.
    *Action: delete dependencies first then parent or disable constraint.

ING were facing this issue because the first CR was generated 1 day prior to the collection of the user-to-account mapping for that user.
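The tables and columns behind the ORA-02292 error above can be identified from Oracle's data dictionary. The query below is an added example, not part of the original RSA article; it uses only the standard ALL_CONSTRAINTS and ALL_CONS_COLUMNS views together with the schema and constraint name printed in the error message, and it is read-only.

```sql
-- Added example: resolve the foreign key named in the ORA-02292 message
-- to its child table/column and the parent table/column it references.
-- Only the owner and constraint name are taken from the error text;
-- everything else comes from Oracle's standard dictionary views.
SELECT fk.owner            AS child_owner,
       fk.table_name       AS child_table,
       fkc.column_name     AS child_column,
       pk.owner            AS parent_owner,
       pk.table_name       AS parent_table,
       pkc.column_name     AS parent_column,
       fk.delete_rule,     -- NO ACTION means parent deletes fail while child rows exist
       fk.status           -- ENABLED or DISABLED
FROM   all_constraints  fk
JOIN   all_cons_columns fkc
       ON  fkc.owner           = fk.owner
       AND fkc.constraint_name = fk.constraint_name
JOIN   all_constraints  pk
       ON  pk.owner            = fk.r_owner
       AND pk.constraint_name  = fk.r_constraint_name
JOIN   all_cons_columns pkc
       ON  pkc.owner           = pk.owner
       AND pkc.constraint_name = pk.constraint_name
       AND pkc.position        = fkc.position   -- pair up multi-column keys
WHERE  fk.owner           = 'AVUSER'
AND    fk.constraint_name = 'FK_CRDETAIL_DEPENDENCY_CRI_ID'
AND    fk.constraint_type = 'R'                 -- 'R' = referential (foreign key)
ORDER  BY fkc.position;
```

The child_table and child_column returned show where the dependency rows that block the delete are stored, which is the information needed when reporting the stuck CRs to RSA Support.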