Create Account fails if previous Create Account is pending in RSA Identity Governance & Lifecycle
4 years ago
Originally Published: 2019-08-13
Article Number
000041201
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
 
Issue

The RSA Identity Governance & Lifecyle Entitlement Requires Account feature is a feature that automatically creates an account when adding an entitlement related to the account and the account does not exist. For example, when adding a User to a Group, this feature will create the account for the user before adding the account to the group. The first time an entitlement is requested, the system will identify that an account does not exist and will automatically create the account.  For subsequent entitlements there is no need to create the account.

If there is a problem with the initial request that creates the account, subsequent change requests for entitlements that require that account may fail. 

Cause
This issue can occur if, during the process of requesting access, an entitlement is selected from an application that has entitlements require accounts enabled and:
  • before clicking on the Finish button, the requester closes out of the browser or navigates away from the submission page through anything other than the Cancel or Back buttons, or
  • the browser times out before the request has been completed (i.e before the Finish button has been pressed.)
In both cases, the change request is not created but the account is created in the background and is basically pending as there is no associated change request to fulfill the creation of the account.

The existence of this pending account prevents future entitlement requests because the account is required and yet does not actually exist but looks like it exists due to its pending status.

This is a known issue reported in engineering ticket ACM-89679.

 
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle patches:
  • RSA Identity Governance & Lifecycle 7.0.2 P14
  • RSA Identity Governance & Lifecycle 7.1.0 P07
  • RSA Identity Governance & Lifecycle 7.1.1 P02

To handle this issue, a new section in the RSA Identity Governance & Lifecycle user interface has been added called Pending Submissions under Requests > Requests, which will display the change requests which were left in the Pending Submission State

New change requests for access are prevented from being generated if requests already exist in the Pending Submission State for the account associated with the requested access.

The Request Form will not allow the user to submit the request and instead will display the following warning message under Dependencies:
   
The changes for the account ##### depends on the request XXXXX which was not successfully submitted. Please cancel the request before taking further actions by navigating to Pending Submissions tab.
 
User-added image
 
User-added image
Notes
Please see RSA Knowledge Base Article 000038249 -- Check for Pending Account dependency is skipped in RSA Identity Governance & Lifecycle for related information on this issue.

Related Articles

Trending Articles

Don't see what you're looking for?