Indirect Relationship Processing fails with ORA-30926 and 'ORA-06512: at "AVUSER.CE_USERS" ' errors when collecting Groups in RSA Identity Governance & Lifecycle
Originally Published: 2020-05-04
Article Number
Applies To
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
Issue
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
04/15/2020 01:21:45.636 ERROR (Exec Task Consumer#0) [com.aveksa.server.xfw.TaskExecutor] Failed method=Execute
ExecutionTask[TaskID=3027914 RunID=2159883 Source=68 Type=EntitlementExplosionProcessing Status=InProgress]
com.aveksa.server.xfw.ExecutionException: com.aveksa.server.db.PersistenceException: java.sql.SQLException:
ORA-30926: unable to get a stable set of rows in the source tables
ORA-06512: at "AVUSER.CE_USERS", line 1036
ORA-06512: at "AVUSER.CE_USERS", line 1882
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 335
ORA-06512: at "AVUSER.COMMON_EXPLODER", line 129
ORA-06512: at line 1
Please see RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
Cause
For example:
UserA has AccountA that is a member of GroupC through the following paths:
- AccountA is a member of GroupA which is a member of GroupC
- AccountA is a member of GroupB which is a member of GroupC
RSA Identity Governance & Lifecycle incorrectly fails to resolve the Account to Group membership as a unique entitlement for this use case. This issue only occurs when multiple Account to Group relationships are resolved in the same Account Data Collector (ADC) run (specifically, the same Indirect Relationship Processing step that is shared by multiple ADC runs). It does not occur if one Account to Group relationship is resolved in a previous collection and a new relationship is established in a different collection. Normally, with the delta collection model, changes to Accounts and/or Groups, as well as Account to Group relationships, are resolved per collector, so a failure is unlikely. However, forcing a Full Refresh on a collector, or forcing a Full Refresh on multiple collectors at the same time, drastically increases the likelihood of this failure.
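The example above, modelled as an added illustration in Python with SQLite (this is not RSA's code or schema; the table and column names are hypothetical and the data is constructed). Resolving AccountA's indirect memberships along both paths produces two rows for the same Account to Group pair, which is the kind of duplicate a GROUP BY ... HAVING COUNT(1) > 1 check reports.

```python
import sqlite3

# Constructed data for the article's example; names are hypothetical.
EDGES = [("AccountA", "GroupA"), ("AccountA", "GroupB"),
         ("GroupA", "GroupC"), ("GroupB", "GroupC")]

SCHEMA = """
CREATE TABLE membership (member TEXT, grp TEXT);
CREATE TABLE resolved (entitled TEXT, entitlement TEXT, path TEXT);
"""

# Walk every membership path from each account; one output row per path.
EXPLODE = """
WITH RECURSIVE walk(entitled, entitlement, path, depth) AS (
    SELECT member, grp, member || '>' || grp, 1
    FROM membership WHERE member LIKE 'Account%'
    UNION ALL
    SELECT w.entitled, m.grp, w.path || '>' || m.grp, w.depth + 1
    FROM walk w JOIN membership m ON m.member = w.entitlement
    WHERE w.depth < 16  -- guard against cyclic group nesting
)
INSERT INTO resolved SELECT entitled, entitlement, path FROM walk
"""

# Same shape as a duplicate check: GROUP BY ... HAVING COUNT(1) > 1.
DUPLICATES = """
SELECT entitled, entitlement, COUNT(1) FROM resolved
GROUP BY entitled, entitlement HAVING COUNT(1) > 1
"""
UNIQUE = "SELECT DISTINCT entitled, entitlement FROM resolved ORDER BY 1, 2"

def explode(edges):
    """Load direct memberships and resolve indirect ones into `resolved`."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO membership VALUES (?, ?)", edges)
    con.execute(EXPLODE)
    return con

def duplicate_pairs(con):
    return con.execute(DUPLICATES).fetchall()

def unique_pairs(con):
    return con.execute(UNIQUE).fetchall()

if __name__ == "__main__":
    con = explode(EDGES)
    print("duplicates:", duplicate_pairs(con))
    print("unique:", unique_pairs(con))
```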
Resolution
- RSA Identity Governance & Lifecycle 7.0.2 P14
- RSA Identity Governance & Lifecycle 7.1.0 P08
- RSA Identity Governance & Lifecycle 7.1.1 P02
- RSA Identity Governance & Lifecycle 7.2.0
To determine if you have this issue, run the following SQL script as avuser. The script identifies if there are any duplicates but does not uniquely identify the type of a duplicate. If the script returns a count greater than zero, the issue exists and patching to one of the above versions is required.
-- Duplicate rows in t_ce_explicit_relations (same entitled/entitlement pair)
SELECT *
FROM t_ce_explicit_relations
WHERE
    ( entitled_id, entitled_type, entitlement_id, entitlement_type ) IN (
        SELECT
            entitled_id, entitled_type, entitlement_id, entitlement_type
        FROM t_ce_explicit_relations
        GROUP BY
            entitled_id, entitled_type, entitlement_id, entitlement_type
        HAVING COUNT(1) > 1
    );

-- Count of explicit relations that belong to deleted data collectors
SELECT COUNT(1)
FROM t_ce_explicit_relations
WHERE
    dc_id IN (
        SELECT id
        FROM t_data_collectors
        WHERE is_deleted = 'TRUE'
    );

-- Duplicate rows in t_group_memberships
SELECT *
FROM t_group_memberships
WHERE
    ( dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path ) IN (
        SELECT
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path
        FROM t_group_memberships
        GROUP BY
            dc_id, group_id, member_id, member_type, member_derived_from_type, member_derived_from_id, member_path
        HAVING COUNT(1) > 1
    );
Workaround
There is no cleanup script for this issue. The issue must be resolved through a patch.
Notes
- 000034893 -- Indirect Relationship Processing fails with ORA-30926 and 'ORA-06512: at "AVUSER.CE_USERS" ' errors after Migration to 7.0.1 P02 of RSA Identity Governance & Lifecycle ORA-30926
- 000034775 -- Indirect Relationship Processing fails with 'ORA-12899 value too large for column' error in RSA Identity Governance & Lifecycle