RSA Identity Governance and Lifecycle 7.0+ Data Access Collector(DAC) Run shows Admin Error:The resource Fully Qualified Name should be unique within an application
2 years ago
Originally Published: 2017-06-22
Article Number
000065207
Applies To
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 7.0 and up


 
Issue
In RSA Identity Governance and Lifecycle 7.0 and up, you have configured multiple Data Access Collectors (DAC) with different Data Resource Sets and following error is observed under the Admin Errors for the one of the collection's Data Run. 
EC[180] Context[RunID=173152, DADC(Name=SC Fileshare Resource DAC - Inherited, ID=1957, APP=)] 
Message[Entitlement Data Validation: The resource Fully Qualified Name should be unique within an application].

The collector is configured with the following settings:
 
Mapping for Data Resoure Attribute Page

This error is observed even if these DACs are using different Data Resource Sets. 
Cause
Version 6.x allowed multiple collectors to collect data with the same Data Resource Fully Qualified Names by using two different resource sets. For example, in the Data Access Collector's configuration under the Edit Collector: <Collector Name> > Mapping for data resource attributes section, if the checkbox for the setting "This data collector can define new data resources" is checked for more than one Data Access Collector AND these DACs are collecting data with the same Data Resource Fully Qualified Names, all those DACs ran successfully with different resource sets.
 
Create-New-Resource-Setting

However, this behavior is changed in version 7.0 and higher.  As mentioned in the RSA Identity Governance and Lifecycle 7.0.2 Upgrade and Migration GuideData Access Collectors are no longer able to collect duplicate Resources based on the Fully Qualified Name between Primary collectors.

Let's say you created the two Data Access Collectors we see below:

The first, Quest-Share-New, uses Data Resource Set: DS-Share-New:
 
DAC-Quest-Share-New

The second, named Share-Owners-New, uses Data Resource Set: DS-Share-Owners-New:
 
DAC-Share-Owners-New

The source file named t_quest_shares_new.csv contains the following entries: 
​SharePath7
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)

Source file "t_quest_share_owners_new.csv" contains the following entries: 
​SharePath7.OwnerNew
\\db08.aveksa.local\BugzillaBackup,bzbackup
\\db08.aveksa.local\dzehme,dzhame
\\db08.aveksa.local\Export
\\db08.aveksa.local\SYSVOL\aveksa.local\Policies\(CEAD4878-0149-4963-B42A-01742B1F5F98)
\\PCD08.aveksa.local\FinanceShare,jodonnell
\\PCD08.aveksa.local\HOME\abeaudoin,abeaudoin
\\PCD08.aveksa.local\HOME\angyuyen, abguyen
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\(25CA04C9-E54A-4B04-8B47-414B57C76E0F)
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)

When a checkbox for this setting "This data collector can define new data resources" is checked for both Data Access Collectors as shown above, and these two DACs use different resource sets AND they are collecting the same Data Resource Fully Qualified Names, then the DAC that is run second and collects duplicate Data Resource Fully Qualified Names shows the following Admin Error: 
Message[Entitlement Data Validation: The resource Fully Qualified Name should be unique within an application]
 
This error is caused by the 16 duplicate resource names from the source file, as shown below in  blue: 
​SharePath7.OwnerNew
\\db08.aveksa.local\BugzillaBackup,bzbackup
\\db08.aveksa.local\dzehme,dzhame
\\db08.aveksa.local\Export
\\db08.aveksa.local\SYSVOL\aveksa.local\Policies\(CEAD4878-0149-4963-B42A-01742B1F5F98)
\\PCD08.aveksa.local\FinanceShare,jodonnell
\\PCD08.aveksa.local\HOME\abeaudoin,abeaudoin
\\PCD08.aveksa.local\HOME\angyuyen, abguyen
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\
\\PDC08.aveksa.local\SYSVOL\aveksa.local\Policies\(25CA04C9-E54A-4B04-8B47-414B57C76E0F)
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)

All the duplicate Data Resource Fully Qualified Names shown above are rejected as in the following screen shot: 
 
Rejected Fully Qualified Resource Names

Clicking on of the rejected entries will show the following error:
 
Error In Rejected Entry
Resolution
In RSA Identity Governance and Lifecycle 7.0 and up, two or more Data Access Collectors cannot collect the same Data Resource Fully Qualified Names, even if they are using different resource sets.

To resolve the Admin Error,  only one DAC should set new data resources. This collector is referred to as the Primary Collector. Define a Primary Collector by checking This data collector can define new data resources.  All other collectors should un-check this setting if they are collecting the same data resource names (one or more) as the Primary Collector. 

Alternatively, if you need to have more than one Primary Collector, you need to ensure that two or more Primary DAC Collectors are not collecting the same resource names.  Duplicate resource names must be removed from one of the source files that are used by the Primary DAC collectors for collection.  In the above example, the duplicate entries shown here in blue must be removed from source file "t_quest_share_owners_new.csv". 
\\db07.aveksa.local\BugzillaBackup
\\db07.aveksa.local\dzehme
\\db07.aveksa.local\Export
\\db07.aveksa.local\jducharme
\\db07.aveksa.local\ofcscan\Web_SMB\Web_console
\\db07.aveksa.local\ofcscan\wss\isapi
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies
\\db07.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
\\db07.aveksa.local\FinanceShare
\\PDC7.aveksa.local\HOME\abeaudoin
\\PDC7.aveksa.local\HOME\anguyen
\\PDC7.aveksa.local\HOME\ao
\\PDC7.aveksa.local\HOME\apolnicki
\\PDC7.aveksa.local\HOME\bchang
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies
\\PDC7.aveksa.local\SYSVOL\aveksa.local\Policies(25CA04C9-E54A-4B04-8B47-414B57C76EOF)
Please refer to the RSA Identity Governance and Lifecycle Upgrade and Migration Guide for 7.0+ for more information. 

The RSA Identity Governance and Lifecycle 7.0.2 Upgrade and Migration Guide  mentions the following: 

Changes to Data Collections

RSA Identity Governance and Lifecycle v7.0.1 and later includes the following data collection changes:
  • Identity Data Collectors no longer collect user groups.
  • Duplicate objects are no longer allowed within an application namespace. Previously, duplicate objects were not allowed within a collector, and as a result more than one collector was allowed to collect the same entitlement for an application.
  • Primary Data Access Collectors are no longer able to collect duplicate resources based on the Fully Qualified Name.
  • Entitlement Data Collectors no longer collect role entitlements. Instead, Role Data Collectors collect all role entitlements.

Related Articles

Trending Articles

Don't see what you're looking for?