Remove groups from multiple disabled Accounts fails with error: "Expected 1 account associated with the ChangeRequestItem. There were 2" in RSA Identity Governance and Lifecycle
2 years ago
Originally Published: 2017-10-05
Article Number
000041048
Applies To
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 6.9.1, 7.0.1, 7.0.2
 
Issue
When a User has two or more disabled Active Directory accounts, and a CR is created to remove groups from the account, the CR is created as a “User Change” instead of “account change”.

The CR Item fails with the following error: 
Exception while processing the automated request for item Expected 1 account associated with the ChangeRequestItem.  There were 2.  CRI=[com.aveksa.server.core.cr.ChangeRequestItem@4ac2701f[reqID=13,itemID=43,stateStr=PZ,fullOperationStr=RemoveUserFromUserGroup,operandID=68,operandName=Helmy, Mostafa,operandDcId=63,operandAppId=<null>,description=<null>,valueTypeStr=UG,valueID=93,value2ID=<null>,valueName=TestGroup,valueAppId=41,value2AppId=<null>,valueDcId=62,value2DcId=<null>,watchId=49,watchToken=266:WPDS-26:WPDS-264:WPDS-0,affectedUserId=68,additionalData=<map/>]]
Account List:
Account{id=3, name='Mostafa.Helmy', applicationId=41, adcId=62, lastLoginDate=null, isDisabled='1', isLocked='0', creationDate=2017-04-07 19:09:52.0, lastCollectedDate=2017-04-11 14:42:55.0, addState='NotPending', removeState='NotPending', orphanedDate=null, isOrphaned='N', isDeleted='N', deletionDate=null, accountCollectorName='Active Directory ADC', applicationName='Active Directory', applicationRawName='Active Directory', isShared='y', isService='FALSE', userAccountMappings=[UserAccountMapping{id=15, accountId=3, accountName='Mostafa.Helmy', userId=68, isUserDeletedStr='n', adcId=62, createdBy=null, deletedBy=null, comments='null', stateStr='VA', collectedDate=null, creationDate=2017-04-07 19:09:52.0, lastCollectedDate=2017-04-11 14:42:55.0, deletedDate=null, addStateCode=0, addState=null, removeStateCode=0, removeState=null}], derivedFromType='null', derivedPath='null', expirationDate='null', guid='6d001ad5-d6bd-4d28-93d2-865ce92ce350', objectSid='null'},
Account{id=14, name='Mostafa.Helmy.2', applicationId=41, adcId=62, lastLoginDate=null, isDisabled='1', isLocked='0', creationDate=2017-04-07 19:12:48.0, lastCollectedDate=2017-04-11 14:42:55.0, addState='NotPending', removeState='NotPending', orphanedDate=null, isOrphaned='N', isDeleted='N', deletionDate=null, accountCollectorName='Active Directory ADC', applicationName='Active Directory', applicationRawName='Active Directory', isShared='y', isService='FALSE', userAccountMappings=[UserAccountMapping{id=47, accountId=14, accountName='Mostafa.Helmy.2', userId=68, isUserDeletedStr='n', adcId=62, createdBy=null, deletedBy=null, comments='null', stateStr='VA', collectedDate=null, creationDate=2017-04-07 19:12:48.0, lastCollectedDate=2017-04-11 14:42:55.0, deletedDate=null, addStateCode=0, addState=null, removeStateCode=0, removeState=null}], derivedFromType='null', derivedPath='null', expirationDate='null', guid='6fbd6a34-d66e-4c62-b9b2-10adeba69788', objectSid='null'}, exception is: {1}

Steps to Reproduce:
  1. User has two AD accounts.
  2. These two accounts have access to an AD group.
  3. The accounts are then disabled in AD and collected.
  4. When a change request  is created to remove the groups from the access tab of the user, note that the “submit Request” button has only 1 change instead of 2.
User-added image

User-added image

 Comment of the item shows the error:

User-added image
Cause
This is a bug which is fixed in 6.9.1 P23, 7.0.1 P04, 7.0.2 P02 for version 6.9.1 , 7.0.1 and 7.0.2 respectively.
Resolution
Deploy the patches 6.9.1 P23/ 7.0.1 P04/ 7.0.2 P04 respective to your version to have this issue fixed.

Related Articles

Trending Articles

Don't see what you're looking for?