Role attributes are updated in wrong fields when creating or editing a role with separators in RSA Governance & Lifecycle
7 days ago
Article Number
000073859
Applies To
  • RSA Governance & Lifecycle 8.0.0 P09 and 8.0.0 P09 HF01
Issue

The values assigned to custom attributes during the creation or editing of a role are applied to the wrong fields. This issue occurs when separators are used to group custom attributes in the role configuration.

For example, the role definition may have been configured as follows (under Admin > Attributes > Role) with two separators in non-ascending order:

When creating or editing a role, using the above configuration, an attempt to assign values, such as the following...

... will result in those values being assigned to the wrong fields, as seen below:

 

Another symptom of this issue occurs when a value of one type (say String) is incorrectly applied to a wrong field of a different type (say Integer). In that case, the creation or editing of the role fails with an error like the following in the UI:
"Value provided for the attribute <custom-attribute-name> should be in <data-type> form."

Cause

This issue occurs when any of the following conditions is met under Admin > Attributes > Role:

  • Multiple attribute separators are defined for Roles, and the names of these separators are not arranged in ascending order.
  • Custom attributes have been imported recently, and there is at least one separator for the Role attributes.

This issue was caused by a fix made for another Role-related issue, ACM-134363, where separators may be shown multiple times on the role creation or editing page after importing custom attributes.

Resolution

The issue is fixed in the following versions/patches where the previous fix for ACM-134363 has been reverted:

  • RSA Governance & Lifecycle 8.0.0 P10

A workaround is available (see below) for deployments of RSA Governance & Lifecycle 8.0.0 P09 or 8.0.0 P09 HF01 that are affected by this issue.

Workaround

A) CHECK IF YOUR DEPLOYMENT IS AFFECTED:

Follow the steps below to confirm if your RSA Governance & Lifecycle 8.0.0 P09 or 8.0.0 P09 HF01 deployment is affected by this issue:

  1. Navigate to Admin > Attributes > Role and verify if separators have been defined. If no separators are defined, then your deployment is NOT affected.
  2. Verify the order of separators in Admin > Attributes > Role. If the separators are NOT arranged in ascending order, then your deployment is affected. If the separators are defined in ascending order but a sequence number is NOT assigned, your deployment may still be affected. Use the following SQL command to determine whether a sequence number is assigned (returns a value of zero) or not assigned (returns a value other than zero):
    select count(*) from avuser.t_extensible_schema_columns where table_name='T_AV_ROLES' and group_name is not null and sequence_num is null;
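
The following read-only Oracle query is an added example, not part of the RSA article. It lists the Role attribute rows in the same order the article's identification script uses and flags the individual rows behind both checks; it assumes group_name holds the separator name, as that script implies.

```sql
-- Added diagnostic (not RSA's script): row-level view of the two conditions
-- that the article's checks only report as counts.
-- Assumption: group_name is the separator name for the attribute row.
SELECT sequence_num,
       group_name,
       display_name,
       name,
       prev_grp,
       -- 'Y' when this row's separator name sorts before the previous row's,
       -- i.e. the separators are not in ascending order at this position
       CASE
           WHEN prev_grp IS NOT NULL AND group_name < prev_grp THEN 'Y'
           ELSE 'N'
       END AS order_violation,
       -- 'Y' when the row belongs to a separator but has no sequence number
       CASE
           WHEN group_name IS NOT NULL AND sequence_num IS NULL THEN 'Y'
           ELSE 'N'
       END AS sequence_missing
FROM (
    SELECT sequence_num,
           group_name,
           display_name,
           name,
           LAG(group_name) OVER (ORDER BY sequence_num, display_name, name) AS prev_grp
    FROM avuser.t_extensible_schema_columns
    WHERE table_name = 'T_AV_ROLES'
)
ORDER BY sequence_num, display_name, name;
```

Rows marked 'Y' in either column show which separators to look at when renaming them during remediation.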

 

If your RSA Governance & Lifecycle 8.0.0 P09 or 8.0.0 P09 HF01 deployment is affected, follow the steps below to identify the affected roles:

  1. Run the SQL script below to list the affected role names:
    /* 
     Script to identify the Roles that might have been affected when the Role general information is modified.
     Script is to be run on 8.0.0 P09 and 8.0.0 P09 HF01.
    */
    with upgd as (select * from avuser.t_av_upgrade_history where to_version='8.0.0' 
    and to_patch in ('P09','P09_HF01') and status='Success'),
    extatr as (
    SELECT count(*) sep_order_violation
    FROM (
        SELECT sequence_num,
               group_name,
               LAG(group_name) OVER (ORDER BY sequence_num,display_name,name) AS prev_grp
        FROM avuser.t_extensible_schema_columns
        where table_name='T_AV_ROLES'
    )
    WHERE prev_grp IS NOT NULL
      AND group_name < prev_grp
    ),
    seqmis as (
    select count(*) cnt from avuser.t_extensible_schema_columns 
    where table_name='T_AV_ROLES' 
    and group_name is not null and sequence_num is null
    )
    SELECT rl.name role_raw_name, rl.alt_name role_name, cr.name change_request_name,
    cr.id change_request_id,cr.request_date, crd.full_operation,
    (
             SELECT JSON_ARRAYAGG(
                      JSON_OBJECT(
                          'AttributeDisplayName' VALUE g.display_name,
                          'oldValue'             VALUE x.old_value,
                          'newValue'             VALUE x.new_value
                      )
                    )
             FROM XMLTABLE(
                    '/list/com.aveksa.server.core.cr.RoleProfileChangeDetails'
                    PASSING XMLTYPE(crd.additional_data)
                    COLUMNS
                        attribute_name VARCHAR2(50) PATH 'attributeName',
                        old_value      VARCHAR2(4000) PATH 'oldValue',
                        new_value      VARCHAR2(4000) PATH 'newValue'
                  ) x
             JOIN avuser.t_extensible_schema_columns g
               ON g.name = x.attribute_name
               where table_name='T_AV_ROLES'
           ) AS Modified_values
    from avuser.t_av_roles rl 
    inner join  avuser.T_AV_AUDIT_SNAPSHOT sn
    on rl.id = object_id
    inner join avuser.t_av_change_requests cr
    on sn.related_object_id = cr.id
    inner join avuser.t_av_change_request_details crd
    on cr.id = crd.change_requests_id
    where sn.object_type='Role' 
    and sn.create_reason='ChangeRequest'
    and sn.related_object_type='ChangeRequest'
    and crd.full_operation in ('CreateGlobalRole','ChangeGlobalRoleProfile')
    and cr.request_date > (select migration_end_time from upgd)
    and ( 0 not in (select sep_order_violation from extatr) 
    or 0 not in (select cnt from seqmis))
    order by rl.name, cr.request_date asc;
  2. Save the results of the above script, then proceed with the remediation steps.

 

B) REMEDIATION

Follow the steps below to remediate the issue on affected deployments of RSA Governance & Lifecycle 8.0.0 P09 or 8.0.0 P09 HF01:

  1. Navigate to Admin > Attributes > Role, rename the separators so that they appear in ascending order, and save the changes.
  2. Review all the affected roles that were listed as a result of the script run above and update the incorrect attribute values for each affected role.