Unable to delete a Security Domain in RSA Authentication Manager 8.x
Originally Published: 2017-08-11
Article Number
000045561
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: SuSE Linux
O/S Version: SuSe Linux Enterprise 11 SP4
 
Issue
When deleting a Security Domain, the following error is displayed:
There was a problem processing your request.
An attempt to update or delete a security domain resulted in a dependency violation on externally managed resources such as roles or users

Procedure to delete a Security Domain:
In the Security Console, click Administration > Security Domains > Manage Existing.
Use the Search tab or the Browse tab to find the security domain that you want to delete. Some fields are case sensitive.
Click the security domain that you want to delete, and select Delete.
Select Yes, delete this security domain.
Click Delete Security Domain.
Cause
There are some objects, such as users, groups, agents and administrative roles, that are associated with the security domain. 
You cannot delete the security domain until you remove the objects by deleting them or moving them to another security domain.
Resolution
Move users, groups, tokens, agents and administrative roles to another Security Domain.

Review the following web documents for details on moving users, groups, agents, tokens, and administrative roles to a new Security Domain:
  • Move Users Between Security Domains
  • Move User Groups Between Security Domains
  • Move an Authentication Agent to a New Security Domain
  • Move a Token Record to a New Security Domain
  • Edit an Administrative Role

In some cases, administrators have an environment where some objects are still associated with the security domain but they cannot find which objects they are. The steps below use the internal PostgreSQL database to identify the table that still references the security domain.

The administrator requires PostgreSQL database access to run SQL commands.
1. Open an SSH session on the Authentication Manager primary and run the following commands to capture the com.rsa.db.dba.password:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS password>
Last login: Wed Jan 14 10:27:53 2017 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin's name>
Please enter OC Administrator password: <enter Operations Console admin's password>
com.rsa.db.dba.password: rSAD5bGguLGNL9uGvFWnJoxIcHJah2
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password captured above>
psql.bin (9.2.4)

2. Run a SQL command to find the ID of the security domain:
select name,id from rsa_rep.ims_security_domain where name='ims_security_domain';
where ims_security_domain in the where clause is replaced with the name of the Security Domain you want to delete.
A sample output is:
        name         |               id
---------------------+----------------------------------
 ims_security_domain | 036e1d1a0b80a8c04c203eddeabe8bf5

3. Run a SQL command with the id from above to check the dependencies on the Security Domain row. The delete is expected to fail; the error message names the table that still references the security domain:
delete from rsa_rep.ims_security_domain where id='036e1d1a0b80a8c04c203eddeabe8bf5';

A sample output is:
db=#
ERROR: update or delete on table "ims_security_domain" violates foreign key constraint "fk_sec_dom_token" on table "am_token"
DETAIL: Key (id)=(036e1d1a0b80a8c04c203eddeabe8bf5) is still referenced from table "am_token".
db=#
Note that the output varies depending on which objects are still associated with the Security Domain. In the above example it was a token object (table am_token), but it may be users, groups, agents, and/or administrative roles.

4. Remove the objects by deleting them or moving them to another security domain, then delete the security domain from the Security Console as described above.
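Step 3 relies on a failed delete to reveal one referencing table at a time. As an added example (not part of the original RSA article), the following read-only block, run in the same rsa_dba psql session from step 1, walks every foreign key that points at rsa_rep.ims_security_domain through the PostgreSQL system catalogs and reports how many rows in each child table still reference the security domain ID found in step 2. It assumes the foreign keys are single-column (it inspects the first key column only) and that the ID is stored as a text type, as the sample output suggests.

```sql
-- Added example, not from the RSA article: non-destructive dependency check.
-- Lists each table whose foreign key references rsa_rep.ims_security_domain and
-- counts the rows that still point at the security domain being deleted.
DO $$
DECLARE
    sd_id text := '036e1d1a0b80a8c04c203eddeabe8bf5';  -- replace with the id from step 2
    fk    record;
    n     bigint;
BEGIN
    -- Every FK constraint (contype = 'f') whose referenced table is the
    -- security domain table. conkey[1] is the first (assumed only) key column.
    FOR fk IN
        SELECT con.conname   AS constraint_name,
               nsp.nspname   AS child_schema,
               rel.relname   AS child_table,
               att.attname   AS child_column
        FROM   pg_constraint con
        JOIN   pg_class      rel ON rel.oid = con.conrelid
        JOIN   pg_namespace  nsp ON nsp.oid = rel.relnamespace
        JOIN   pg_attribute  att ON att.attrelid = con.conrelid
                                AND att.attnum   = con.conkey[1]
        WHERE  con.contype   = 'f'
        AND    con.confrelid = 'rsa_rep.ims_security_domain'::regclass
    LOOP
        -- Count rows in the child table that still carry the security domain id.
        -- format(%I) quotes identifiers safely; the id is bound as a parameter.
        EXECUTE format('SELECT count(*) FROM %I.%I WHERE %I = $1',
                       fk.child_schema, fk.child_table, fk.child_column)
        INTO n USING sd_id;

        IF n > 0 THEN
            RAISE NOTICE '% row(s) in %.% still reference the security domain via % (column %)',
                         n, fk.child_schema, fk.child_table, fk.constraint_name, fk.child_column;
        END IF;
    END LOOP;
END $$;
```

Each NOTICE line identifies an object type (for example am_token for tokens) that must be moved or deleted through the Security Console before the security domain can be removed; the block itself changes nothing in the database.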