Change Requests missing information in SecurID Governance & Lifecycle
2 years ago
Article Number
000067902
Applies To

This issue affects customers upgrading to the following version:

  • SecurID Governance & Lifecycle 7.5.2 (original GA build 181918)
This issue affects customers patching to the following patches:
  • RSA Identity Governance & Lifecycle 7.2.1 P06, P07, P08, P09, P10
  • RSA Identity Governance & Lifecycle 7.5.0 P01, P02, P03, P04, P05, P06
  • SecurID Governance & Lifecycle 7.5.2 P01, P02
The above patches and versions are no longer accessible for download on myRSA, however customers who downloaded these versions previously may be affected.
Issue

After upgrading or patching to the affected versions, Change Requests created before the upgrade or migration may be missing certain information or may not display the information correctly. New Change Requests created after upgrading or patching are not affected.

  1. Historical Change Requests in Completed State or Cancelled State will not show Task information.
  2. For Change Requests in active states such as Approval State or Fulfillment Phase, the missing Task information can cause the following problems:
  • Task is missing from Change Requests in Fulfilment phase
  • The detailed Account Changes on the Approval Phase for the Change Request do not display. (The information is not deleted but it does not display because the Task is missing.)
  • Task column on the Request > Activities menu is blank
  • If a Change Request configured for Automatic Fulfillment (AFX) has a missing task and is subsequently approved, Automatic Fulfillment fails and fallbacks to Manual Fulfillment
  • Reports based on table views, that source data from table T_AV_WFJOB_ITEMS, may not show information related to Change Requests


Example of a Change Request in Manual Fulfillment that properly shows a Task (when using an unaffected patch/version):

screen1.png

Example of  an active Change Request in Manual Fulfillment showing a missing Task, due to applying an affected patch/version:

image.png

3. If a Change request with an Approval that is missing a task moves automatically to fulfilment, the following exception may be logged in the aveksaServer.log and workpoing.log files:

java.lang.Exception: Invalid Empty List of Change Items Returned

 

Cause

During patching (or upgrade) to the affected patch (or version):

  • Tasks are incorrectly removed from active Change Requests. (Active Change Requests are requests in flight at the time of the patch or upgrade that are not in COMPLETED state.)  For example, Manual Fulfillment does not show the Task information.  This prevents an Approver from understanding what was requested and completing the Approval correctly.
  • Change Requests completed prior to the migration do not show the Task information. This prevents reviewing historical information related to the Tasks associated with completed Change Requests.
  • Any new Data Archiving run results in wrong data for Change Requests being archived and subsequently removed by the purge process of the Archiving run. Note that Data Purging, not related to Data Archiving, is not affected.

This issue does not affect new Change Requests created after the patching (or upgrade) to the affected patch/version.

Resolution

This issue is resolved for customers upgrading to the following version:

  • SecurID Governance & Lifecycle 7.5.2 (updated build 182642)

This issue is resolved for customers patching to the following versions:

  • RSA Identity Governance & Lifecycle 7.2.1 P11
  • RSA Identity Governance & Lifecycle 7.5.0 P07
  • SecurID Governance & Lifecycle 7.5.2 P03 (build 182642)

This issue is NOT resolved for customers upgrading to the following version:

  • SecurID Governance & Lifecycle 7.5.2 (original GA build 181918)

(Customers who must upgrade to the affected 7.5.2 build 181918, should refer to the Workaround section.)


Guidelines:

  • Customers patching from one of the non affected patches or versions  to one of the versions listed in this section where the issue is resolved do not have to take any action.
  • Customers who have already patched or upgraded to one of the affected versions and are NOT using Data Archiving do not have to take any action but should read the notes in the "Workaround" section. 
  • Customers who have already patched or upgraded to one of the affected versions and ARE using Data Archiving should refer to the "Workaround" section.
  • Customers intending to upgrade or patch to one of the affected versions are advised to instead upgrade or patch to one of the resolved versions. Otherwise refer to the "Workaround" section.
Workaround
In all instances, the first choice for customers is to upgrade or patch to a version where this issue is resolved.  If you are unable to do so, the following detailed guidance is provided for each use case:
  • Customers intending to upgrade to the affected version 7.5.2 (original GA build 181918) listed in the "Applies To" section must apply the "Pre-fix" BEFORE attempting the upgrade.  See the section marked "Pre-fix".  When prompted by the Pre-fix script for a target release, enter "7.5.2".  See Note 3 below. 
  • Customers intending to patch to one of the affected patches listed in the "Applies To" section must apply the "Pre-fix" BEFORE attempting the patching.  See the section marked "Pre-fix". When prompted by the Pre-fix script for a target release and patch, enter the corresponding target version (one of 7.2.1, 7.5.0, or 7.5.2) and the corresponding target patch (e.g., P01, P06, P10) you intend on upgrading or patching to.
  • Customers who have just recently patched or upgraded to one of the affected patches or versions listed in the "Applies To" section are advised to contact SecurID Support for assistance in reverting back to a known good patch and restoring the database from backup.  Customers will need to apply the "Pre-fix" before attempting the patch or upgrade again. When prompted by the Pre-fix script for a target release and patch, enter the corresponding target version (one of 7.2.1, 7.5.0, or 7.5.2) and the corresponding target patch (e.g., P01, P06, P10) you intend on upgrading or patching to.
  • Customers who previously patched or upgraded to one of the affected patches or versions listed in the "Applies To" section should note that Change Requests in Active State at the time of the patching or upgrade may not be able to move to completion.  The problem Change Requested may be cancelled and new Change Requests can be created if this is feasible.
    • Customers who previously patched or upgraded to one of the affected patches or versions listed in the "Applies To" section and are using Data Archiving (Data Purging is not affected) need to apply the "Pre-Fix before using Data Archiving. When prompted by the Pre-fix script for a release and patch, enter the version and patch you are currently on.
    • Customers who previously patched or upgraded to one of the affected patches or versions listed in the "Applies To" section and have a database backup taken PRIOR to applying the affected patch/version may be able to recover the missing data for Change Requests using a tool provided by RSA. See the section marked "Data Recovery Tool".

 

Pre-fix:

If you require the Pre-fix script, contact RSA Customer Support and quote this KB article. 

A Pre-fix is available that prevents the incorrect data from being removed during patching or upgrading to an affected patch or version.  The Pre-fix can be run at any time before patching or upgrading.

  • Apply the Pre-fix (Inflight_workflow_ACM-113586_05112022.sql)
  • Enter the version and patch number as noted for your use case above.
  • Patch or upgrade to the version or patch you indicated.
  • As soon as practicable upgrade or patch to a version listed in the Resolution section.
 

Data Recovery Tool:

If you have a database backup taken prior to applying the affected patch/version and need to recover the missing datra for Change Requests, contact RSA Customer Support and quote this KB article. 

A Data Recovery Tool (MissingDataRecovery_ACM-113586_ACM-114162_v1.pdf) is available that restores the missing data for Change Requests from a database backup taken PRIOR to the migration to an affected patch/version. The tool can be used on any patch/version level after being affected by this issue.

Notes

Note 1 - This issue also affects customers who use Data Archiving (Data Purging is not affected).  Customers on any of the affected patches are advised not to create Data Archives until they have patched to the fixed patch/version or applied the Pre-fix.

Note 2 - Customers patching from one of the affected versions to a different affected version only need consider the impact of original affected patch.  The tasks are only removed on the first patching event.

Note 3 - Customers using database export and database import as part of their upgrade procedure need to apply the Pre-Fix to original system before doing the database export.

Note 4 - Reference SecurID Governance & Lifecycle Product Advisory at:

Urgent SecurID Governance and Lifecycle Product Advisory – Request Activities Task Information Missing after Migration

Attachments
If the attachment does not open when clicked, please refresh the page and try again. You must be logged into view the file(s).

    Related Articles

    Trending Articles

    Don't see what you're looking for?