RRSD not removing user from resource

We are running RRSD 4.8.1. I have a role that is associated with a resource that has an LDAP group entitlement.

I have some users that can be added to the role and provisioned to the LDAP group fine, but when I remove them from the role, they fail to be removed. Specifically, the user is removed from the role but not the resource. The RRSD trace file shows (trace level: 99):

 

<nds dtdversion="4.0">
  <source>
    <product instance="Role and Resource Service Driver" version="4.8.1.0">NetIQ Role Service Driver</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="success">Transitioned request status from 0 to 30 DN: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20201013110719-8407f9bca45841e2b2f6beffa62a91c3-0</status>
    <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="success">Removed assigned role from identity Role: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level10\CN=RGR_TestRole Identity: O=Dev\OU=Data\OU=Users\CN=P3184803</status>
    <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="error">Unable to remove assigned role from identity Role: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level10\CN=RGR_TestRole Identity: O=Dev\OU=Data\OU=Users\CN=P3184803 Reason: java.lang.IllegalStateException</status>
    <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="success">Transitioned request status from 30 to 80 DN: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20201013110719-8407f9bca45841e2b2f6beffa62a91c3-0</status>
  </output>
</nds>

 

The failure reason is: java.lang.IllegalStateException

The nrfAssignedResources and nrfEntitlementRef on the users are not updated to indicate the revoke status. A previous post talked about this issue being caused by bad data on one of the user attributes processed by the RRSD driver, but I'm not seeing the issue described. I think it must be data since it only happens on certain users with certain data. One other thing to note is that migrating the user to the RRSD driver cleans up the matter. It removes the user from the resource.

Any ideas?
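
For triage across a larger trace, the sketch below pulls out every event that logged an error status like the one above, with the role, identity, reason and the request object's last logged status. It is an added example, not code from the poster or from NetIQ; it assumes each `<nds>` document is passed in on its own, and the sample DNs and event-ids are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the trace above (DNs and event-ids are made up).
SAMPLE_TRACE = r"""<nds dtdversion="4.0">
  <output>
    <status event-id="ev-1" level="success">Transitioned request status from 0 to 30 DN: O=Ex\CN=Requests\CN=req-1</status>
    <status event-id="ev-1" level="success">Removed assigned role from identity Role: O=Ex\CN=RoleDefs\CN=TestRole Identity: O=Ex\OU=Users\CN=jdoe</status>
    <status event-id="ev-1" level="error">Unable to remove assigned role from identity Role: O=Ex\CN=RoleDefs\CN=TestRole Identity: O=Ex\OU=Users\CN=jdoe Reason: java.lang.IllegalStateException</status>
    <status event-id="ev-1" level="success">Transitioned request status from 30 to 80 DN: O=Ex\CN=Requests\CN=req-1</status>
    <status event-id="ev-2" level="success">Transitioned request status from 0 to 30 DN: O=Ex\CN=Requests\CN=req-2</status>
    <status event-id="ev-2" level="success">Removed assigned role from identity Role: O=Ex\CN=RoleDefs\CN=TestRole Identity: O=Ex\OU=Users\CN=asmith</status>
  </output>
</nds>"""

# Message layouts as they appear in the trace in this post.
ERROR_RE = re.compile(
    r"Role:\s*(?P<role>.+?)\s+Identity:\s*(?P<identity>.+?)\s+Reason:\s*(?P<reason>\S+)", re.S)
TRANSITION_RE = re.compile(
    r"Transitioned request status from (\d+) to (\d+)\s+DN:\s*(?P<dn>.+)", re.S)

def failed_removals(trace_xml):
    """Return one record per error status, joined to its request by event-id."""
    events = defaultdict(lambda: {"errors": [], "request_dn": None, "final_status": None})
    for status in ET.fromstring(trace_xml).iter("status"):
        ev = events[status.get("event-id")]
        text = (status.text or "").strip()
        m = TRANSITION_RE.match(text)
        if m:
            # Later transitions overwrite earlier ones, so the last one logged wins.
            ev["request_dn"], ev["final_status"] = m.group("dn").strip(), int(m.group(2))
        elif status.get("level") == "error":
            e = ERROR_RE.search(text)
            if e:
                ev["errors"].append(e.groupdict())
    return [
        {"event_id": eid, "request_dn": ev["request_dn"],
         "final_status": ev["final_status"], **err}
        for eid, ev in events.items() for err in ev["errors"]
    ]

if __name__ == "__main__":
    for rec in failed_removals(SAMPLE_TRACE):
        print(rec)
```

The identity values it returns are the users whose nrfAssignedResources and nrfEntitlementRef are worth checking for a leftover assignment.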

  • I have an open case at MF for this. The analysis of SP3 to 4.8 shows that something could have improved in this respect. The workaround is to resync the object to the driver. e.g. all user once a wee

  • I look for nrfRequest objects that have a nrfStatus=80, and then resync the user in the nrfTargetDn. 

  • Hi,

    I just happened upon this thread and I'm seeing the exact same problem.  I upgraded everything to 4.8.3 and enabled the new parallelization setting but I'm still getting the errors in the RRSD and orphaned resource assignments are being left behind on the users.

    I tried to sync the broken users through the RRSD (I assume that is what we are talking about here, Migrate From on the RRSD?) but that made no difference.  I did search for all nrfStatus=80 and I see about 90 or so of them currently.  I pulled the nrfTargetDn and resync'd (Migrate From) some of those users through the RRSD, but it doesn't seem to be fixing them.

    Has there been any update on this problem?  For me it is growing exponentially and beginning to cause big problems.

    Matt
