RRSD not removing user from resource

We are running RRSD 4.8.1. I have a role that is associated with a resource that has an LDAP group entitlement.

I have some users that can be added to the role and provisioned to the LDAP group fine, but when I remove them from the role, they fail to be removed. Specifically, the user is removed from the role but not the resource. The RRSD trace file shows (trace level : 99):

 

<nds dtdversion="4.0"> <source> <product instance="Role and Resource Service Driver" version="4.8.1.0">NetIQ Role Service Driver</product> <contact>NetIQ Corporation</contact> </source> <output> <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="success">Transitioned request status from 0 to 30 DN: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20201013110719-8407f9bca45841e2b2f6beffa62a91c3-0</status> <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="success">Removed assigned role from identity Role: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level10\CN=RGR_TestRole Identity: O=Dev\OU=Data\OU=Users\CN=P3184803</status> <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="error">Unable to remove assigned role from identity Role: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level10\CN=RGR_TestRole Identity: O=Dev\OU=Data\OU=Users\CN=P3184803 Reason: java.lang.IllegalStateException</status> <status event-id="vault1#20201013150719#4#1:54f3aa2f-c48a-4802-978a-2faaf3548ac4" level="success">Transitioned request status from 30 to 80 DN: O=Dev\OU=IDM\CN=DRIVERSET\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20201013110719-8407f9bca45841e2b2f6beffa62a91c3-0</status> </output> </nds>

 

The failure reason is : java.lang.IllegalStateException

The nrfAssignedResources and nrfEntitlementRef on the users are not updated to indicate the revoke status. A previous post talked about this issue being caused by bad data on one of the user attributes processed by the rrsd driver, but I'm not seeing the issue described. I think it must be data since it only happens on certain users with certain data. One other thing to note is that migrating the user to the rrsd driver cleans up the matter. It removes the user from the resource.

Any ideas?

Parents Reply Children