We are getting an issue in the QA environment while testing the create user task. If two Provisioning Roles are selected, a security violation error is shown on screen.
We wanted to troubleshoot this further, but the DEBUG logs are not showing much detail, so we could not proceed.
Release: 14.4
We have identified several possible causes for this issue.
1. Missing role permissions.
Review your server.log for WARN messages similar to:
12:43:16,336 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Site123 Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
12:43:22,278 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Runbook Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
12:43:22,293 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Bank Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
You can then review those ROLEs within IDM itself and take the necessary actions.
2. Identity Policies
It is possible to use Identity Policies to prevent permission overlap. For example, you may not want the Hardware Requesters to be able to be in the Purchase Approval role. You can use Identity Policies to prevent a member of either Role from being assigned to the other Role.
This cause is more difficult to track down, as you will need to review your Identity Policies to determine where the conflict is coming from. You can review your Identity Policies under Policies > Manage Identity Policies in the User Interface, or you can export your Roles and Tasks from the Management Console. In the export, search for "<IdentityPolicy name=" and review the deployed Identity Policies for conflicts.
Documentation can be found here for Identity Policies.
3. Missing attributes.
This is a rare cause, as a missing attribute would generally produce a clear error naming the attribute. In some circumstances, however, a sub-activity encounters a problem with the missing attribute, the role is not assigned correctly, and the Security Violation message appears on the overall task. You can review View Submitted Tasks to drill into the sub-tasks, and/or check the application server logs for 'missing attribute' errors, and take action as appropriate.
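
A small triage script for causes 1 and 3, added here as an example (it is not part of the original article or the product): it collects the role names from the azengine WARN lines shown above, counts repeats, and flags lines that mention a missing attribute. The function name `triage`, the 'missing attribute' match pattern, and the sample lines marked as constructed are assumptions.

```python
import re
import sys

# Cause 1: azengine warning naming a role that a rule references but that is
# not valid. Unanchored so a leading date field, if present, is tolerated.
INVALID_PARENT = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+\[ims\.llsdk\.role\.azengine\]"
    r".*?Parent '(?P<role>.+?)' referenced in rule, is not a valid (?P<kind>.+?) name"
)
# Cause 3: the exact log wording is an assumption; match it case-insensitively.
MISSING_ATTR = re.compile(r"missing attribute", re.IGNORECASE)

# Lines 1-3 are the WARN lines quoted in the article; lines 4-6 are constructed.
SAMPLE_LOG = """\
12:43:16,336 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Site123 Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
12:43:22,278 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Runbook Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
12:43:22,293 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Bank Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
12:43:25,101 INFO [example.category] unrelated line (constructed)
12:43:30,512 ERROR [example.category] Missing attribute on sub-task (constructed)
12:44:02,007 WARN [ims.llsdk.role.azengine][WilyCorId=] Parent 'Bank Security Administrator' referenced in rule, is not a valid ADMINISTRATIVE ROLE name
"""


def triage(lines):
    """Return ({role: {kind, count, first_seen}}, [(line_no, text)])."""
    invalid, attr_hits = {}, []
    for n, line in enumerate(lines, 1):
        m = INVALID_PARENT.search(line)
        if m:
            entry = invalid.setdefault(
                m["role"], {"kind": m["kind"], "count": 0, "first_seen": m["ts"]})
            entry["count"] += 1
        elif MISSING_ATTR.search(line):
            attr_hits.append((n, line.strip()))
    return invalid, attr_hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real server.log
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    roles, attrs = triage(text.splitlines())
    for role, e in sorted(roles.items()):
        print(f"{e['count']:>3}x invalid {e['kind']}: {role!r} (first seen {e['first_seen']})")
    for n, line in attrs:
        print(f"line {n}: {line}")
```

Run it with the path to server.log as the only argument; with no argument it processes the embedded sample.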