The symptoms and the fix:

We struggled for 2 days on why User Application wouldn't restore the provisioning admin and other default roles, even with the xmldata reset trick.

Error message in Role and Resource Service Driver logs:

Code:
--------------------
[04/03/14 13:55:43.841]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
Driver: \CSCTEST\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Success
Message: Transitioned request status from 0 to 30
DN: O=system\CN=driverset1\CN=UserApplication\CN=AppCo nfig\CN=RoleConfig\CN=Requests\CN=20140403135543-7477dda454f243779bbee19512c1dfa2-0
[04/03/14 13:55:43.847]:Role and Resource Service Driver ST:Processing operation <status> for .
[04/03/14 13:55:43.849]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
Driver: \CSCTEST\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Error
Message: Unable to add assigned role to identity
Role: O=system\CN=driverset1\CN=UserApplication\CN=AppCo nfig\CN=RoleConfig\CN=RoleDefs\CN=Level20\CN=Syste m\CN=provAdmin
Identity: O=CSC\OU=Users\CN=uaadmin
Reason: novell.jclient.JCException: openStream -602 ERR_NO_SUCH_VALUE
[04/03/14 13:55:43.869]:Role and Resource Service Driver ST:Processing operation <status> for .
[04/03/14 13:55:43.872]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
Driver: \CSCTEST\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Success
Message: Transitioned request status from 30 to 80
DN: O=system\CN=driverset1\CN=UserApplication\CN=AppCo nfig\CN=RoleConfig\CN=Requests\CN=20140403135543-7477dda454f243779bbee19512c1dfa2-0

--------------------

Used these instructions for the reset:
https://www.netiq.com/communities/co...dministrators/

The clues finally emerged from looking at ndstrace logs and numerous retries at the reset.

Solution: Delete the attribute DirXML-EntitlementRef from uaadmin object.

-Joni / CSC