I dropped in to hunting a problem where a user should have been removed from a downstream system, but was not. The setup is pretty straightforward, with a Null driver doing role grant / role revoke based on an HR attribute change. employeeStatus => Terminate, and it revokes the role. That seems to be working, I can see it doing so in the driver trace, in the UserApp log file, and in RRSD.

There is a Role with three Resources. When I looked at it first, the Role had been removed from the user, as had one of the resources, but the other two were still present. So, with the resource still there, the user doesn't get removed from the downstream system. That part makes sense.

We repeatedly activated / terminated the user (employeeStatus => Active. employeeStatus => Terminate) while testing. What we found was that the Role grant works fine. The Role revoke removes one of the three Resources, then dies with a NullPointerException.

Thereís nothing obviously good in the driver trace, just the <status> and eventual ending of:

[05/24/18 11:34:42.132]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
     Driver:   \TREE\org\services\IDM\IDV\Role and Resource Service Driver
     Channel:  Subscriber
     Status:   Error
     Message:  Unable to remove assigned role from identity
                Role: o=org\OU=services\OU=IDM\CN=IDV\CN=UserApp\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level30\CN=ROLENAME
                Identity: o=org\OU=users\CN=username
                Reason: java.lang.NullPointerException
[05/24/18 11:34:42.144]:Role and Resource Service Driver ST:Processing operation <status> for .
[05/24/18 11:34:42.144]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
     Driver:   \TREE\org\services\IDM\IDV\Role and Resource Service Driver
     Channel:  Subscriber
     Status:   Success
     Message:  Transitioned request status from 30 to 80
                DN: o=org\OU=services\OU=IDM\CN=IDV\CN=UserApp\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20180524113724-322b6ddf23624121
[05/24/18 11:34:42.145]:Role and Resource Service Driver ST:End transaction.
Any good ideas on finding what itís tripping over? RRSD is kinda opaque, doesnít put much information out anywhere to work with. Iím already at trace level 10, I donít think this one supports anything above 5, or at least it doesnít seem to. Despite the message, it does remove the Role assignment from the User, it just leaves the Resources still assigned, so that it looks like the Role revoke didnít work.

We removed all of the nrf* and DirXML-Entitlements* attributes from the user, re-activated them, saw the Role and Resource assigns work correctly, then terminated them yet again, and saw the Resource removes work fine, and the Role revoke went without error. That seems to indicate to me that the Role, Resource, and role-to-resource linkage objects are all ok, since we didn't change them. So maybe it's something specific to the affected user object that RRSD is tripping over.

I don't see anything in Bugzilla that looks like this. RRSD reports version="" in trace, system is IDM4.6. I see a couple of RRSD patches have been released, but the list of fixes don't sound anything like this one.

On the bright side (?), it looks like I have about 750 more users to test any theories or ideas with.