Policy version 1 cannot upgraded because is already finalized

Document ID : KB000093100
Last Modified Date : 26/04/2018
Show Technical Document Details
Issue:
After Enterprise Management upgrade from 12.7 to 12.8 version, there may be problems upgrading policies. When trying to create a new version some of the policies may be getting errors like: Modify Policy: My_test_Users Task failed. Error: ERROR: Failed to modify POLICY 'My_test_Users'. Error: ERROR: POLICY version 'My_test_Users#01' is already finalized. Fatal: Event execution failed
Environment:
CA PIM 12.7 updated to 12.8
Cause:
This may be caused by a mismatch in the way that the policies were exported in the original version and were imported back into the new product version.
When a new policy version is deployed from the ENTM to the endpoints, the following occurs:

1. PIM checks prior to create the new version is the previous version is finialized. For instance, if we have policy My_test_Users and we had version #02 finalized, before creating version #03 the PIM will check to make sure that version #02 has been finalized. If version #02 is not finalized, it will fail to create the new version of the policy
2. If step 1 is successful, then it goes ahead and it creates the new policy, as well as the corresponding ruleset, for instance My_test_Users#03
3. New policy, e.g. My_test_Users#03, once successfully created, is added to its group policy, My_test_Users in this example. The ruleset is finalized
4. The new policy, My_test_Users#03 in this case, is finalized once added to the GPOLICY.
5. The Policies to deploy are added to the corresponding DEPLOYMENT objects and these are updated with the nodes where policies need to be distributed, etc
6. The DEPLOYMENT objects are added to a GDEPLOYMENT object

The problem may happen if the export of the database when migrating has, for some reason, exported the commands in the wrong order for import.
For instance let's imagine the export of the DMS in the old system has produced the following lines

cr POLICY(My_test_Users#01) finalize
cr POLICY(My_test_Users#02) finalize
cr GPOLICY ("My_test_Users") mem+("My_test_Users#01")
cr GPOLICY ("My_test_Users") mem+("My_test_Users#02")

If imported into a new database, this may fail because we are trying to finalize the next version before the first version is added to the GPOLICY
As a result the error reported is obtained.
Resolution:
To resolve this problem one must carefully examine the list of policies and their status in the database of the new distribution. To do that one can do

dbmgr -util -export -f dms_128.txt

to have a list of the contents of the database

It helps to have a similar copy of the database prior to upgrading it and compare the objects in both.

To determine the status of each policy we can search it in the export of the database and check which one of the versions are finalized. Let's assume that only My_test_Users#01 is finalized, but that we also got  My_test_Users#02 and My_test_Users#03, which are not finalized. We would be issuing the following commands

cr POLICY ("My_test_Users#02") finalize
cr  GPOLICY ("My_test_Users") mem+("My_test_Users#02") 
cr POLICY ("My_test_Users#03") finalize
cr GPOLICY ("My_test_Users") mem+("My_test_Users#03")

If the rulesets were not finalized the same operation would be required before finalizing every policy. From there the policies may need to be assigned to GNODES, etc. For instance

er GHNODE ("UNIX") policyassign+(My_test_Users)