RuntimeException: One user cannot be deleted in Policy Manager

Document ID : KB000101413
Last Modified Date : 07/01/2019
Issue:
It is not possible to delete one user in the Identity Provider via Policy Manager.

When trying to delete the internal user, the following error is seen:

java.lang.RuntimeException: Found more than one membership to be deleted; user <hexoid>, group <hexoid> 
at com.l7tech.server.identity.PersistentGroupManagerImpl$5.doInHibernate(PersistentGroupManagerImpl.java:474) 
at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:406) 
at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339) 
at com.l7tech.server.identity.PersistentGroupManagerImpl.deleteMembership(PersistentGroupManagerImpl.java:462) 
at com.l7tech.server.identity.PersistentGroupManagerImpl.setUserHeaders(PersistentGroupManagerImpl.java:698) 
at com.l7tech.server.identity.PersistentGroupManagerImpl.update(PersistentGroupManagerImpl.java:381) 
at com.l7tech.server.identity.PersistentGroupManagerImpl.update(PersistentGroupManagerImpl.java:32) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
at java.lang.reflect.Method.invoke(Method.java:606) 


The user is associated with only one group and that group has only one user.
Environment:
Build Info: 
CA API Gateway 8.3.00 build 4753
Cause:
Find the relevant entries in the database using the following commands:

1. Find the mapping of user, user group and identity provider
select hex(goid) , hex( internal_group) , hex(provider_goid) , hex(user_goid) , hex(subgroup_id) from internal_user_group \G

2. Find the groups available
select hex(goid) from internal_group;

3. Find the identity providers available
select hex(goid), name from identity_provider;

4. Find the internal users available
select hex(goid) from internal_user;


 
Resolution:
The above queries help identify the mapping between users, user groups, identity providers and groups.

For example, in the above issue we found 3 duplicate entries for the same user group, user ID and identity provider in the table internal_user_group. Deleting 2 of the entries using

delete from internal_user_group where hex(goid) = '<number>';

resolved the issue.

However, the cause of the issue will differ from case to case, so please keep a full backup of the ssg database and a snapshot of all the nodes to prevent any critical situation due to changes.
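
The duplicate memberships described above can be located directly rather than by reading the full table output. The following read-only queries are an added example, not part of the original article; they assume the MySQL client and only the table and column names that appear in the queries above.

```sql
-- Added example (not from the original article). Read-only: nothing is modified.
-- Table and column names are taken from the diagnostic queries in this article.

-- 1. List every (user, group, identity provider) combination that has
--    more than one membership row in internal_user_group.
SELECT hex(user_goid)      AS user_id,
       hex(internal_group) AS group_id,
       hex(provider_goid)  AS provider_id,
       COUNT(*)            AS row_count
FROM internal_user_group
GROUP BY user_goid, internal_group, provider_goid
HAVING COUNT(*) > 1;

-- 2. Show the individual rows behind each duplicate, so the goid of every
--    row is visible before deciding which ones to delete.
--    <=> is MySQL's NULL-safe equality, so rows with a NULL column still match.
SELECT hex(m.goid)           AS membership_goid,
       hex(m.user_goid)      AS user_id,
       hex(m.internal_group) AS group_id,
       hex(m.provider_goid)  AS provider_id,
       hex(m.subgroup_id)    AS subgroup_id
FROM internal_user_group m
JOIN (
    SELECT user_goid, internal_group, provider_goid
    FROM internal_user_group
    GROUP BY user_goid, internal_group, provider_goid
    HAVING COUNT(*) > 1
) d ON  m.user_goid      <=> d.user_goid
    AND m.internal_group <=> d.internal_group
    AND m.provider_goid  <=> d.provider_goid
ORDER BY m.user_goid, m.internal_group, m.goid;
```

After removing the extra rows, re-running the first query should return an empty result for the affected user.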