When you remove an identity from SAS Viya, messages similar to the following might occur in the identities service log:
WARN 125928 --- [o-auto-1-exec-4] c.s.i.p.jpa.JpaIdentityRepository : sasboot(f06e3b0c) [efb8b3088ba11427] [IDENTITY_MEMBER_NOT_FOUND] The identity "testadmin1" could not be found. It will not be included as a member of the group "SASAdministrators".
You can safely ignore the above warning. This message occurs because the identity no longer exists and is not visible within the group membership listing.
Background
When an identity no longer exists, such as when the identities configuration changes or a user is removed from the identity provider, content and associations belonging to that identity ID are not automatically removed from the system. For example, the User folder, credentials, rules, and custom group memberships remain.
You can manually remove content, credentials, and rules using SAS® Environment Manager. However, you cannot remove custom group memberships using SAS Environment Manager after the identity no longer exists.
Because the custom group membership remains active for the identity ID, any identity that you later add with the same ID, including the removed identity if you add it again, receives the custom group membership of the identity that was removed.
Workaround
You can delete an identity from SAS® Viya® custom groups after the identity has been removed by deleting the corresponding row from the identities.custom_group_membership table in SAS® Infrastructure Data Server (PostgreSQL). You can use applications such as PSQL and pgAdmin to update the table. Here are the steps using PSQL:
- Obtain the password for dbmsowner from the SAS® Configuration Server key/value store by submitting these three commands. Run the commands as the sas user (or a user with sudo privileges) on the machine that is running SAS Configuration Server.
source /opt/sas/viya/config/consul.conf
export CONSUL_HTTP_TOKEN=$(cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token)
/opt/sas/viya/home/bin/sas-bootstrap-config kv read 'config/application/postgres/password'
The current PostgreSQL password is returned.
- Launch PSQL and connect to the Shared Services database:
For SAS® Viya® 3.4: /opt/sas/viya/home/bin/psql -h localhost -p 5432 -U dbmsowner -d SharedServices
For SAS® Viya® 3.5: /opt/sas/viya/home/postgresql11/bin/psql -h localhost -p 5432 -U dbmsowner -d SharedServices
- When prompted to provide the password, copy and paste the password obtained from step 1 above. The result should be a command prompt within the Shared Services database, as shown here:
psql (11.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off)
Type "help" for help.
SharedServices=#
- Run the following query to view the custom_group_membership table:
SELECT * FROM identities.custom_group_membership
ORDER BY group_id ASC, identity_id ASC, identity_type_cd ASC;
- Delete the row from the custom_group_membership table based on group and identity ID. Note that identity IDs are case sensitive. For example, if you want to remove 'testadmin1' from SASAdministrators, the command is:
DELETE FROM identities.custom_group_membership
WHERE group_id = 'SASAdministrators' AND identity_id = 'testadmin1';
- Exit PSQL:
\quit
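The delete step above can also be run inside a transaction, so that the affected rows are visible before the change becomes permanent. The following is an added example, not part of the original SAS note; it uses only the table, columns, and sample values shown in the steps and is meant to be entered one statement at a time at the SharedServices=# prompt.

```sql
-- Added example (not from the SAS note). Table and column names are those
-- shown in the steps above; the group and identity values are the note's
-- own sample values.

BEGIN;

-- 1. Preview every membership row whose identity ID matches when case is
--    ignored. Identity IDs are case sensitive, so case variants are separate
--    rows, and the removed identity may still be listed in more than one
--    custom group.
SELECT group_id, identity_id, identity_type_cd
FROM identities.custom_group_membership
WHERE lower(identity_id) = lower('testadmin1')
ORDER BY group_id ASC, identity_id ASC, identity_type_cd ASC;

-- 2. Delete only the exact-case match in the one group, and have PostgreSQL
--    return the rows it removed so they can be compared with the preview.
DELETE FROM identities.custom_group_membership
WHERE group_id = 'SASAdministrators'
  AND identity_id = 'testadmin1'
RETURNING group_id, identity_id, identity_type_cd;

-- 3. Confirm that no membership remains for that identity in that group.
SELECT count(*) AS remaining
FROM identities.custom_group_membership
WHERE group_id = 'SASAdministrators'
  AND identity_id = 'testadmin1';

-- 4. If the RETURNING output lists exactly the intended rows and "remaining"
--    is 0, make the change permanent. Otherwise enter ROLLBACK; instead.
COMMIT;
```

Any rows from the preview in step 1 that belong to other custom groups are still inherited by a future identity with the same ID and need their own DELETE.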