Skip navigation
All Places > Products > RSA Identity Governance & Lifecycle > Blog > 2019 > March


This is not an April Fools’ Day joke – RSA Charge registration fees go up from $595 to $995 on April 2. Trust us, you will not want to miss this year’s Charge event. REGISTER TODAY!


RSA Charge 2019 will provide you a place to discover game-changing business-driven security solutions to meet today’s greatest business challenges. Attendees will explore best practices and have opportunities to problem-solve and discuss ideas for product and service innovation to increase productivity. From customer case studies to training as well as one-on-one consultations and motivating keynotes, this year’s conference has something for everyone!


RSA Charge 2019 will deliver a host of new content and exciting opportunities through:

Customer-led case studies and hands-on workshops to share trends and issues specific to your industry

Thought-provoking keynote presentations that provides insights on RSA’s products, solutions and customer successes

Partner Expo highlights solutions that are driving high-impact business benefits using RSA’s solutions

Unparalleled Networking invites you to exchange ideas with your peers and RSA experts and save – early bird rates are $595 and available through April 1, 2019, then the regular registration price kicks in at $995. The RSA Charge 2019 website should be your go-to destination for all ‘Charge’ information - Call for Speakers, Agendas at a Glance, Full Agendas and speakers, Keynotes, and so much more.


RSA Charge 2019 will be in Orlando from September 16-19, 2019 @ Walt Disney World Dolphin & Swan Hotel, Orlando. 


REGISTER before April 2, save $400 and check out the RSA Charge 2019 website for continual updates like the one below:


Just Added: Looking for pre-conference training? Due to RSA Charge starting on a Monday and being on the Disney grounds, RSA has decided not to offer any pre-conference training this year but instead offer a whole RSA University track dedicated to your favorite training topics at no extra cost. That’s right, no additional cost!


There will also be RSAU representatives, onsite to talk shop and answer any and all of your questions, just another reason to attend RSA Charge 2019. We look forward to seeing you all in Orlando.

Our 7.1.1 release continues to build on many of areas of improvement we have made across the 7.x releases including enhancing the user experience, delivering analytics to make informed decisions, and reducing the complexity of Identity Governance and Administration.

As we look at our recent releases we have provided innovations such as the new user access review making it easier to understand if access is appropriate, quick start deployments, and analytics that make your processes easier to manage, while enhancing some of the screens in the product to be simpler and easier to use.

So, what about 7.1.1?

Segregation of Duties, made simple

Management of Segregation of Duties (SoD) rules and processes can be hard; when you try and scale it to hundreds or thousands of applications it can feel impossible. To meet the every increasing risk and compliance requirements of many organizations SOD management at this scale is being demanded by audit and the business. To achieve this businesses are defining SoD matrix, a set of access classifications that cannot be held in combination. These organizations are then classifying their access and in this way are able to have simple dynamic SoD detection based on access classification.

To help our customers, RSA has provided a SOD solution including a recommended practice and two new product capabilities in this area.

New SoD Remediator Experience

Working with our customer design partners, RSA has significantly enhanced the remediator experience to reduce the level of effort needed to make decisions when a violation occurs. The experience provides more analytics and data while also allowing bulk actions and reassignments to take place when needed.

SoD Recommended Practice

This recommended practice talks you through our solution for implementing SoD detection, including building the classifications matrix and implementing it within our platform.

Advanced SoD Analysis rules

The new advanced rule process allows for a third data element to be considered when detecting SoD violations. This is needed when using a classification model to detect true violations and remove false positives. For example, you could say that having front office access together with back office access is a violation, but if they have that access in two different applications or countries, it might not be. The advanced rule capabilities allow you to make these correlations .

Continued evolution of the New Reviewer Experience

After RSA released the new Access Reviews experience in 7.1, we wanted to continue to enhance reviews based on the feedback from our customers. In 7.1.1 we have added several changes based on your input. 

Custom Views/Classifications

Give your reviewers more insight into the access they review, build your own custom views of data to highlight areas of risk or provide importance context to reviewers such as critical or privileged entitlements.

Review Calendars

Give your reviewers the time to complete their review successfully, take into account weekends and holidays when setting the amount of time they have to complete a review. All review types now allow you to specify the calendar they use when setting the timing of the review.

Pending Revoke, Automatically Marked Revoke

Reviewers are always frustrated when things don’t make sense. In 7.1 when we added categories into the review we provided a category called “Pending Revoke”. This means the items in this category are already in the process of being removed. Then reviewers asked “Why do we have to mark them as revoke again?” The default now is that everything in this category is immediately marked as revoked in the review.

Diagnostics & Heuristics

Collecting and testing key performance indicators

How successful am I being? How many applications have I onboarded? How many requests have I processed? What are the trends on my system? Is the way I configured the system the best way?

These are the types of questions we want to answer with this feature, which collects over 130+ data points daily to give you a better understanding of the successes and trends in your system.

These are things like the number of users, application, entitlement, orphan accounts, or time it takes to collect the data, approve a request, or complete a review. You can also provide the data to RSA, where we can give you with deeper insights looking at best practice and your status against other similar customers.

Trending Dashboards

7.1.1 provides a number of new trending dashboards allowing you to visualize the trends in key areas such as reviews, requests, rules, and roles. Customers can create their own as well, leveraging a new public view against the diagnostics and heuristics data.

So, as you can see, there are some great innovations in this release and these are just some of the highlights. Check out the release notes for full details and look out for the RSA Identity Governance and Lifecycle quarterly webinar series here where we will give more insights into what’s coming in the future!

Sean Miller

New Feature: Web Services

Posted by Sean Miller Employee Mar 19, 2019

In the recent RSA Identity Governance and Lifecycle 7.1.1 Service Pack Release we have added some new web services.  In previous releases you could use the findApprovals, getApprovalDetails, and performApproval web services to interact with approvals.  In this release the following web services have been introduced to interact with any type of work item including approvals:


  • getWorkItemsForUser
  • getWorkItemDetails
  • performWorkItem


The getWorkItemsForUser web service returns high level details for the work items including the work item IDs.  The getWorkItemDetails takes a work item ID and returns more details including what actions can be taken.  The actions that are returned are based on the transitions modeled in the workflow.  The performWorkItem web service is used to complete the work item using the provided action and comment.

The approval-specific web services will be deprecated in a future release.  Any implementations based on this should be updated to use the more generic work item web services.



Lastly, the new web service findReviews has be introduced in this release.  This allows you to search for reviews by name or other search criteria.  The web service returns details about the reviews based on the requested columns.  In particular, the review ID is returned which is needed for other calls like getReviewStatus, refreshReview, setReviewState, and updateUnreviewedItems.

As part of the RSA Identity Governance and Lifecycle 7.1.1 Service Pack release we are excited to introduce advanced Segregation of Duty (SOD) violation analysis capabilities that make it even easier for global organizations to identify and remediate where this risky access truly exists in their organization.

To scale at the enterprise level, across thousands of applications and hundreds of millions of entitlements, Segregation of Duty policy analysis needs not only examine if access on one side of the equation is in violation with access that is on the other side (for example, the ability to submit a check request and the ability to approve a check) but also inspect deeper and across business processes to determine if there is a false positive violation present or there is truly a violation and inappropriate access.

In this example, a user should not have the ability to submit a check and approve a check in the payroll expense system and accounting system. However, they may have the ability to approve a check request in the contractor management and vendor management systems. If organizations look at just the ability to submit and approve checks as violations, false-positives would be detected. This will lead to an overhead to cleanup before violations are sent to business users or policy managers or even having to create thousands of rules – which is unmanageable!

With this new and advanced SOD detection and correlation analysis, organizations can create a few number of rules that look across the enterprise and evaluate if the access is truly a violation. This is an advanced analysis that can look across the entire global set of applications and entitlements and determine not only if there is access that is truly in violation (based on a common business interface / application relationship), but also to reduce and virtually eliminate the number of false positives that can be typically be presented when just looking at two sides of the equation.

This analysis is performed at the business application level and determining if entitlements across both sides are in violation based on a “correlation” between the applications. That correlation is where the applications are considered part of the same business process, such as if they interface with each other. Following the example, instead of creating hundreds of rules to look for a submit and approve toxic access combinations, organizations can create a single rule that looks for these access types, using a correlation to identify where access should be considered a violation and access that is found on one side (but no correlating access on the other), is not a violation.

Otherwise without the correlation of the business applications the potential for several false positive violations surface. This creates a burden on the team to clean up before sending out violation to address or if not cleaned up before, creates a mess of information that is inaccurate and creating the potential for appropriate access to be inadvertently removed.

Organizations can effectively analyze across their enterprise applications where risky access exists and truly represents a SOD policy violation; therefore, reducing risk by quickly getting access violations in-front of the right people for review and remediation. In concert with this advanced analysis, a simplified and streamlined new policy violation review and remediation user experience has also been added.   

 For additional information on this update – please check out this additional context:

  • New SOD Policy Analysis Capabilities:

Have you ever wanted to be able to review and remediation multiple access violations at once? Have you ever wanted to be able to see how widespread access violations were across a grouping of users, business units, or applications? Have you ever wanted a streamlined, intuitive, and single screen to review and remediate access violations in your organization?


As part of the RSA Identity Governance and Lifecycle 7.1.1 release we have introduced a new streamlined, intuitive, and simple policy remediation experience that allows you to address the above questions. This new remediation experience follows the streamlined experience of the Risk Based Reviewer Experience; which, based on customer feedback, delivers a very successful and intuitive user review experience that has reduced risk in their organizations.


Some notable highlights for this new remediation experience

  • Several existing user access review capabilities are now available for the remediation review, such as review instructions, due date, multi-step operations, display views, guidance panel and more.
  • Improved details about the violating access in the accordion drop down, including any other policy where the violation is also in existence.
  • Policy Violation review assignments leverage the same business level assignment capabilities as user access reviews.
  • Violation Remediation Reviews can be linked to one to many User Access and Segregation of Duty Rules, making it simple for organizations to have a focused initiative to address access violations.
  • Violation Remediation Reviews can be monitored to ensure that assigned reviewers are addressing open violations.


For additional information on this update – please check out this additional context:

  • New Violation Remediation Experience: 

The log artifact is a new feature in RSA Identity Governance and Lifecycle Version 7.1.1 that will aide in the gathering of log information in the event that a support ticket is created.  It is an administrator-only feature that can gather the most widely used log files when troubleshooting problems in the application, thereby reducing the time to identify the root cause of an issue.  It is designed to work on a node-by-node basis and will work for different architectures such as Hard Appliance, Software Bundle with remote database, and Clusters, along with the different application servers we support.  The page can be found under the Admin > Diagnostics menu.





It is located on the Log Artifact tab.


The following is a description of the different areas of the page:


  1. Node Name - This tells the user which machine the user is current logged into.  This is important because the utility will gather all the log files that are local to that node.  If you are in a clustered environment and need logs from all the nodes in the cluster you will have to log into each one individually and gather from each node.  The information after the ‘:’ is the node type for the machine.  There are two types Systems Operation Node (SON) and General.  Log files should be collected from all nodes if this is a cluster.  At a minimum they should be collected from the SON.
  2. Date Range - This can limit the amount of information that is extracted from the log files.  For instance if the problem is two days old you would want to limit the log file from the last few days.  The default of 30 days will typically be sufficient.
  3. Create File Password (Optional) - This will allow you to password protect the zip file.
  4. Generate Zip File - This button is what will start the gathering of all the logs and then zipping of them into a single file.
  5. Current Status - After initiating the gathering process, this area of the page will display the status of what is being gathered.  It is not refreshed automatically so to see any new status you will need to refresh the page manually.  Once it is complete it will display the file that is available from this node.
  6. Download - This button will be enabled once the gathering/zipping process is complete.  It will allow you to download the most recent process.




When in progress the Current Status will contain the current step.



Once completed the zip file will be available for download


Upon completion of the process the status section will show the pertinent information about what was chosen for this invocation.  As detailed in the picture we will store the zipped file on the server and it will stay there until the next invocation of the process.  To store the file locally just press the Download button.




  1. When gathering log files for nodes in a cluster the Administrator must log into each node and run the process.  We only gather the local files to the server.
  2. Warning messages from the tool does not indicate a problem with the feature.  Not all environments/configurations will contain the same log files.  The Warning messages are primarily for Engineering.
  3. The gathering of the logs for a remote AFX server is still a manual process.
  4. The gathering of logs for a remote database is also a manual process.  We will display a Warning message with this configuration as the database logs will not be local.
  5. Some log files may reside in different directories depending on a customer’s configuration.  We will make a best attempt to find them with some well-known locations.  If we can’t find them we will display a Warning message to that effect.
  6. The process does not gather an AWR.
  7. The process does not maintain previous ZIP files.  At the start of a new generation the previous file will be removed, this will reduce the chance of running out of disk space.


See the following video which demonstrates the use of the feature.


RSA Identity and Governance Release 7.1 introduced a new interface for user access reviews, to provide a better user experience and improve efficiency in performing reviews with help of analytics-based prioritization and identification of high risk access and violations.


To continue enhancing the enriched user experience, the Display Views feature for the new user interface (for user access and rule remediation reviews) is introduced in Identity Governance and Lifecycle Service Pack Release v 7.1.1.

With the introduction of Display Views, you now have ability to organize review items in multiple ways to meet your requirements.


RSA IGL v7.1.1 Display Views


Here are some of the capabilities added to support Display Views in version 7.1.1.


Select multiple display views in review definition

The system now supports using display views in the legacy as well as the new user interface (for user access and rule remediation reviews). When more than one display views are selected in the review definition, the resulting review in the new user interface lists the display views in the left panel above Guidance and Analysis.


Custom display views

You can now define custom display views that can be used for the legacy user interface as well as the new user interface. The process to create custom display views is same as that for the legacy user interface. When custom display view definitions are used with new user interface:

  • Only the first six selected columns (from the custom view definition) are visible to the user in the new user interface.
  • The new user interface ignores the "grouping" configuration of the custom display view definition.


For additional information, follow the online help pages.


Here is a video on display views.

This blog describes what all diagnostics data is collected in RSA Identity Governance and Lifecycle V7.1.1 and how it can be useful to customers.


         The diagnostic data collection in RSA Identity Governance and Lifecycle is turned on by default and collects system information daily. The frequency of data collection is configurable (see Admin > Diagnostics in the product help). Customers should review the schedule for diagnostic gathering to ensure it does not conflict or delay nightly collections. With this feature enabled, statistical information is gathered about the product components like reviews, rules, access request, AFX, roles, reports, as well as information related to the deployed environment and the applications that are configured.


         Trends related to the change in the application configurations can be assessed by looking at the application parameters like the number of accounts, users, orphan accounts, users with multiple accounts, roles, entitlements over time. Assessment of sudden increase in data volume or spikes can be tied to symptoms like application slowness and performance degradations. Admins can use the historical data to explain such anomalous behavior or trace and tighten rouge jobs that could be the cause.


         Deployment related information can similarly be used to get the big picture of the type of Database configured (remote/local), number of “Remote Agents” deployed, number of AFX servers, number of nodes in cluster. This information can be used to compare any deviations from the recommended configuration by RSA and corrective actions can be taken.


         AFX related information like the number of connectors, daily status, number of active running connectors, and count of fulfillment request sent in a day, including failures. These can be used to understand the trend and make necessary changes including tuning of the end points to adjust the overall performance.


         Health of collectors can be learned from the trend in time taken for collections to complete, frequency of collection, and number of collection failures. This information will help in tuning the collection schedule and avoid redundant collections.


Out of the box Reports/Charts in 7.1.1 are provided for the following components:

Weekly and Monthly views are available for customers to include in their dashboards to get their statistics.

  • Reviews: Parameters like the number of review definitions defined, size of reviews, number of revokes are collected. Administrators can take stock of these statistics and take corrective actions like increasing/decreasing the number of reviewers, adjust the size of reviews, take actions based on the number of revokes (e.g. some rule may be granting more access than needed resulting in more revokes during reviews).
  • Rules: Parameters like number of rule sets, active/inactive/deleted rules, rule processing time, number of violations/exceptions caught, number of change/violations triggered by reviews each day, exception access granted in a day are monitored. Based on the chart summary admins can tune rules to improve processing, delete/modify rules as needed, can investigate exception access grants.
  • Access Request Forms: Parameters like the number of access request forms that exist, number of workflows defined, number of requests/approvals/fulfillments made per day, and approvals rejected per day are noted. Approval and fulfillment trends will help in measuring and ensuring conformance to SLAs.
  • Roles: Parameters such as the number of roles, number of roles with membership rules, roles with entitlement rules, average entitlements per role, number of users per role, number of app roles per role are captured. These statistics can hint on the complexity, hierarchy and gaps in implementation and association of roles within the system.


         The public view PV_TELEMETRY_DATA is also provided so customers can develop their own reports and charts against the diagnostic information gathered.


Diagnostics data use for troubleshooting:

         The complete set of data collected can be downloaded from the UI as a zip file containing a set of JSON files, which can be shared with RSA while reporting issues on the product. This data will be used by RSA to diagnose the reported issues and troubleshoot /fix them. Also the data will help RSA understand how customers are using the product and if the scale of objects defined is different from other customers. This will improve the time to resolve issues while reducing the number of meetings with customers. The likelihood of root causing a problem at first level of support (CS) would increase as the data is more intuitive.


See V7.1.1 Diagnostics overview video in the attachments.

Im very excited and happy to share our first edition of the RSA IGL newseltter!


Our goal is to help share more informatoin about whats happening and key things for you to be aware of. 

This is a monthly release, so you can expect the next newseltter at the start of April.

Filter Blog

By date: By tag: