000036896 - Access User Access Review not showing indirect entitlements associated with a role for RSA Identity Governance & Lifecycle 7.x

Document created by RSA Customer Support Employee on Dec 11, 2018
Version 1

Article Content

Article Number: 000036896
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0
Issue: RSA Identity Governance & Lifecycle Access User Access Review is not showing indirect entitlements associated with a role when filtering the contents by business source.

Only a portion of the user entitlements associated with a particular business source or application are shown even though the user is known to have other entitlements. 


This is by design.   

The Contents tab of the User Access Review can be used to filter entitlements by business source.  Select the Contents tab and check the Filter business sources checkbox and then select the business sources using various criteria.


When filtering entitlements by business source and selecting an application name as the business source, the review will only display direct entitlements.  Indirect entitlements associated with a role will not be shown, even if those entitlements are part of the application.  This is because a role is a business source, and entitlements associated with a role belong to the business source associated with the role set to which that role belongs.

Resolution: The User Access Review can include roles, and the role can display role entitlements.  You can include these roles on the User Access Review by ensuring that the include roles checkbox is enabled and by adding the application role set that is associated with the roles as a business source for the review.

For example, to include role-based entitlements for the Aveksa application in addition to direct entitlements, add the role set that contains the role as a business source.

This will allow the User Access Review to include roles on the review.
Notes: Note that this may not be a practical solution depending on the business requirements for the review.
  • The roles themselves will be reviewed, not the indirect entitlements associated with the role.
  • The role set may cover more than one business source or application. 
These are limitations of mixing role-based and direct entitlements.  Customers intending to leverage the role-based access model should consider this when designing reviews.