|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.2
|Issue||During an entitlement collection run, an Unauthorized Change Detection rule is triggered, indicating that there is no record of an approved change request for the addition of the entitlement in RSA Identity Governance & Lifecycle. |
However, the change request's Approval Phase - Date shows that the approval phase was completed earlier, so the Unauthorized Change Detection rule should not have been triggered.
For example, an Unauthorized Detection Rule was triggered on 27 November 2018 at 2:53 AM. However, as confirmed from the screenshot of the change request in question, the approval phase was completed on 7 November 2018, which is 20 days earlier than the Unauthorized Detection Rule date.
|Tasks||By design, RSA Identity Governance & Lifecycle detects unauthorized access by looking at the latest change request based on Creation Date, not based on Approval or Fulfillment completion date.|
Verify whether any change request to remove the same account and entitlement combination was created later than the change request for the addition of the same account and entitlement combination.
|Resolution||Upon verification, another change request for the removal of the same account and entitlement combination was raised after the change request for the addition of the same account and entitlement combination was created.|
In the following example, a change request to remove access was created on 22 November. The change request for the addition was created earlier, on 5 November. Because the latest change request for the account and entitlement combination is determined by the creation date found in the database (the change request to remove access, created on 22 November, is the latest), the Unauthorized Detection Rule was triggered, which is expected behavior.
|Notes||In the above use case, it was discovered that the customer had raised multiple change requests for adding the same account and entitlement combination. Ideally, customers should not raise multiple change requests for adding the same account and entitlement combination, to prevent confusion.|
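
The creation-date behavior described under Tasks and Resolution can be reproduced with a small model. This is an added example, not RSA Identity Governance & Lifecycle code; the class, function names, account, entitlement and request names are hypothetical, and the year 2018 is assumed for the creation dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class ChangeRequest:
    name: str
    action: str                      # "add" or "remove"
    account: str
    entitlement: str
    created: date
    approved: Optional[date] = None  # approval phase completion date


def _for_pair(requests, account, entitlement) -> List[ChangeRequest]:
    return [r for r in requests
            if (r.account, r.entitlement) == (account, entitlement)]


def has_approved_add(requests, account, entitlement, detected_on) -> bool:
    """What the administrator expected: any add approved before detection."""
    return any(r.action == "add" and r.approved and r.approved <= detected_on
               for r in _for_pair(requests, account, entitlement))


def is_unauthorized_add(requests, account, entitlement, detected_on) -> bool:
    """Creation-date rule: only the latest-created request is considered."""
    latest = max(_for_pair(requests, account, entitlement),
                 key=lambda r: r.created, default=None)
    covered = (latest is not None and latest.action == "add"
               and latest.approved is not None
               and latest.approved <= detected_on)
    return not covered


def later_removals(requests, account, entitlement) -> List[ChangeRequest]:
    """The Tasks check: removals created after the newest add request."""
    pair = _for_pair(requests, account, entitlement)
    adds = [r.created for r in pair if r.action == "add"]
    return [r for r in pair
            if r.action == "remove" and adds and r.created > max(adds)]


# Constructed sample mirroring the article's dates (year 2018 assumed).
SAMPLE = [
    ChangeRequest("CR-add", "add", "jdoe", "AppX:Admin",
                  date(2018, 11, 5), date(2018, 11, 7)),
    ChangeRequest("CR-remove", "remove", "jdoe", "AppX:Admin",
                  date(2018, 11, 22)),
]
DETECTED = date(2018, 11, 27)
```

With the sample data, `has_approved_add` is true while `is_unauthorized_add` is also true, which is the mismatch described under Issue; `later_removals` returns the removal request that explains it.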