000037471 - Cancel change request node does not revert deletion of a role requested from a Role Review in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 6, 2019
Version 1

Article Content

Article Number: 000037471
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1

You have a fine-grained role review that lets role reviewers remove members and entitlements from roles. It also lets role reviewers delete roles along with all their associated members and entitlements. While modifying role content is okay, you do not want reviewers requesting that roles be deleted.

In this case, to prevent role deletion from a review, a Cancel Change Request node was added to the fulfillment workflow that processes role requests. If a role reviewer requested that a role be deleted, the resulting change request would delete the role. The Cancel Change Request node would then attempt to add the role back by reverting the changes already made (that is, the deletion of the role). Adding the role back was a manual activity. The problem is that when the manual change was made, the following error would occur and the role was not added back.

[Test1] have been deleted.  Please cancel the change request.

Further, because this action was not allowed, the change request could not be completed.

User-added image


Note the fulfillment workflow shown below. The workflow has a decision node that checks whether the reviewer is deleting the entire role. If so, the request is passed to the Cancel Change Request node, which has an Event Type of 'Cancel entire request and revert completed changes'.

User-added image

Below is the change request created for one such change. Two role changes are created: one to Remove the entire role, as per the reviewer activity, and the other to Add the deleted role back by cancelling the request and reverting the changes (as defined by the Event Type setting).

User-added image
Note the Add Role is in a Pending Action state which requires a manual activity. When the assigned user goes to complete the Add Role manual activity, the above error occurs.

Cause: This problem occurs because the Cancel Change Request node is in the Fulfillment workflow.

Resolution: Redesign the request workflow so that the request is cancelled earlier in the workflow cycle; that is, before the role is deleted. In the current configuration, the role is being deleted and recreated. By moving the cancellation to earlier in the workflow, both are avoided. In this case, the decision node and the Cancel Change Request node were both moved to the approval workflow.