000037887 - Local entitlements belonging to roles are not consistently added to users in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 9, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037887
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0
 
IssueLocal entitlements belonging to roles are not consistently added to users in RSA Identity Governance & Lifecycle. This behavior has been seen in the following two circumstances. There may be other scenarios as well.
  1. Roles have nested entitlements, or
  2. Members of roles are removed from a role and later added back to the same role.
Below is an example use case where role entitlements are nested with nested group memberships.

  1. Create three Active Directory groups called Group1, Group2, and Group3.
  2. Make Group2 a member of Group1.
  3. Make Group3 a member of Group 2.
  4. These groups and subgroups are collected into an Active Directory Application in RSA Identity Governance & Lifecycle.
  5. Create three technical roles called Group1, Group2, Group3 (names same as groups). AD Group1 is a member of technical role Group1, AD Group2 is a member of technical role Group2 and AD Group3 is a member of technical role Group3.   
  6. Create a business role called Business Role and initially add technical role Group3 as an entitlement to the business role. Add UserID1 to the business role.
  7. When changes are applied, a change request is created with two role changes, one account change, and two user changes. This is correct and expected behavior.

User-added image
  1. Add technical role Group2 as an entitlement to the Business Role and apply changes. 
  2. A change request is created with two role changes and one user change. The expected account change that would add account UserID1 to Group2 is missing. 


User-added image




 
CauseThis is a known defect reported in engineering ticket ACM-95811.
ResolutionThis issue is resolved in RSA Identity Governance & Lifecycle 7.1.0 P07.

Attachments

    Outcomes