|Issue||Local entitlements belonging to roles are not consistently added to users in RSA Identity Governance & Lifecycle. This behavior has been seen in the following two circumstances. There may be other scenarios as well.|
- Roles have nested entitlements, or
- Members of roles are removed from a role and later added back to the same role.

Below is an example use case where role entitlements are nested and the underlying Active Directory groups also have nested memberships.
- Create three Active Directory groups called Group1, Group2, and Group3.
- Make Group2 a member of Group1.
- Make Group3 a member of Group2.
- These groups and subgroups are collected into an Active Directory Application in RSA Identity Governance & Lifecycle.
- Create three technical roles called Group1, Group2, and Group3 (same names as the groups). AD Group1 is a member of technical role Group1, AD Group2 is a member of technical role Group2, and AD Group3 is a member of technical role Group3.
- Create a business role called Business Role and initially add technical role Group3 as an entitlement to the business role. Add UserID1 to the business role.
- When changes are applied, a change request is created with two role changes, one account change, and two user changes. This is correct and expected behavior.
- Add technical role Group2 as an entitlement to the Business Role and apply changes.
- A change request is created with two role changes and one user change. The expected account change that would add account UserID1 to Group2 is missing.
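The gap this use case exposes is that a user can appear to hold a group only through AD nesting while the direct membership the role should have granted was never provisioned. The following reconciliation check is an added example, not RSA IG&L code: it models the role and group data from the use case above as constructed sample dictionaries and, for a given user, classifies each group the roles should grant as held directly, held only via nesting, or missing entirely.

```python
"""Reconcile expected role entitlements against actual AD group membership.

Hypothetical checker (not part of RSA IG&L). All data below is constructed
to mirror the use case: Group2 is nested in Group1, Group3 in Group2.
"""
from collections import deque

# Parent group -> groups that are direct members of it (constructed sample).
NESTED_GROUPS = {"Group1": {"Group2"}, "Group2": {"Group3"}, "Group3": set()}

# Technical role -> AD group it grants (names match in the use case).
TECHNICAL_ROLES = {"Group1": "Group1", "Group2": "Group2", "Group3": "Group3"}

# Business role -> technical roles added to it as entitlements.
BUSINESS_ROLES = {"Business Role": {"Group3", "Group2"}}

# User -> business roles the user has been added to.
USER_ROLES = {"UserID1": {"Business Role"}}


def expected_groups(user, business_roles=BUSINESS_ROLES,
                    technical_roles=TECHNICAL_ROLES, user_roles=USER_ROLES):
    """Direct AD groups the user's roles should provision."""
    groups = set()
    for brole in user_roles.get(user, ()):
        for trole in business_roles.get(brole, ()):
            groups.add(technical_roles[trole])
    return groups


def parents_of(group, nested=NESTED_GROUPS):
    """All groups that transitively contain `group` (walks up the nesting)."""
    parents, queue = set(), deque([group])
    while queue:
        child = queue.popleft()
        for parent, members in nested.items():
            if child in members and parent not in parents:
                parents.add(parent)
                queue.append(parent)
    return parents


def reconcile(user, actual_direct, nested=NESTED_GROUPS):
    """Map each expected group to 'ok', 'effective-only' or 'missing'.

    'effective-only' is the condition from the use case: the account is in
    the group only because a nested group carries it, so the direct account
    change the role should have produced never happened.
    """
    effective = set(actual_direct)
    for group in actual_direct:
        effective |= parents_of(group, nested)
    report = {}
    for group in sorted(expected_groups(user)):
        if group in actual_direct:
            report[group] = "ok"
        elif group in effective:
            report[group] = "effective-only"
        else:
            report[group] = "missing"
    return report
```

Running `reconcile("UserID1", {"Group3"})` reproduces the state after the second change request, where Group2 shows up as effective-only rather than ok.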