000038793 - Revoked local entitlements are auto-completed by the system after collections are run in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 28, 2020Last modified by RSA Customer Support Employee on Apr 28, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000038793
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.0, 7.1.1, 7.2.0
IssueWhen a Local Entitlement Collector is defined with Apply User-Entitlement Changes Immediately disabled, change requests to add/revoke access to those entitlements will go to Manual Fulfillment. In the user interface go to Collectors > Entitlement Collectors > {name of Local Entitlement Collector} > Edit > Next.  
User-added image

The expected behavior is that once these change requests go to Manual Fulfillment, they will not be completed until the associated Manual Activity has been performed. The problem is that once collections have run, manual activities to revoke local entitlements are automatically completed by the system. 

This is not a problem when granting local entitlements. Change requests granting local entitlements wait for the manual activity to be completed.
CauseThis is a known issue reported in engineering ticket ACM-84860.
ResolutionThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
WorkaroundThere are two potential workarounds to this issue:
  1. Complete manual activities to revoke local entitlements before any collections are run.
  2. Uncheck the Complete work assigned if activity is verified option in the Manual Activity Node of the related workflow. In the user interface go to Requests > Workflows > Fulfillment tab > Manual Activities > Manual Fulfillment Node. In the Activity Node Properties panel on the right, scroll down to RESOURCES and uncheck the box as shown below:

User-added image