000039219 - 'Direct Members Missing' column under Role Entitlements tab incorrectly shows deleted, terminated and/or Role Members no longer belonging to the Role in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Aug 11, 2020Last modified by RSA Customer Support Employee on Aug 18, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000039219
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
IssueRoles in RSA Identity Governance & Lifecycle may be configured so that Role Entitlements are not automatically given to Members of a Role. This is done by disabling the Generate Indirect Entitlements option under REQUEST SETTINGS in the request workflow used for Roles (Requests > Workflows > Request tab > {Workflow name}). The Direct Missing Members column under Roles > Roles > {Role name} > Entitlements tab shows the number of Role Members that are missing Role Entitlements due to this configuration setup. The problem is that this column includes deleted users, terminated users, and Role Members that have been removed from the Role.
CauseThis is a known issue reported in engineering ticket ACM-100944.
ResolutionThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release. 
WorkaroundThis issue is partially resolved in the following RSA Identity Governance & Lifecycle patches but additional work is necessary to complete the fix as outlined below.
  • RSA Identity Governance & Lifecycle 7.1.1 P06
  • RSA Identity Governance & Lifecycle 7.2.0 P02
The fix is to show only active users and change the column name from Direct Members Missing to Direct Active Members Missing

To implement the fix:
  1. Install one of the above patches.
  2. Create a Provisioning-Termination Rule that revokes all user entitlements immediately that are associated with Roles. This forces the recalculation of Role Metrics for terminated users. Unification will automatically recalculate Role Metrics for deleted users. This step is only necessary for terminated users. 
NotesThe partial fix is also available in RSA Identity Governance & Lifecycle 7.2.0 P01 but it is recommended to go to 7.2.0 P02 to avoid the issues described in the following RSA Knowledge Base Articles: