000039273 - Existing Role memberships later granted through Parent Roles are not revoked when the Role memberships are removed from the Parent Role in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 1, 2020Last modified by RSA Customer Support Employee on Sep 1, 2020
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000039273
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1, 7..2.0
 
IssueIf a user has a Role as a direct entitlement and later becomes a member of another Role (Parent) that has the same Role (Child) as an entitlement, their access to the Child Role is not getting revoked if the Child Role is removed from the Parent Role. 

For example, if a user has direct access to a Technical Role and is later granted membership to a Business Role that has the Technical Role as an entitlement, their access to the Technical Role is now explained via their membership to the Business Role. If the Technical Role entitlement is removed from the Business Role, the user should lose access to the Technical Role unless they belong to one or more other Business Roles that have that same Technical Role as an entitlement. Once they do not belong to any Business Role that explains their right to be a member of the Technical Role, they are no longer entitled to be a member of the Technical Role regardless of how they originally acquired that access. 

EXAMPLE:
  1. Create Technical Role 1 with no entitlements.
  2. Add user Cherry Blossom as a member of Technical Role 1.
  3. Cherry Blossom now has direct access to Technical Role 1.
  4. Create Business Role 1.
  5. Add Technical Role 1 as an entitlement to Business Role 1.
  6. Add user Cherry Blossom as a member of Business Role 1.
  7. Now Cherry Blossom's access to Technical Role 1 is explained by her membership to Business Role 1.
  8. The problem occurs if Technical Role 1 is removed as an entitlement from Business Role 1. In this case Cherry Blossom should lose the access to Technical Role 1 but she does not.

 
CauseThis is a known issue reported in engineering ticket ACM-98417.
 
ResolutionThis issue is resolved in the following RSA Identity Governance & Lifecycle patch levels: 
  • RSA Identity Governance & Lifecycle 7.1.1 P07
  • RSA Identity Governance & Lifecycle 7.2.0 P02

 

Attachments

    Outcomes