000033357 - Unable to remove privileges for an RSA Via Governance and Lifecycle user

Document created by RSA Customer Support Employee on Sep 1, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3

Article Content

Article Number
000033357

Applies To
RSA Product Set: RSA Via Governance and Lifecycle
RSA Version/Condition: 7.0

Issue
Unable to remove privileges for an RSA Governance and Lifecycle user.
After clicking the Remove action for a privilege, the button changes to Removed, but changes back to Remove when the Apply Changes button is pressed.

This behavior occurs when the following steps are taken:
  1. Select the Users selection on the Users tab.
  2. Select the Privileges tab.  
  3. Under the Action column choose a privilege to remove by clicking on the Remove button next to the privilege name.  
  4. The button changes to Removed.  
  5. Click on the Apply Changes button to apply the changes.  
 
Instead of the privilege being removed, the button changes back to Remove, as in the screenshot below:
User-added image
 
Cause
This issue occurs if the entitlement is an indirect entitlement that is assigned as part of an application role (App-role).  Only direct entitlements may be removed from a user on the user Privileges tab.

Resolution
Ensure that you only attempt to remove the parent App Role and not any of the indirect entitlements.
There are two ways to determine if entitlements are eligible to be removed from the user Privileges tab. 

Option 1


  1. Select the privilege under the Name column and press the information dialog represented by the yellow i icon. This will display how the user entitlement is defined. If the entitlement shows that it is Used By App Roles, then this entitlement is an indirect entitlement and must be removed by removing the parent App Role.
  2. Select the privilege under the Name column and press the information dialog represented by the yellow i icon. If the entitlement details screen shows None for the value of App.Roles, then this is the parent application role and may be removed (or added) as a user privilege. The indirect entitlements that are children of this App Role are listed under the Entitlements section.
 

Option 2


The second way to determine if entitlements are eligible to be removed from the user Privileges tab is to view the entitlements from the User Access list.  
  1. Select Users from the Users tab and then click the Access tab.  
  2. Group the applications by Business Source Name and then select the Aveksa application.  
  3. In the RSA Via Lifecycle and Governance 7.0 role model, the user privileges for the Aveksa application are controlled by roles assigned under the Aveksa application.
  4. Under the Entitlement Type column, entitlements that may be removed from (or added to) a user are of type app-role. Indirect entitlements, which are owned by a parent application role and cannot be removed, are identified by the type ent.
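The direct/indirect distinction described above can be modelled to plan a removal before using the UI. The following Python is an added example, not RSA code or a product API: the role and entitlement names are constructed, and it assumes an indirect entitlement stays in effect while any app-role the user holds contains it.

```python
# Added example: a simplified model, not RSA code or a product API.
# Role and entitlement names below are constructed sample data.
APP_ROLES = {  # app-role -> indirect entitlements it carries
    "Role Administrator": {"role:edit", "role:view-all"},
    "Access Certifier": {"review:perform", "role:view-all"},
    "Report Viewer": {"report:view"},
}


def effective(user_roles):
    """Indirect entitlements the user holds through their app-roles."""
    return set().union(*(APP_ROLES[r] for r in user_roles))


def access_list(user_roles):
    """Rows of (name, entitlement type), as in the Entitlement Type column."""
    rows = [(r, "app-role") for r in sorted(user_roles)]
    return rows + [(e, "ent") for e in sorted(effective(user_roles))]


def plan_removal(user_roles, target):
    """Return which app-roles to remove so the user no longer holds target."""
    roles = set(user_roles)
    if target in roles:
        drop = {target}  # direct entitlement: remove the app-role itself
    else:
        # Indirect entitlement: every parent app-role that carries it must go
        # (assumption: it stays in effect while any held app-role contains it).
        drop = {r for r in roles if target in APP_ROLES[r]}
        if not drop:
            raise ValueError(f"user does not hold {target!r}")
    kept = roles - drop
    lost = effective(roles) - effective(kept) - {target}
    return {"remove": sorted(drop), "also_lost": sorted(lost), "kept": sorted(kept)}


if __name__ == "__main__":
    held = {"Role Administrator", "Access Certifier", "Report Viewer"}
    for name, kind in access_list(held):
        print(f"{kind:9} {name}")
    print(plan_removal(held, "role:view-all"))
```

The `also_lost` list shows the sibling entitlements that disappear with the parent app-roles, which is the side effect to review before applying the change.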
Workaround
The optional user Privileges feature (enabled by selecting the Admin menu, then User Interface, and then, under Other Features, setting User Privileges tab to On) is being deprecated, and customers are encouraged to begin using Access Request Manager to manage RSA Aveksa Application Roles.  To enable the RSA Access Request Manager (ARM):
  1. Select the Admin menu and then System.
  2. Then under the Settings tab select Access Request Manager.
  3. Set the value to On.
When you enable Access Request Manager, under the Access tab you will be presented with a view that lists both direct and indirect entitlements but only allows you to remove the parent application roles.
