000033931 - Add entitlements table shows inconsistent results when the Role Set Policy is set to 'Deny entitlements not matching the entitlement rule' in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 19, 2016. Last modified by RSA Customer Support on Apr 9, 2020.
Version 5

Article Content

Article Number: 000033931
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1
Issue: No data is displayed in the entitlements table when adding entitlements to a Role if the Role Set has a Role Set Policy (Roles > Role Sets > {Role Set name} > Policy tab) set to Deny entitlements not matching the entitlement rule.

Below are two examples of when this issue may occur.

Example 1:

  1. Create a Role Set named TestRoleSet. (Roles > Role Sets > Create Role Set)
  2. Set the Policy to Deny entitlements not matching the entitlement rule (Roles > Role Sets > TestRoleSet > Policy tab)
  3. Create an entitlement membership rule for the Role Set: unifiedents."Business Unit Id"=1 (Roles > Role Sets > TestRoleSet > Policy tab > Membership Rule).
  4. Go to Roles > Roles > Create/Discover > Create role and create TestRole1 role in Role Set TestRoleSet.
  5. Go to the Entitlements tab for TestRole1 (Roles > Roles > TestRole1 > Entitlements tab) and click on Add Entitlements.  
  6. It is expected that matching entitlements will be displayed, as per the entitlements rule.

What happens is that:

  • Either no data is displayed in the table.
  • Or an Error - is displayed in the table.

Example 2:

  1. Set the TestRoleSet entitlement membership rule to unifiedents."Business Source"='Application Name' (Roles > Role Sets > TestRoleSet > Policy tab > Membership Rule), where Application Name has 31 entitlements.
  2. Go to the TestRole1 entitlements tab (Roles > Roles > TestRole1) and click on Add Entitlements.
  3. It is expected that the entitlement table should display the data per the defined rule. What happens is that the count is displayed as 31 but the records are displayed as Error -.


Cause: This is a known issue reported in engineering ticket ACM-66106.
Resolution: This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.0.1 P02
  • RSA Identity Governance & Lifecycle 7.0.