000034616 - RSA Identity Governance and Lifecycle users who do not belong to role cannot be identified

Document created by RSA Customer Support Employee on Jan 5, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034616
Applies To:
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Product/Service Type: Access Certification Manager
RSA Version/Condition: 6.9.1 P18
 
Issue
In 6.9.1 P18, a message is displayed stating that x users do not belong to the role, but those users are not listed with a Revoke button, even though they are directly entitled and also entitled indirectly through a role or group.

This differs from versions prior to P18, where those users are listed in the Directly Entitled tab with a Remove action button.
In P18, you would see this behavior:
Example of P18 display for users who do not belong to the role.
Resolution
The role membership functionality in the latest 6.9.1 P18 patch is as follows:
  • If a user is added to a role directly, the user is displayed as a member in the Directly Entitled category.
  • If a user is associated with a group or a role, and that group/role is added as an entitlement to the role, the user is not displayed as a member in the Directly Entitled category. The user is considered indirect and is displayed only in the All category, without any action (that is, without the Remove button).
  • If a user is added to a role directly and also added to the role via a group, the user is not displayed as a member in the Directly Entitled category. The user is considered indirect and is displayed only in the All category, without any action (that is, without the Remove button).
  • The action button is not available for direct members in the All category if they match the above use case conditions.
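The rules above can be modelled over exported membership data to find direct grants that P18 shows as indirect. This is an added example, not RSA code: the function names, the dict-of-sets data layout and the sample users are assumptions, and it treats the Remove button as available for direct-only members, as the article implies.

```python
# Added illustration of the P18 display rules; not the product's schema or API.
# All names and the sample data below are constructed for this example.

def classify_members(direct_members, role_entitlements, container_members):
    """Return {user: (category, remove_available)} following the P18 rules.

    direct_members    -- users added to the role directly
    role_entitlements -- groups/roles added to the role as entitlements
    container_members -- {group_or_role: set(users)} for known groups/roles
    """
    indirect = set()
    for container in role_entitlements:
        indirect |= container_members.get(container, set())

    result = {}
    for user in sorted(set(direct_members) | indirect):
        if user in indirect:
            # Rules 2 and 3: any indirect path wins, even if the user is also direct.
            result[user] = ("All", False)
        else:
            # Rule 1: direct-only members appear in Directly Entitled.
            # Remove availability here is inferred from the article (assumption).
            result[user] = ("Directly Entitled", True)
    return result


def masked_direct_members(direct_members, role_entitlements, container_members):
    """Direct members shown as indirect in P18, so no Remove button is offered."""
    view = classify_members(direct_members, role_entitlements, container_members)
    return [u for u in sorted(direct_members) if view[u] == ("All", False)]


# Constructed sample data.
SAMPLE_DIRECT = {"alice", "bob"}
SAMPLE_ENTITLEMENTS = {"grp-finance"}
SAMPLE_CONTAINERS = {
    "grp-finance": {"bob", "carol"},
    "grp-unused": {"dave"},  # not an entitlement of the role, so ignored
}

if __name__ == "__main__":
    view = classify_members(SAMPLE_DIRECT, SAMPLE_ENTITLEMENTS, SAMPLE_CONTAINERS)
    for user, (category, removable) in view.items():
        print(f"{user}: category={category}, remove_button={removable}")
    print("direct grants shown as indirect:",
          masked_direct_members(SAMPLE_DIRECT, SAMPLE_ENTITLEMENTS, SAMPLE_CONTAINERS))
```

The list returned by `masked_direct_members` is the set a reviewer would need to track separately, since those direct grants carry no Remove action in the P18 display.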
