000035258 - How to configure the RSA Identity Governance and Lifecycle system to prevent users from requesting exceptional access

Document created by RSA Customer Support Employee on Jun 16, 2017
Version 1

Article Content

Article Number: 000035258
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: All
 
Issue: This article describes how to configure the system to prevent users from requesting exceptional access in RSA Identity Governance and Lifecycle. The term "exceptional access" in this article refers to Segregation of Duties (SOD) violations.
Tasks: Here are the steps to prevent users from requesting exceptional access:
  1. First, define the exceptional access:
    1. Create an SOD rule that defines the exceptional access:
       Rules > Definitions > Create New Rule > Type: Segregation of Duties
    2. Process the rule.
  2. Second, define who can and cannot request the exceptional access:
    1. Go to Requests > Configuration > Submission tab > Edit Settings.
    2. Under Violations there are three options.

By default, these options are not checked. This means anyone can request exceptional access and submit the request. To prevent users from requesting exceptional access, the first two options need to be defined.

  • The first option, "Show violations to the specified requestors", determines who will see whether their requested access creates a violation. Any user meeting these criteria will see a warning if they request exceptional access.

  • The second option, "Requests with violations can be submitted by requestors", determines who is allowed to request exceptional access. Any user who does NOT meet these criteria AND who meets the criteria of the first option will be prevented from submitting the request.
Resolution: KEY POINT: The second option applies only to those users defined in the first option. That is, if a user does not meet the criteria defined in the first option, "Show violations to the specified requestors", they will be allowed to submit the request regardless of whether or not they meet the criteria in the second option, "Requests with violations can be submitted by requestors".
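
The interaction described in the key point, modelled as an added Python example (this is not RSA code or an RSA API; the user attributes and both criteria are constructed for illustration). It shows which users can still submit a violating request when the criteria of the first option cover fewer users than intended.

```python
# Added illustration: a model of the rule stated in this article, not RSA code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    department: str   # hypothetical attribute
    is_manager: bool  # hypothetical attribute

def classify(user, shows_violations, may_submit_violations):
    """Outcome of a request that triggers an SOD violation.

    shows_violations      -- criteria of the first option (who sees the violation)
    may_submit_violations -- criteria of the second option (who may submit anyway)
    """
    if not shows_violations(user):
        # Outside the first option: the second option is never consulted.
        return "submitted-unchecked"
    if may_submit_violations(user):
        return "submitted-with-warning"
    return "blocked"

def audit(users, shows_violations, may_submit_violations):
    """Group user names by outcome so gaps in the first option stand out."""
    report = {"blocked": [], "submitted-with-warning": [], "submitted-unchecked": []}
    for u in users:
        report[classify(u, shows_violations, may_submit_violations)].append(u.name)
    return report

# Constructed sample population.
USERS = [User("alice", "Finance", False), User("bob", "Finance", True),
         User("carol", "IT", False), User("dave", "IT", True)]

def finance_only(u):   # first option, too narrow
    return u.department == "Finance"

def everyone(u):       # first option, full coverage
    return True

def managers(u):       # second option
    return u.is_manager

if __name__ == "__main__":
    for label, opt1 in (("first option = Finance only", finance_only),
                        ("first option = everyone", everyone)):
        print(label, audit(USERS, opt1, managers))
```

With the narrow first option, the IT users land in "submitted-unchecked" even though one of them is not a manager; widening the first option to everyone moves that user to "blocked".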

 
