000035840 - Why automatically generated revocation requests do not add back revoked requests on a revocation date in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on Feb 9, 2018. Last modified by RSA Customer Support Employee on Feb 10, 2018.
Version 5

Article Content

Article Number: 000035840
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: All
Issue: You have one of the following use cases:

   I. Change request containing both add and revoke items



  • A change request is triggered to add an entitlement (E1=pbciadmin) via Requests > Requests > Create Request > Add Access and to remove an existing entitlement (E2=1005-1-pbci : admin) via Requests > Requests > Create Request > Remove Access.
  • The request is submitted with a revocation date.
  • The automatic change request contains only the removal of E1, but not the addition of E2.


Why doesn't the automatic revocation request add back entitlement E2, the entitlement that was revoked, when the revocation date occurs?

II.  Change request containing only revoke item



  • A change request is triggered to remove an existing entitlement (E3=1005-1-pbci : readonly).
  • The request is submitted with a revocation date.
  • The automatic request does not contain any change item.


Why isn't entitlement E3 added back on the revocation date via the automatic request?
       
Resolution: This is the expected behavior of the product. The purpose of the revocation date is to tell RSA Identity Governance and Lifecycle when to revoke an entitlement, not when to add one back. The word revocation means to revoke or remove, so a revocation date implies revoke/remove only. The field is available on the request, but it should not be used when revoking an entitlement, as it does not make sense to revoke a revoked entitlement.
 
