000035904 - How user selection and custom account attribute filters work in User Access Reviews in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on Feb 9, 2018. Last modified by RSA Customer Support Employee on Feb 10, 2018.
Version 3

Article Content

Article Number: 000035904
Applies To: RSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: All
Issue: If we have a User Access Review where the user selection has a filter to include users in the review based on a custom account attribute, the filter does not seem to work correctly for all users.

In this example, the review result includes one user whose Account Status=LOCKED. Ideally, this user should not have been included in the review result.
Resolution: User Selection and the Contents tab are two distinct steps in a review. If a user has an account in the desired business source that should be excluded based on its account attributes, but also has an account in a different business source that should not be excluded, the user is included in the review. If the subsequent content (access) step then restricts the entitlements to the desired business source, the account that was intended to be excluded is included in the review.

In this example, the user molly is included in the review because she has an account in another business source whose status is not LOCKED.

One option here is to use an advanced expression to select the users to include that matches the business source(s) used in the access step: 

users.id in accounts (accounts."Account Status"<>'LOCKED' and accounts."Application Name"='DAMS')

After applying the advanced filter, the account is excluded from the review result.
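
The two-step behaviour described above can be reproduced with a small model. This is an added example, not RSA product code: the Python functions, the HR business source and the users alice and bob are constructed for illustration; only molly, DAMS and the advanced expression come from this article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user: str
    application: str  # models accounts."Application Name"
    status: str       # models accounts."Account Status"

# Constructed sample data; only "molly" and "DAMS" appear in the article.
ACCOUNTS = [
    Account("molly", "DAMS", "LOCKED"),
    Account("molly", "HR", "ACTIVE"),
    Account("alice", "DAMS", "ACTIVE"),
    Account("bob", "DAMS", "LOCKED"),
    Account("bob", "DAMS", "ACTIVE"),
]

def select_users(accounts, predicate):
    """Step 1 (User Selection): a user qualifies if ANY of their accounts matches."""
    return {a.user for a in accounts if predicate(a)}

def review_contents(accounts, users, application):
    """Step 2 (Contents): every account a selected user holds in the business source."""
    return sorted((a.user, a.status) for a in accounts
                  if a.user in users and a.application == application)

def simple_filter(a):
    # Attribute-only filter: any account with Account Status <> 'LOCKED'
    return a.status != "LOCKED"

def advanced_filter(a):
    # users.id in accounts (accounts."Account Status"<>'LOCKED'
    #                       and accounts."Application Name"='DAMS')
    return a.status != "LOCKED" and a.application == "DAMS"

def run_review(predicate, application="DAMS"):
    """Run both steps and return the (user, status) rows shown in the review."""
    selected = select_users(ACCOUNTS, predicate)
    return review_contents(ACCOUNTS, selected, application)

if __name__ == "__main__":
    print("simple  :", run_review(simple_filter))
    print("advanced:", run_review(advanced_filter))
```

In this model bob, who holds both a LOCKED and an ACTIVE DAMS account, still surfaces his LOCKED account under the advanced expression, because user selection decides per user and the Contents step here filters only by business source.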


Notes: An enhancement request has been filed to filter the access by account attributes rather than filtering during user selection. Currently, the only way to filter by account in the access review step (after the user selection step) is to exclude the entitlements granted from disabled accounts. The enhancement plans to replace this specific filter with a more flexible search-expression builder that can filter on any account attribute, not just disabled accounts.