Applies To
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Product/Service Type: User Interface, Account Data Collector (ADC), Entitlement Data Collector (EDC), Business Role Manager (BRM)
RSA Version/Condition: 7.0.0, 7.0.1, 7.0.2, 7.1.0
Issue
When managing RSA Identity Governance & Lifecycle Aveksa Application Roles using the SecurityRole.csv file, the following artifacts are observed.
1. Users may be assigned Aveksa Application Roles without having an Aveksa Application account. The Access tab may show Application Roles and Entitlements assigned through an Entitlement Path that references an Account that does not exist.
2. Additionally, when viewing the Accounts under the Aveksa Application Accounts tab, the account previously associated with the user shows as deleted.
3. Users may be assigned Aveksa Application Roles and Entitlements for Roles that do not exist in the Aveksa Application.
4. If the User Privileges tab is used to manage a user's Aveksa Application security, it is not possible to add or remove Aveksa Application Privileges for the user. When an attempt is made to add or remove a Privilege, the changes are not accepted after the Apply Changes button is clicked.
Cause
The stated purpose of the SecurityRole.csv file is to allow customers to add additional Roles to the Aveksa Application Role model. Roles are added by adding them to the SecurityRole.csv file and importing the file under the Files tab on the Admin User Interface menu.
Roles imported in this manner are added directly to the Role model, and any change to this file causes the Aveksa Application ADC (Account Data Collector) and Aveksa Application EDC (Entitlement Data Collector) to be run. If a Role was previously added through an imported SecurityRole.csv file, and a new SecurityRole.csv file that is missing that Role is imported, then that Role is effectively removed from the Security model. Roles are removed directly, without checking whether the Role is in use. If a Role is removed while it is still assigned to users, the Role assignments for those users become orphaned. This may cause Users to show with Roles, Entitlements and Privileges that do not exist in the system.
In addition, when an Aveksa User is associated with an Aveksa Account and all Roles for that user are removed, the Aveksa Account for that user is deleted to ensure that the user is not able to log on as an Aveksa Administrator. Once the Aveksa Application Account is deleted, it is not possible to manage the user's Aveksa Account Privileges from the User Privileges tab. Normally, when Privileges are added back to a User, the Aveksa Application automatically creates an Aveksa Application Account, but this does not occur in this case.
Resolution
At this time there is no restriction in place to prevent customers from removing Aveksa Application Roles from the imported SecurityRole.csv file. This is a defect and is targeted for remediation in a future release of the product.
Customers should ensure that an Aveksa Application Role or Aveksa Application Privilege is removed from all Users before removing the corresponding Role from the SecurityRoles.csv file.
Importing an empty SecurityRoles.csv file may cause many different issues. The issues differ depending on whether the RSA Identity Governance & Lifecycle Role and Business Role Manager packages are enabled, or whether Aveksa Application security is being managed using the User Privileges tab. Consult RSA Customer Support for guidance regarding your specific situation.
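The safe ordering given above (clear every assignment of a Role before dropping that Role from the file) can be verified before the import is run. The following Python script is an added example, not RSA-supplied code: it diffs the currently imported role file against the proposed replacement, lists the Roles that would disappear, cross-checks them against an export of current Role assignments, flags users who would lose every Role (the case in which the product deletes the Aveksa Account), and refuses an empty replacement file. The article does not document the column layout of SecurityRole.csv or of any assignment report, so the RoleName column, the UserName/RoleName assignment export and all sample data are constructed assumptions to be adjusted to the real files.

```python
"""Pre-import check for a replacement SecurityRole.csv.

Added example, not RSA-supplied code.  Assumptions not taken from the
KB article: the role file has a header row with a "RoleName" column, and
current Role assignments are available as a CSV export with "UserName"
and "RoleName" columns.  Verify both against the real file layouts.
"""
import csv
import io

# Constructed sample data: the currently imported file, the proposed
# replacement (HelpDesk has been dropped), and current assignments.
CURRENT_FILE = """RoleName,Description
AveksaAdmin,Built-in administrator
HelpDesk,Help desk operators
Auditor,Read-only review
"""

NEW_FILE = """RoleName,Description
AveksaAdmin,Built-in administrator
Auditor,Read-only review
"""

ASSIGNMENTS = """UserName,RoleName
jdoe,HelpDesk
asmith,Auditor
bjones,HelpDesk
cpark,HelpDesk
cpark,Auditor
"""


def load_roles(text, column="RoleName"):
    """Return the set of Role names defined in a SecurityRole.csv-style file."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or column not in reader.fieldnames:
        raise ValueError(f"role file has no '{column}' column")
    return {row[column].strip() for row in reader if row[column].strip()}


def load_assignments(text):
    """Return {user: set of Roles} from an assignment export."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(text)):
        by_user.setdefault(row["UserName"].strip(), set()).add(row["RoleName"].strip())
    return by_user


def check_import(current_text, new_text, assignments_text):
    """Compare the proposed file with the current one.

    Returns (removed, blocking, losing_all):
      removed    - sorted Roles present now but absent from the new file
      blocking   - {role: sorted users} for removed Roles still assigned;
                   importing while this is non-empty orphans assignments
      losing_all - sorted users whose every Role is being removed; the
                   product deletes their Aveksa Account in that case
    Raises ValueError if the new file defines no Roles at all, since an
    empty import removes every custom Role.
    """
    current = load_roles(current_text)
    new = load_roles(new_text)
    if not new:
        raise ValueError("replacement file defines no Roles; refusing to continue")
    removed = current - new
    by_user = load_assignments(assignments_text)

    blocking = {}
    for user, roles in by_user.items():
        for role in roles & removed:
            blocking.setdefault(role, []).append(user)
    blocking = {role: sorted(users) for role, users in sorted(blocking.items())}

    losing_all = sorted(user for user, roles in by_user.items() if roles and roles <= removed)
    return sorted(removed), blocking, losing_all


if __name__ == "__main__":
    removed, blocking, losing_all = check_import(CURRENT_FILE, NEW_FILE, ASSIGNMENTS)
    print("Roles removed by this import:", removed)
    for role, users in blocking.items():
        print(f"  {role} is still assigned to: {', '.join(users)}")
    if losing_all:
        print("Users who would lose every Role (account will be deleted):", losing_all)
    print("SAFE TO IMPORT" if not blocking else "UNSAFE: remove the assignments above first")
```

Run it with the real current file, the candidate file and a fresh assignment export; only import when the blocking list is empty. The separate losing_all list matters because a user who keeps at least one Role keeps the Aveksa Account, whereas a user whose last Role is removed loses the account and, per the Cause section, can no longer be managed from the User Privileges tab.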