000036752 - Controlling multiple account prompting in Global Forms for RSA Identity Governance & Lifecycle 7.1

Document created by RSA Customer Support Employee on Sep 25, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036752
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0
IssueChange requests with user entitlement changes that require an account, create change items against the account instead of the user as they were in previous versions. When a user has multiple accounts in a business source, Global Forms prompt for the appropriate account for each entitlement. The account only needs to be identified once at the business source level for each user in this situation.

As of version 7.1.0 P 01, change request behavior has been changed to enforce the paradigm of having all access be associated with an account when possible.

Release notes show:
User access requests for entitlement changes apply the following rules: 

  • User entitlement changes that require accounts are always account changes.
  • User entitlement changes with no assigned accounts remain user changes.
  • User entitlement changes with one assigned account are created as account changes.
  • User entitlement changes with multiple assigned accounts prompt for account selection and are created as account changes.
How can global form account prompting behavior be modified?
ResolutionAs of version 7.1.0 P 02, a new option for Multiple Account Resolution is provided in the global form definition (In the UI go to Requests > Configuration > Request Forms). This modifies the behavior of the form to only prompt for a user's account once per Business Source. The default behavior is to prompt for each entitlement.
User-added image

An additional change is provided in 7.1.0 P 03 which will further reduce account prompts if accounts are collected to a Directory and then just mapped to users by the application's account collector(s). In this case, when the Once per business source option is selected, then the Business Source is the Directory and would only prompt once, even though the accounts could be mapped to many applications. 

Beware of making collector changes to take advantage of the Directory account collection. It can cause a one-time long-running Indirect Relationship Processing run.