- RSA Governance & Lifecycle 8.0 Patch 03
- RSA Governance & Lifecycle 8.0 Patch 03 HF1
- RSA Governance & Lifecycle 8.0 Patch 03 HF2
- RSA Governance & Lifecycle 8.0 Patch 03 HF3
- RSA Governance & Lifecycle 8.0 Patch 02 and earlier
- RSA Governance & Lifecycle 8.0 Patch 04 and later
- Roles are being used
- Roles' structure is nested or hierarchical (Role A has another Role B as an entitlement)
- Roles managed using the following:
  - Rules, such as the Role Membership Rule Difference (UOOC) rule, User Access (UA) rule, or Segregation of Duties (SoD) rule
  - User Access Reviews
  - User Access screen to remove users from such roles
Summary
If users are removed from a role that has a hierarchy of nested or child roles as entitlements—whether through methods such as the Role Membership Rule Difference (UOOC) rule, User Access (UA) rule, or Segregation of Duties (SoD) rule, or through User Access Review or explicitly removing a role from the user via the user access screen—the resulting change request will not include the indirect change request item necessary for the removal of entitlements linked to the nested or child role.
The root cause for the issue is the custom parameter UseDirectTablesInplaceofGlobalRoleDefView for which the default was incorrectly set to true in affected versions.
Recommendation
STEP 1
In the affected versions, set the custom parameter UseDirectTablesInplaceofGlobalRoleDefView to false. Once the value is set to false, future change requests will work as expected.
Perform the following steps to set this custom parameter:
- Log in to RSA Governance & Lifecycle with a user who has Administrative permission to modify the System setting.
- Navigate to Admin > System.
- Under Settings, click Edit.
- Scroll down to the Custom section.
- Add the setting UseDirectTablesInplaceofGlobalRoleDefView with the value false, as shown below.
STEP 2
Change requests that were initiated between the beginning of the RSA Governance & Lifecycle upgrade to the affected version and the application of the setting recommended above may be affected by this issue. The attached script (SQL_Script.sql) detects change requests, and their associated roles, that were affected during the indicated period.
The script considers the change requests generated between the application of the affected version and the recommended custom settings. Furthermore, a filter is implemented to verify whether the change requests were produced through the Rules, User Access Review, or specifically from the user access screen. Additionally, a condition is included to check if the role has nested or child roles.
To execute the attached script, perform the following steps:
- Log in to RSA Governance & Lifecycle.
- Go to Admin > System > SQL Utility.
- Copy the script content into the text area.
- Click Run Query.
- If you see no results, there are no affected change requests.
- If you see any results, there are affected change requests that may need corrective action.
*See the two attached scenarios (images) showing when the G&L deployment is affected and when it is not.
STEP 3
After following the above procedure, if you determine that your RSA Governance & Lifecycle deployment is affected by the issue, please contact RSA Customer Support for assistance in taking corrective action with help from the RSA Engineering team.
Note: The custom setting UseDirectTablesInplaceofGlobalRoleDefView is utilized while generating change requests. When a member is removed from a role, a procedure is initiated to identify the direct and indirect entitlements that must be revoked from the member. When this setting is enabled (set to true), it exclusively identifies the top-level entitlements by consulting a table, rather than referencing a view that includes both top-level and nested entitlements. This setting is particularly beneficial for certain customers whose roles do not encompass nested or child roles as entitlements.
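The difference the note describes, as an added Python illustration (not RSA code and not the attached SQL_Script.sql). The role and entitlement names, the ROLE_ENTITLEMENTS mapping, and all three functions are constructed, hypothetical stand-ins for the table lookup, the view lookup, and a check of a change request's items.

```python
# Added illustration: a constructed role model, not RSA Governance & Lifecycle's schema or code.
# ROLE_ENTITLEMENTS maps a role to its entitlements; a key that appears as an
# entitlement of another role is a nested (child) role.
ROLE_ENTITLEMENTS = {
    "role:A": ["app1:read", "role:B"],
    "role:B": ["app2:admin", "role:C"],
    "role:C": ["db:write"],
    "role:Flat": ["app3:read"],
}

def direct_entitlements(role):
    """Top-level lookup only, as the note describes when the setting is true."""
    return set(ROLE_ENTITLEMENTS.get(role, []))

def all_entitlements(role):
    """Direct plus indirect entitlements, walking nested roles (setting false)."""
    found, stack, visited = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in visited:      # guard against cyclic role definitions
            continue
        visited.add(current)
        for ent in ROLE_ENTITLEMENTS.get(current, []):
            found.add(ent)
            if ent in ROLE_ENTITLEMENTS:   # entitlement is itself a role: descend
                stack.append(ent)
    return found

def missing_indirect_items(removed_role, change_request_items):
    """Entitlements a removal change request should carry but does not."""
    return all_entitlements(removed_role) - set(change_request_items)

if __name__ == "__main__":
    # A change request built from the top-level lookup only (constructed sample).
    cr_items = direct_entitlements("role:A")
    print("change request items:", sorted(cr_items))
    print("missing indirect items:", sorted(missing_indirect_items("role:A", cr_items)))
    # A role without nested roles loses nothing under either lookup.
    flat_items = direct_entitlements("role:Flat")
    print("flat role missing:", sorted(missing_indirect_items("role:Flat", flat_items)))
```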