'Direct Members Missing' column under Role Entitlements tab incorrectly shows deleted, terminated and/or Role Members no longer belonging to the Role in RSA Identity Governance & Lifecycle
3 years ago
Originally Published: 2020-08-11
Article Number
000043840
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
 
Issue
Roles in RSA Identity Governance & Lifecycle may be configured so that Role Entitlements are not automatically given to Members of a Role. This is done by disabling the Generate Indirect Entitlements option under REQUEST SETTINGS in the request workflow used for Roles (Requests > Workflows > Request tab > {Workflow name}). The Direct Missing Members column under Roles > Roles > {Role name} > Entitlements tab shows the number of Role Members that are missing Role Entitlements due to this configuration setup. The problem is that this column includes deleted users, terminated users, and Role Members that have been removed from the Role.
 
Cause
This is a known issue reported in engineering ticket ACM-100944.
 
Resolution
This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release. 
 
Workaround
This issue is partially resolved in the following RSA Identity Governance & Lifecycle patches but additional work is necessary to complete the fix as outlined below.
  • RSA Identity Governance & Lifecycle 7.1.1 P06
  • RSA Identity Governance & Lifecycle 7.2.0 P02
The fix is to show only active users and change the column name from Direct Members Missing to Direct Active Members Missing

To implement the fix:
  1. Install one of the above patches.
  2. Create a Provisioning-Termination Rule that revokes all user entitlements immediately that are associated with Roles. This forces the recalculation of Role Metrics for terminated users. Unification will automatically recalculate Role Metrics for deleted users. This step is only necessary for terminated users. 
Notes
The partial fix is also available in RSA Identity Governance & Lifecycle 7.2.0 P01 but it is recommended to go to 7.2.0 P02 to avoid the issues described in the following RSA Knowledge Base Articles:
 

Related Articles

Trending Articles

Don't see what you're looking for?