Existing Role memberships later granted through Parent Roles are not revoked when the Role memberships are removed from the Parent Role in RSA Identity Governance & Lifecycle
Originally Published: 2020-09-01
Article Number
Applies To
RSA Version/Condition: 7.1.1, 7..2.0
Issue
For example, if a user has direct access to a Technical Role and is later granted membership to a Business Role that has the Technical Role as an entitlement, their access to the Technical Role is now explained via their membership to the Business Role. If the Technical Role entitlement is removed from the Business Role, the user should lose access to the Technical Role unless they belong to one or more other Business Roles that have that same Technical Role as an entitlement. Once they do not belong to any Business Role that explains their right to be a member of the Technical Role, they are no longer entitled to be a member of the Technical Role regardless of how they originally acquired that access.
EXAMPLE:
- Create Technical Role 1 with no entitlements.
- Add user Cherry Blossom as a member of Technical Role 1.
- Cherry Blossom now has direct access to Technical Role 1.
- Create Business Role 1.
- Add Technical Role 1 as an entitlement to Business Role 1.
- Add user Cherry Blossom as a member of Business Role 1.
- Now Cherry Blossom's access to Technical Role 1 is explained by her membership to Business Role 1.
- The problem occurs if Technical Role 1 is removed as an entitlement from Business Role 1. In this case Cherry Blossom should lose the access to Technical Role 1 but she does not.
Cause
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P02
Related Articles
Unable to save Application Role mapping in Role Collector in RSA Identity Governance & Lifecycle Number of Views Role collector design changes for RSA Identity Governance & Lifecycle 7.x Number of Views Local roles are not picked up by Role Review Number of Views Unification and collectors get stuck at calculating role metrics after applying P01 to Via L&G v7.0.0 Number of Views Requests Pending Submissions queue accumulating in RSA Identity Governance & Lifecycle Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA-2026-07: RSA Identity Router Security Update for Third-Party Component Vulnerabilities Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory
Don't see what you're looking for?
