Existing Role memberships later granted through Parent Roles are not revoked when the Role memberships are removed from the Parent Role in RSA Identity Governance & Lifecycle
Originally Published: 2020-09-01
Article Number
Applies To
RSA Version/Condition: 7.1.1, 7..2.0
Issue
For example, if a user has direct access to a Technical Role and is later granted membership to a Business Role that has the Technical Role as an entitlement, their access to the Technical Role is now explained via their membership to the Business Role. If the Technical Role entitlement is removed from the Business Role, the user should lose access to the Technical Role unless they belong to one or more other Business Roles that have that same Technical Role as an entitlement. Once they do not belong to any Business Role that explains their right to be a member of the Technical Role, they are no longer entitled to be a member of the Technical Role regardless of how they originally acquired that access.
EXAMPLE:
- Create Technical Role 1 with no entitlements.
- Add user Cherry Blossom as a member of Technical Role 1.
- Cherry Blossom now has direct access to Technical Role 1.
- Create Business Role 1.
- Add Technical Role 1 as an entitlement to Business Role 1.
- Add user Cherry Blossom as a member of Business Role 1.
- Now Cherry Blossom's access to Technical Role 1 is explained by her membership to Business Role 1.
- The problem occurs if Technical Role 1 is removed as an entitlement from Business Role 1. In this case Cherry Blossom should lose the access to Technical Role 1 but she does not.
Cause
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P02
Related Articles
RSA Authentication Manager 8.2 SP1 Vulnerabilities in the Linux kernel – False Positive Number of Views RSA Authentication Manager 6.1 to 8.1 Migration Guide Number of Views When a role is removed from a user based on a revocation date, the entitlement(s) belonging to that role are not removed f… Number of Views Terminated Users not correctly removed from Roles in RSA Identity Governance & Lifecycle Number of Views Data Archiving fails with 'Error saving data archival job for the date range' in RSA Identity Governance & Lifecycle Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
Don't see what you're looking for?
