Existing Role memberships later granted through Parent Roles are not revoked when the Role memberships are removed from the Parent Role in RSA Identity Governance & Lifecycle
Originally Published: 2020-09-01
Article Number
Applies To
RSA Version/Condition: 7.1.1, 7.2.0
Issue
For example, if a user has direct access to a Technical Role and is later granted membership in a Business Role that has the Technical Role as an entitlement, their access to the Technical Role is now explained by their membership in the Business Role. If the Technical Role entitlement is removed from the Business Role, the user should lose access to the Technical Role unless they belong to one or more other Business Roles that have that same Technical Role as an entitlement. Once they do not belong to any Business Role that explains their right to be a member of the Technical Role, they are no longer entitled to be a member of the Technical Role, regardless of how they originally acquired that access.
EXAMPLE:
- Create Technical Role 1 with no entitlements.
- Add user Cherry Blossom as a member of Technical Role 1.
- Cherry Blossom now has direct access to Technical Role 1.
- Create Business Role 1.
- Add Technical Role 1 as an entitlement to Business Role 1.
- Add user Cherry Blossom as a member of Business Role 1.
- Now Cherry Blossom's access to Technical Role 1 is explained by her membership to Business Role 1.
- The problem occurs if Technical Role 1 is removed as an entitlement from Business Role 1. In this case, Cherry Blossom should lose access to Technical Role 1, but she does not.
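The rule above as an added audit sketch (not RSA code and not part of the original article): it lists Technical Role memberships that were once explained by a Business Role and are no longer explained by any, which are the memberships the affected versions leave in place. The dictionary-based data model, the function names and the control users "User B" and "User C" are assumptions; the data is constructed from the article's example.

```python
"""Added illustration: find Technical Role memberships no Business Role explains.

The data model (dicts of sets) and all names are assumptions for this sketch;
it does not use the RSA Identity Governance & Lifecycle schema or API.
"""

def unexplained_memberships(tech_members, biz_members, biz_entitlements, explained_once):
    """Return sorted (user, technical_role) pairs that should have been revoked.

    tech_members:     technical role -> users currently holding it
    biz_members:      business role  -> users who are members
    biz_entitlements: business role  -> technical roles it grants
    explained_once:   (user, technical_role) pairs whose access has, at some
                      point, been explained by a Business Role
    """
    stale = []
    for tech_role, users in tech_members.items():
        for user in users:
            if (user, tech_role) not in explained_once:
                continue  # purely direct access, never explained: not this issue
            still_explained = any(
                user in biz_members.get(biz, set()) and tech_role in ents
                for biz, ents in biz_entitlements.items()
            )
            if not still_explained:
                stale.append((user, tech_role))
    return sorted(stale)

def article_scenario():
    """Constructed data following the article's steps, plus two control users."""
    tech_members = {"Technical Role 1": {"Cherry Blossom", "User B", "User C"}}
    biz_members = {"Business Role 1": {"Cherry Blossom", "User B"},
                   "Business Role 2": {"User B"}}
    biz_entitlements = {"Business Role 1": {"Technical Role 1"},
                        "Business Role 2": {"Technical Role 1"}}
    # User C holds Technical Role 1 directly and was never in a Business Role.
    explained_once = {("Cherry Blossom", "Technical Role 1"),
                      ("User B", "Technical Role 1")}
    before = unexplained_memberships(tech_members, biz_members, biz_entitlements, explained_once)
    # Last step of the article: remove the entitlement from Business Role 1.
    biz_entitlements["Business Role 1"].discard("Technical Role 1")
    after = unexplained_memberships(tech_members, biz_members, biz_entitlements, explained_once)
    return before, after

if __name__ == "__main__":
    before, after = article_scenario()
    print("before removal:", before)
    print("after removal: ", after)
```

User B stays entitled because Business Role 2 still carries Technical Role 1, and User C is not reported because that access was never explained by a Business Role.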
Cause
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P02