How the Pending Revoke category functions in the default reviewer interface style of the User Access Review in RSA Identity Governance & Lifecycle
2 years ago
Originally Published: 2020-03-17
Article Number
000064453
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.x, 7.2.x
 
Issue
Starting in RSA Identity Governance & Lifecycle 7.1.0 the User Access Review has two reviewer interface style options. One style option is called Default which is the new and recommended interface style and the other style is called Legacy which is the style in previous versions of RSA Identity Governance & Lifecycle. To see these options go to Reviews > Definitions > {Name of user access review} > General tab > Edit Definition. You can also see these options when creating a new user access review.
 
User-added image

Using the new interface style allows reviewers to review items based on categories as defined under the Reviews > Definitions > {Name of user access review} > Analysis & Guidance tab. The purpose of this RSA Knowledge Base Article is to explain how the Pending Revoke category functions as it behaves slightly differently from the other categories. 
 
User-added image

Note: The complete Pending Revoke description in the above screenshot is:
 
The system identifies review items that are already pending revocation. Any identified items are listed in the "Pending Revoke" category. Note: Reviewers cannot perform any action on items that are pending revocation. Regardless of whether the Pending Revoke category is displayed in the Analysis and Guidance panel, all entitlements that are pending revocation are displayed within a review as completed and locked.
Resolution
When a reviewer logs into a user access review that uses the new style, they see categories on the left based on what categories are defined to be displayed in the review definition under the Reviews > Definitions > {Name of user access review} > Analysis & Guidance tab.
 
User-added image

The Pending Revoke category shows review items that already have a change request associated with them to revoke that access and always displays as 0 since they are considered completed and do not need to be reviewed. These items may be viewed by choosing the Completed drop-down menu option under Showing.
 
User-added image

If accessing a user access review created prior to 7.1.0 or if using the Legacy reviewer user interface in 7.1.0 and above, pending revoke items can be reviewed and maintained or revoked. This ability to maintain/revoke pending revoke items has been removed in the new interface because the functionality makes no sense. If you revoke an already revoked item, it has no effect, and if you maintain a revoked item, it also has no effect because the pending revoke change request still exists and is not cancelled. As a result, by maintaining a pending revoked item, the reviewer is misled into thinking the items will be maintained. As a result, the ability to review such items no longer exists starting in 7.1.0. If any pending revoke items need to be maintained, the existing change request(s) need to be cancelled. The ability to view these items in the new interface without performing any action on them allows you to determine if there are any such requests that need to be cancelled without performing actions that have no effect.
 

Related Articles

Trending Articles

Don't see what you're looking for?