How user selection and custom account attribute filters work in User Access Reviews in RSA Identity Governance and Lifecycle
3 years ago
Originally Published: 2018-01-10
Article Number
000063358
Applies To
RSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: All
 
Issue
If we have a User Access Review where the user selection has a filter to include users in the review based on a custom account attribute:
 
User-added image
 
User-added image

The filter does not seem to work correctly for all users.

In the example below you can see the review result is including one user whose Account Status=LOCKED. Ideally, the user should not have been included in the review result.
 
User-added image
Resolution
The User Selection and Contents tab in review are two distinct steps. If a user has an account in the desired business source that should be excluded based on the account attributes but has another account in a different business source that shouldn't be excluded, they will be included in the review. If the subsequent content (access) review restricts the entitlements to the desired business source, then that account that was intended to be excluded will be included in the review.

As shown below the user molly is included in the review because she has an account in another business source whose status is not LOCKED.

User-added image

One option here is to use an advanced expression to select the users to include that matches the business source(s) used in the access step: 

users.id in accounts (accounts."Account Status"<>'LOCKED' and accounts."Application Name"='DAMS') .

 

User-added image

After using the advanced filter you can see the account is excluded from review result.

User-added image

Notes
An enhancement is filed to filter the access by account attributes rather than filtering during the user selection. Currently, the only way to filter by account in this access review step (after the user selection step) by excluding the entitlements granted from disabled accounts. The plan of the enhancement is to replace this specific filter with a more flexible search-expression builder, where we could filter on more than just disabled accounts but instead any account attributes.

 

Related Articles

Trending Articles

Don't see what you're looking for?