RSA Via Lifecycle and Governance 6.9.1 P06 User Access Review includes indirect entitlements of users
2 years ago
Originally Published: 2016-06-15
Article Number
000063323
Applies To
RSA Product Set: RSA Via Lifecycle and Governance
RSA Version/Condition: 6.9.1 P06
 
Issue
User Access Reviews only includes direct entitlements of users. Indirect entitlements (i. e., entitlements coming from a role should not be available in user access review). This is the default product behavior. However, in version 6.9.1 P06 we see that entitlements from a role are getting pulled in user access review.

The example below shows the indirect entitlement getting pulled in user access review
  1. A technical role named Test Roles is created:
User-added image
 
  1. The AD group entitlements of Test Roles is shown below:
            User-added image 

  3. Create a Business Role using the technical role created above as its entitlements:
User-added image
 
User-added image
  1. Add a user to the business role:
User-added image
  1. Navigate to Users > Users.  
  2. Search for the user created in step 1 above 
  3. Click on the Access tab.  It shows the business role crated above as its direct entitlement
User-added image
  1. The Users Access tab shows the AD group entitlements of the technical role created above (i. e., Test Roles), which is a direct Entitlement of Business Role as its indirect entitlements.
User-added image
  1. Run a user access review using the conditions shown below in the User Selection tab and the Contents tab.
User-added image
User-added image
 
  1. The review result shows all three groups of the user's indirect entitlements. The user access tab should include only direct entitlements, but here you will see indirect entitlements are also pulled.
User-added image
Resolution
This issue is not seen in version 6.9.1 P09.  Apply patch 6.9.1 P09 to have this issue resolved.

Related Articles

Trending Articles

Don't see what you're looking for?