What about having a rule for removal of (orphan) indirect entitlements?

For a long time I have had this idea that this product introduced a simpler way of finding (and removing) user entitlements/group memberships, linked to roles, where the direct role membership is removed.

Is there any interest (from you customers out there) in having a rule that is "the opposite of the rule Add missing entitlements"?

A bit more background (below):

Yes, you can create reports to find entitlements, and let someone manually correct them.

Yes, you can build a custom workflow (unofficial solution).

Yes, you can make rule watchers for specific entitlements, one by one... ...by one...

...by one (...times 5000)

But the simple fact is: IF you run a review, and the reviewers choose "remove", and that removal (for some reason) is not successful, you get a trust issue.

All the trust you built up with the business for doing their reviews etc. is flushed down the toilet in about 10 minutes (after they shout out: "that admin role is still active! I reviewed that last week... how can it...").

...

So, because I made a "feature request" about this to RSA a long time ago, with no luck:

I ask all customers to give a short "I want this" below, if interested.

Or if you are not a fan: "Why? The product is so much faster without it" :)

Log in now, and let's show RSA that this community is not dead.


  • The use case is: a reviewer revokes a role (which will trigger the removal of indirect items) and the process is not completed; you want a rule to identify and remove the leftovers (indirect access that was granted via that role)?

    Did I get that right?

    • OverthinkerDave (Customer)

      Yes, Boris -> that is what I want. On a global level.

      But to be clear about your words "process is not completed":

      • Where the decision is made, and the role state is "final"
        • Like "revoke" + closing the review.
        • Or in any request, where the approval state is passed, and fulfilment of "removal of role membership" has the state "complete"

      Any entitlements linked to roles, where the user no longer has a role membership, should trigger an action (similar to the "add missing" rule, but the opposite).

      I want some kind of "authority" of roles (could be a checkmark on the roles).

      I want the option to configure the product so that "the Aveksa role memberships decide" if that entitlement/role/group membership should be set on external systems.

      For me this includes not only the "Add missing entitlements" rule, but also the need for a "Remove non-authorized entitlements" rule.

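The rule semantics described in the post above, as an added illustration that is not part of the thread or of the RSA product: with constructed role, membership and collected-entitlement data, `find_orphans` implements the "remove non-authorized entitlements" direction (held on the target system, linked to an authoritative role, but no longer justified by any role membership or direct grant), while `find_missing` is the existing "add missing entitlements" direction for comparison. Role names, entitlement names and the per-role authority set are assumed sample values.

```python
"""Constructed sample data: detect orphan indirect entitlements, i.e. entitlements
linked to a role that the user no longer holds and that were not granted directly."""

# Role -> entitlements it grants (constructed).
ROLE_ENTITLEMENTS = {
    "admin_role": {"ent:srv-admin", "grp:domain-admins"},
    "finance_role": {"ent:erp-ledger", "grp:domain-admins"},
    "legacy_role": {"ent:legacy-app"},
}
# Roles whose memberships are authoritative (the "checkmark" on the role).
AUTHORITATIVE_ROLES = {"admin_role", "finance_role"}
# Role memberships after the review closed (bob's admin_role was revoked).
USER_ROLES = {"alice": {"finance_role"}, "bob": set(), "carol": set()}
# Entitlements granted directly by request, outside any role.
USER_DIRECT = {"alice": set(), "bob": {"ent:vpn"}, "carol": set()}
# Entitlements actually present on the target systems (collected state).
USER_ACTUAL = {
    "alice": {"ent:erp-ledger"},
    "bob": {"ent:srv-admin", "grp:domain-admins", "ent:vpn"},
    "carol": {"ent:legacy-app"},
}

def expected_via_roles(user):
    """Entitlements the user should hold through current role memberships."""
    expected = set()
    for role in USER_ROLES.get(user, set()):
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected

def role_governed_entitlements():
    """Entitlements linked to at least one authoritative role."""
    governed = set()
    for role in AUTHORITATIVE_ROLES:
        governed |= ROLE_ENTITLEMENTS.get(role, set())
    return governed

def find_orphans(user):
    """'Remove non-authorized' direction: held and role-governed, but no longer
    justified by any current role membership or direct grant."""
    justified = expected_via_roles(user) | USER_DIRECT.get(user, set())
    governed = role_governed_entitlements()
    return {e for e in USER_ACTUAL.get(user, set()) if e in governed and e not in justified}

def find_missing(user):
    """Existing 'add missing entitlements' direction, for comparison."""
    return expected_via_roles(user) - USER_ACTUAL.get(user, set())
```

Note that `grp:domain-admins` is linked to two roles, so a user keeping either role is not flagged, and `ent:legacy-app` is never flagged because `legacy_role` carries no authority checkmark.
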
    • TimWillemstein2 (Customer)

      I completely missed this one. I love the idea, since it would be very valuable for us, as our authorization model is pretty much completely RBAC driven. So having a rule to clean up / identify and handle these outliers would be amazing.