How user selection and custom account attribute filters work in User Access Reviews in RSA Identity Governance and Lifecycle
RSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: All
Consider a User Access Review whose user selection uses a filter to include users in the review based on a custom account attribute. The filter does not appear to work correctly for all users.
In the example below you can see that the review result includes one user whose Account Status=LOCKED. Ideally, that user should not have been included in the review result.
The User Selection and Contents tabs in a review are two distinct steps. A user is evaluated in the user selection step against all of their accounts, not only those in the business source the review targets. So if a user has an account in the desired business source that should be excluded based on its account attributes, but also has an account in a different business source that does not match the exclusion, the user is still selected. When the subsequent content (access) step then restricts the entitlements to the desired business source, the account that was meant to be excluded appears in the review.
As shown below the user molly is included in the review because she has an account in another business source whose status is not LOCKED.
One option here is to use an advanced expression to select the users to include that matches the business source(s) used in the access step:
users.id in accounts (accounts."Account Status"<>'LOCKED' and accounts."Application Name"='DAMS')
After using the advanced filter you can see the account is excluded from review result.
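The following is an added example, not RSA's code, that models the two review steps described above with constructed data. The users (molly, sam, priya), the second business source "HRPortal" and the function names are assumptions for illustration; "DAMS" is the business source named in the article. It shows that a user filter evaluated across all accounts lets molly's LOCKED DAMS account into the review, while a filter scoped to the business source, equivalent to the advanced expression above, excludes it.

```python
# Added example (not RSA IG&L code): simulates why filtering the user selection on a
# custom account attribute can still admit an account the reviewer meant to exclude,
# and how scoping that filter to the business source used in the access step fixes it.

# Constructed sample data. "DAMS" is the business source from the article;
# "HRPortal" and all users are hypothetical.
USERS = [
    {"id": 1, "name": "molly"},
    {"id": 2, "name": "sam"},
    {"id": 3, "name": "priya"},
]

ACCOUNTS = [
    {"user_id": 1, "Application Name": "DAMS",     "Account Status": "LOCKED"},
    {"user_id": 1, "Application Name": "HRPortal", "Account Status": "ACTIVE"},
    {"user_id": 2, "Application Name": "DAMS",     "Account Status": "ACTIVE"},
    {"user_id": 3, "Application Name": "DAMS",     "Account Status": "LOCKED"},
]


def select_users_any_source(users, accounts):
    """User selection step as the article describes it misbehaving: a user is
    included if ANY of their accounts, in any business source, is not LOCKED."""
    keep = {a["user_id"] for a in accounts if a["Account Status"] != "LOCKED"}
    return [u["name"] for u in users if u["id"] in keep]


def select_users_scoped(users, accounts, source):
    """Model of the article's advanced expression:
    users.id in accounts (accounts."Account Status"<>'LOCKED'
                          and accounts."Application Name"=<source>)
    Only an unlocked account in the target business source qualifies a user."""
    keep = {
        a["user_id"]
        for a in accounts
        if a["Account Status"] != "LOCKED" and a["Application Name"] == source
    }
    return [u["name"] for u in users if u["id"] in keep]


def review_contents(selected_names, users, accounts, source):
    """Contents (access) step: restrict the review to accounts in the target
    business source that belong to the selected users. It applies no status
    filter of its own, so a LOCKED account in `source` is listed whenever its
    owner survived the user selection step."""
    name_by_id = {u["id"]: u["name"] for u in users}
    ids = {u["id"] for u in users if u["name"] in selected_names}
    return [
        (name_by_id[a["user_id"]], a["Account Status"])
        for a in accounts
        if a["user_id"] in ids and a["Application Name"] == source
    ]


def compare(source="DAMS"):
    """Run both user-selection variants through the same contents step."""
    unscoped = review_contents(select_users_any_source(USERS, ACCOUNTS),
                               USERS, ACCOUNTS, source)
    scoped = review_contents(select_users_scoped(USERS, ACCOUNTS, source),
                             USERS, ACCOUNTS, source)
    return {"unscoped": unscoped, "scoped": scoped}


if __name__ == "__main__":
    result = compare()
    # molly's LOCKED DAMS account is listed because her HRPortal account is ACTIVE
    print("unscoped user filter ->", result["unscoped"])
    # only sam's ACTIVE DAMS account remains
    print("scoped user filter   ->", result["scoped"])
```

The difference comes entirely from the user selection step: `review_contents` is identical in both runs, which is why adding the business-source condition to the user filter, rather than relying on the contents step, is what removes the LOCKED account from the result.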
An enhancement has been filed to filter the access by account attributes rather than filtering during the user selection. Currently, the only way to filter by account in the access review step (after the user selection step) is to exclude the entitlements granted from disabled accounts. The enhancement plans to replace this specific filter with a more flexible search-expression builder, so that filtering is possible on any account attribute rather than only on disabled accounts.