This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Identity Governance & Lifecycle Discussions

Discussions about RSA Identity Governance & Lifecycle.
ChrisPope
Beginner
Beginner
‎2020-09-10 02:16 PM

Prevent non-Requestable Entitlements and Apps from Being Added to a Role

Jump to solution

We are on 7.1.1 P05 HF01.

 

We would like to prevent Roles from containing Entitlements which 1) Belong to an Application that has Exclude Entire Application From Add Access And Suggestions set to "Yes" or 2) The Entitlement itself has Available for Request set to "No".

 

The only way we can see to do this is to have an Entitlement Rule created on the Role Set.  Unfortunately, the available Columns do not include either of the two mentioned above...which is simply astounding to me.  We tried using the "Advanced" option to create criteria to exclude the non-Requestable Entitlements but again, there is no way to uniquely identify an Entitlement from the available columns.

 

This is the SQL that we used as a model for the criteria, but as I said there is no column available to uniquely identify the Entitlement (such as ID):

select uents.ID
from avuser.V_ALL_UNIFIED_ENTITLEMENTS uents where uents.EXCLUDE_FROM_NORMAL_ADD_ACCESS = 'N' and uents.CANREQUEST = '1'

Has anyone else successfully excluded non-Requestable Entitlements from being added to a Role?

 

Thank you in advance.

Labels (1)
Labels
0 Likes
Reply
1 Solution

Accepted Solutions
MHelmy
Moderator Moderator
Moderator
‎2020-09-17 07:19 AM

Jump to solution

Hey I actually used your exact SQL query in-lab and it worked for me. The advanced options doesn't have an "ID” attribute to pick, but it does work when you manually type in ID.

 

unifiedents.ID in (

select uents.ID

from avuser.V_ALL_UNIFIED_ENTITLEMENTS uents where uents.EXCLUDE_FROM_NORMAL_ADD_ACCESS = 'N' and uents.CANREQUEST = '1'

)

 

Give it a try on your side and let me know if it works.

View solution in original post

Reply
5 Replies
IanStaines
Moderator Moderator
Moderator
‎2020-09-16 04:24 PM

Jump to solution

I can confirm at this time these columns are not available from the Entitlement Rule.   As far as I was able to determine you are the first person to request this feature and it is not already posted in RSA Ideas.

 

This is similar to this discussion.

 

https://community.rsa.com/thread/204670 



0 Likes
Reply
IanStaines
Moderator Moderator
Moderator
In response to IanStaines
‎2020-09-16 04:38 PM

Jump to solution

As you noted this cannot be done with an Entitlement Rule on a Role set, you have already established that and you quoted why it would not work.


Does anyone else have any completely different ideas?

0 Likes
Reply
ChrisPope
Beginner
Beginner
In response to IanStaines
‎2020-09-17 06:47 AM

Jump to solution

Can you explain why these and other Entitlement columns are not available?  I have run into this dozens of times and it is a frustrating aspect of IGL.  I can see the columns on tables but they are not available in the UI.  Very poor design.

0 Likes
Reply
MHelmy
Moderator Moderator
Moderator
‎2020-09-17 07:19 AM

Jump to solution

Hey I actually used your exact SQL query in-lab and it worked for me. The advanced options doesn't have an "ID” attribute to pick, but it does work when you manually type in ID.

 

unifiedents.ID in (

select uents.ID

from avuser.V_ALL_UNIFIED_ENTITLEMENTS uents where uents.EXCLUDE_FROM_NORMAL_ADD_ACCESS = 'N' and uents.CANREQUEST = '1'

)

 

Give it a try on your side and let me know if it works.

View solution in original post

Reply
ChrisPope
Beginner
Beginner
In response to MHelmy
‎2020-09-17 09:39 AM

Jump to solution

Hi Mostafa, thank you!!  Your suggestion is very helpful!!!

I tested this out quickly in our non-Prod environment and it seems to work great!  I tested it both with an Application that has EXCLUDE_FROM_NORMAL_ADD_ACCESS = 'Y' as well as an Application that that has it set to 'N' but the uents.CANREQUEST = '0' and it seems to exclude both scenarios.  This is fantastic news for us and I appreciate you taking the time to understand the issue we faced and coming up with a fix!

Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.