This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Identity Governance & Lifecycle Discussions

Discussions about RSA Identity Governance & Lifecycle.
ZoltanIzsak1
Beginner
Beginner
‎2017-11-23 08:23 AM

SoD rule error

Dear All,

 

A customer has applications where a user can have only one entitlement in a time. I have prepared a custom form with entitlement field (select only one entitlement) but also want to specify an SoD rule to handle administration errors. I figured a rule where all the entitlements (within the relevant application) are segregated from all other entitlements. Implemented the rule and faced the following error (note that on the screenshot there is even a more simple rule):

 

pastedImage_2.png

 

The error message in more readable format:

"The rule is invalid since the entitlement specification has 1 common entitlements between entitlement set 1 and 2. Please configure the entitlement specification again. Do not include the same entitlements in each entitlement set."

 

The error messages states that there is 1 common entitlement in the two entitlement sets but they were defined in order to not have the same entitlement.

 

Anybody can me explain what did I do wrong?

 

Zoltan

Labels (1)
Labels
0 Likes
Reply
6 Replies
BorisLekumovich
Frequent Contributor Frequent Contributor
Frequent Contributor
‎2017-11-23 05:10 PM

Take a look at the following KB article - https://community.rsa.com/docs/DOC-73324 

Reply
ZoltanIzsak1
Beginner
Beginner
In response to BorisLekumovich
‎2017-11-24 08:38 AM

Unfortunately this is another case. I can open my definition, even can test it successfully (returns correct result) but the rule state is still invalid and cannot be processed.

The main problem is that the error message is a false statement, the two entitlement sets have no common entitlements.

0 Likes
Reply
CliveMorrish
Moderator Moderator
Moderator
In response to ZoltanIzsak1
‎2017-11-24 09:12 AM

Hi Zoltan,

 

As per Boris's response, if you update the below setting you'll be able to process the rule.

 

pastedImage_1.png

 

However, assuming the screenshot provided in your original post is the rule you're referring to and looking at the error message "Do not include the same entitlements in each entitlement set" I'd argue this is working as expected.

Reply
ZoltanIzsak1
Beginner
Beginner
‎2017-11-24 09:42 AM

Some updates:

 

The rule is valid if I use the same logic on application roles, not groups. I did not try entitlements or roles.

Also I found a definitely non-supported workaround. I changed the rule's status in database to "active" (t_av_rules and t_av_rule_versions). Back to UI the rule was active, I could process it (with correct result). When changing anything the rule becomes invalid.

I think some rule examining logic fails in group case.

 

One more note to Boris: when ticking the "Allow execution of segregation of duties rules with common entitlements" checkbox even the group related rules can be activated without database hacking.

0 Likes
Reply
CliveMorrish
Moderator Moderator
Moderator
‎2017-11-24 11:05 AM

It seems you already know this, but making changes directly to the DB is not supported and definitely not recommended.

 

I'm confused as to why you even needed to make that direct change when the tick box (above) provides the functionality you require?

 

If you believe the error message received is incorrect or inconsistent with other settings, I'd advise raising a case with Support for further investigation.

0 Likes
Reply
ZoltanIzsak1
Beginner
Beginner
In response to CliveMorrish
‎2017-11-24 11:33 AM

Tried to tick the checkbox but the rule was still invalid. Instead of recreating the rule I first tried the backend hack. After trying new rule with the checkbox ticked it is definitely the solution.

Anyway I have already raised a support ticket. Still I think this is bug.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.