SoD rule error
A customer has applications where a user can have only one entitlement in a time. I have prepared a custom form with entitlement field (select only one entitlement) but also want to specify an SoD rule to handle administration errors. I figured a rule where all the entitlements (within the relevant application) are segregated from all other entitlements. Implemented the rule and faced the following error (note that on the screenshot there is even a more simple rule):
The error message in more readable format:
"The rule is invalid since the entitlement specification has 1 common entitlements between entitlement set 1 and 2. Please configure the entitlement specification again. Do not include the same entitlements in each entitlement set."
The error messages states that there is 1 common entitlement in the two entitlement sets but they were defined in order to not have the same entitlement.
Anybody can me explain what did I do wrong?
- Community Thread
- Forum Thread
- Identity G&L
- Identity Governance & Lifecycle
- RSA Identity
- RSA Identity G&L
- RSA Identity Governance & Lifecycle
- RSA Identity Governance and Lifecycle
- RSA IGL
Unfortunately this is another case. I can open my definition, even can test it successfully (returns correct result) but the rule state is still invalid and cannot be processed.
The main problem is that the error message is a false statement, the two entitlement sets have no common entitlements.
As per Boris's response, if you update the below setting you'll be able to process the rule.
However, assuming the screenshot provided in your original post is the rule you're referring to and looking at the error message "Do not include the same entitlements in each entitlement set" I'd argue this is working as expected.
The rule is valid if I use the same logic on application roles, not groups. I did not try entitlements or roles.
Also I found a definitely non-supported workaround. I changed the rule's status in database to "active" (t_av_rules and t_av_rule_versions). Back to UI the rule was active, I could process it (with correct result). When changing anything the rule becomes invalid.
I think some rule examining logic fails in group case.
One more note to Boris: when ticking the "Allow execution of segregation of duties rules with common entitlements" checkbox even the group related rules can be activated without database hacking.
It seems you already know this, but making changes directly to the DB is not supported and definitely not recommended.
I'm confused as to why you even needed to make that direct change when the tick box (above) provides the functionality you require?
If you believe the error message received is incorrect or inconsistent with other settings, I'd advise raising a case with Support for further investigation.
Tried to tick the checkbox but the rule was still invalid. Instead of recreating the rule I first tried the backend hack. After trying new rule with the checkbox ticked it is definitely the solution.
Anyway I have already raised a support ticket. Still I think this is bug.