Applying role changes in RSA Identity Governance & Lifecycle takes longer to complete when Generate Indirect Entitlements is enabled. This is true even if there are no entitlements or members to be added to the role, that is, even when there are no indirect entitlements to be generated.
Generate Indirect Entitlements is enabled by default and can be found by looking at any request workflow (Requests > Workflows > name of workflow). Open the workflow and look at the right-hand side under Properties. Under Request Settings, there is a setting called Generate Indirect Entitlements, which is checked by default.
In the case of roles, this setting generates all the indirect entitlements associated with the role for all members of the role. For example, if you create a role with member John Smith and have an existing entitlement named Bug Create, and John does not already have the Bug Create entitlement, a change request will be generated to grant him that privilege. If you do not have Generate Indirect Entitlements enabled, then when you apply changes to the role, a change request to add Bug Create to John Smith will NOT be created. In this case, it is clear why having Generate Indirect Entitlements enabled takes longer: creating a change request adds overhead.
What about in the case where there are neither members nor entitlements that are part of the role? Why does applying role changes still take longer when Generate Indirect Entitlements is enabled but no change requests need to be created?
This is because additional code is run. For example, if you look at the screenshot below, you can see the difference in work needed when Generate Indirect Entitlements is enabled. In this example, two roles were created, each with zero members and zero entitlements. One role was created (apply role changes) with Generate Indirect Entitlements disabled. The tasks associated with this role are highlighted in yellow. The other role was created (apply role changes) with Generate Indirect Entitlements enabled. The tasks associated with this role are highlighted in pink. Note that the tasks outlined in blue are the additional tasks that must be done when Generate Indirect Entitlements is enabled.
If you are going to be creating roles with no members or entitlements, disable Generate Indirect Entitlements in the workflow associated with creating roles.
- The workflow associated with change requests created through roles is defined under Requests > Workflows.
- Edit the workflow used above to disable Generate Indirect Entitlements (Requests > Workflows > Request > name of workflow).