Article Number
000039219
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
Issue
Roles in RSA Identity Governance & Lifecycle may be configured so that Role Entitlements are not automatically given to Members of a Role. This is done by disabling the Generate Indirect Entitlements option under REQUEST SETTINGS in the request workflow used for Roles (Requests > Workflows > Request tab > {Workflow name}). The Direct Missing Members column under Roles > Roles > {Role name} > Entitlements tab shows the number of Role Members that are missing Role Entitlements due to this configuration setup. The problem is that this column includes deleted users, terminated users, and Role Members that have been removed from the Role.
Cause
This is a known issue reported in engineering ticket ACM-100944.
Resolution
This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
Workaround
This issue is partially resolved in the following RSA Identity Governance & Lifecycle patches but additional work is necessary to complete the fix as outlined below.
- RSA Identity Governance & Lifecycle 7.1.1 P06
- RSA Identity Governance & Lifecycle 7.2.0 P02
The fix is to show only active users and change the column name from
Direct Members Missing to
Direct Active Members Missing.
To implement the fix:
- Install one of the above patches.
- Create a Provisioning-Termination Rule that revokes all user entitlements immediately that are associated with Roles. This forces the recalculation of Role Metrics for terminated users. Unification will automatically recalculate Role Metrics for deleted users. This step is only necessary for terminated users.
Notes
The partial fix is also available in RSA Identity Governance & Lifecycle 7.2.0 P01 but it is recommended to go to 7.2.0 P02 to avoid the issues described in the following RSA Knowledge Base Articles:
