This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

How user selection and custom account attribute filters work in User Access Reviews in RSA Identity Governance and Lifecycle

Article Number

000035904

Applies To

RSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: All
 

Issue

If we have a User Access Review where the user selection has a filter to include users in the review based on a custom account attribute:
 
Image descriptionImage description
 
Image descriptionImage description

The filter does not seem to work correctly for all users.

In the example below you can see the review result is including one user whose Account Status=LOCKED. Ideally, the user should not have been included in the review result.
 
Image descriptionImage description

Resolution

The User Selection and Contents tab in review are two distinct steps. If a user has an account in the desired business source that should be excluded based on the account attributes but has another account in a different business source that shouldn't be excluded, they will be included in the review. If the subsequent content (access) review restricts the entitlements to the desired business source, then that account that was intended to be excluded will be included in the review.

As shown below the user molly is included in the review because she has an account in another business source whose status is not LOCKED.

Image descriptionImage description

One option here is to use an advanced expression to select the users to include that matches the business source(s) used in the access step: 

users.id in accounts (accounts."Account Status"<>'LOCKED' and accounts."Application Name"='DAMS') .

 

Image descriptionImage description

After using the advanced filter you can see the account is excluded from review result.

Image descriptionImage description

Notes

An enhancement is filed to filter the access by account attributes rather than filtering during the user selection. Currently, the only way to filter by account in this access review step (after the user selection step) by excluding the entitlements granted from disabled accounts. The plan of the enhancement is to replace this specific filter with a more flexible search-expression builder, where we could filter on more than just disabled accounts but instead any account attributes.

 

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 01:52 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.