One of the strengths of the RSA Identity Governance and Lifecycle offering is the ability to model groupings of user access using our local role management solution. This provides the capability of combining different types of entitlements (access) that are collected from various end points.  These local roles, whether they are defined as business, technical or global roles, allow you to customize the necessary access that is required for different jobs in an organization.  These become the building blocks of access by allowing you to combine various local roles that will fully define the access needed for your user population.

A local role is different from a collected role.  A collected role, like other collected information, is access obtained from an endpoint which maintains that information externally from our system.  Like any collected items, a collected global role is suitable to use as an entitlement in a local role.  A potential problem can occur when a user attempts to add a local role as an entitlement to a collected role.  The endpoint that maintains the collected role definition doesn’t know anything about our internal (local) roles – which contain entitlements from a number of other types and sources, including other local roles and local entitlements.  This would make provisioning of the information difficult, if not impossible, and extremely confusing.

At this time, there are areas of the product which inadvertently allow the addition of local to collected roles.  This is not intentional, and we plan to remove that capability in future releases.