
Rule violation for Parent Business Roles

Question asked by Volodymyr Melnyk on Oct 16, 2019

Dears,

 

Please kindly advise how a violation rule should be set up to avoid triggering non-direct members as violations in business roles.

 

The idea is to have a list of people who don't match a rule membership for all roles. But it seems that the rule logic doesn't understand hierarchy (Parent-Child).

 

Type: Role Membership Rule Difference
Rule Set: JML
Last Executed: 10/16/19 8:02 AM
Condition: Verify that any users who are members not matching the membership rule for any roles
Actions:
  
  • Send email to the following users:

 

For instance, we have roles in a hierarchy. And when I run the rule, I get a violation with a list of users from Role2-Role5 for the HR Management Business Role.

Hierarchy:
 HR Management (code1)
         HR role2 (code2) 
         HR role3 (code3) 
         Internal Communications (code4) 
         Recruitment (code4) 
         HR role5 (code5) 

 

Moreover, such business roles are displayed on the Users access tab as directly entitled, but according to the logic they should be visible only in ALL.

 

The same behavior occurs for rule Type: Role Missing Entitlements. Based on that rule, RSA IGL tries to grant missing access to users, but it is already granted through child roles.
