Dears,
Please kindly advise how a violation rule should be set up to avoid triggering non-direct members as violations in business roles.
The idea is to have a list of people who don't match a rule membership for all roles. But it seems that the rule logic doesn't understand hierarchy (Parent-Child).
Type: Role Membership Rule Difference
Rule Set: JML
Last Executed: 10/16/19 8:02 AM
Condition: Verify that any users who are members not matching the membership rule for any roles
Actions:
For instance, we have roles in a hierarchy. And when I run the rule I get a violation with a list of users from Role2 to Role5 for the HR Management business role.
Hierarchy: [image of the role hierarchy not available]
Moreover, such business roles are displayed on the user's Access tab as directly entitled, but according to the logic they should be visible only under ALL.
The same behavior occurs for the rule type Role Missing Entitlements: based on that rule, RSA IGL tries to grant missing access to users, but it is already granted through child roles.
Got it.
So roles are applied to a user based on the roles they have, and this is flat, meaning direct and indirect (hierarchical) roles are applied the same.
As of now the capability to limit the scope of the Rule to directly assigned Roles does not exist. This feels like a good candidate for submission on the Ideas Forum: RSA Ideas for RSA Identity Governance & Lifecycle
What you have done in updating the membership rules to take into consideration all team codes below will resolve the false-positive violations you were seeing. This does add overhead to maintaining your roles, though, as you have said.
A slightly less resource-intensive solution would be to include the Department value of the staff that all these roles belong to in the membership rule. This means all the users would match the membership rule regardless of inheritance. This can work on multiple layers of role hierarchy if the data exists in your HR feed; for example, collecting Department, Sub Division and Team Code from HR would mean that you could capture the hierarchy within your membership rules.
If not, maintaining all the team codes under the parent role in that membership rule is the only option to resolve your issue for now. I would probably recommend turning off the role hierarchy in the meantime, unless you find it useful to alert you when HR change their structure without notifying your IAM function.
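The following is an added illustration, not part of either post and not RSA IGL code or its rule syntax. It simulates the flat membership evaluation the answer describes (direct members plus everyone inherited from child roles) and runs the three parent-role membership rules discussed in the thread against it: the original rule that only lists the parent's team code, the rule that enumerates every child team code, and the rule keyed on a shared Department value. The users, team codes, department values and the two-child HR Management hierarchy are all constructed for the example.

```python
"""Simulated 'Role Membership Rule Difference' over a role hierarchy.

Constructed example: this is not RSA IGL code and does not use its rule
syntax; it only models the flat (direct + inherited) membership evaluation
described in the thread and the two membership-rule fixes proposed there.
All users, roles, team codes and the HR Management hierarchy are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    """One row of a constructed HR feed."""
    name: str
    department: str
    team_code: str


@dataclass
class Role:
    """A business role: a membership rule plus child roles.

    membership_rule maps a User attribute to the set of values allowed for it;
    a user matches only if every listed attribute is in its allowed set.
    """
    name: str
    membership_rule: dict
    children: list = field(default_factory=list)


# Constructed HR feed (hypothetical names and codes).
USERS = [
    User("alice", "HR", "HR-MGMT"),
    User("bob", "HR", "HR-PAY"),
    User("carol", "HR", "HR-REC"),
    User("dave", "FIN", "FIN-AP"),
]

# Direct role memberships: role name -> user names assigned to that role itself.
DIRECT = {
    "HR Management": {"alice"},
    "Role2": {"bob"},
    "Role3": {"carol"},
}


def build_hierarchy(parent_rule):
    """HR Management with two child roles; the parent's rule is the variable under test."""
    role2 = Role("Role2", {"team_code": {"HR-PAY"}})
    role3 = Role("Role3", {"team_code": {"HR-REC"}})
    return Role("HR Management", parent_rule, [role2, role3])


def effective_members(role, direct):
    """Flat membership: direct members plus the members of every descendant role."""
    members = set(direct.get(role.name, set()))
    for child in role.children:
        members |= effective_members(child, direct)
    return members


def matches_rule(user, rule):
    """True when the user satisfies every attribute constraint in the rule."""
    return all(getattr(user, attr) in allowed for attr, allowed in rule.items())


def membership_rule_difference(role, users, direct):
    """Users counted as members of `role` (flat) who do not match its membership rule."""
    by_name = {u.name: u for u in users}
    return sorted(n for n in effective_members(role, direct)
                  if not matches_rule(by_name[n], role.membership_rule))


# The three parent-role rule variants discussed in the thread.
RULE_PARENT_ONLY = {"team_code": {"HR-MGMT"}}                         # original: false positives
RULE_ALL_TEAM_CODES = {"team_code": {"HR-MGMT", "HR-PAY", "HR-REC"}}  # enumerate child codes
RULE_DEPARTMENT = {"department": {"HR"}}                              # shared HR attribute


def scenarios(direct=DIRECT):
    """Violations produced by each rule variant against the same memberships."""
    return {
        label: membership_rule_difference(build_hierarchy(rule), USERS, direct)
        for label, rule in [("parent team code only", RULE_PARENT_ONLY),
                            ("all team codes", RULE_ALL_TEAM_CODES),
                            ("department", RULE_DEPARTMENT)]
    }


if __name__ == "__main__":
    for label, violators in scenarios().items():
        print(f"{label:22s}: {violators or 'no violations'}")
    # A genuine misplacement is still caught: dave (FIN) directly added to Role2.
    print("department, dave in Role2:",
          scenarios({**DIRECT, "Role2": {"bob", "dave"}})["department"])
```

The parent-only rule reports bob and carol, who are only inherited members, which is the false positive from the question; both fixes clear it, and the Department rule still flags a user from another department who is added to a child role, so it keeps the control while avoiding per-team-code maintenance.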