AnsweredAssumed Answered

Rule violation for Parent Business Roles

Question asked by Volodymyr Melnyk on Oct 16, 2019
Latest reply on Apr 24, 2020 by Craig Ramsay

Like • Show 0 Likes0
Comment • 4

Dears,

Please kindly advise how a violation rule should be setup to avoid triggering non-direct members as violation in business roles.

The idea is to have a list of people who dont match a rule membership for all roles. But it seems that rule logic doesn't understand hierarchy (Parent-Child).

Type:

Role Membership Rule Difference

Rule Set:

JML

Last Executed:

10/16/19 8:02 AM

Condition:

Verify that any users who are members not matching the membership rule for any roles

Actions:

Send email to the following users:

For instance, we have roles in hierarchy. And when I run the rule I get a violation with a list of users from Role2-Role5 for HR Management Business Role.

Hierarchy:

HR Management (code1)

HR role2 (code2)

HR role3 (code3)

Internal Communications (code4)

Recruitment (code4)

HR role5 (code5)

Moreover, such business roles are displayed on Users access tab as directly entitled, but according to the logic they should be visible only in ALL

The same behavior is for rule Type: Role Missing Entitlements. RSA IGL based on that rule tries to grant missing access to users, but it is already granted through child roles.

Craig Ramsay

Apr 24, 2020 9:25 AM

Correct Answer

Got it.

So Roles are applied to a user base based on the roles they have and this is flat, meaning direct and indirect (hierarchical) roles are applied the same.

As of now the capability to limit the scope of the Rule to directly assigned Roles does not exist. This feels like a good candidate for submission on the Ideas Forum: RSA Ideas for RSA Identity Governance & Lifecycle

What you have done in updating the Membership Rules to take into consideration all team codes below will resolve the false positive violations you were seeing. This does add an overhead to maintaining your roles though as you have said.

A slightly less resource intensive solution would be to include the Department value of the staff that all these roles belong to in the membership rule. This means all the users would match the Membership rule regardless of inheritance. This can work on multiple layers of role hierarchy if the data exists in your HR feed - for example you collect Department, Sub Division and Team Code from HR would mean that you could capture the hierarchy within your membership rules.

If not, maintaining all the team codes under the Parent role in that Membership Rule is the only option to resolve your issue for now. I would probably recommend turning off the role hierarchy meantime unless you find it useful to alert you when HR change their structure without notifying your IAM function.

See the reply in context

No one else had this question

Outcomes

Jamie Pryer

Mar 11, 2020 2:38 PM

Hey!

did you see the latest webinar with Mostafa Helmy found here: RSA Identity Governance & Lifecycle Webinar #7 - Feb 2020: Recording and Presentation

i think this might help with what you need to do in v7.2x?

Actions

Craig Ramsay

Apr 23, 2020 11:25 AM

Hi Volodymyr,

Just want to confirm the use case you are describing here.

You have the HR Management Role that is the parent role of the other 5 roles listed and the membership rule of that role is something like Department = 'HR Management'.

Because roles 2-5 are child roles of HR Management role, members of these roles who match the appropriate membership rules are inherited members of HR Management Role but do not match the HR Management role's membership rule.

All of these users are then showing as violations of the HR Management Role rule but are inheriting the role through Parent-Child relationship as you wanted/expect?

Actions

Volodymyr Melnyk @ Craig Ramsay on Apr 24, 2020 8:06 AM

Hi Craig,

The thing was fixed by adding team codes to membership rule of all roles below in structure to roles above. But I think it should work automatically based on inheritance rules and not based on membership rules. As it requires too many actions when you move one team from one department to another department. When you do that you need to make sure that membership rules were also changed in addition to parent/child relationship changes.

Thanks & BR,

Volodymyr

Actions

Craig Ramsay

@ Volodymyr Melnyk on Apr 24, 2020 9:25 AM

Got it.

So Roles are applied to a user base based on the roles they have and this is flat, meaning direct and indirect (hierarchical) roles are applied the same.

Actions

4 Replies

Jamie Pryer Mar 11, 2020 2:38 PM
Mark Correct
Correct Answer
Hey!
did you see the latest webinar with Mostafa Helmy found here: RSA Identity Governance & Lifecycle Webinar #7 - Feb 2020: Recording and Presentation

i think this might help with what you need to do in v7.2x?
Like • Show 0 Likes0
Actions
Craig Ramsay Apr 23, 2020 11:25 AM
Mark Correct
Correct Answer
Hi Volodymyr,

Just want to confirm the use case you are describing here.

You have the HR Management Role that is the parent role of the other 5 roles listed and the membership rule of that role is something like Department = 'HR Management'.

Because roles 2-5 are child roles of HR Management role, members of these roles who match the appropriate membership rules are inherited members of HR Management Role but do not match the HR Management role's membership rule.

All of these users are then showing as violations of the HR Management Role rule but are inheriting the role through Parent-Child relationship as you wanted/expect?
Like • Show 0 Likes0
Actions
- Volodymyr Melnyk @ Craig Ramsay on Apr 24, 2020 8:06 AM
  Mark Correct
  Correct Answer
  Hi Craig,
  
  The thing was fixed by adding team codes to membership rule of all roles below in structure to roles above. But I think it should work automatically based on inheritance rules and not based on membership rules. As it requires too many actions when you move one team from one department to another department. When you do that you need to make sure that membership rules were also changed in addition to parent/child relationship changes.
  
  Thanks & BR,
  Volodymyr
  Like • Show 0 Likes0
  Actions
  - Craig Ramsay @ Volodymyr Melnyk on Apr 24, 2020 9:25 AM
    Unmark Correct
    Correct Answer
    Got it.
    
    So Roles are applied to a user base based on the roles they have and this is flat, meaning direct and indirect (hierarchical) roles are applied the same.
    
    As of now the capability to limit the scope of the Rule to directly assigned Roles does not exist. This feels like a good candidate for submission on the Ideas Forum: RSA Ideas for RSA Identity Governance & Lifecycle
    
    What you have done in updating the Membership Rules to take into consideration all team codes below will resolve the false positive violations you were seeing. This does add an overhead to maintaining your roles though as you have said.
    
    A slightly less resource intensive solution would be to include the Department value of the staff that all these roles belong to in the membership rule. This means all the users would match the Membership rule regardless of inheritance. This can work on multiple layers of role hierarchy if the data exists in your HR feed - for example you collect Department, Sub Division and Team Code from HR would mean that you could capture the hierarchy within your membership rules.
    
    If not, maintaining all the team codes under the Parent role in that Membership Rule is the only option to resolve your issue for now. I would probably recommend turning off the role hierarchy meantime unless you find it useful to alert you when HR change their structure without notifying your IAM function.
    Like • Show 0 Likes0
    Actions

Rule violation for Parent Business Roles

Outcomes

Related Content

Recommended Content