Due to the way business roles are evolving in our organization, users can be both a member of a business role and of the technical role that is an entitlement of the business role.
This causes strange behavior in the request process. The 2 main issues are:
A) As soon as the user is a member of the business role, there is no way you can remove the user as a member of the technical role.
B) When a membership rule or a request removes the user from the business role, the system generates a request to remove the business role, the technical role and entitlement c and group d, but after the request is fulfilled the user is still a member of the technical role b, with the entitlements missing.
Issue A and B contradict each other.
If the system is "smart" and understands that the technical role is indirectly entitled from the business role and should not be removed, you would expect it to understand that if I remove the business role the technical role should also be removed. That is not the case and I need to create a second request to remove the technical role.
On the other hand, if the system knows that the tech-role is both directly and indirectly entitled and should not be removed from the user when the business role is removed, it should also know that the entitlements that are part of the tech-role should not be removed because the user is still a member of the tech-role.
Adding to that, if the system assumes the user is both directly and indirectly entitled to the technical role, why is there no option to remove the direct entitlement without removing the user from the business role first?
Question:
- What is the expected way the system should handle this situation?
- If this behavior is expected, what is the logic behind this?
- Is there a way to change this? In other words, how can I bring back the option to remove the directly entitled technical role without removing the user from the business role, and have the request workflow not generate requests to remove entitlements when the user is still a member of the technical role?
In short, A is expected behaviour by design while B sounds like a defect to me.
There are a lot of Role processing issues discovered and fixed recently in the latest patch (Fixed Issues in 7.1.1 Patch 5 ref: Role Management section). If you are not already on that patch, I would recommend you upgrade to get those issues fixed.
If you still face similar problems on that version, then I suggest you log a case with RSA Support to further investigate this.