AnsweredAssumed Answered

Exclude Entire Application From Add Access And Suggestions not for Role Management

Question asked by Marcel van Kekeren on Feb 19, 2020
Latest reply on Feb 26, 2020 by Marcel van Kekeren

Like • Show 0 Likes0
Comment • 7

On an applicatie and directory level you have the the option to set Exclude Entire Application From Add Access And Suggestions to Yes.

based in the title of the option and the description on the help page you would expect that this would also count for role development. this is not the case. a role owner can still add entitlements from a application that has this option set to yes. .

you could argue that this can be prevented by setting a rule on the role set, but this rule is managed by de role set owner and can easily be removed.

I would expect the option Exclude Entire Application From Add Access And Suggestions to remove the ability to use the application in roles or have a second option to separately configure this.

Without this i have to manually update all roles sets with an entitlements rule with the risk that this rule is removed.

does anybody have the same issue?

Craig Ramsay

Feb 26, 2020 3:51 AM

Correct Answer

Hi Marcel,

I see that both you and Marek would be interested in this functionality being available. Please raise this as an idea (RSA Ideas for RSA Identity Governance & Lifecycle ) to allow others to vote on it too.

Kind regards,
Craig

See the reply in context

1 person had this question

Outcomes

Marek Lotocki Feb 20, 2020 4:50 AM

I think is not the issue, it's application design. If you will find a solution how to block selected entitlements from adding to the roles I will be interested of this solution as well.

1 person found this helpful

Actions

Zoltan Izsak Feb 24, 2020 7:44 AM

I think you can do it workflow level. You can add a sub-workflow to the workflow which handles role changes. The sub-workflow can cancel those changes which would add an entitlement from a black-listed application. Also I think you should send an email to the requestor that the role change was not successful completely.

However, probably RSA would suggest education of role owners instead of adding new logic to the workflows.

1 person found this helpful

Actions

Marcel van Kekeren @ Zoltan Izsak on Feb 25, 2020 11:35 AM

From a technical perspective i understand your point and in a small organization education could potentially work .

But from a usability perspective that is unacceptable.

The process or tool should guide the user in making the right decisions. Imagine a supermarket where you can putt apples in your shopping basket and carry them to the classier only to find out that you are not allowed to take them home. I don’t think giving you a list of items you cannot use before you enter the store will make that experience any better.

Actions

Craig Ramsay

@ Marcel van Kekeren on Feb 26, 2020 3:51 AM

Hi Marcel,

Kind regards,
Craig

1 person found this helpful

Actions

Zoltan Izsak @ Marcel van Kekeren on Feb 26, 2020 5:12 AM

I agree with you, I struggle a lot with configuration.

Also let me emphasize I am not RSA engineer and several times got the answer which suggests education instead of technical solution. In some cases customer can accept it, other cases technical solution is the best way. You know your customer.

1 person found this helpful

Actions

Marcel van Kekeren @ Zoltan Izsak on Feb 26, 2020 9:04 AM

Same here, configuration is a struggle for us.

Support questions or ideas regularly result is advise to implement workarounds because the tool is simple missing basis capabilities

Actions

Marcel van Kekeren Feb 26, 2020 4:25 PM

please vote on my idea: https://community.rsa.com/ideas/3346

Actions

7 Replies

Marek Lotocki Feb 20, 2020 4:50 AM
Mark Correct
Correct Answer
I think is not the issue, it's application design. If you will find a solution how to block selected entitlements from adding to the roles I will be interested of this solution as well.
1 person found this helpful
Like • Show 1 Like1
Actions
Zoltan Izsak Feb 24, 2020 7:44 AM
Mark Correct
Correct Answer
I think you can do it workflow level. You can add a sub-workflow to the workflow which handles role changes. The sub-workflow can cancel those changes which would add an entitlement from a black-listed application. Also I think you should send an email to the requestor that the role change was not successful completely.
However, probably RSA would suggest education of role owners instead of adding new logic to the workflows.
1 person found this helpful
Like • Show 0 Likes0
Actions
- Marcel van Kekeren @ Zoltan Izsak on Feb 25, 2020 11:35 AM
  Mark Correct
  Correct Answer
  From a technical perspective i understand your point and in a small organization education could potentially work .
  
  But from a usability perspective that is unacceptable.
  The process or tool should guide the user in making the right decisions. Imagine a supermarket where you can putt apples in your shopping basket and carry them to the classier only to find out that you are not allowed to take them home. I don’t think giving you a list of items you cannot use before you enter the store will make that experience any better.
  Like • Show 1 Like1
  Actions
  - Craig Ramsay @ Marcel van Kekeren on Feb 26, 2020 3:51 AM
    Unmark Correct
    Correct Answer
    Hi Marcel,
    
    I see that both you and Marek would be interested in this functionality being available. Please raise this as an idea (RSA Ideas for RSA Identity Governance & Lifecycle ) to allow others to vote on it too.
    
    Kind regards,
    Craig
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
  - Zoltan Izsak @ Marcel van Kekeren on Feb 26, 2020 5:12 AM
    Mark Correct
    Correct Answer
    I agree with you, I struggle a lot with configuration.
    Also let me emphasize I am not RSA engineer and several times got the answer which suggests education instead of technical solution. In some cases customer can accept it, other cases technical solution is the best way. You know your customer.
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
    - Marcel van Kekeren @ Zoltan Izsak on Feb 26, 2020 9:04 AM
      Mark Correct
      Correct Answer
      Same here, configuration is a struggle for us.
      
      Support questions or ideas regularly result is advise to implement workarounds because the tool is simple missing basis capabilities
      Like • Show 0 Likes0
      Actions
Marcel van Kekeren Feb 26, 2020 4:25 PM
Mark Correct
Correct Answer
please vote on my idea: https://community.rsa.com/ideas/3346
Like • Show 0 Likes0
Actions

Exclude Entire Application From Add Access And Suggestions not for Role Management

Outcomes

Related Content

Recommended Content