AnsweredAssumed Answered

Role Missing Entitlements Rule Creates Duplicate Requests

Question asked by Chris Pope on Sep 9, 2020
Latest reply on Sep 11, 2020 by Chris Pope

We are on IGL  7.1.1 P05 HF02 and are using Roles.

 

Issue:

IGL Roles have "Missing Required Entitlements", some if which are manually-provisioned Entitlements.  The "Role Missing Entitlements Rule" doesn't check for existing requests before it creates duplicate requests to provision the missing entitlements.

 

Explanation:

We noticed that for some reason (and why this is even happening is beyond my comprehension) users who are Role Members are not being provisioned all of the Role Entitlements.  This is evident by looking at the Role Analytics tab under the "Missing Required Entitlements" section where Role Members and their missing Role Entitlements are listed...again...how this is even happening is a mystery to me.

In order to "fix" this, IGL has the "Role Missing Entitlements" rule-type, which we have created in our non-Production environment.  We have it configured to "Create change requests to add access" and "Run after any collection". 

 

During testing we noticed that if a the Rule is run against a Role which has manually-provisioned Entitlements which are among the "Missing Required Entitlements" a situation arises where a request is created and assigned for manual fulfillment, which can take hours or days to fulfill.  In the meantime (aka before fulfillment and completion of the first change request) the Rule is run again due to a collection.  This results in a second request being created that is a duplicate of the first request...meaning the same manually-provisioned Entitlements that was in the first request is also in the second request. 

 

We have dozens of collections happening daily which would cause this Rule to also run dozens of times daily, resulting in dozens of duplicate requests being created and dozens of duplicate manual-fulfillment activities.  We considered only running the Rule daily but that would likely result in the same duplication of requests and manual activities.

 

I don't understand how the "Missing Required Entitlements" even occur...this seems contrary to one of the basic benefits of using Roles...namely provisioning ALL the access that is contained in the Role to ALL the Role Members.  It seems their is a bug in IGL that prevents this from happening and instead of fixing the bug, the "Role Missing Entitlements" rule-type was created but unfortunately not a lot of thought and testing went into it.

 

Has anyone experienced this and if so, have you come up with a solution?

Outcomes