Data Resource Access Reviews are a good way to review access to file shares because they combine accounts of users and orphan accounts, something that is not possible in a user access review.
Recently we noticed that the behavior of the review differs per folder. In some folders the review shows the individual accounts; on other folders the review shows the groups but not the individual members.
Scenario 1) Accounts can be removed
Some folders show the individual accounts. The group is then shown as the entitlement path but not as a separate line item that can be removed.
The result is you can only remove the members of the group, not the group from the resource.
Scenario 2) Groups can be removed
Other folders don't show the individual accounts; only a line item is shown for the group.
The result is you can remove the group from the folder but not the members from the group.
Testing results
After some testing it seems that groups that give access to multiple folders only show the line item for the group, and groups that give access to only one folder are expanded into the accounts that are members of this group.
We have not noticed this behavior in previous versions (running 7.2P4 coming from 7.0.1).
Some Questions:
- Is this the expected behavior we see, or is there another reason why the groups are not always expanded?
- Does group nesting have an impact on this behavior?
- How can we make the system show the individual accounts for groups that give access to multiple folders?
- How can we make the system show a line item for groups even if it only gives access to one folder?
- Is it correct that this behavior changed with the upgrade to version 7.2?
Sorry you were not able to get satisfactory assistance from the community.
I recommend you open an RSA Customer Support case for this issue so we can work with you directly.