Applying role changes in RSA Identity Governance & Lifecycle takes longer to complete when Generate Indirect Entitlements is enabled
Originally Published: 2018-05-23
Article Number
Applies To
RSA Version/Condition: 6.9.1+, 7.0.2+
Issue
Generate Indirect Entitlements is enabled by default and can be found by looking at any request workflow (Requests > Workflows > name of workflow). Open the workflow, look at the right-hand side under Properties and under Request Settings, there is a setting called Generate Indirect Entitlements, which is checked by default.
In the case of roles, this setting generates all the indirect entitlements associated with the role to all members of the role. For example, if you create a role with member John Smith and have an existing entitlement namd Bug Create, and John does not already have the Bug Create entitlement, a change request will be generated to grant him that privilege. If you do not have Generate Indirect Entitlements enabled, then when you apply changes to the role, a change request to add Bug Create to John Smith will NOT be created. In this case, it is clear as to why having Generate Indirect Entitlements enabled takes longer. It takes longer because of the overhead of creating a change request.
What about in the case where there are neither members nor entitlements that are part of the role? Why does applying role changes still take longer when Generate Indirect Entitlements is enabled but no change requests need to be created?
This is because additional code is run. For example, if you look at the screenshot below, you can see the difference in work needed when Generate Indirect Entitlements are enabled. In this example, two roles were created each with zero members and zero entitlements. One role was created (apply role changes) with Generate Indirect Entitlements disabled. The tasks associated with this role are highlighted in yellow. The other role was created (apply role changes) with Generate Indirect Entitlements enabled. The tasks associated with this role are highlighted in pink. Note the tasks highlighted in a blue outline are the additional tasks that must be done when Generate Indirect Entitlements is enabled.
Resolution
- Here is where you define the workflow associated with change requests created through roles. (Requests > Workflows)
- Edit the workflow used above to disable Generate Indirect Entitlements (Requests > Workflows > Request > name of workflow).
