Entitlements are removed from or added to a Role when the Role Set is changed in RSA Identity Governance & Lifecycle
4 years ago
Originally Published: 2018-04-26
Article Number
000041792
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.0, 7.2.0
 
Issue
After moving a role to a different role setting and committing the role change, additional (and unexpected) change requests are generated to add or remove entitlements from the role. 

Example

  1. Create a role with a few entitlements and add the role to the Admin Roles role set.  Wait for the role to move to a committed state.
User-added image 
User-added image
  1. Edit the role and change the role set to a different role set. 
  2. Click Apply Changes and note that a change request is generated to remove some entitlements from the role and add already existing entitlements to the role.
User-added image
  1. Wait for the role to move to a committed state.
User-added image
  1. Check the entitlements in the role and note that there are missing entitlements from the role.
User-added image
Cause
This issue may occur when a role is moved from one role set to another. Although the role is correctly moved to the new role set, any change requests pending for the role at the time the role is moved may not be updated correctly.  This can cause those change requests to become orphaned and these may not be correctly deleted once the role commits have been completed. This can cause a variety of symptoms such as change requests being processed multiple times for a role, existing entitlements re-added to the role, and existing entitlements being removed from the role.

This is a known issue in the following versions and has been reported in engineering tickets ACM-86112 and ACM-83273:
  • RSA Identity Governance & Lifecycle 7.0.1 P04
  • RSA Identity Governance & Lifecycle 7.0.2 P02
  • RSA Identity Governance & Lifecycle 7.1.0 
Resolution
This issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P03. This version prevents the issue from occurring again and has a cleanup script that runs when the patch is applied to cleanup any existing occurrences of this issue.

NOTE: This issue is also resolved in the following older RSA Identity Governance & Lifecycle versions and patch levels. However, the necessary cleanup scripts are not available in these older versions. These versions will prevent this issue from recurring but will not cleanup what has already occurred.
  • RSA Identity Governance & Lifecycle 7.0.2 P07
  • RSA Identity Governance & Lifecycle 7.1.0 P01
  • RSA Identity Governance & Lifecycle 7.1.1

 
Workaround
Avoid moving roles from one role set to another until you can patch.

The following script may be used to identify if you have change requests associated with a role set change that need to be corrected.   
  
SELECT RV.ROLEVERSION_ID AS ID 
FROM (
  SELECT RVER.ROLE_ID
  FROM AVUSER.T_AV_ROLEVERSIONS RVER
  JOIN AVUSER.T_AV_CHANGE_REQUESTS CR ON RVER.CR_ID = CR.ID
  WHERE CR.CURRENT_STATE IN ('ER','RJ','CA','CO')
) AFFECTED_ROLES
JOIN AVUSER.T_AV_ROLEVERSIONS RV ON RV.ROLE_ID = AFFECTED_ROLES.ROLE_ID;

If this script identifies any records, contact RSA Identity Governance & Lifecycle Support and mention this RSA Knowledge Base Article ID 36303 for reference.RSA Identity Governance & Lifecycle Support can provide guidance on cleanup and remediation. 
 

Related Articles

Trending Articles

Don't see what you're looking for?