RSA Identity Governance and Lifecyle users who do not belong to role can not be identified
Originally Published: 2016-12-29
Article Number
Applies To
RSA Product/Service Type: Access Certification Manager
RSA Version/Condition: 6.9.1 P18
Issue
In 6.9.1 P18, we display a message that x users do not belong to the role, but they are not listed with a Revoke button, although they are directly entitled, and also entitled indirectly through a role or group.
This is different behavior from versions prior to P18, where those users are listed in the Directly Entitled tab with a Remove action button.
In P18, you would see this behavior:
Resolution
- If user is added to a role directly, then the users will be displayed as members in the Directly Entitled category.
- If user is associated to a group or a role and that group/role is added as entitlements to the role, then the user will not be displayed as member in the Directly Entitled category. The user is considered as indirect and will be displayed in All category without any action (that is, without the Remove button) only.
- If user is added to a role directly and also added via group to the role, then the user will not be displayed as member in the Directly Entitled category. The user is considered as indirect and will be displayed in All category without any action (that is, without the Remove button) only.
- The action button will not be available for direct members in the All category if they match in the above use case conditions.
