Why automatically generated revocation requests do not add back revoked requests on a revocation date in RSA Identity Governance and Lifecycle
Originally Published: 2017-12-13
Article Number
000057227
Applies To
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: All
Issue
You have one of the following use cases:

   I. Change request containing both add and revoke items

  • A change request is triggered to add an entitlement (E1=pbciadmin) via Requests > Requests > Create Request > Add Access and to remove an existing entitlement (E2=1005-1-pbci : admin) via Requests > Requests > Create Request > Remove Access.
  • The request is submitted with a revocation date.
  • The automatic change request contains only the removal of E1, but not the addition of E2.

Why doesn't the automatic revocation request add back entitlement E2, the entitlement that was revoked, when the revocation date occurs?

   II. Change request containing only revoke item

  • A change request is triggered to remove an existing entitlement (E3=1005-1-pbci : readonly).
  • The request is submitted with a revocation date.
  • The automatic request does not contain any change item.

Why isn't entitlement E3 added back on the revocation date via the automatic request?
       
Resolution
This is the expected behavior of the product. The purpose of the revocation date is to tell RSA Identity Governance and Lifecycle when to revoke an entitlement, not when to add one back. The word revocation means to revoke or remove, so a revocation date implies revoke/remove only. The field is there, but it should not be used when revoking an entitlement, as it does not make sense to revoke a revoked entitlement.