Please kindly advise how a violation rule should be set up to avoid triggering non-direct members as violations in business roles.
The idea is to have a list of people who don't match a rule membership for all roles. But it seems that the rule logic doesn't understand hierarchy (Parent-Child).
Type: Role Membership Rule Difference
Last Executed: 10/16/19 8:02 AM
Condition: Verify that any users who are members not matching the membership rule for any roles
For instance, we have roles in a hierarchy. And when I run the rule I get a violation with a list of users from Role2-Role5 for the HR Management Business Role.
HR Management (code1)
    HR role2 (code2)
    HR role3 (code3)
    Internal Communications (code4)
    HR role5 (code5)
Moreover, such business roles are displayed on the user's Access tab as directly entitled, but according to the logic they should be visible only in ALL.
The same behavior occurs for the rule Type: Role Missing Entitlements. RSA IGL, based on that rule, tries to grant missing access to users, but it is already granted through child roles.
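A small model of the behaviour described above, added here as an illustration and not RSA IGL's own logic: the role names follow the post, while the membership rule predicate, the user attributes and the user names are constructed assumptions. It contrasts a check that evaluates every effective (inherited) member against a check limited to direct members.

```python
# Added example (not RSA IGL code): roles in a parent-child hierarchy with a membership
# rule modelled as a predicate over user attributes; compares the two evaluation scopes.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Role:
    name: str
    # Hypothetical membership rule: predicate over a user's attributes (None = no rule)
    rule: Optional[Callable[[Dict[str, str]], bool]] = None
    direct_members: Set[str] = field(default_factory=set)
    children: List["Role"] = field(default_factory=list)

def effective_members(role: Role) -> Set[str]:
    """Direct members plus everyone inherited from child roles, recursively."""
    members = set(role.direct_members)
    for child in role.children:
        members |= effective_members(child)
    return members

def rule_difference(role: Role, users: Dict[str, Dict[str, str]], direct_only: bool) -> Set[str]:
    """Users of `role` not satisfying its rule; direct_only=False mimics the hierarchy-unaware case."""
    if role.rule is None:
        return set()
    scope = role.direct_members if direct_only else effective_members(role)
    return {u for u in scope if not role.rule(users[u])}

# Constructed sample data modelled on the hierarchy in the post.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"title": "HR Manager"},        # direct member, satisfies the rule
    "dave":  {"title": "Intern"},            # direct member, does NOT satisfy the rule
    "bob":   {"title": "HR Analyst"},        # member only via HR role2
    "carol": {"title": "Comms Specialist"},  # member only via Internal Communications
}

HR_MANAGEMENT = Role(
    "HR Management (code1)",
    rule=lambda u: u["title"] == "HR Manager",
    direct_members={"alice", "dave"},
    children=[
        Role("HR role2 (code2)", direct_members={"bob"}),
        Role("HR role3 (code3)"),
        Role("Internal Communications (code4)", direct_members={"carol"}),
        Role("HR role5 (code5)"),
    ],
)

# Hierarchy-unaware scope flags bob and carol alongside dave; direct-only scope flags only dave.
HIERARCHY_UNAWARE = rule_difference(HR_MANAGEMENT, USERS, direct_only=False)
DIRECT_ONLY = rule_difference(HR_MANAGEMENT, USERS, direct_only=True)
```

Only `dave`, who is assigned to HR Management directly and fails its rule, is a genuine violation; `bob` and `carol` appear in the hierarchy-unaware result purely because their child roles roll up into the parent.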