Risk Definition in Portal not able to stop user access request due to violation
Article ID: 123327
Products
CA Identity Manager, CA Identity Governance, CA Identity Portal
Issue/Introduction
The scenario is a Business Policy Rule (BPR) configured in Identity Governance to prohibit the assignment of Role1 and Role2 to the same user (segregation of duties). Identity Portal has a risk definition configured to use the Identity Governance BPR. While a request to assign both Role1 and Role2 to a user fails in Identity Governance, the same request succeeds in Identity Portal.
Environment
Identity Portal 14.x, Identity Governance 14.x
Cause
The reason for this is that Identity Portal checks each role separately, as each role is a separate entity. At the time of the request, the user does not yet have Role2 when Role1 is checked, and does not yet have Role1 when Role2 is checked, so the BPR allows each role individually. It is only the combination of the two that is prevented, and that combination is never evaluated when the roles are checked one at a time.
Resolution
It is necessary to add another condition to the scope of the risk definition so that the rule prevents the assignment of Role1 and Role2 together within the same request. With this condition the request is blocked at the Identity Portal level. If a request for both roles does get through Identity Portal, it will still be blocked on the Identity Governance side by the BPR.
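The following simulation, added here for illustration and not code from Identity Portal or Identity Governance, shows why a per-role check misses the Role1/Role2 combination while a check over the whole request catches it. The role names and the BPR representation are constructed assumptions.

```python
"""Simulated segregation-of-duties check (constructed example, not product code)."""
from typing import FrozenSet, Iterable, List, Set

# Constructed BPR: role combinations that must never be held by one user.
BPR_TOXIC_PAIRS: Set[FrozenSet[str]] = {frozenset({"Role1", "Role2"})}


def violates_bpr(roles: Iterable[str]) -> bool:
    """True if the given set of roles contains any prohibited combination."""
    held = set(roles)
    return any(pair <= held for pair in BPR_TOXIC_PAIRS)


def check_per_role(current_roles: Iterable[str], requested: List[str]) -> List[str]:
    """Per-entity evaluation, as described in the Cause section: each requested
    role is checked only against the roles the user holds right now, so two
    roles in the same request are never evaluated together.
    Returns the requested roles that were blocked."""
    current = set(current_roles)
    return [role for role in requested if violates_bpr(current | {role})]


def check_combined(current_roles: Iterable[str], requested: List[str]) -> List[str]:
    """Whole-request evaluation, the effect of the extra scope condition: the
    current roles and all requested roles are checked as one set, so Role1 and
    Role2 requested together are caught. Returns the blocked requested roles."""
    current = set(current_roles)
    if violates_bpr(current | set(requested)):
        return list(requested)
    return []


if __name__ == "__main__":
    # User holds no roles and asks for Role1 and Role2 in one request.
    print("per-role blocked:", check_per_role([], ["Role1", "Role2"]))   # []
    print("combined blocked:", check_combined([], ["Role1", "Role2"]))   # ['Role1', 'Role2']
```

Running the block shows the gap directly: the per-role check blocks nothing for a combined Role1/Role2 request, while the whole-request check blocks both roles.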