During the implementation of the Entitlement Reports module our customer noticed a defect in the module's behavior. Custom domains, custom tables and reports don't contain any information about the effective state of the permissions. The customer can check whether user or role has a permission related to an object but he is unable to distinguish whether the user is active or disabled. The customer's policy forbids the deletion of user due to compliance requirements (customer is disabling accounts instead). For some of the applications more than 90% of users are inactive/disabled. This factor has a huge impact on the ER reporting. Is some scenarios (monthly effective permission checkups) those reports are useless and unreadable as most of the reports contain the information about defined permissions and not about effective permissions. This behavior can be observed for Oracle, MSSQL, MySQL and Sybase. The solution is quite simple – the ER module should contain the information about the status of the entity for which the permission is being reported (one additional column for each report).
We would like to start a request for enhancement process for this issue. We can provide additional information if needed.
Do not place IBM confidential, company confidential, or personal information into any field.