RSA Archer Dev Tips: "Exclude Inactive Users" Option

July 20, 2020

 

But first, a fun analogy:

Inactive users are like that classmate in your college group project...Except worse! They are the one that dropped the class, didn't tell you, the project deadline is approaching, and 25% of the work is not completed. Not cool man!

Okay, on a serious note, let's dive into some of the ins and outs of the Exclude Inactive Users option so you know how it functions, the implications, whether you want to use it going forward, and other options available.

Exclude Inactive Users

What is the "Exclude Inactive Users" feature?

The Exclude Inactive Users option in RSA Archer is available for record permissions and user/group fields. It was meant to prevent selecting inactive users in records because as we all know....inactive users don't do a great job at completing their tasks (remember that project classmate above?).

Archer's documentation specifically says that this option...

"Excludes inactive users whose user status is no longer active and whose access is revoked."

Pros:

  • Prevents a user from choosing/selecting an inactive user when creating/editing records (Yes, that's the goal!)

Cons:

  • Unfortunately it automatically removes/clears any inactive users from RP or User/Group fields immediately after clicking the Edit button on a record. And yes, this option clears out the inactive users even if the section/field is read-only and even if you didn't touch that record permission or user/group field!

 

The documentation mentions when "access is revoked" how does that work?

Archer doesn't remove/clear inactive users if they lose access from group membership as some might interpret. I assume they meant when access to Archer is revoked, not group membership because that is how the feature functions when enabled.

 

What are the considerations/workarounds?

1. Using the option: If you are using this option, you cannot edit a record and expect to retain inactive users even if the record is closed or the fields/section is read-only. This is important to remember for historical/audit purposes. You may need to rely on the history log more to produce record information for auditors or regulators. We suggest you ensure the history log is enabled and specifically tracks these fields.

2. A much better way: Instead of using that feature, here is a shameless plug to use our Inactive User Reporting solution as an elegant solution to find and resolve inactive users in active records. This way you won't have to risk modifying records.

 

Bottom line:

The feature could be useful to your organization if you are aware of how it works, understand the risks/impacts, and you have all your business partners in agreement to use it. Perhaps for certain applications, it is ideal to clear out inactive users. In other instances, this could mean much more work for staff to produce historical records.