Unification fails to identify terminated or deleted users in RSA Identity Governance & Lifecycle
Originally Published: 2020-03-19
Article Number
Applies To
RSA Version/Condition: 7.1.1 P03, P04 and P05, 7.2.0
Issue
Additionally, Provisioning - Termination rules may not correctly identify all terminated or deleted users, and may therefore fail to de-provision the accounts and entitlements related to those users.
Users that are terminated in the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_TERMINATED flag unset. Users that are missing (deleted) from the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_DELETED flag unset.
This issue typically only affects a subset of all users and may appear to occur randomly or transiently.
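The mismatch described above can be cross-checked offline by reconciling an export of the raw user data against an export of T_MASTER_ENTERPRISE_USERS. The following is an added example, not RSA's detection script or code from the original article; the CSV layout, the TERMINATED column in the raw data, the Y/N flag encoding and the sample users are assumptions.

```python
import csv
import io

# Constructed sample: current raw data from the authoritative user source.
# Column names and the Y/N encoding are assumptions made for this example.
RAW_FEED_CSV = """USER_ID,TERMINATED
alice,N
bob,Y
carol,Y
"""

# Constructed sample: export of three columns of T_MASTER_ENTERPRISE_USERS.
MASTER_EXPORT_CSV = """USER_ID,IS_TERMINATED,IS_DELETED
alice,,
bob,,
carol,Y,
dave,,
erin,,Y
"""


def flag_set(value):
    """Treat Y/YES/TRUE/1 as set; empty, NULL or N as unset (assumed encoding)."""
    return (value or "").strip().upper() in {"Y", "YES", "TRUE", "1"}


def find_stale_users(raw_csv, master_csv):
    """Return {USER_ID: reason} for master rows whose flags lag the raw data."""
    raw = {r["USER_ID"].strip(): flag_set(r["TERMINATED"])
           for r in csv.DictReader(io.StringIO(raw_csv))}
    stale = {}
    for row in csv.DictReader(io.StringIO(master_csv)):
        uid = row["USER_ID"].strip()
        if uid not in raw:
            # Gone from the source: the master row should carry IS_DELETED.
            if not flag_set(row["IS_DELETED"]):
                stale[uid] = "missing from raw data, IS_DELETED unset"
        elif raw[uid] and not flag_set(row["IS_TERMINATED"]):
            # Terminated at the source but still looks active in the master table.
            stale[uid] = "terminated in raw data, IS_TERMINATED unset"
    return stale


if __name__ == "__main__":
    for uid, reason in find_stale_users(RAW_FEED_CSV, MASTER_EXPORT_CSV).items():
        print(f"{uid}: {reason}")
```

Users reported here are candidates whose accounts and entitlements should be reviewed manually, since Termination rules may not have de-provisioned them.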
Cause
- RSA Identity Governance & Lifecycle 7.1.1 P03, P04 and P05
- RSA Identity Governance & Lifecycle 7.2.0
The issue may occur in configurations where all three of the following conditions are true:
- Multiple Identity Data Collectors (IDCs) exist and may collect attributes for the same users but only one of the IDCs is configured with Create Users = Yes.
- The IDC that creates users typically runs after the other IDCs.
- The IDC that creates users joins to the other IDCs on the USER_ID attribute.
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P06
- RSA Identity Governance & Lifecycle 7.2.0 P01
The fix includes a code change that prevents this issue from occurring as well as a migration script that corrects any incorrect records.
Workaround
Download and run the attached IdentifyProblemUsers.sql detection script in SQL*Plus or SQL Developer as avuser.
NOTE: If you use a SQL tool other than SQL*Plus or SQL Developer, see the Notes section below for modifications needed to the detection script before it will run.
If the script returns the following output, then you do not have this issue:
Started
Completed
PL/SQL procedure successfully completed.
If the script returns any records, then you may have this issue and some of the users in the list may be affected. Note that not all users returned in the list will be affected and the script does not identify which users actually are affected. Please contact RSA Identity Governance & Lifecycle Support for assistance on remediating this issue and mention this RSA Knowledge Base Article ID 000038590 for reference.
Problem Master Enterprise User ID: TestUser1
Notes
PL/SQL: ORA-00922: missing or invalid option
Change FROM:
set serveroutput on size unlimited
declare
v_count number;
v_idc_id number;
TYPE NumList IS TABLE OF NUMBER;
MeuIds NumList;
begin
dbms_output.put_line('Started');
TO:
declare
v_count number;
v_idc_id number;
TYPE NumList IS TABLE OF NUMBER;
MeuIds NumList;
begin
dbms_output.enable;
dbms_output.put_line('Started');