
This is the first post in a new blog series by Steve Mowll and Chris Williams - ENJOY!


POINT: NEWS FLASH identity management people, HR is not here to feed you with identity data!
Steve Mowll, Systems Engineer, RSA

Identity management teams may believe it is the human resource (HR) department’s responsibility to be an identity management provider. Unfortunately for IT, or fortunately for HR, it is not their job.

HR is a business function tasked with finding and retaining the top talent for a company. They guide new employees – orientating them, helping them achieve career goals and ensuring that payroll and benefits function correctly. For this, they interact a great deal with, and are aligned to the overall business. NEWS FLASH identity management people: HR has a view into employee data, but they are not here to spoon feed IT with the employees’ identity data!

If IT approaches HR in this mindset, the conversation will end poorly. Getting off on the right foot at the start of any project is key to a successful and productive relationship. That’s why we urge you to think differently if you want to use HR data for your identity management system. Here are a few tips:

  1. Involve HR colleagues at the beginning of an identity management project and identify an HR executive stakeholder.
  2. Understand the end-to-end HR processes and data, but make sure you also understand each process’ intention and purpose, not just the flow or process itself.
  3. HR works with the lines of business to define their processes and data. Get involved in the business conversations and relationships that your HR team has. You will have a very hard time making identity management relevant to the business if you don’t.
  4. Understand the value you can add to the HR team and their mission. This is not just about creating and securing access. It’s about getting employees productive from day one. And, it’s about making sure they have the ready and appropriate access to the systems and applications they need to do their jobs.

Lastly, regardless of how hard things get, I warn you, never mention Catbert, the evil HR manager!

COUNTERPOINT: HR data is a good resource, but combining highly-descriptive data about people inside and outside of the IT stack can create a more accurate person-record.
Chris Williams, Advisory Architect RSA

Catbert isn’t evil…he’s just misunderstood. Or, is he?

Years ago, before applications became capable of understanding who their authorized users were, most organizations managed a single repository containing “who a person is” and “what is their business function.” Of course, the repository owner was Human Resources. By its very nature, it’s a fantastic facility for all types of people-data: positions, managers, departments, salary, performance, and so on.

Today, many IT organizations are finding complementary, highly-descriptive data about the people inside and outside of their IT stack. Think of all the directories, databases, applications, and enterprise resource planning (ERP) software within your business. Now, add all the external partner, social, and hosted/SaaS services containing people-data. Combined, this data can be used to create a more accurate person-record, while reducing the impact against HR to attain, maintain, and provide that data. The trick is to not manage too much data.

If we apply a few rules about descriptive and relational data learned from infrastructure management projects (think configuration management databases used in an IT Service Management program), we know that we can select (federate) which “attributes” of a person we want to use, and then populate that within a unified person-record within an identity management solution. In this manner, the identity management solution becomes a living system of truth. With that said, there are a few things you should keep in mind when building a federated identity management record set:

  1. Keep it simple – don’t overthink how to collect the data, and utilize a base data exchange model – but make sure you still protect the data in transit.
  2. Only take what you need – like most data warehouses, the collected information can easily become too large and too difficult to manage.
  3. Have a plan to utilize the data – think about how a person’s attributes will be used to describe who they are, what access they should have, how it helps build roles and rules, etc. Although it may better describe a nuance about a person, if it doesn’t drive a specific access requirement, then you don’t need it.
  4. Leverage what already exists – you will likely find the data you need without having to go to HR directly. Payroll, corporate directories, organization charts, etc. can all provide very rich data sources. If there are complete records, then grab as much as you can, thus limiting how many unification sources are needed to build a “complete record.”

Moreover, information security teams can rely on a current unification of the best attributes from the best descriptive data sources – whether they are from IT, HR or a combination of both – comprising the definitive answer to “Who are my users?” And, Catbert won’t be upset with us each time we need a new report.

Watch this video to see how RSA Identity Governance and Lifecycle is helping Ameritas to streamline access delivery and user lifecycle management for employees while improving audit performance. (NOTE: Via Access is now RSA Identity Governance and Lifecycle)



Believe it or not, the RSA Charge 2017 event is only six months away, Oct. 17-19 in Dallas at the Hilton Anatole. Visit the RSA Charge microsite, now open!  And this means, 'Call for Speakers' submissions are now being accepted as well.  


In case you were not able to attend one of the two live RSA Charge 'Call for Speakers' webinars in April, 'What You Need to Know About Submitting Your Speaker's Proposal', the webinar replay is now available for your listening pleasure.


To help you get those creative juices flowing, the following 2017 Submission Tracks have been identified for RSA products; for full session descriptions please see attachment:



Security Operations, Identity, Anti-Fraud

  • Detecting and Responding to the Threats That Matter
  • Identity Assurance
  • Reducing Fraud, while Not Reducing Customers
  • Secrets of the SOC

Governance, Risk and Compliance

  • Inspiring Everyone to Own Risk
  • Managing Technology Risk in Your Business
  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • RSA Archer Suite Technical
  • RSA Archer Suite Advanced Technical


It is recommended that once you listen to the replay, you use the 'offline' form, available on the microsite, as your draft before submitting. You may also have more than one submission. The official RSA Charge 'Speaker' Submission Form is also available on the microsite.


Please Note: 'Call for Speakers' closes on May 26.


Did you know that 86% of the questions have missing information and most of the follow up questions are to gather that missing information?


Don’t waste your time and get the answer as soon as possible by providing relevant information.

  • Information like product version. Why is the product version important? The issue you are describing might be fixed in the next release.
  • Information like business use case. Why is this needed? There is more than one way to do things. If you are describing an issue with your approach, someone can suggest a different approach.
  • Complete information around the observed issue will clear up misunderstandings. Screenshots, relevant snippets from logs, browser version (if relevant), etc. are an excellent way to achieve that.


Happy posting!


Are you getting everything you can out of the community?

Most likely not.
No worries, this blog post will help you get there in a few clicks.


Are you a follower?
If not, then you are missing all the action.

Customers, partners and RSA employees are posting questions which you are most likely to encounter in the future or are encountering already.
New tutorials are being uploaded by product management.
How-to articles are being posted by engineers to help you understand the nuts and bolts of the system.
New solutions are being created by professional services.
New concepts are being demonstrated by pre-sales.
Updated documentation is being uploaded by technical writers.
New knowledge base articles are being made public by customer support.


Don’t stay behind and follow the communities below to get updates instantly to your inbox with every new post. Check the Inbox checkbox under the Following section (for every link).
RSA Identity Governance & Lifecycle Client/Partner Community  
RSA Identity Governance & Lifecycle 
Connector & Collector Application Guides 



Use the Outlook plugin for ease of access


Happy posting!


In 2016, 63% of confirmed data breaches involved weak, default or stolen passwords (Verizon 2016 Data Breach Investigations Report). Identity has emerged as the most consequential threat vector.


Now is the time to upgrade to RSA Identity Governance and Lifecycle Version 7.0.2 to address identity-based risks and deliver continuous compliance for your organization. Our approach, which incorporates risk analytics and business context into identity management, means you are getting more than basic provisioning and governance.




Visibility and control into all identities, including privileged users, all in one place with PIM/PAM interoperability. No longer manage privileged accounts separately, which opens up vulnerabilities for highly sought-after accounts and creates compliance issues. Manage it all from one platform.


Better adoption by the business with integration to ServiceNow. Users will be able to access and make requests via the portal that is already used for other IT and business requests in the organization instead of accessing a siloed portal.


Increase agility to manage identity governance with streamlined workflows, dashboards, simplified approvals, improved overall performance and administration.


Upgrade tools for RSA Identity Governance and Lifecycle streamline the upgrade process, making it easier for you to deploy upgrades. Our Professional Services team is here to make sure your upgrade goes smoothly.


Here is a full list of enhancements:








Full details behind these enhancements available.


Threats continue to evolve each day, with identity being the primary attack vector. Version 7.0.2 provides you the best protection against identity-based vulnerabilities, based on risk analytics and business context. Not upgrading means your identities may not be as secure as they could be.



Got questions? We’re here to help you upgrade to the latest version. Here are 3 easy options to help you get started with upgrade:

  1. Leave a comment here and we’ll answer your questions in the community
  2. Connect with your RSA Identity Governance and Lifecycle sales representative
  3. Reach out to our professional services contacts below


Orlando Salinas
Nitinkumar Khadse


Khalil El Damisi


Thomas Leresche

Have you had a collection job fail with a status of "Aborted (Circuit Breaker)" and all you did was kick off the collection again with "Ignore Circuit Breaker"?

The Circuit Breaker is there to protect you. In the past customers have had issues with their source data being incorrect and then that incorrect data being pulled into the system. For example, some collections are collected from CSV files that the customer builds with some manual or automatic process from various systems within their organization. If this aggregation process fails, or does not properly create the CSV files, then our collectors will gather the incorrect data and attempt to process it, typically resulting in cases where we think a significant number of objects or relationships have been deleted, which in turn can trigger all kinds of actions. The Circuit Breaker can prevent that. It raises a red flag that a particular collection has too much change, and gives the administrator a chance to review the raw data before we take it on board.

The Circuit Breaker is designed to stop a collection process that exceeds a percentage of change. That change could be something New, Missing or Changed, and it pertains to objects and direct entitlements. Our OOTB percentage change is 5%, but that can be adjusted. We allow the percentage to be changed system-wide, or it can be changed on a per-collector basis as well as by the type of change that occurs. So if you know that your LDAP server does not have a lot of activity, you can keep the OOTB percentage. If you have a self-service HR system where the users are constantly making modifications to their information, you may want to increase the percentage for that collector.


In the Collector's Guide there is a section on "Configuring a Data Processing Interruption Threshold" which will give you more information on how to adjust the setting.
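
A pre-flight check in the spirit of the Circuit Breaker, run against the CSV a feed job produces before the collector sees it. This is an added example, not RSA's implementation: the column names, the sample snapshots and the choice to measure change against the previous run's object count are assumptions.

```python
import csv
import io

DEFAULT_THRESHOLD_PCT = 5.0  # the out-of-the-box value quoted in the post

def load(csv_text, key):
    """Index CSV rows by their unique key column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}

def change_report(previous_csv, current_csv, key="account_id"):
    """Percent of New / Missing / Changed objects relative to the previous run."""
    prev, cur = load(previous_csv, key), load(current_csv, key)
    counts = {
        "new": len(cur.keys() - prev.keys()),
        "missing": len(prev.keys() - cur.keys()),
        "changed": sum(1 for k in prev.keys() & cur.keys() if prev[k] != cur[k]),
    }
    base = max(len(prev), 1)  # assumption: percentages are relative to the prior count
    return {kind: 100.0 * n / base for kind, n in counts.items()}

def tripped(report, thresholds=None):
    """Return the change types whose percentage exceeds their threshold."""
    thresholds = thresholds or {}  # optional per-type overrides for one collector
    return sorted(kind for kind, pct in report.items()
                  if pct > thresholds.get(kind, DEFAULT_THRESHOLD_PCT))

def make_csv(rows):
    """Build a constructed sample snapshot from (account_id, department) pairs."""
    return "account_id,department\n" + "".join(f"{a},{d}\n" for a, d in rows)

# Constructed sample snapshots (hypothetical data, 20 accounts in the prior run).
PREVIOUS = make_csv([(f"u{i:02d}", "sales") for i in range(20)])
# Healthy run: one department change and one new account.
HEALTHY = make_csv([(f"u{i:02d}", "finance" if i == 3 else "sales")
                    for i in range(21)])
# Failed aggregation job: the file was only partially written.
TRUNCATED = make_csv([(f"u{i:02d}", "sales") for i in range(12)])

if __name__ == "__main__":
    for name, snapshot in (("healthy", HEALTHY), ("truncated", TRUNCATED)):
        report = change_report(PREVIOUS, snapshot)
        print(name, report, "tripped:", tripped(report) or "none")
```

The truncated file is the case the post warns about: a partial export looks like a mass deletion, so the "missing" percentage is the one to review before re-running with "Ignore Circuit Breaker".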

The RSA Identity Governance and Lifecycle Shopping Cart has been certified on the Helsinki and Istanbul versions of ServiceNow.


RSA on ServiceNow Store  
