Jamie Pryer

User (Identity) Types within RSA IGL

Blog Post created by Jamie Pryer Employee on Sep 19, 2018

A lot of quesitons are asked around how to calculate users within RSA IGL and different totals for each user "type". for people who have left the organisation. 

 

A user "type" could be one of the following, when it comes to their status

  • Active
    • They are an active employee, who is part of the organisation still (eg. they are still on the payroll and working for the company)
  • Leaver
    • They are no longer an active employee and part of the organisation (eg. they are not being paid for working at the company any longer.
    • These can be collected and broken down into 2 different classifications:
      • Terminated (is_terminated)
      • Deleted (is_deleted)

 

Taking a step back and looking at identity collection...

RSA IGL works by collecting identities (individual users) into the system but we NEVER remove them out again. So once an identity is "in" RSA IGL, that’s it, they are there forever.

Even if we remove an identity from the source feed of HR (so an identity is no longer included within an identity collection), that identity will still be seen in RSA IGL.

 

RSA IGL Flags used for leaver types

 All companies do things differently, some companies keep their historic employees that have gone in their HR feeds =  these would be covered with an "is_terminated" flag. 

Some just keep a HR feed of only active users, so these would be covered with an "is_deleted" flag AND the "is_terminated" flag.

 

There are 2 different flags that we use to classify tan identity who is a "leaver", due to the way different companies manage their leaver data. These flags are set at the individual idenitty level and can be seen from the main "user" display view, or within any selected identity itself.

  • Is_terminated = this shows a identity who we are still collected into RSA IGL but HR states they have left the organsiation (maybe with a flag). This is like a positive confirmation someone has gone from the organisation and is a great piece of information to gather if possible.
  • Is_deleted = this shows a identity who we no longer collected by the RSA IGL identity collection process and so RSA IGL will assume that that they have left the organsiation (as they are no longer in the HR source data). This method is not a positive confirmation someone has left however, as it could just be that there was a mistake and the identity was not included in the HR source data for some reason. In general however, if someone is removed from the HR source, we treat this as confirmed they have left that company.

When an identity is set to "is_deleted = true", we also assume they have left the company. So the "is_terminated = true" flag is ALSO set. 

 

 

Working examples
  • Active Identity 
    • The identity for "Joe Blogs" is found in the HR source with the ID "JBLOGS". This identity is active within the company and a current employee.  This identity is collected into RSA IGL as an "active" user and so
      • Is_terminated = flase (no)
      • Is_deleted = flase (no)
  • "Is_Deleted" 
    • The identity for "Joe Blogs" is NO LONGER found in the HR Source anymore. So the ID for "JBLOGS" which was in the HR data previous has seen been totally removed from this data source. The identity is NOT collected into RSA IGL, as its not in the HR data. 
      • Is_terminated = true (yes)
      • Is_deleted = true (yes)
  • "Is_Terminated"
    • The identity for "Joe Blogs" is STILL found in the HR, however HR has set a flag against the "JBLOGS" for "Leaver" to be "true" - So the HR team is telling RSA IGL that JBLOGS has left the company. The identity for JBLOGS is collected into RSA IGL, but we also have this extra info with the flag being set.
      • Is_Terminated = true (yes)
      • Is_Deleted = flase (no)

 

How can you calculate these different types of identities in RSA IGL?

Option 1 = In the RSA IGL UI itself. (see image below)

  1. Log in to RSA IGL as someone within Admin privilages (who can see all identities in the system)
  2. Click on the "Users" then "Users" menu
  3. Using the "Grouping" drop down, select either "Is_Deleted" or "Is Terminated"
  4. This will then give you the total number of identies for each status.

SO in this example below, we can see there are 85005 identies who are "is_deleted"

NOTE: this method will have some cross-over, as there are some identites in a system who could be set to BOTH "is_deleted = yes" and "is_terminated = yes". See examples above for more info on this

UI Calculation Example

Option 2 = A SQL query against the DB

  1. Run the folllowing SQL query against your DB, to produce a list of the different types of identies. 

select

count(1) as TotalUsers,

sum(is_terminated) as TerminatedCount,

sum(is_deleted) as DeletedCount

from avuser.t_master_enterprise_users

 

Note: The SUM total of "is_deleted" and "is_terminated" might not always add up to the "total_users" value. This is due to the fact that some identites could be set to both "is_deleted = true" and "is_Terminated = true". Please see the example above for more infomation.

 

 

Thanks for reading - if you have any quesitons, please ask below.

 

Jamie Pryer

RSA Global Services Product Lead - Identity

Outcomes