000037188 - Terminated users are not displayed while manually mapping accounts in RSA Identity Governance & Lifecycle 7.1.0

Document created by RSA Customer Support Employee on Mar 11, 2019

Article Content

Article Number: 000037188
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0+

Issue: While manually mapping accounts to one or more users in RSA Identity Governance & Lifecycle 7.1.0, terminated users are not displayed and are not returned by the search in the selection window. For example, on an RSA Identity Governance & Lifecycle 7.1.0 system, the total number of users, including terminated users, is shown below:
User-added image

When you try to add users to an account (orphan, active or disabled) and group the list by the Is Terminated attribute, only users with Is Terminated = No are displayed.
User-added image
Cause: In versions prior to RSA Identity Governance & Lifecycle 7.1.0, terminated users could be selected while manually mapping accounts to users. However, this is not an allowed use case, as it encourages bad security practice: a terminated user should not be able to hold any entitlements, which is exactly what mapping that user to an account would grant.

In RSA Identity Governance & Lifecycle 7.0.2, it was possible to view as well as add terminated users to an account as follows:

User-added image

User-added image

However, this poses a security risk, because the terminated users still have access to the application(s) through the mapped accounts.
Resolution: This behavior is by design in RSA Identity Governance & Lifecycle 7.1.0.

Terminated and/or deleted users should not have access to the system, and their account mappings should be removed from the source system to prevent possible security issues. This cleanup is essential because these users will still be collected as long as they exist in the source system.
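As an added illustration of the cleanup check recommended above (this script is not part of the RSA article and does not use RSA's data model), the following Python reads constructed user and account exports and flags accounts whose mapped user is terminated or no longer exists, so those mappings can be removed from the source system. The column names and sample rows are assumptions.

```python
import csv
import io

# Constructed sample exports (not RSA's real schema or data): a user list
# carrying the "Is Terminated" attribute, and an account list with the
# user each account is mapped to (empty = orphan account).
USERS_CSV = """user_id,name,is_terminated
u001,alice,No
u002,bob,Yes
u003,xyz,Yes
u004,carol,No
"""

ACCOUNTS_CSV = """account,source_system,mapped_user_id
alice@corp,ActiveDirectory,u001
bob@corp,ActiveDirectory,u002
xyz_admin,Oracle,u003
svc_backup,Oracle,
carol@corp,ActiveDirectory,u004
ghost@corp,ActiveDirectory,u999
"""


def load_users(csv_text: str) -> dict:
    """Return {user_id: is_terminated} from the user export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["user_id"]: r["is_terminated"].strip().lower() == "yes" for r in rows}


def find_risky_mappings(users_csv: str, accounts_csv: str) -> list:
    """Flag mappings to clean up in the source system: accounts mapped to a
    terminated user, or to a user id that no longer exists (deleted user).
    Orphan (unmapped) accounts are a separate review and are skipped."""
    users = load_users(users_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        uid = row["mapped_user_id"].strip()
        if not uid:
            continue  # orphan account: nobody is mapped, nothing to revoke here
        if uid not in users:
            reason = "mapped to deleted/unknown user"
        elif users[uid]:
            reason = "mapped to terminated user"
        else:
            continue  # active user, mapping is legitimate
        findings.append({"account": row["account"], "source_system": row["source_system"],
                         "user_id": uid, "reason": reason})
    return findings
```

Calling `find_risky_mappings(USERS_CSV, ACCOUNTS_CSV)` on the sample data returns three findings (bob@corp, xyz_admin and ghost@corp), each with its source system so the cleanup can be routed to the right application owner.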

In an RSA Identity Governance & Lifecycle 7.1.0 system, terminated users are neither displayed nor returned in the search results, so they cannot be added to accounts and the security risk is avoided.
User-added image

If you specifically search for a terminated user, the user is not returned. In the example below, xyz is a terminated user.
User-added image

Searching for xyz will not return a result, as shown below:
User-added image