000037377 - Provisioning/Termination Rule does not create change requests to revoke entitlements if the rule also disables and/or deletes accounts in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 23, 2019
Last modified by RSA Customer Support Employee on Jun 29, 2020
Version 3

Article Content

Article Number: 000037377

Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
 
Issue

When a Provisioning - Termination Rule is configured to revoke user entitlements and disable and/or delete accounts, no change requests are created to revoke the user entitlements. Only change requests to disable and/or delete accounts are created. The rule actions are configured in the RSA Identity Governance & Lifecycle user interface under Rules > Definitions > Create Rule > Type: Provisioning - Termination > Actions.

This occurs when any of the following combinations of Rule Actions is defined:
  • Disable accounts (excludes shared and service accounts)
  • Revoke user entitlements (excludes shared and service accounts)

  • Delete accounts (excludes shared and service accounts)
  • Revoke user entitlements (excludes shared and service accounts)

  • Disable accounts (excludes shared and service accounts)
  • Delete accounts (excludes shared and service accounts)
  • Revoke user entitlements (excludes shared and service accounts)

For example, the following Provisioning - Termination Rule defines all three actions:
 
User-added image

In this case the expected behavior is that three change requests are created for each terminated user: one to disable account(s), one to delete account(s) and one to revoke user entitlements. The problem is that when the users are terminated, collections and unification are run, and the rule is processed, only two change requests are created: one to disable account(s) and one to delete account(s). A request to revoke user entitlements is not created.

If the rule is defined to only disable accounts or only delete accounts along with revoking user entitlements, the expected behavior is that two change requests are created: one to disable/delete accounts and one to revoke user entitlements. Instead, only one change request is created, to disable/delete accounts, and a request to revoke user entitlements is not created.

If a Provisioning - Termination Rule is defined to only revoke user entitlements, a change request to revoke the entitlements is created as expected.
 
Cause

This is a known issue reported in engineering ticket ACM-95904.

This issue occurs when a user has accounts. If the user does not have any accounts and only has user entitlements, then a change request to revoke entitlements is created as expected.
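One way to check processed terminations for this gap, as an added example that is not RSA code: it compares the change requests each terminated user should have received against those actually recorded. The action names, the record layout and the sample data are assumptions constructed for illustration, not an RSA Identity Governance & Lifecycle API or export format.

```python
# Added example: flag terminated users whose "revoke entitlements" change
# request is missing. Action names, record layout and sample data are
# constructed assumptions, not an RSA export format.
from collections import defaultdict

DISABLE, DELETE, REVOKE = "disable_accounts", "delete_accounts", "revoke_entitlements"

def expected_requests(rule_actions, has_accounts, has_entitlements):
    """Request types the rule should create for one terminated user (assumed model)."""
    expected = {a for a in rule_actions if a in (DISABLE, DELETE)} if has_accounts else set()
    if has_entitlements and REVOKE in rule_actions:
        expected.add(REVOKE)
    return expected

def find_gaps(rule_actions, users, change_requests):
    """Return {user_id: sorted missing request types}; change_requests is (user_id, type) pairs."""
    seen = defaultdict(set)
    for user_id, request_type in change_requests:
        seen[user_id].add(request_type)
    gaps = {}
    for user_id, info in users.items():
        want = expected_requests(rule_actions, info["accounts"] > 0, info["entitlements"] > 0)
        missing = want - seen[user_id]
        if missing:
            gaps[user_id] = sorted(missing)
    return gaps

# Constructed sample: a rule with all three actions defined.
RULE = {DISABLE, DELETE, REVOKE}
USERS = {
    "alice": {"accounts": 2, "entitlements": 5},  # has accounts: affected case
    "bob": {"accounts": 0, "entitlements": 3},    # no accounts: revoke is created
    "carol": {"accounts": 1, "entitlements": 4},  # all three requests present
}
REQUESTS = [
    ("alice", DISABLE), ("alice", DELETE),
    ("bob", REVOKE),
    ("carol", DISABLE), ("carol", DELETE), ("carol", REVOKE),
]

if __name__ == "__main__":
    for user, missing in find_gaps(RULE, USERS, REQUESTS).items():
        print(f"{user}: no change request for {', '.join(missing)}")
```

Any user reported here still holds entitlements after termination and needs a separate revocation request.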
 
Resolution

This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.0.2 P13
  • RSA Identity Governance & Lifecycle 7.1.0 P09
  • RSA Identity Governance & Lifecycle 7.1.1 P03
  • RSA Identity Governance & Lifecycle 7.2.0
