|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
|Issue||When a Provisioning - Termination Rule is configured to revoke user entitlements and disable and/or delete accounts, no change requests are created to revoke the user entitlements. Only change requests to disable and/or delete accounts are created. In the RSA Identity Governance & Lifecycle user interface go to Rules > Definitions > Create Rule > Type: Provisioning - Termination > Actions.|
This occurs when the following Rule Actions are defined:
For example the following Provisioning - Termination Rule defines all three actions:
In this case the expected behavior is that three change requests would be created for each terminated user. One to disable account(s), one to delete account(s) and one to revoke user entitlements. The problem is that when the users are terminated, collections and unification are run, and the rule processed, only two change requests are created: one to disable account(s) and one to delete account(s). A request to revoke user entitlements is not created. If the rule was defined to only disable accounts or only delete accounts along with revoking user entitlements, then the expected behavior would be that two change requests would be created. One to disable/delete accounts and one to revoke user entitlements. But in this case only one change request would be created to disable/delete accounts. A request to revoke user entitlements would not be created.
If a Provisioning - Termination Rule is defined to only revoke user entitlements, a change request to revoke the entitlements is created as expected.
|Cause||This is a known issue reported in engineering ticket ACM-95904.|
This issue occurs when a user has accounts. If the user does not have any accounts and only has user entitlements, then a change request to revoke entitlements is created as expected.
|Resolution||This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:|