000037420 - Partially orphaned accounts occur in RSA Identity Governance & Lifecycle when the ADC defines multiple user resolution attributes from the same target collector

Document created by RSA Customer Support Employee on May 2, 2019
Version 1

Article Content

Article Number: 000037420
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0
Partially orphaned accounts are created after Unification. In the example below, note that UserC3 is not displayed as an orphaned account, yet it is not mapped to any user, which is the definition of an orphaned account.

Cause: This problem occurs when an Identity Data Collector (IDC) collects multiple attributes for a user, an Account Data Collector (ADC) defines two or more of these attributes in the user resolution rules, and one of the attributes defined in the resolution rules is modified in the data source.

As an example, an IDC collects User Id, Email Address, and Department. An ADC collects AccountName. Three User Resolution rules are defined on these IDC attributes in the ADC definition.

After running the IDC, Unification and ADC, the AccountName resolves to the User Id and correctly maps the users.

If one of the user attributes other than the User Id is modified in the IDC, the problem occurs. In this case, the email address for UserC3 was modified. After running the IDC and Unification, the account is left partially orphaned.
Resolution: This is fixed in 7.0.2 P12, 7.1.0 P05, and 7.1.1. The fix ensures that unification will not deactivate the affected account mappings and the accounts will no longer appear to be orphaned or partially orphaned.
Workaround: As a workaround, run the Account Data Collector. This will re-map the user to the account.