000037451 - Unable to re-use a deleted account name if the account was previously disabled in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 5, 2019. Last modified by RSA Customer Support Employee on Sep 3, 2020.
Version 37

Article Content

Article Number: 000037451
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0 P03+, 7.1.1, 7.2.0
 
Issue: One of the following errors occurs when submitting a request to create a new account using a deleted account name.
 
Unable to create an account with the name [XXXX]. The name is already used by an Active Account or a Disabled Account
 


or



There is already an account with name [XXXX]. A new account can not be created with same name.
 

These messages are seen when submitting a request generated by one of the following methods:

  • An account is created with the Create Account button under the Accounts tab of the related Directory or Application.
  • An account is created with the Add Entitlements button under the Access tab of the user.   

In the examples below, the deleted account being re-used is sblue, as seen under Resources > Directories/Applications > {Directory or Application name} > Accounts tab:
 


User-added image



Example 1: Using the Create Account button under the Accounts tab 



In the user interface navigate to Resources > Directories/Applications > {Directory or Application name} > Accounts tab > Create Account.
 


User-added image



This error occurs when there is no account template:
 


User-added image



This error occurs when there is an account template:
 


User-added image

 

Example 2: Using the Add Entitlements button under the User Access tab



In the user interface navigate to Users > Users > {user name} > Access tab > Add Entitlements.
 


User-added image

 

This error occurs when there is no account template:
 


User-added image

 

This error occurs when there is an account template:
 


User-added image


 
Cause: This is a known issue reported in engineering tickets ACM-101735 and ACM-98504.

This problem occurs when the following four conditions are met:
  1. An account with the same name was disabled in RSA Identity Governance & Lifecycle.
  2. At a later time, the same account was deleted from RSA Identity Governance & Lifecycle.
  3. The Business Source is configured with Entitlements Require Account set to Yes.
  4. Under Admin > System > Settings, RSA Identity Governance & Lifecycle is configured with Enable Disabled Accounts for Entitlement Requests set to No.

Setting Enable Disabled Accounts for Entitlement Requests to No is meant to prevent disabled accounts from being used again since they are still existing accounts. The problem is that when these accounts are deleted, RSA Identity Governance & Lifecycle still considers them disabled and will not re-use them when this setting is set to No.
 
Resolution: This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
 
Workaround: As a workaround, configure RSA Identity Governance & Lifecycle to allow disabled accounts in entitlement requests by setting Enable Disabled Accounts for Entitlement Requests to Yes using the steps below:
  1. In the RSA Identity Governance & Lifecycle user interface, go to Admin > System > Settings.
  2. Click the Edit button.
  3. Scroll down to Data > ENTITLEMENTS > Enable Disabled Accounts for Entitlement Requests.
  4. Select Yes to enable the option Enable Disabled Accounts for Entitlement Requests.
  5. Click OK to save the changes.

User-added image

 

WARNING: The parameter Enable Disabled Accounts for Entitlement Requests is a global setting and as such makes all existing disabled accounts available for re-use. If this is not the desired system-wide behavior, temporarily enable this setting, create the account or accounts that need to be re-created, and then disable the setting again.



 
