000037451 - Unable to re-use a deleted account name if the account was previously disabled in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 5, 2019
Last modified by RSA Customer Support Employee on Oct 30, 2020
Version 55

Article Content

Article Number: 000037451

Applies To:
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0 P03+, 7.1.1, 7.2.0

Issue: One of the following errors occurs when submitting a request to create a new account using a deleted account name.
 
Unable to create an account with the name [XXXX]. The name is already used by an Active Account or a Disabled Account.
 


Or



There is already an account with the name [XXXX]. A new account cannot be created with same name.
 

These messages are seen when submitting a request generated by one of the following methods:

  • An account is created with the Create Account button under the Accounts tab of the related Directory or Application.
  • An account is created with the Add Entitlements button under the Access tab of the user.   

In the examples below, the deleted account being re-used is sblue, as seen under Resources > Directories/Applications > {Directory or Application name} > Accounts tab.



Example 1: Using the Create Account button under the Accounts tab 



In the user interface, go to Resources > Directories/Applications > {Directory or Application name} > Accounts tab > Create Account.
 





This error occurs when there is no account template:
 


[Screenshot of the error message]



This error occurs when there is an account template:
 


[Screenshot of the error message]

 

Example 2: Using the Add Entitlements button under the User Access tab



In the user interface, go to Users > Users > {username} > Access tab > Add Entitlements.
 



 

This error occurs when there is no account template:
 


[Screenshot of the error message]

 

This error occurs when there is an account template:
 


[Screenshot of the error message]


 
Cause: This is a known issue that is reported in engineering tickets ACM-101735 and ACM-98504.

This problem occurs when the following four conditions are met:
  1. An account with the same name was disabled in RSA Identity Governance & Lifecycle.
  2. At a later time, the same account was deleted from RSA Identity Governance & Lifecycle.
  3. The Business Source is configured with Entitlements Require Account set to Yes.
  4. Under Admin > System > Settings, RSA Identity Governance & Lifecycle is configured with Enable Disabled Accounts for Entitlement Requests set to No.

Setting Enable Disabled Accounts for Entitlement Requests to No is meant to prevent disabled accounts from being used again since they are still existing accounts. The problem is that when these accounts are deleted, RSA Identity Governance & Lifecycle still considers them disabled and will not re-use them when this setting is set to No.
 
Resolution: This issue has been resolved in the following versions:
  • RSA Identity Governance & Lifecycle 7.2.1


This version introduces a new configuration setting for Account Data Collectors (ADCs) called "Allow Account Reuse". The setting can optionally be enabled when the "Account Disabled" feature of the collector is enabled and the ADC is configured to collect or set the Is_Disabled flag of the Account. These settings are available on the Search Configuration For Accounts page when editing the Account Data Collectors.

The "Allow Account Reuse" configuration setting changes the way RSA Identity Governance & Lifecycle sets and maintains the Account Disabled status of the Account in the Is_Disabled attribute.   



With Allow Account Reuse disabled (default setting):

  • Accounts that are Disabled will remain Disabled even after they are Deleted.

With Allow Account Reuse enabled:

  • Accounts that are Disabled will remain Disabled only until they are Deleted. When the Accounts are Deleted, the Is_Disabled flag will immediately be set to False.

 



Note that when the "Allow Account Reuse" option is enabled, the following warning dialog is displayed.

[Screenshot of the warning dialog]

WARNING: When you enable this option, all existing deleted Accounts for this ADC (Accounts with Is_Deleted=True) will have the "Is_Disabled" flag immediately set to False. This is not reversible.
 

Workaround: As a workaround, configure RSA Identity Governance & Lifecycle to allow disabled accounts in entitlement requests by setting Enable Disabled Accounts for Entitlement Requests to Yes using the steps below:
  1. In the RSA Identity Governance & Lifecycle user interface, go to Admin > System > Settings.
  2. Click the Edit button.
  3. Scroll down to Data > ENTITLEMENTS > Enable Disabled Accounts for Entitlement Requests.
  4. Select Yes to enable the option Enable Disabled Accounts for Entitlement Requests.
  5. Click OK to save the changes.


 

WARNING: The parameter Enable Disabled Accounts for Entitlement Requests is a global setting and as such makes all existing disabled accounts available for re-use. If this is not the desired system-wide behavior, temporarily enable this setting, create the account or accounts that need to be re-created, and then disable the setting again.
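
A pre-change check for the two warnings above, as an added example (not RSA code): it reads an account export and lists, per collector, the deleted accounts whose Is_Disabled flag "Allow Account Reuse" would reset and the still-existing disabled accounts that the global setting would make available. The CSV layout, column names and collector names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout and collector names are
# assumptions for this example, not the product's schema.
SAMPLE_EXPORT = """adc,name,is_disabled,is_deleted
AD_Collector,sblue,true,true
AD_Collector,jdoe,true,false
AD_Collector,mgreen,false,true
HR_Collector,sblue,true,true
"""

def _flag(value):
    return value.strip().lower() in ("true", "1", "yes", "y")

def load_accounts(text):
    """Parse the export into dicts with real booleans for the two flags."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "adc": row["adc"].strip(),
            "name": row["name"].strip(),
            "is_disabled": _flag(row["is_disabled"]),
            "is_deleted": _flag(row["is_deleted"]),
        })
    return accounts

def impact_report(accounts):
    """Group disabled accounts per collector by which change touches them.
    reset_by_allow_account_reuse: deleted and still flagged disabled; enabling
        "Allow Account Reuse" on that ADC sets Is_Disabled to False for these.
    opened_by_global_setting: disabled but not deleted; the global setting
        set to Yes makes these available for re-use.
    """
    report = defaultdict(lambda: {"reset_by_allow_account_reuse": [],
                                  "opened_by_global_setting": []})
    for acct in accounts:
        if not acct["is_disabled"]:
            continue  # never disabled: neither setting changes anything
        key = ("reset_by_allow_account_reuse" if acct["is_deleted"]
               else "opened_by_global_setting")
        report[acct["adc"]][key].append(acct["name"])
    return {adc: {k: sorted(v) for k, v in groups.items()}
            for adc, groups in report.items()}

if __name__ == "__main__":
    for adc, groups in impact_report(load_accounts(SAMPLE_EXPORT)).items():
        print(adc, groups)
```

Reviewing the second list before applying the workaround shows which disabled accounts the global setting exposes while it is temporarily set to Yes.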



 
