000038344 - When should a Provisioning-Termination Rule delete accounts in RSA Identity Governance & Lifecycle?

Document created by RSA Customer Support Employee on Jan 16, 2020Last modified by RSA Customer Support Employee on Sep 4, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000038344
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
IssueIn RSA Identity Governance & Lifecycle, a Provisioning-Termination Rule can be configured to revoke user entitlements and to disable or delete the accounts that are associated with those entitlements. These options are configured in the user interface under Rules > Definitions > Create Rule > Type: Provisioning - Termination. Note the Actions field:

Termination Rule Actions

ResolutionA Provisioning -Termination Rule will delete accounts when specifically configured to do so as in the example below:

User-added image

The Provisioning-Termination rule may also delete an account if the Rule is not configured to delete accounts. This is the case when the following conditions are met:
  • All of the access (entitlements) associated to that account have been removed, and
  • The account is not linked to another active (not terminated) user.

If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. The Rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account.

If the account still has one or more entitlements given to it, or is mapped to another user who is not terminated, the Rule will take action against the account as per the Rule's configured actions. I.e., in this case it will not delete the account unless the Rule specifically says to do so.
NotesThis is documented in the online help in the section entitled Implicit Account Removal:

Implicit Account Removal — When RSA Identity Governance and Lifecycle generates a change request to remove access from an account, it checks to determine if the changes would result in an account not having any access to a business source. In this case, it creates a change item to delete the account regardless of the configuration of this action. This prevents accounts that would allow access to a business source despite not having any permissions to that business source.

This is also documented in the RSA Identity Governance & Lifecycle Administrator's Guide for your version in the section entitled Account Management Terminology.

There may be times when this security feature is not desired. See RSALink Idea Unmap Request should only remove/unmap the user from the account instead of account deletion to vote for a modification to this behavior.