|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.x
|Issue||In RSA Identity Governance & Lifecycle, a Provisioning-Termination Rule can be configured to revoke user entitlements and to disable or delete the accounts that are associated with those entitlements. These options are configured in the user interface under Rules > Definitions > Create Rule > Type: Provisioning - Termination. Note the Actions field:|
|Resolution||A Provisioning -Termination rule will delete accounts when specifically configured to do so as in the example below:|
The Provisioning-Termination rule may also delete an account if the rule is not configured to delete accounts. This is the case when the following conditions are met:
If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. This rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account.
If the account still has one or more entitlements given to it, or is mapped to another user who is not terminated, the rule will take action against the account as per the rule's configured actions. I.e., in this case it will not delete the account unless the rule specifically says to do so.