|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
|Issue||In RSA Identity Governance & Lifecycle, a Provisioning-Termination Rule can be configured to revoke user entitlements and to disable or delete the accounts that are associated with those entitlements. These options are configured in the user interface under Rules > Definitions > Create Rule > Type: Provisioning - Termination. Note the Actions field:|
|Resolution||A Provisioning -Termination Rule will delete accounts when specifically configured to do so as in the example below:|
The Provisioning-Termination rule may also delete an account if the Rule is not configured to delete accounts. This is the case when the following conditions are met:
If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. The Rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account.
If the account still has one or more entitlements given to it, or is mapped to another user who is not terminated, the Rule will take action against the account as per the Rule's configured actions. I.e., in this case it will not delete the account unless the Rule specifically says to do so.
|Notes||This is documented in the online help in the section entitled Implicit Account Removal:|
Implicit Account Removal — When RSA Identity Governance and Lifecycle generates a change request to remove access from an account, it checks to determine if the changes would result in an account not having any access to a business source. In this case, it creates a change item to delete the account regardless of the configuration of this action. This prevents accounts that would allow access to a business source despite not having any permissions to that business source.
This is also documented in the RSA Identity Governance & Lifecycle Administrator's Guide for your version in the section entitled Account Management Terminology.
There may be times when this security feature is not desired. See RSALink Idea Unmap Request should only remove/unmap the user from the account instead of account deletion to vote for a modification to this behavior.