000038344 - When should a Provisioning-Termination Rule delete accounts in RSA Identity Governance & Lifecycle?

Document created by RSA Customer Support Employee on Jan 16, 2020
Version 1

Article Content

Article Number: 000038344
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.x
Issue: In RSA Identity Governance & Lifecycle, a Provisioning-Termination Rule can be configured to revoke user entitlements and to disable or delete the accounts that are associated with those entitlements. These options are configured in the user interface under Rules > Definitions > Create Rule > Type: Provisioning - Termination. Note the Actions field:

[Image: Termination Rule Actions]
Resolution: A Provisioning-Termination rule will delete accounts when specifically configured to do so, as in the example below:

User-added image

The Provisioning-Termination rule may also delete an account even if the rule is not configured to delete accounts. This is the case when both of the following conditions are met:
  • All of the access (entitlements) associated with that account has been removed, and
  • The account is not linked to another active (not terminated) user.

If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. This rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account.

If the account still has one or more entitlements given to it, or is mapped to another user who is not terminated, the rule will take action against the account as per the rule's configured actions. That is, in this case it will not delete the account unless the rule is specifically configured to do so.
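
The decision described above can be modelled as a dry run before enabling a rule, to list accounts that will be deleted even though the rule is set only to disable. This is an added example, not RSA code or an RSA API; the `Account` structure, the action labels and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical data model for a dry run; these are not RSA IGL objects or API names.
@dataclass
class Account:
    name: str
    remaining_entitlements: set = field(default_factory=set)  # access left after revocation
    mapped_users: set = field(default_factory=set)            # user IDs mapped to the account

def predict_action(account, configured_action, terminated_users):
    """Return the action the article describes for one account.

    configured_action: "disable" or "delete" (labels assumed for this sketch).
    terminated_users: set of user IDs that are terminated.
    """
    if configured_action == "delete":
        return "delete"  # the rule is explicitly configured to delete
    has_access = bool(account.remaining_entitlements)
    has_active_user = bool(account.mapped_users - terminated_users)
    if not has_access and not has_active_user:
        return "delete"  # the account would otherwise become orphaned
    return configured_action  # otherwise the configured action applies

def unexpected_deletions(accounts, configured_action, terminated_users):
    """Names of accounts that will be deleted although the rule is not set to delete."""
    if configured_action == "delete":
        return []
    return [a.name for a in accounts
            if predict_action(a, configured_action, terminated_users) == "delete"]

# Constructed sample data: one terminated user and three accounts.
TERMINATED = {"jdoe"}
ACCOUNTS = [
    Account("jdoe-ad", set(), {"jdoe"}),                # no access, no active user
    Account("svc-report", set(), {"jdoe", "asmith"}),   # still mapped to an active user
    Account("jdoe-erp", {"ERP:Viewer"}, {"jdoe"}),      # still holds an entitlement
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.name, "->", predict_action(acct, "disable", TERMINATED))
```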