|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.1.1 P03, P04 and P05, 7.2.0
|Issue||After data collection and unification, RSA Identity Governance & Lifecycle fails to identify some users as terminated or deleted even though an Identity Data Collector (IDC) either collected the IS_TERMINATED attribute or identified the user as deleted in the raw data.|
Additionally, Provisioning - Termination rules may not correctly identify all terminated or deleted users and fail to de-provision accounts and entitlements related to the user.
Users that are terminated in the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_TERMINATED flag unset and users that are missing (deleted) from the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_DELETED flag unset.
This issue typically only affects a subset of all users and may appear to occur randomly or transiently.
|Cause||This is a known issue reported in engineering ticket ACM-103555 and found in the following RSA Identity Governance & Lifecycle versions and patch levels:|
The issue may occur in configurations where all three of the following conditions are true:
|Resolution||This issue is fixed in the following patches|
The fix includes a code change that prevents this issue from occurring as well as a migration script that corrects any incorrect records.
|Workaround||A detection script called IdentifyProblemUsers_ACM-103555.sql is attached to this RSA Knowledge Base Article and can be run to identify this issue and list the USER_ID of any users that may have been affected.|
Download and run the attached IdentifyProblemUsers.sql detection script in SQL*Plus or SQL Developer as avuser.
NOTE: If you use a SQL tool other than SQL*Plus or SQL Developer, see the Notes section below for modifications needed to the detection script before it will run.
If the script returns the following output, then you do not have this issue:
If the script returns any records, then you have this issue and the users in the list may be affected. Note that not all users returned in the list will be affected and the script does not identify which users actually are affected. Please contact RSA Identity Governance & Lifecycle Support for assistance on remediating this issue and mention this RSA Knowledge Base Article ID 000038590 for reference.
|Notes||If you use a SQL tool other than SQL*Plus or SQL Developer, please make the following modifications to IdentifyProblemUsers.sql before executing the program. That is because the set serveroutput command is a SQL*Plus command and not part of the PL/SQL programming language. Using this command with a non-SQL*Plus tool, will result in the following error:|