000038590 - Unification fails to identify terminated or deleted users in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Mar 20, 2020. Last modified by RSA Customer Support Employee on Mar 24, 2020.

Article Content

Article Number: 000038590
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1, 7.2.0
 
Issue
After data collection and unification, RSA Identity Governance & Lifecycle fails to identify some users as terminated or deleted, even though an Identity Data Collector (IDC) either collected the IS_TERMINATED attribute or identified the user as deleted in the raw data.

Additionally, Provisioning - Termination rules may not correctly identify all terminated or deleted users and so fail to de-provision the accounts and entitlements related to those users.

Users that are terminated in the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_TERMINATED flag unset, and users that are missing (deleted) from the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_DELETED flag unset.

This issue typically only affects a subset of all users and may appear to occur randomly or transiently.
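The check below is an added illustration, not the detection script attached to this article: it reconciles a constructed CSV export of the creating IDC's raw data against a constructed export of T_MASTER_ENTERPRISE_USERS and lists users whose flags disagree with the raw data in the two ways described above. The column names, the 0/1 flag convention and the CSV layout are assumptions for the sample, not RSA's export format.

```python
"""Reconcile raw IDC collection data against a T_MASTER_ENTERPRISE_USERS export.

Added example, not RSA's IdentifyProblemUsers script. Assumes both inputs were
exported to CSV with the column names used below (an assumption; real exports
may differ) and that flags are stored as the strings "0" / "1".
"""
import csv
import io

# Constructed sample export of the raw data collected by the IDC that creates
# users (the IDC configured with Create Users = Yes).
RAW_IDC_CSV = """USER_ID,IS_TERMINATED
alice,0
bob,1
carol,0
dave,1
"""

# Constructed sample export of T_MASTER_ENTERPRISE_USERS (not a real dump).
MASTER_CSV = """USER_ID,IS_TERMINATED,IS_DELETED
alice,0,0
bob,0,0
carol,0,0
dave,1,0
erin,0,0
frank,0,1
"""


def load_rows(csv_text):
    """Parse a CSV export into a dict keyed by USER_ID."""
    return {row["USER_ID"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def find_problem_users(raw_csv, master_csv):
    """Return {USER_ID: reason} for master records unification should have flagged:
    terminated in raw data but IS_TERMINATED unset, or absent from raw data but
    IS_DELETED unset. Records already marked deleted are skipped."""
    raw = load_rows(raw_csv)
    problems = {}
    for user_id, rec in load_rows(master_csv).items():
        if rec["IS_DELETED"] == "1":
            continue
        if user_id not in raw:
            problems[user_id] = "missing from raw data but IS_DELETED unset"
        elif raw[user_id]["IS_TERMINATED"] == "1" and rec["IS_TERMINATED"] != "1":
            problems[user_id] = "terminated in raw data but IS_TERMINATED unset"
    return problems


if __name__ == "__main__":
    for user_id, reason in sorted(find_problem_users(RAW_IDC_CSV, MASTER_CSV).items()):
        print(f"Problem Master Enterprise User ID: {user_id} ({reason})")
```

With the sample data the script reports bob (terminated in raw data, flag unset) and erin (absent from raw data, not marked deleted); dave is correctly flagged and frank is already deleted, so neither is listed.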
 
Cause
This is a known issue reported in engineering ticket ACM-103555 and found in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.1.1 P03, P04 and P05
  • RSA Identity Governance & Lifecycle 7.2.0

The issue may occur in configurations where all three of the following conditions are true:

  • Multiple Identity Data Collectors (IDCs) exist and may collect attributes for the same users, but only one of the IDCs is configured with Create Users = Yes.
  • The IDC that creates users typically runs after the other IDCs.
  • The IDC that creates users joins to the other IDCs on the USER_ID attribute.

This issue does not occur randomly, but because of the complexity of the possible collection and unification run orders it is difficult to predict.
 
Resolution
This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release. The fix will include a code change that prevents this issue from occurring as well as a migration script that corrects any incorrect records.
 
Workaround
A detection script called IdentifyProblemUsers_ACM-103555.sql is attached to this RSA Knowledge Base Article and can be run to identify this issue and list the USER_ID of any users that are affected.

Download and run the attached IdentifyProblemUsers.sql detection script in SQL*Plus or SQL Developer as avuser.

NOTE: If you use a SQL tool other than SQL*Plus or SQL Developer, see the Notes section below for the modifications needed to the detection script before it will run.



If the script returns only the following output, then you do not have this issue:

Started
Completed

PL/SQL procedure successfully completed.

If the script returns any records, then you have this issue. Please contact RSA Identity Governance & Lifecycle Support for assistance on remediating this issue and mention this RSA Knowledge Base Article ID 000038590 for reference. Affected users are listed one per line, for example:

Problem Master Enterprise User ID:  TestUser1


 
Notes
If you use a SQL tool other than SQL*Plus or SQL Developer, please make the following modifications to IdentifyProblemUsers.sql before executing the program. This is necessary because the set serveroutput command is a SQL*Plus command and not part of the PL/SQL language. Using this command with a non-SQL*Plus tool will result in the following error:

PL/SQL: ORA-00922: missing or invalid option

 

Change FROM:

set serveroutput on size unlimited
declare
    v_count  number;
    v_idc_id number;
    TYPE NumList IS TABLE OF NUMBER;
    MeuIds   NumList;
begin
    dbms_output.put_line('Started');

TO:

declare
    v_count  number;
    v_idc_id number;
    TYPE NumList IS TABLE OF NUMBER;
    MeuIds   NumList;
begin
    -- enable the DBMS_OUTPUT buffer from within PL/SQL instead of SQL*Plus
    dbms_output.enable;
    dbms_output.put_line('Started');

