000034462 - Users are not assigned to new RSA Identity Management and Governance and Lifecycle business unit after collection

Document created by RSA Customer Support Employee on Nov 29, 2016. Last modified by RSA Customer Support on Jan 18, 2018.
Version 3

Article Content

Article Number: 000034462
Applies To: RSA Product Set: Identity Management and Governance
RSA Version/Condition: 7.0.0, 7.0.1
 
Issue: After defining a new business unit in RSA Identity Management and Governance and Lifecycle, the collection shows existing users being collected with the correct attribute value for the new business unit, but the users do not show up in the business unit. New users assigned to the new business unit are defined correctly.
When listing users for the new business unit, either no users are shown or the list is missing some old users.
 
Cause: In RSA Identity Management and Governance and Lifecycle version 7.0.0 or later, business unit calculation only occurs when a new user is added or some property of an existing user has changed. This is due to the new Delta Processing feature of 7.0.x, which does not do a full collection and only collects users that have changed since the last collection. If a new business unit is defined, RSA Identity Management and Governance and Lifecycle does not update the business unit for any users who have already been collected and have a value for the attribute mapped for the new business unit.
Resolution: Business units should be defined before the initial data collections are done.
If a new business unit is defined, or the name of an existing business unit is changed, a full refresh should be forced for the IDC that collects the associated business unit.
WARNING: RSA recommends that a full database backup be performed before making any changes to the database tables.
To force a full refresh on the Identity Collector (IDC):
  1. Modify the T_DATA_COLLECTORS table.
  2. Set the REQUIRES_FULL_REFRESH column for the collector to O (that is the letter O as in Oscar). For example, to force a full collection for the Active Directory IDC, run the following query:

UPDATE "AVUSER"."T_DATA_COLLECTORS" SET REQUIRES_FULL_REFRESH = 'O' WHERE NAME = 'Active Directory IDC' ;

  3. Confirm the query correctly modified one row, and then commit the data to the database.

  4. Do a collection on the IDC with the options Run unification after collection and Ignore circuit breaker on this run both checked.

  5. After the collection has completed, you can confirm that a full refresh has occurred by examining the associated database logs for the collection. The logs should show "Full refresh. Deleting old runs from t_raw_user".
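
Steps 1 to 3 can be combined into one guarded block, shown here as an added example that is not RSA's own script. It assumes an Oracle database session (SQL*Plus or SQL Developer) with update rights on the table named in the article, and it commits only when exactly one collector row was changed.

```sql
-- Added example (not from RSA): set the full-refresh flag and commit only
-- if exactly one collector row matched. Assumes an Oracle session.
SET SERVEROUTPUT ON

DECLARE
  -- Collector name taken from the article's example query; change as needed.
  v_name "AVUSER"."T_DATA_COLLECTORS".NAME%TYPE := 'Active Directory IDC';
  v_rows PLS_INTEGER;
BEGIN
  UPDATE "AVUSER"."T_DATA_COLLECTORS"
     SET REQUIRES_FULL_REFRESH = 'O'   -- the letter O, not the digit zero
   WHERE NAME = v_name;

  v_rows := SQL%ROWCOUNT;              -- rows touched by the UPDATE above

  IF v_rows = 1 THEN
    COMMIT;
    DBMS_OUTPUT.PUT_LINE('Committed: full refresh flagged for ' || v_name);
  ELSE
    -- Zero rows means the name did not match; more than one means the
    -- name is not unique. Either way nothing is kept.
    -- Note: ROLLBACK also discards any other uncommitted work in this session.
    ROLLBACK;
    DBMS_OUTPUT.PUT_LINE('Rolled back: ' || v_rows || ' rows matched ' || v_name);
  END IF;
END;
/
```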