000034501 - Accounts created from an RSA Via Lifecycle and Governance account template are not removed from UI when request item is rejected or cancelled

Document created by RSA Customer Support Employee on Jan 13, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034501
Applies ToRSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 6.9.1, 7.0.0
 
Issue
When an account template is associated to an application and Entitlements require account is enabled, the new account creation triggers automatically for the request created to add entitlements. If the request item to create an account is rejected in the approval phase or cancelled in the fulfillment phase, the account should be removed from the UI. However this is not happening.

Issue 1: Issue when items are rejected in approval phase


  1. The Simple Account template is created and associated to an application and enabled Entitlements require account.
User-added image

User-added image

  1. The request is created to add entitlements to multiple users for the account template associated application. That approval is rejected for one of the users and accepted for another user:
User-added image

  1. Since the create account for salva was rejected, we accept this account to not be created in the application. Only the account krao is to be created. When we go into application we can see account salva was created.
User-added image

  1. The account for salva shows as local user mapping:
User-added image

Issue 2: Issue when items are cancelled in fulfillment phase


  1. A request is created to add entitlements to two other users. In the request, items are accepted in approval phase. Items are cancelled for one user in fulfillment phase:
User-added image

  1. In the application we could see the cancelled account is created as well:
User-added image

User-added image
Resolution
  • For 6.9.1 update to 6.9.1P18 or 6.9.1 P19 to get the fix 
  • For 7.0.0 or later, upgrade to 7.0.1 P01 or 7.0.1 P02
WorkaroundAs a workaround we have a script named DeleteStaleCreateAccounts.sql (attached to the article) to delete the accounts created.

Before running the script, do the following:


  1. Take a full backup of AVUSER schema (that is, the whole RSA Via Lifecycle and Governance  database).
  2. Within the DeleteStaleCreateAccount script is the following SELECT statement.  Run just this statement to find the list of accounts that are going to be deleted, and make sure it does not contain anything we need to preserve in the database.
SELECT operand_name AS account_name, operand_id AS oid
FROM t_av_change_request_details crds
WHERE crds.operand_type = 'AC'
AND crds.full_operation = 'CreateAccount'
AND crds.state in ('RJ', 'CA')
AND NOT exists (-- Exclude accounts that had not been completely rejected
SELECT 1 FROM t_av_change_request_details cri
WHERE ((cri.operand_type = 'AC' AND cri.operand_id = crds.operand_id)
OR
(cri.value_type = 'AC' AND cri.value_id = crds.operand_id))
AND cri.state NOT IN ('RJ', 'CA'))
AND NOT exists (-- Exclude collected accounts
SELECT 1 FROM t_av_accounts acc
where acc.id = crds.operand_id
AND acc.adc_id > 0) ;

  1. Make sure that accounts we want to delete are listed by the above query.
  2. Then execute the SQL script.

Outcomes