Article Content
Article Number | 000035482 |
Applies To | RSA Product Set: Identity Governance and Lifecycle RSA Version/Condition: 7.0.2 GA HF02, 7.0.2 P02 |
Issue | In RSA Identity Governance and Lifecycle 7.0.2 GA HF02, when requesting an app-role entitlement to an application for which a user does not have an account, the account is created via an account template and then via a form in the manual fulfillment step of a workflow. This works fine as long as the account name resolves to the collected user attribute defined under the Account Data Collector's IADC) User Resolution Rules. However, when performing the manual fulfillment, if the account name is changed by the person fulfilling the request to an attribute that does not resolve, the expected behavior is for the account to be orphaned. Instead, the account is left in a partial state which requires the account to be unmapped and remapped. Further, there is no way to easily identify accounts in this state. For example, you have an application called 'Animal-Care' with several associated entitlements. If an AD user requests an entitlement in this application, you require an account to also be created in this application using an account template. Let's say you want the account name to be a name not yet known or collected into the Access Certification Manager (ACM). The end-point application also does not know of any attributes collected into ACM. Therefore, there is no known attribute which can be used to resolve this new account upon collection. As such, the desired behavior is, once the ADC and EDC (Entitlement Data Collector) for this application have run, for the entitlements to be associated with this account and for the account to be orphaned so that it may later be identified and mapped to the appropriate user. Instead the following occurs after collection: In this case the account name is changed to 'Professor' which is not a known collected user attribute so it is not able to resolve to the defined user resolution attribute in the collector definition.
|
Cause | This is a defect. |
Resolution | Upgrade to 7.0.2 P02. |
Workaround | Resolve to a known user collected attribute in the Account Collector definition. This assumes that this user attribute is known to the data source and can be collected from the data source. In the case where there is no known user attribute to resolve to, you will need to apply the patch in order to get the collected account to become properly orphaned. |