Article Content
Article Number | 000035205 |
Applies To | RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.x |
Issue | A Termination–Provisioning Rule set with actions to disable and delete the account(s) for each terminated user with associated accounts results in a pair of Change Requests.
|
Resolution | The Termination Rule only catches those users who have 'Is_Terminated' attribute changed to 'True' as of the latest IDC/Unification run. Any Users who had the status of their 'Is_Terminated' attribute changed previous to the latest run are no longer within the view of the Termination Rule. This behavior is by design. NOTE - This behavior of Termination Rule is by design irrespective of the actions taken. Actions such as Disable/Delete Account do not have any affect on this behavior and are shown here only as an example of Rule configuration with actions. For example, let's say you have created a Termination Rule with the following configuration (where no filter is used on a condition): When you run an Identity Data Collector (IDC) that collects users whose termination status is changed (Is_Terminated=1), and then run the Termination Rule (Provisioning-Termination) for the first time (with or without filter), the rule will identify the terminated users as follows: The result above shows that the rule has identified nine terminated users: Processing Summary:
After this, if you update the Rule Definition with the condition updated as Is_terminated=yes (shown below) and run the same rule again, users will not be identified as terminated. The result of the Rule run will show as: Processing Summary:
These users will not be identified as terminated, since it is a different/next run and does not reflect as the updated status for "Is_terminated" attribute. |