000035205 - Correct Termination Rule behavior in RSA Identity Governance and Lifecycle 7.x

Document created by RSA Customer Support Employee on Jun 11, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035205
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition: 7.x
 
IssueA Termination–Provisioning Rule set with actions to disable and delete the account(s) for each terminated user with associated accounts results in a pair of Change Requests.  
  • What is the correct behavior on the part of the Termination Rule?
  • What happens to all the users whose attribute is changed to  IS_TERMINATED=1/yes status during one of the collection periods in previous runs?  




 
ResolutionThe Termination Rule only catches those users who have  'Is_Terminated' attribute changed to 'True' as of the latest IDC/Unification run.  Any Users who had the status of their 'Is_Terminated' attribute changed previous to the latest run are no longer within the view of the Termination Rule.

This behavior is by design.

NOTE - This behavior of Termination Rule is by design irrespective of the actions taken.  Actions such as Disable/Delete Account do not have any affect on this behavior and are shown here only as an example of Rule configuration with actions.


For example, let's say you have created a Termination Rule with the following configuration (where no filter is used on a condition):
 
Termination-Rule-Definition


When you run an Identity Data Collector (IDC) that collects users whose termination status is changed (Is_Terminated=1), and then run the Termination Rule (Provisioning-Termination) for the first time (with or without filter), the rule will identify the terminated users as follows:
 
First-Rule-Run-RunId-82


The result above shows that the rule has identified nine terminated users:
Processing Summary:


  • Number of terminated users found:9
  • Number of deleted users found:0

After this, if you update the Rule Definition with the condition updated as Is_terminated=yes (shown below) and run the same rule again, users will not be identified as terminated. 
Second-Rule-Run-RunId-83

The result of the Rule run will show as: 
 
Processing Summary:


  • Number of terminated users found:0
  • Number of deleted users found:0

These users will not be identified as terminated, since it is a different/next run and does not reflect as the updated status for "Is_terminated" attribute.

Attachments

    Outcomes