|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle |
RSA Version/Condition: 7.x
|Issue||A Termination–Provisioning Rule set with actions to disable and delete the account(s) for each terminated user with associated accounts results in a pair of Change Requests. |
|Resolution||The Termination Rule only catches those users who have 'Is_Terminated' attribute changed to 'True' as of the latest IDC/Unification run. Any Users who had the status of their 'Is_Terminated' attribute changed previous to the latest run are no longer within the view of the Termination Rule.|
This behavior is by design.
NOTE - This behavior of Termination Rule is by design irrespective of the actions taken. Actions such as Disable/Delete Account do not have any affect on this behavior and are shown here only as an example of Rule configuration with actions.
For example, let's say you have created a Termination Rule with the following configuration (where no filter is used on a condition):
When you run an Identity Data Collector (IDC) that collects users whose termination status is changed (Is_Terminated=1), and then run the Termination Rule (Provisioning-Termination) for the first time (with or without filter), the rule will identify the terminated users as follows:
The result above shows that the rule has identified nine terminated users:
After this, if you update the Rule Definition with the condition updated as Is_terminated=yes (shown below) and run the same rule again, users will not be identified as terminated.
The result of the Rule run will show as:
These users will not be identified as terminated, since it is a different/next run and does not reflect as the updated status for "Is_terminated" attribute.