000036801 - Termination Date is not populated with the Account Expires date when running an AD Identity Collector (IDC) in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Oct 5, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036801
Applies ToRSA Product Set: Identity Governance & Lifecycle

IssueThe RSA Identity Governance & Lifecycle termination date field does not populate with the Active Directory accountExpires attribute  collected via an Active Directory Identity Collector (IDC).


  1. The termination date is set in the raw data but not in the user record.
  2. The accountExpires information may be collected into a custom attribute field.


  1.  Note the accountExpires attribute is populated with an expiration date in the Active Directory.

User-added image

  1. The data for accountExpires is collected as the Termination Date by the AD IDC.

User-added image

  1. After running the AD IDC and unification, the Termination Date is set in the raw data.

User-added image

  1. In RSA Identity Governance & Lifecycle, the Termination Date in the user record is blank.

User-added image
CauseThis is expected behavior. In RSA Identity Governance & Lifecycle, the termination_date field indicates when a user was terminated, not when an active user will get terminated, unlike the accountExpires attribute in the AD. The Termination Date field will not be set unless the the user is terminated; that is, when the is_terminated field is set to true. 
ResolutionEither collect accountExpires into a custom user attribute or populate the Termination Date field with the actual date the user is terminated along with the is_terminated flag.