Authentication Manager token assigned to <no access> or <unknown> after user in an external identity source is deleted from the identity source with a token still assigned
Originally Published: 2013-07-12
Article Number
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
Cause
Users become unresolvable for any of the following reasons:
- The user is deleted from the LDAP directory.
- The user is moved outside the scope of the base DN of the identity source.
- The user is moved outside the scope of all identity sources.
- The scope of the identity source is narrowed so that it no longer includes the user.
- The Search Filter of the identity source is modified so that it no longer contains the user.
- The user is moved to an identity source in the same physical directory using the delete and add method, and the Unique Identifier is configured to use the default value.
- The user is moved to an identity source in a different physical directory.
Resolution
Before continuing, please log in to the primary's Operations Console and take a backup of the database.
1. Log in to the Security Console and select Setup > Identity Sources > Clean Up Unresolvable Users.
2. Select the name of the identity source that you want to clean up, or select All.
3. In the Grace Period field, do one of the following:
- To clean up users who have been unresolvable for more than the specified number of days, select the checkbox.
- To clean up users immediately when they are found to be unresolvable, clear the checkbox.
The Grace Period is used to prevent cleanup for any users and user groups that may have been mistakenly removed from the directory or moved to an OU out of scope of the identity source. You can specify how many days the users must be unresolvable before they are cleaned up, and take corrective action beforehand. By default, this field is enabled to clean unresolvable users after seven days.
4. Click Next. The list of unresolvable users builds and displays in the Preview panel when complete. The Preview displays up to 500 results at a time. If you see exactly 500 results, you may need to clean up additional users. In this case, RSA recommends running a report based on the Users and User Groups Missing From Identity Source report template to view a complete list of unresolvable users. For more information, see Add a Report.
5. In the Preview pane, review the list of users. Click the column names to sort the list. If the list is empty, there are no unresolvable users.
6. Click Clean Up Now.
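To anticipate what the Preview will list, the scope and Grace Period rules described above can be modelled against a directory export. This is an added example, not RSA code or an Authentication Manager interface. The record layout, token serials, DNs and dates are constructed assumptions, and the DN parser does not handle multi-valued (`+`) or quoted RDNs.

```python
from datetime import date

def split_dn(dn):
    """Split a DN into lowercased RDNs; a backslash-escaped comma stays in its RDN."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        esc = (ch == "\\") and not esc
    rdns.append(cur)
    return [f"{a.strip().lower()}={v.strip().lower()}"
            for a, _, v in (r.partition("=") for r in rdns)]

def in_scope(user_dn, base_dn):
    """True if user_dn sits at or below base_dn, compared RDN by RDN."""
    u, b = split_dn(user_dn), split_dn(base_dn)
    return len(u) >= len(b) and u[len(u) - len(b):] == b

def triage(holders, directory, base_dn, today, grace_days=7):
    """Map each token serial to the state a cleanup run would find.
    grace_days=None models a cleared Grace Period checkbox (immediate cleanup)."""
    result = {}
    for h in holders:
        dn = directory.get(h["user"])  # None: user deleted from the directory
        if dn is not None and in_scope(dn, base_dn):
            result[h["token"]] = "resolvable"
            continue
        reason = "deleted" if dn is None else "out of scope"
        age = (today - h["unresolvable_since"]).days
        due = grace_days is None or age > grace_days  # "more than" N days
        result[h["token"]] = f"{reason}, {'cleanup' if due else 'in grace period'}"
    return result

# Constructed sample data (hypothetical field names, users and serials).
BASE_DN = "OU=Staff,DC=example,DC=com"
DIRECTORY = {  # user ID -> current DN in the directory export
    "alice": "cn=Smith\\, Alice, ou=staff, dc=example, dc=com",
    "bob": "CN=Bob,OU=Contractors,DC=example,DC=com",   # moved out of the base DN
    "erin": "CN=Erin,OU=Contractors,DC=example,DC=com",
}
HOLDERS = [
    {"token": "000100000001", "user": "alice", "unresolvable_since": None},
    {"token": "000100000002", "user": "bob", "unresolvable_since": date(2024, 3, 1)},
    {"token": "000100000003", "user": "carol", "unresolvable_since": date(2024, 3, 9)},
    {"token": "000100000004", "user": "erin", "unresolvable_since": date(2024, 3, 3)},
]
```

Calling `triage(HOLDERS, DIRECTORY, BASE_DN, date(2024, 3, 10))` with the default seven-day grace period shows which assigned tokens would lose their owner now and which are still inside the window for corrective action.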