Partially orphaned accounts occur in RSA Identity Governance & Lifecycle when the ADC defines multiple user resolution attributes from the same target collector
3 years ago
Originally Published: 2019-05-01
Article Number
000041095
Applies To
RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0
 
Issue
Partially orphaned accounts are created after Unification. In the example below, note that UserC3 is not displayed as an orphaned account, yet it is not mapped to any user which is the definition of an orphaned account.
 
User-added image
User-added image
Cause
This problem occurs when an Identity Data Collector (IDC) collects multiple attributes for a user, an Account Data Collector (ADC) defines two or more of these attributes in the user resolution rules, and one of the attributes defined in the resolution rules is modified in the data source.

As an example, an IDC collects User Id, Email Address, and Department. An ADC collects AccountName. Three User Resolution rules are defined on these IDC attributes in the ADC definition:
 
User-added image

After running the IDC, Unification and ADC, the AccountName resolves to the User Id and correctly maps the users.
 
User-added image

If one of the user attributes other than the User Id is modified in the IDC, the problem occurs. In this case, the email address for UserC3 was modified. After running the IDC and Unification, the account is left partially orphaned:
 
User-added image
Resolution
This is fixed in 7.0.2 P12, 7.1.0 P05, and 7.1.1.  The fix ensures that unification will not deactivate the affected account mappings and the accounts will no longer appear to be orphaned or partially orphaned.
 
Workaround
As a workaround, run the Account Data Collector. This will re-map the user to the account.

Related Articles

Trending Articles

Don't see what you're looking for?