Unification fails to identify terminated or deleted users in RSA Identity Governance & Lifecycle
Originally Published: 2020-03-19
Article Number
Applies To
RSA Version/Condition: 7.1.1 P03, P04 and P05, 7.2.0
Issue
Additionally, Provisioning - Termination rules may not correctly identify all terminated or deleted users and fail to de-provision accounts and entitlements related to the user.
Users that are terminated in the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_TERMINATED flag unset, and users that are missing (deleted) from the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_DELETED flag unset.
This issue typically only affects a subset of all users and may appear to occur randomly or transiently.
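The symptom above can be cross-checked outside the product by reconciling an export of the authoritative source feed against an export of T_MASTER_ENTERPRISE_USERS. The following is an added example, not RSA's IdentifyProblemUsers.sql script; the CSV layout, the STATUS column, the flag encodings and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports. Only USER_ID, IS_TERMINATED and IS_DELETED are
# names taken from the article; STATUS and the CSV layout are assumptions.
SOURCE_FEED = """USER_ID,STATUS
alice,ACTIVE
bob,TERMINATED
carol,TERMINATED
"""
MASTER_EXPORT = """USER_ID,IS_TERMINATED,IS_DELETED
alice,,
bob,,
carol,Y,
dave,,
erin,,Y
"""

UNSET = {"", "0", "N", "NULL"}  # assumed encodings of an unset flag


def flag_set(value):
    """True when an exported flag column holds a value that means 'set'."""
    return (value or "").strip().upper() not in UNSET


def find_stale_users(source_csv, master_csv, terminated_status="TERMINATED"):
    """Return (missed_terminations, missed_deletions) as sorted USER_ID lists."""
    source = {row["USER_ID"].strip(): row["STATUS"].strip().upper()
              for row in csv.DictReader(io.StringIO(source_csv))}
    missed_term, missed_del = [], []
    for row in csv.DictReader(io.StringIO(master_csv)):
        uid = row["USER_ID"].strip()
        if uid not in source:
            # Gone from the raw data: the master record should be flagged deleted.
            if not flag_set(row.get("IS_DELETED")):
                missed_del.append(uid)
        elif source[uid] == terminated_status:
            # Terminated in the raw data: the master record should be flagged.
            if not flag_set(row.get("IS_TERMINATED")):
                missed_term.append(uid)
    return sorted(missed_term), sorted(missed_del)


if __name__ == "__main__":
    terminated, deleted = find_stale_users(SOURCE_FEED, MASTER_EXPORT)
    print("Terminated in source, IS_TERMINATED unset:", terminated)
    print("Missing from source, IS_DELETED unset:", deleted)
```

Any user this reports still has live accounts and entitlements that termination rules will not de-provision, so the list is a reasonable starting point for a manual access review while the fix is pending.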
Cause
- RSA Identity Governance & Lifecycle 7.1.1 P03, P04 and P05
- RSA Identity Governance & Lifecycle 7.2.0
The issue may occur in configurations where all three of the following conditions are true:
- Multiple Identity Data Collectors (IDCs) exist and may collect attributes for the same users but only one of the IDCs is configured with Create Users = Yes.
- The IDC that creates users typically runs after the other IDCs.
- The IDC that creates users joins to the other IDCs on the USER_ID attribute.
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P06
- RSA Identity Governance & Lifecycle 7.2.0 P01
The fix includes a code change that prevents this issue from occurring as well as a migration script that corrects any incorrect records.
Workaround
Download and run the attached IdentifyProblemUsers.sql detection script in SQL*Plus or SQL Developer as avuser.
NOTE: If you use a SQL tool other than SQL*Plus or SQL Developer, see the Notes section below for modifications needed to the detection script before it will run.
If the script returns the following output, then you do not have this issue:
Started
Completed
PL/SQL procedure successfully completed.
If the script returns any records, then you may have this issue and some of the users in the list may be affected. Note that not all users returned in the list will be affected and the script does not identify which users actually are affected. Please contact RSA Identity Governance & Lifecycle Support for assistance on remediating this issue and mention this RSA Knowledge Base Article ID 000038590 for reference.
Problem Master Enterprise User ID: TestUser1
Notes
PL/SQL: ORA-00922: missing or invalid option
Change FROM:
set serveroutput on size unlimited
declare
v_count number;
v_idc_id number;
TYPE NumList IS TABLE OF NUMBER;
MeuIds NumList;
begin
dbms_output.put_line('Started');
TO:
declare
v_count number;
v_idc_id number;
TYPE NumList IS TABLE OF NUMBER;
MeuIds NumList;
begin
dbms_output.enable;
dbms_output.put_line('Started');