When should a Provisioning-Termination Rule delete accounts in RSA Identity Governance & Lifecycle?
Originally Published: 2020-01-15
Article Number
Applies To
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
Issue
Resolution
The Provisioning-Termination rule may delete an account even if the Rule is not configured to delete accounts. This is the case when both of the following conditions are met:
- All of the access (entitlements) associated with that account have been removed, and
- The account is not linked to another active (not terminated) user.
If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. The Rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account.
If the account still has one or more entitlements given to it, or is mapped to another user who is not terminated, the Rule will take action against the account as per the Rule's configured actions. That is, in this case the Rule will not delete the account unless it is specifically configured to do so.
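The decision described above, modelled as a dry run that predicts which of a terminated user's accounts would be deleted. This is an added example, not RSA code: the `Account` and `RuleConfig` classes, their field names and the sample data are constructed assumptions, not the product's schema.

```python
from dataclasses import dataclass

@dataclass
class Account:                      # hypothetical model, not the product schema
    name: str
    entitlements: frozenset         # access currently on the account
    mapped_users: frozenset         # users the account is mapped to

@dataclass
class RuleConfig:                   # hypothetical: the Rule's configured actions
    delete_accounts: bool = False
    disable_accounts: bool = True

def predict(account, terminated, active_users, revoked, rule):
    """Predict the outcome for one account mapped to the terminated user."""
    # Entitlements left after the change request removes access.
    remaining = account.entitlements - revoked.get(account.name, frozenset())
    # Other users mapped to the account who are still active (not terminated).
    other_active = (account.mapped_users - {terminated}) & active_users
    # Both conditions hold: no access left AND no other active user.
    if not remaining and not other_active:
        return "delete (implicit)"
    # Otherwise only the Rule's configured actions apply.
    if rule.delete_accounts:
        return "delete (configured)"
    return "disable" if rule.disable_accounts else "no action"

def dry_run(accounts, terminated, active_users, revoked, rule):
    """Map account name -> predicted action for the terminated user's accounts."""
    return {a.name: predict(a, terminated, active_users, revoked, rule)
            for a in accounts if terminated in a.mapped_users}

# Constructed sample data: jdoe is terminated, bwayne was terminated earlier.
ACCOUNTS = [
    Account("svc_jdoe", frozenset({"AD:Finance-RO"}), frozenset({"jdoe"})),
    Account("shared_ops", frozenset({"AD:Ops"}), frozenset({"jdoe", "asmith"})),
    Account("jdoe_vpn", frozenset({"VPN:Base", "VPN:Admin"}), frozenset({"jdoe"})),
    Account("old_shared", frozenset({"DB:Read"}), frozenset({"jdoe", "bwayne"})),
]
ACTIVE = frozenset({"asmith"})
REVOKED = {"svc_jdoe": frozenset({"AD:Finance-RO"}), "shared_ops": frozenset({"AD:Ops"}),
           "jdoe_vpn": frozenset({"VPN:Admin"}), "old_shared": frozenset({"DB:Read"})}

if __name__ == "__main__":
    result = dry_run(ACCOUNTS, "jdoe", ACTIVE, REVOKED, RuleConfig())
    for name, action in result.items():
        print(f"{name:12} {action}")
```

With the Rule set to disable only, `svc_jdoe` and `old_shared` are still predicted as deleted, while `shared_ops` (still mapped to an active user) and `jdoe_vpn` (still holding an entitlement) receive only the configured action.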
Notes
Implicit Account Removal: When RSA Identity Governance and Lifecycle generates a change request to remove access from an account, it checks whether the changes would result in an account not having any access to a business source. In this case, it creates a change item to delete the account regardless of the configuration of this action. This prevents accounts from remaining that would allow access to a business source despite not having any permissions to that business source.
This is also documented in the RSA Identity Governance & Lifecycle Administrator's Guide for your version in the section entitled Account Management Terminology.
There may be times when this security feature is not desired. See the RSALink Idea "Unmap Request should only remove/unmap the user from the account instead of account deletion" to vote for a modification to this behavior.