Workaround to remove duplicate identities resulted in the mapping of an account to a terminated account instead of the active one
Originally Published: 2017-05-01
Applies To
RSA Version/Condition: All versions
Issue
And what you did to resolve this was:
1. To get the original IDC (first introduced prior to the duplicate) to return zero rows, and have its Users terminate so there would be only one of the two duplicates active in the system.
2. The second IDC created would instead be the only one returning the active User.
The issue this caused is that the system maintains the mapping to the terminated/disabled account instead of the active one.
Is this proper behavior, or should the system ideally know to move mapping to the active User?
Resolution
In this scenario, the mapping of an account to a deleted user is working as designed.
Other customers require this functionality because it addresses a security hole.
The problem that can occur is this:
A user can be terminated/deleted, but if they still have access to the account, then anyone who gains access as that 'user' also gains the privileges of the account.
There are other scenarios where users were subsequently rehired by companies in a different role.
If this mapping is not identified then a returning employee may have privileges that their new role does not require.
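An added example, not RSA's code or schema: a review report over exported user and account records that lists enabled accounts still mapped to a terminated user and notes whether an active duplicate identity exists. The record fields (`unique_id`, `mapped_user_id`, `terminated`, `disabled`), the status labels and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not the product's schema.
USERS = [
    {"id": 101, "unique_id": "jdoe", "collector": "IDC_old", "terminated": True},
    {"id": 202, "unique_id": "jdoe", "collector": "IDC_new", "terminated": False},
    {"id": 103, "unique_id": "asmith", "collector": "IDC_old", "terminated": True},
    {"id": 204, "unique_id": "blee", "collector": "IDC_new", "terminated": False},
]
ACCOUNTS = [
    {"name": "jdoe", "mapped_user_id": 101, "disabled": False},
    {"name": "asmith", "mapped_user_id": 103, "disabled": False},
    {"name": "asmith-adm", "mapped_user_id": 103, "disabled": True},
    {"name": "blee", "mapped_user_id": 204, "disabled": False},
]


def audit_mappings(users, accounts):
    """Flag enabled accounts whose mapped user is terminated.

    Nothing is remapped automatically: each finding is a review item, because
    a rehired or duplicated identity may not need the old account's privileges.
    """
    by_id = {u["id"]: u for u in users}
    active = defaultdict(list)  # unique_id -> ids of non-terminated records
    for u in users:
        if not u["terminated"]:
            active[u["unique_id"]].append(u["id"])

    findings = []
    for acct in accounts:
        owner = by_id.get(acct["mapped_user_id"])
        if owner is None or not owner["terminated"] or acct["disabled"]:
            continue  # unmapped, mapped to an active user, or already disabled
        candidates = active.get(owner["unique_id"], [])
        if len(candidates) == 1:
            status = "ACTIVE_DUPLICATE"   # reviewer decides whether to remap
        elif candidates:
            status = "AMBIGUOUS"          # several active records share the key
        else:
            status = "TERMINATED_OWNER"   # live account, no active identity
        findings.append((acct["name"], owner["id"], status, candidates))
    return findings


if __name__ == "__main__":
    for finding in audit_mappings(USERS, ACCOUNTS):
        print(finding)
```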