Workaround to remove duplicate identities resulted to mapping of account to a terminated account instead of the active one
Originally Published: 2017-05-01
Article Number
Applies To
RSA Version/Condition: All versions
Issue
And what you did to resolve this was:
1. To get the original IDC (first introduced prior to the duplicate) to return zero rows, and have its Users terminate so there would be only one of the two duplicates active in the system.
2. The second IDC created would instead be the only one returning the active User.
The issue this caused is that the system maintains mapping to the terminated/disabled account instead of the active one.
Is this proper behavior, or should the system ideally know to move mapping to the active User?
Resolution
In this scenario, the mapping of an account to a deleted user is working as designed.
This is a required functionality from other Customers as this is a security hole.
The problem that can occur is this:
i.e. A user can be terminated/deleted, but if they still have access to the account, then if someone were to get access as that 'user', they would have access to the privileges to the account as well.
There are other scenarios where users were subsequently rehired by companies in a different role.
If this mapping is not identified then a returning employee may have privileges that their new role does not require.
This is a required functionality from other Customers as this is a security hole.
The problem that can occur is this:
i.e. A user can be terminated/deleted, but if they still have access to the account, then if someone were to get access as that 'user', they would have access to the privileges to the account as well.
There are other scenarios where users were subsequently rehired by companies in a different role.
If this mapping is not identified then a returning employee may have privileges that their new role does not require.
Related Articles
A completed change request to remove Aveksa Application/Directory entitlements from a user does not remove the access from… Number of Views Terminated Users not correctly removed from Roles in RSA Identity Governance & Lifecycle Number of Views How to cancel/remove pending emails waiting in the queue in RSA Identity Governance & Lifecycle Number of Views How to remove all user data stored in the RSA Identity Governance and Lifecycle application database Number of Views Attribute change rule creating duplicate change items for users having more than one account with same entitlement in an a… Number of Views
Trending Articles
How to Download OTP Token Seed Files from myRSA RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8
Don't see what you're looking for?
