Scheduling Cleanup for Unresolvable Users and User Groups

The scheduled cleanup job deletes references to unresolvable users and user groups from the internal database.

The scheduled cleanup job runs against linked and unlinked identity sources and can be configured to run on a daily, weekly or monthly basis. The job is canceled if the number of unresolvable users exceeds the specified Cleanup Limit. The limit helps avoid accidentally disassociating a large number of users from their authentication data if changes are made to these users directly in an LDAP directory. The default limit is 50 users.

RSA recommends cleaning up unresolvable users for the following reasons:

  • Unresolvable users count against the license user limit. After cleaning up unresolvable users, the count is reduced, and you can register more users in your deployment.

  • Tokens assigned to unresolvable users remain assigned to them. After cleaning up unresolvable users, you can assign their tokens to other users.

    If users are moved to an identity source in a different physical directory, reassign the tokens to the same users. You also need to reassign any fixed passcodes, on-demand tokencode settings, and administrative roles that users had prior to being moved.

RSA recommends scheduling a cleanup for the following reasons:

  • Before deleting an identity source

    To delete an identity source you must first unlink the identity source from the system, run the scheduled cleanup, and use the Operations Console to delete the identity source. The scheduled cleanup deletes all references to users and groups from the internal database that were associated with the unlinked identity source.

    For more information, see Unlink Identity Sources from the System.

    If you need to temporarily unlink an identity source (for example, to add an associated Global Catalog), do not run a cleanup job. When you relink the identity source, all users from that identity source will be resolvable again. Authentication Manager will be able to locate those users as it did before the unlink operation.

  • After narrowing the identity source scope

    After you narrow the scope of an identity source, some users and user groups may become unresolvable and unable to authenticate. You must run the scheduled cleanup job after editing the identity source. When you run the job, make sure that you disable the Grace Period and Cleanup Limit if they are set, and re-enable those settings after this single cleanup runs.

You can use the following options to modify the cleanup process:

Cleanup Limit. The Cleanup Limit cancels the automated cleanup when more than the specified number of unresolvable users are found in the database. This limit helps prevent accidentally disassociating a large number of users from their authentication data if changes are made to these users directly in the identity source.

When the cleanup is canceled, you can run the “Users and User Groups Missing From the Identity Source” report to see a list of unresolvable users. The list may contain users that you do not want to clean up. For example, these may be users who were mistakenly deleted from the directory or moved from one location to another in the same directory.

Grace Period. The Grace Period restricts the cleanup to users who have been unresolvable for more than a specified number of days. Specifying a Grace Period gives you time to correct any unintended changes to users in the directory. For example, some users may have been deleted or moved accidentally.

Use the Grace Period to avoid cleaning up users when any of the following actions occur accidentally in linked identity sources:

  • A user is deleted.

  • A user is moved to an organizational unit (OU) outside of any identity source in your deployment.

  • A user’s name is changed.
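The following model of how the Cleanup Limit and Grace Period interact is an added illustration, not RSA code; the order of the checks (the limit is compared against the total number of unresolvable users found, and the Grace Period then restricts which of them are deleted) is an interpretation of the description above, and the user data is constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class UnresolvableUser:
    user_id: str
    unresolvable_since: date  # first day the identity source stopped returning this user


def plan_cleanup(users, today, cleanup_limit=50, grace_period_days=None):
    """Model of one scheduled cleanup run (illustration, not the product's code).

    Returns ("canceled", []) when more unresolvable users were found than
    cleanup_limit allows, otherwise ("run", [user ids to delete]).
    Pass cleanup_limit=None / grace_period_days=None to model a run with that
    setting disabled, as recommended after narrowing an identity source scope.
    """
    if cleanup_limit is not None and len(users) > cleanup_limit:
        # Too many users would be disassociated from their authentication data;
        # the job cancels without deleting anything so the operator can review
        # the "Users and User Groups Missing From the Identity Source" report.
        return "canceled", []
    if grace_period_days is None:
        eligible = list(users)
    else:
        # Grace Period: only users unresolvable for MORE than N days are removed,
        # giving time to undo an accidental delete, move or rename.
        eligible = [u for u in users
                    if (today - u.unresolvable_since).days > grace_period_days]
    return "run", sorted(u.user_id for u in eligible)


# Constructed sample data, not taken from any real deployment.
TODAY = date(2024, 6, 30)
SAMPLE_USERS = [
    UnresolvableUser("alice", date(2024, 6, 1)),   # 29 days unresolvable
    UnresolvableUser("bob", date(2024, 6, 25)),    # 5 days: likely an accidental move
    UnresolvableUser("carol", date(2024, 1, 15)),  # unresolvable for months
]

if __name__ == "__main__":
    print(plan_cleanup(SAMPLE_USERS, TODAY, cleanup_limit=50, grace_period_days=7))
    print(plan_cleanup(SAMPLE_USERS, TODAY, cleanup_limit=2, grace_period_days=7))
    print(plan_cleanup(SAMPLE_USERS, TODAY, cleanup_limit=None, grace_period_days=None))
```

With the default limit of 50 and a 7-day Grace Period only alice and carol are deleted and bob is kept; with a limit of 2 the job cancels because three unresolvable users were found.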