Account Access Rule Missing Ability To Delete Account
We'd like to be able to delete an account if the account doesn't have any entitlements. The account access rule appears to only allow you to disable the account. If our requirement is to delete instead of disable, what choices do we have related to automating this via a change request?
It appears previous posters have had similar questions, without a clear solution for deleting the account:
Account To Be Deactivated When All Responsibilities
https://community.rsa.com/message/915765
Currently I'm thinking we'd need either a custom task or a sub-process within our workflow (when using a form/access review to remove entitlements) that would check to see if the account has any associated entitlements left for said business application. If not, we'd then have to add a provisioning node to the workflow. The one thing I don't like about this is you don't see the delete account item within the change request itself.
Accepted Solutions
Perhaps you can reuse the same method created by Clive Morrish in the Account Review - Revoke Account Options to submit those requests using web services.
Maybe something like a simple custom task, where all it does is select the accounts to be deleted into a Change Request XML and then post it via Web Services using a REST node back to IGL to create proper 'Delete Account' change requests.
How about using an Account Access and Ownership review and using the account filter to only include accounts without entitlements? This could be run on a scheduled basis.
You can then use an escalation workflow to mark all items as Revoke which will generate a Delete Account change request. The same escalation can also be used to mark the review as Complete.
Something to consider is how you scope the accounts with no access as you could end up deleting newly created accounts that haven't yet had access granted. Perhaps the 'First Seen On' or 'Created On' attributes could be utilized.
Thanks Mostafa and Clive. Much appreciated.
