Orphan Account definition
I’ve been trying to simplify a leaver process and cut down on the amount of workflow customizations that we use. To this end I’ve been testing the termination rule to handle removing any AD groups assigned to the leavers prior to deleting the accounts.
This is a required step in our leaver process in case there are any errors in the HR feed or the employee re-joins the company within an allowed timeframe, allowing the AD account to be then re-enabled and reused.
However, this rule fails as the account is also deleted when the groups are removed.
Apparently, this is by design https://community.rsa.com/docs/DOC-109920
If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. This rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account.
Does anyone agree with RSA definition of an orphan account?
I’ve never come across this as a definition of an orphaned account. If an account is attached to a user then it’s not an orphan, the fact that they’re terminated is irrelevant.
I can’t think of anywhere else in IGL that uses this definition for orphan accounts.
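The two-stage leaver handling described in the post (strip access now, keep the disabled account around for a rejoin window, delete only later) can be scripted directly against AD. The following is an added PowerShell example and is not code from the thread, from RSA, or from IGL; it assumes the ActiveDirectory module, a 90-day retention window, and that the leaver's previous group DNs are parked in the account's `info` attribute as JSON so a rejoiner can be restored. All function names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): disable + strip groups immediately,
# restore on rejoin, and delete only after a retention window has passed.
# Assumptions: the 'info' attribute is free for use, and a scheduled task
# runs Remove-ExpiredLeavers against the leavers OU.

Import-Module ActiveDirectory

function Invoke-LeaverOffboard {
    param([Parameter(Mandatory)][string]$Sam, [switch]$WhatIf)
    $user = Get-ADUser -Identity $Sam -Properties MemberOf, info

    # Snapshot group membership BEFORE stripping it, so a rejoiner can be restored.
    # [ordered] keeps 'OffboardedOn' first, which Remove-ExpiredLeavers relies on.
    $snapshot = [ordered]@{
        OffboardedOn = (Get-Date).ToString('o')
        Groups       = @($user.MemberOf)
    } | ConvertTo-Json -Compress
    Set-ADUser -Identity $user -Replace @{ info = $snapshot } -WhatIf:$WhatIf

    # Disable first: the account must stop being usable even if a group removal fails.
    Disable-ADAccount -Identity $user -WhatIf:$WhatIf

    foreach ($groupDn in $user.MemberOf) {
        # The primary group (usually Domain Users) is not in MemberOf and stays.
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -WhatIf:$WhatIf
    }
    # Result: a disabled account with no group access that still exists and is still
    # mapped to the (terminated) user, which is the state the original post wants.
}

function Restore-Rejoiner {
    param([Parameter(Mandatory)][string]$Sam, [switch]$WhatIf)
    $user = Get-ADUser -Identity $Sam -Properties info
    if (-not $user.info) { throw "No offboarding snapshot found on $Sam" }
    $snapshot = $user.info | ConvertFrom-Json
    foreach ($groupDn in @($snapshot.Groups)) {
        Add-ADGroupMember -Identity $groupDn -Members $user -WhatIf:$WhatIf
    }
    Enable-ADAccount -Identity $user -WhatIf:$WhatIf
    Set-ADUser -Identity $user -Clear info -WhatIf:$WhatIf
}

function Remove-ExpiredLeavers {
    param([int]$RetentionDays = 90, [Parameter(Mandatory)][string]$SearchBase, [switch]$WhatIf)
    # Separate, scheduled step: delete only accounts this process offboarded AND that
    # have stayed disabled past the retention window. An account that was simply
    # disabled by hand (no snapshot) is left alone for a human to look at.
    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $SearchBase |
        Get-ADUser -Properties info |
        Where-Object { $_.info -like '{"OffboardedOn"*' } |
        ForEach-Object {
            $stamp = [datetime]($_.info | ConvertFrom-Json).OffboardedOn
            if ($stamp -lt (Get-Date).AddDays(-$RetentionDays)) {
                Remove-ADUser -Identity $_ -Confirm:$false -WhatIf:$WhatIf
            }
        }
}

# Usage (hypothetical OU):
#   Invoke-LeaverOffboard -Sam jsmith -WhatIf
#   Restore-Rejoiner      -Sam jsmith
#   Remove-ExpiredLeavers -RetentionDays 90 -SearchBase 'OU=Leavers,DC=example,DC=com' -WhatIf
```

Two caveats a practitioner would want: the `info` attribute is limited to 1024 characters, so accounts with a long group list need the snapshot written to a multi-valued attribute or an external record instead; and the deletion pass keys off the snapshot marker rather than off "disabled" alone, which is exactly the distinction the thread is arguing about, since a disabled account with a stored restore record is deliberately not treated as an orphan to be purged.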
Accepted Solutions
The Admin guide's definition of Orphaned accounts is "An account with no users mapped to it".
So, if what is in this knowledge article is RSA’s new definition of what an Orphaned account is, then the Admin Guide will need to be changed as will the Applications as they use the old definition.
Personally, I don’t think having two definitions of orphan accounts is the way to go.
Hi
Your quote from the RSA definition:
If the account no longer has any access and is not mapped to an active user,
When a user terminates/gets deleted it is a non-active user. Hence the account becomes an orphan.
Frank
I agree with Frank that an account mapped to a terminated/deleted user is an orphan account. Basically this user doesn't exist in the organization anymore.
On the other hand, can you explain:
- Your full leavers process (Business Process).
- How you are trying to configure it (Technical translation)?
- At which step is this not working for you.
I'm pretty sure the use case of disabling an account immediately then deleting it later is possible.