This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
JuliaHalstead
Beginner
Beginner
‎2018-10-25 04:31 AM

Automatically un-assigning RSA Software Tokens from Users still active in AD

Hi, 

Is there a report/job that can be run to automatically un-assign RSA Software Tokens from users who have not used their Token for 4 months or more. I'm currently doing this job manually at the beginning of each month.

The users are still active in AD but there has been no activity on their Token so we'd like to be able to recycle them.

thanks

Julia

0 Likes
Reply
4 Replies
EdwardDavis
Employee
Employee
‎2018-10-25 08:02 AM

The all users report has last login date. There is another report for listing last login for a specific token (users with days since last login using specific token). However, tokens are never automatically unassigned unless you are replacing them, and when the replacement is first used, the original token is then unassigned. 

0 Likes
Reply
JayGuillette
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2018-10-25 08:31 AM

There are two problems here;

 1. identifying the users who have not used their token in a 'long time' - that's solved with a report

 2. un-assigning the tokens from those users identified in step 1

That's why there is not single easy report/job that can identify and un-assign, and why you are currently doing this manually.

If your users are in an external Identity Source like Active Directory, you might make this job easier if you could move them out of scope of what Authentication Manager sees, at which point their tokens will be unassigned during the next clean up job, which you could schedule nightly.

This KB explains how to map an Identity Source to a group in AD, so that only users in the group are seen by AM so that tokens can be assigned

https://community.rsa.com/docs/DOC-45897 

If you take your last login date report, you might be able to move lots of users out of this group at one time, so that at the next clean up job their tokens are un-assigned

0 Likes
Reply
JayGuillette
Occasional Contributor Occasional Contributor
Occasional Contributor
In response to JayGuillette
‎2018-10-25 08:33 AM

A second approach might be to output your report of last login to .csv file with userIDs, and use that as input to an AMBA script to unassign tokens from those users 

Reply
JuliaHalstead
Beginner
Beginner
In response to JayGuillette
‎2018-10-25 08:36 AM

Perfect, thanks. This is similar to what we did in Version 6 so i'll look into that. 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.