This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA SecurID® Access Discussions

Browse the SecurID Access discussion board to get product help and collaborate with other users of SecurID Access.
SumitKumar4
Beginner
Beginner
‎2019-09-06 10:06 AM

User migration

We moved on user1 from ab.com domain to de.com domain in AD.

disabled user in ab.com domain.

now we are seeing that user1 don't have any token and new token is also not able to assign to the user. getting error like already token assigned and that token itself is not searchable in RSA now.

 

if we are moving user from one domain to other through AD, does token also moves with the user? 

can somebody help here?

 

Also, how to mover user with token from 1 identity source(ab.com) to other (de.com)? is it possible?

both identity source are in same setup.

Labels (1)
0 Likes
Reply
14 Replies
SumitKumar4
Beginner
Beginner
In response to JayGuillette
‎2019-09-11 05:50 AM

1-user is not coming in unresolvable report.

2- token is released from the user and assigned to some different user.

3- but now we are not able to assign the new token to the user in new domain. user is disabled in old domain.

 

what we should do to assign the token to this user?

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to SumitKumar4
‎2019-09-11 09:12 AM

If the token was assigned to user1 in ab.com, then you created same user1 in the new domain, at that point you'd have duplicates.  When you hide or delete user1 in ab.com, the new domain user1 may actually heal and assign the token to it, because it's the same userID, same first and last name.  So you are never unresolvable.

0 Likes
Reply
SumitKumar4
Beginner
Beginner
In response to JayGuillette
‎2019-09-12 08:20 AM

i checked for the user in unresolvable list but no results found. now user in old domain is in disabled state and in new domain we are not able to assign new token.

can you please suggest how to resolve this? 

0 Likes
Reply
JayGuillette
Contributor Contributor
Contributor
In response to SumitKumar4
‎2019-09-12 11:40 AM

The user in old domain is not in the unresolvable list because he is in the old domain, just disabled.  He would need to be not found in order to be unresolvable in the old domain.  So the AM internal database has a pointer to the user in old domain, to their ObjectGUID, so when you try to assign a token to the same user in the new domain, you get the error that he already exists.

 

The proper fix is to remove the userID from the old domain..If you cannot control what is done in the old domain, there is a 'trick' we can do, basically to filter out or block the single userid in the old domain Identity Source.  This would allow you to find this userID in the Clean-up unresolvable list.  Once that happens, you will be able to assign a token to the same userID in the new Domain.

0 Likes
Reply
SumitKumar4
Beginner
Beginner
In response to JayGuillette
‎2019-09-13 06:06 AM

Thanks Jay.

will changing the filter from operations console, cause any problems?

 

Also in a article 000026361 - Migrating users across identity sources in RSA Authentication Manager 8.x 

point#9 : Now remove the users that have been exported and cleanup the database. If all the users have been exported, the identity source can be unlinked in the Security Console under Setup > Identity Sources > Link Identity Source to System. Unlink the identity source and click Save.

 

from where we have to remove the users? 

cleanup database means after removing users , we have to cleanup unresolvable users or click on schedule cleanup?

is it mandatory to unlink the identity source at this point if we have more users to migrate?

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.