Is there any way to have a token assigned to another user without having them reimport?
Here is the scenario:
1. There is one iPhone that has the RSA app
2. There is one token assigned to the user of that phone
3. The current user leaves the company and the phone is given to the new employee
The current token is assigned to the old employee. Is there any way that the token could be switched to the new employee without having them have to reimport the token?
It can be done with internal database users easily, and with external identity source users with a few additional actions.
Ouser is old user
Nuser is new user
If the Ouser is in the internal database, you can edit first name/last name/userid and it's done.
If the Ouser is in an external identity source, it can be done this way:
- export Ouser with token
- edit the LDAP user search filter to exclude this Ouser so they do not appear on security console
- run an identity source cleanup, flush out Ouser in the list of orphaned objects
- import Ouser and token and send to Internal Database
- now edit Ouser in the Internal database to become Nuser
  (if you have a userid conflict such as Nuser already exists, break Nuser in the search filter and do a cleanup on Nuser so they do not exist on the system, then you can do your edits to Ouser)
- export Nuser in internal database with token
- delete Nuser from internal database

Now repair or fix any Ouser or Nuser search filter exclusions in operations console. At a minimum Nuser must appear in the security console list now, with the [first name/last name/userid] that matches what you created for Nuser in the internal database earlier.

- import Nuser and token, and point them toward the external identity source.
an example of an exclude filter
Thank you for the reply. Would you be able to provide step-by-step instructions on the first 3 options (exporting user and running cleanup) or tell me where I can find that information?
Although possible, I would STRONGLY urge you against tampering with the database. Just issue a new token and be done with it. You'll have to clear the PIN anyway since the new users will not know it. Tampering with the LDAP filter or updating SQL tables manually really is not a good idea. One slip and you could really mess up the system.