Users in a newly attached external identity source show as disabled, and administrators cannot manage or edit the users in RSA Authentication Manager.
This is a permissions issue for the LDAP service account used to manage the Active Directory on the RSA Authentication Manager from the Operations Console.
From the external identity source (Active Directory in the example below), make sure that the group of users are being managed by the administrator (service account) who has full read permissions on the group:
Login to the primary Authentication Manager Operations Console and select Deployment Configuration > Identity Source > Manage Existing.
Click the context arrow next to the identity source in question and click Edit.
Click on the Map tab.
Scroll down to the section labeled Directory Settings.
Set the User Account Enabled State to Manage in Directory and Internal database. This specifies where Authentication Manager looks for the enabled/disabled state of user accounts.
Select the Home tab on the Operations Console and click Flush Cache.
Choose to flush all cache objects and click Flush.
Wait for five minutes to ensure all cached objects have been cleared.
Go back to the Security Console and attempt to enable or manage a user.