If you look at the following KB
https://community.rsa.com/docs/DOC-45944
You can get an understanding of how RSA calculates the license count *
So if your Security Console - Setup - Licenses - Status at one point showed 1110 count, then at a later point in time showed 1103, that indicates 7 users changed their status, e.g. had their token, fixed passcode or RBA un-assigned. What many sites configure is a Clean-up job
To find users who were in Active Directory or an LDAP identity source, who had a token assigned, but they no longer are in LDAP or AD, probably because they are no longer employees. The Clean-up job looks at users no longer in AD and unassigns their tokens, freeing up the token to be used by someone else, and lowering the active user count.
An expired token can still count against the active User Limit count if it is assigned to a user. I think you have to unassign the expired token before you can delete it, so if you did unassign, that could have lowered the license count.
* RSA sells two things for use with Authentication Manager:
- Active user license limits through a product license, and
- Tokens, which can include hardware tokens, software tokens, on-demand authenticators (ODA) and/or and fixed passcodes.
Note the following about tokens and active users:
- Any user with at least one of the above token authenticators assigned to them counts as one user against the active user limit, as defined in the software license. This includes expired tokens assigned to any user, including LDAP external identity source users who have been removed or disabled in Active Directory. Run a clean up job to determine which tokens can be unassigned free up your active user count.
- A single user with two or more tokens of any type and a fixed passcode only counts as a single active user.
- A single user with ODA enabled counts as an ODA user and an active user.
