how to automatically unassign token from disabled user

Hello everyone,


I am using RSA Authentication Manager 8.5 P1 for MFA.

The userbase is imported by LDAP from a Microsoft Active Directory.

Now when a user leaves the company and gets disabled in AD, the user also becomes disabled in RSA.

Is there a way to also automatically unassign a user's SecurID token on the event of disabling the user, or after a specific time of being in disabled state?


Thank you very much in advance.

Best regards,


When you disable a user in AD, do you also disable the account in Authentication Manager? When an auth request arrives, if the user record is in AD, AM will check the AD enable flag and/or the AM enable flag, depending on the settings for that identity source. There's nothing in AM that automatically disables the user on the AM side when the user is disabled in AD.


That said, are you 100% certain that a user account is never disabled for any reason other than leaving the company? You don't disable an account if they take extended leave, for instance?


Dear Steven,

thank you for the reply.

We disable users when they leave the company or for a parental leave. There is no process to disable a user for other reasons.

I just tested again that when I disable the AD user, it also shows Account status: disabled in AM. Enabling a user in AD will also enable it in AM.

Users are not imported from AD, only LDAP identity source. So this behaviour seems fine to me.

Is there a way to create a batch job or something to check for disabled users having a token assigned to them and unassign it? It does not have to be instant, a daily basis would already fit my needs.

Thank you very much in advance.


Are you set up to make SQL queries? The 8.5 extras kit has documentation on the public tables, in the Developer's Guide. A join of the am_token and ims_principal_data tables can yield a list of tokens assigned to disabled accounts. You can manipulate the list into a format usable by the AMBA tool to unassign the tokens.
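
An added example of the join described above; it is not from the thread or from RSA's documentation. The table names come from the reply, but every column name is an assumption that has to be checked against the public-table schema in the Developer's Guide before the query is used.

```sql
-- Added example: list SecurID tokens still assigned to principals whose
-- account is disabled. Table names (am_token, ims_principal_data) are from
-- the thread; every column name below is an ASSUMPTION and must be checked
-- against the public-table schema in the Developer's Guide.
SELECT
    p.user_id,                  -- assumed: login name of the principal
    t.serial_number,            -- assumed: token serial number
    p.last_updated_on           -- assumed: last change to the principal row
FROM am_token t
JOIN ims_principal_data p
    ON p.id = t.principal_id    -- assumed join key (token -> principal)
WHERE t.principal_id IS NOT NULL            -- only tokens that are assigned
  AND p.is_enabled = 0                      -- assumed: AM-side disabled flag
  -- Optional grace period, matching the "after a specific time" requirement:
  -- only accounts whose record has not changed for 30 days. This assumes the
  -- last-updated timestamp reflects the disable event; verify that first.
  AND p.last_updated_on < CURRENT_TIMESTAMP - INTERVAL '30' DAY
ORDER BY p.user_id, t.serial_number;
```

Because AM may evaluate the AD enable flag only at authentication time (as noted earlier in the thread), confirm that the disabled state is actually persisted in the principal table for LDAP-sourced users; if it is not, the list has to be driven from an export of disabled AD accounts instead. Review the result by hand before feeding it to any unassign step, since the process described here also disables accounts for parental leave.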


Dear Steven,


I looked into your idea and got the SQL queries working, but unfortunately I do not have an Enterprise license to use the AMBA tool.

So I was thinking about using LDAP filters to have unresolvable token assignments after user deactivation which will be cleared by the cleanup job.

Any thoughts?


Thank you very much.