SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

How to select all users who don't have tokens to assign tokens in bulk


we are using RSA AM 8.1 SP1. We have a set for 1200 user who have tokens assigned already.

Now I need to assign software tokens to 400 more. When I go to select users to assign tokens to I don't have filter to select only those who don't have tokens assigned.

Do I miss something?

Is there any way to select such users?

Labels (1)
2 Replies

In the security console, no.


Probably the best thing to do is run a report for users with no tokens, and output it as csv,

then tune it to become an AMBA input file for assigning tokens


AMBA (auth manager bulk admin) using csv input files


a) run a security console report for all users, and choose 'has tokens assigned NO'


run report, save as csv, you now have a list of userids without tokens assigned, and can remake this csv

into a new csv for input into AMBA to assign tokens 


b) if the users are in active directory,

and you have never 'touched' the user account yet, the report from (a) will not show any of these users.


You need to do something (some or any administrative action) in the RSA security console with the AD user accounts to make the RSA server 'register' the user as something that can be reported on


Here is a simple thing to do for that 'administrative action': put them in a group, and take them out later


b1) security console, identity, user groups, create a new group in the internal database...move-grp


b2) security console, identity, users, manage existing,

list your AD users (up to 500 at a time on screen), select all with the upper checkbox, and chose the upper

dropdown selection box 'add to user groups', and add them to the new group you created move-grp




b3) repeat in batches of 500 users until all users you want to show up in the report have been put in that

group move-grp


b4) run your all users report again no tokens assigned, (you do not need to specify anything about that group

in the report) and now all the AD users you just 'administratively touched' and have no token assigned will now show up in the report

(and report output is exportable as csv)


b5) go to identity, user groups, manage existing, and look at the members of the move-grp

and you can remove them from the group (in batches of 500)

Dear Edward,


your reply is much appreciated! Great thanks!

At the moment we don't have AMBA bought but you gave me the right way towards. At least I will prepare a helpful report as described above.

It's a pity that in the base config there is no even filter for users where Last authentication = never that would be enough for me. It gives only after/before, is on/not is on in the drop-down list.