When an account template is associated with an application and Entitlements require account is enabled, creation of the new account is triggered automatically for a request created to add entitlements. If the request item to create an account is rejected in the approval phase or cancelled in the fulfillment phase, the account should be removed from the UI. However, this is not happening.
Issue 1: Issue when items are rejected in approval phase
The Simple Account template is created and associated with an application, and Entitlements require account is enabled.
A request is created to add entitlements to multiple users for the application associated with the account template. The approval is rejected for one of the users and accepted for another user:
Since the create account item for salva was rejected, we expect this account not to be created in the application. Only the account krao is to be created. When we go into the application, we can see that account salva was created.
The account for salva shows as local user mapping:
Issue 2: Issue when items are cancelled in fulfillment phase
A request is created to add entitlements to two other users. In the request, items are accepted in the approval phase. Items are cancelled for one user in the fulfillment phase:
In the application we can see that the cancelled account was created as well:
For 6.9.1, update to 6.9.1 P18 or 6.9.1 P19 to get the fix.
For 7.0.0 or later, upgrade to 7.0.1 P01 or 7.0.1 P02.
As a workaround we have a script named DeleteStaleCreateAccounts.sql (attached to the article) to delete the accounts created.
Before running the script, do the following:
Take a full backup of the AVUSER schema (that is, the whole RSA Via Lifecycle and Governance database).
The DeleteStaleCreateAccounts.sql script contains the following SELECT statement. Run just this statement to find the list of accounts that are going to be deleted, and make sure it does not contain anything we need to preserve in the database.
SELECT operand_name AS account_name, operand_id AS oid
FROM t_av_change_request_details crds
WHERE crds.operand_type = 'AC'
  AND crds.full_operation = 'CreateAccount'
  AND crds.state IN ('RJ', 'CA')
  AND NOT EXISTS ( -- Exclude accounts that had not been completely rejected
        SELECT 1 FROM t_av_change_request_details cri
        WHERE ((cri.operand_type = 'AC' AND cri.operand_id = crds.operand_id)
            OR (cri.value_type = 'AC' AND cri.value_id = crds.operand_id))
          AND cri.state NOT IN ('RJ', 'CA'))
  AND NOT EXISTS ( -- Exclude collected accounts
        SELECT 1 FROM t_av_accounts acc
        WHERE acc.id = crds.operand_id
          AND acc.adc_id > 0);
Make sure that accounts we want to delete are listed by the above query.