This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

Correct Termination Rule behavior in RSA Identity Governance and Lifecycle 7.x

Article Number

000035205

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition: 7.x
 

Issue

​A Termination–Provisioning Rule set with actions to disable and delete the account(s) for each terminated user with associated accounts results in a pair of Change Requests.  
  • What is the correct behavior on the part of the Termination Rule?
  • What happens to all the users whose attribute is changed to  IS_TERMINATED=1/yes status during one of the collection periods in previous runs?  




 

Resolution

The Termination Rule only catches those users who have  'Is_Terminated' attribute changed to 'True' as of the latest IDC/Unification run.  Any Users who had the status of their 'Is_Terminated' attribute changed previous to the latest run are no longer within the view of the Termination Rule.

This behavior is by design.

NOTE - This behavior of Termination Rule is by design irrespective of the actions taken.  Actions such as Disable/Delete Account do not have any affect on this behavior and are shown here only as an example of Rule configuration with actions.

For example, let's say you have created a Termination Rule with the following configuration (where no filter is used on a condition):
 
Image descriptionImage description

When you run an Identity Data Collector (IDC) that collects users whose termination status is changed (Is_Terminated=1), and then run the Termination Rule (Provisioning-Termination) for the first time (with or without filter), the rule will identify the terminated users as follows:
 
Image descriptionImage description

The result above shows that the rule has identified nine terminated users:
Processing Summary:
  • Number of terminated users found:9
  • Number of deleted users found:0

After this, if you update the Rule Definition with the condition updated as Is_terminated=yes (shown below) and run the same rule again, users will not be identified as terminated. 
Image descriptionImage description
The result of the Rule run will show as: 
 
Processing Summary:
  • Number of terminated users found:0
  • Number of deleted users found:0

These users will not be identified as terminated, since it is a different/next run and does not reflect as the updated status for "Is_terminated" attribute.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-23 12:07 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.