RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0
Partially orphaned accounts are created after Unification. In the example below, note that UserC3 is not displayed as an orphaned account, yet it is not mapped to any user, which is the definition of an orphaned account.
This problem occurs when an Identity Data Collector (IDC) collects multiple attributes for a user, an Account Data Collector (ADC) defines two or more of these attributes in the user resolution rules, and one of the attributes defined in the resolution rules is modified in the data source.
As an example, an IDC collects User Id, Email Address, and Department. An ADC collects AccountName. Three User Resolution rules are defined on these IDC attributes in the ADC definition:
After running the IDC, Unification, and ADC, the AccountName resolves to the User Id and the accounts are correctly mapped to the users.
If one of the user attributes other than the User Id is modified in the IDC, the problem occurs. In this case, the email address for UserC3 was modified. After running the IDC and Unification, the account is left partially orphaned:
This is fixed in 7.0.2 P12, 7.1.0 P05, and 7.1.1. The fix ensures that unification will not deactivate the affected account mappings and the accounts will no longer appear to be orphaned or partially orphaned.
As a workaround, run the Account Data Collector. This will re-map the user to the account.