When a Provisioning - Termination Rule is configured to revoke user entitlements and disable and/or delete accounts, no change requests are created to revoke the user entitlements; only change requests to disable and/or delete accounts are created. In the RSA Identity Governance & Lifecycle user interface, the rule is configured under Rules > Definitions > Create Rule > Type: Provisioning - Termination > Actions.
This occurs when the Rule Actions are defined as any of the following combinations:
- Disable accounts (excludes shared and service accounts) and Revoke user entitlements (excludes shared and service accounts)
- Delete accounts (excludes shared and service accounts) and Revoke user entitlements (excludes shared and service accounts)
- Disable accounts (excludes shared and service accounts), Delete accounts (excludes shared and service accounts) and Revoke user entitlements (excludes shared and service accounts)
For example, consider a Provisioning - Termination Rule that defines all three actions.
In this case the expected behavior is that three change requests are created for each terminated user: one to disable account(s), one to delete account(s) and one to revoke user entitlements. The problem is that after the users are terminated, collections and unification are run and the rule is processed, only two change requests are created: one to disable account(s) and one to delete account(s). No request to revoke user entitlements is created. Similarly, if the rule is defined to only disable accounts, or to only delete accounts, together with revoking user entitlements, the expected behavior is two change requests: one to disable or delete accounts and one to revoke user entitlements. In that case only one change request, to disable or delete accounts, is created, and the request to revoke user entitlements is again missing.
If a Provisioning - Termination Rule is defined to only revoke user entitlements, a change request to revoke the entitlements is created as expected.
This is a known issue reported in engineering ticket ACM-95904.
This issue occurs when a user has accounts. If the user does not have any accounts and only has user entitlements, then a change request to revoke entitlements is created as expected.
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
- RSA Identity Governance & Lifecycle 7.0.2 P13
- RSA Identity Governance & Lifecycle 7.1.0 P09
- RSA Identity Governance & Lifecycle 7.1.1 P03
- RSA Identity Governance & Lifecycle 7.2.0