When manually mapping accounts to one or more users in RSA Identity Governance & Lifecycle 7.1.0, terminated users are neither displayed in the selection window nor returned by a search there. For example, on an RSA Identity Governance & Lifecycle 7.1.0 system, the total user count, which includes terminated users, is shown below:
When you add users to an account (orphan, active or disabled) and group the selection by the Is Terminated attribute, only users with Is Terminated = No are displayed.
In versions prior to RSA Identity Governance & Lifecycle 7.1.0, terminated users could be selected while manually mapping accounts to users. This is not a supported use case, as it encourages bad security practice: a terminated user should not hold any entitlements, and mapping that user to an account is exactly what would grant them.
In RSA Identity Governance & Lifecycle 7.0.2, it was possible to view terminated users and add them to an account, as shown below:
This is a security risk, since the terminated users retain access to the application(s) through the mapped accounts.
This behavior is by design in RSA Identity Governance & Lifecycle 7.1.0.
Terminated and deleted users should not have access to the system, and their account mappings should be removed from the source system to prevent security issues. This cleanup is essential because the collector will continue to pick up those users and accounts for as long as they exist in the source system.
In an RSA Identity Governance & Lifecycle 7.1.0 system, terminated users are neither displayed nor returned in search results, so they cannot be added to accounts and the security risk is removed.
If you search specifically for a terminated user, no result is returned. In the example below, xyz is a terminated user.
Searching for xyz returns no result, as shown below:
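The following is an added example, not RSA's own code or schema, that models the two behaviours described in this article on constructed sample data: the 7.1.0 selection window, where terminated users are neither listed nor returned by an explicit search (with a switch that reproduces the pre-7.1.0 behaviour for comparison), and the cleanup check recommended above, which lists accounts in the source system that are still mapped to a terminated user. The field names (user_id, is_terminated, mapped_user_id) and the user and account records are assumptions made for illustration only; "xyz" is the terminated user from the example above.

```python
"""Added example (not RSA IG&L code): terminated-user filtering for
account-to-user mapping, plus a cleanup check for existing mappings.
All record field names and sample data below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    display_name: str
    is_terminated: bool          # the "Is Terminated" attribute


@dataclass(frozen=True)
class Account:
    account_name: str
    application: str
    mapped_user_id: Optional[str]  # None means the account is orphaned


# Constructed sample data; "xyz" is terminated, as in the article.
USERS: List[User] = [
    User("abc", "Alice Brown", False),
    User("def", "Dan Evans", False),
    User("xyz", "Xavier Young", True),
]

ACCOUNTS: List[Account] = [
    Account("abrown", "HR-App", "abc"),
    Account("xyoung", "HR-App", "xyz"),      # still mapped to a terminated user
    Account("svc_backup", "Finance", None),  # orphan account
]


def selectable_users(users: List[User], *, allow_terminated: bool = False) -> List[User]:
    """Users offered in the mapping selection window.

    allow_terminated=False is the 7.1.0 behaviour (terminated users hidden);
    allow_terminated=True reproduces the pre-7.1.0 behaviour for comparison."""
    return [u for u in users if allow_terminated or not u.is_terminated]


def user_search(users: List[User], query: str, *, allow_terminated: bool = False) -> List[User]:
    """Search the selection window by user id or display name.

    Terminated users are removed before matching, so an explicit search for
    one (e.g. "xyz") returns an empty list under the 7.1.0 behaviour."""
    q = query.strip().lower()
    candidates = selectable_users(users, allow_terminated=allow_terminated)
    return [u for u in candidates
            if q in u.user_id.lower() or q in u.display_name.lower()]


def group_by_is_terminated(users: List[User], *, allow_terminated: bool = False) -> Dict[str, List[User]]:
    """Group the selectable users by the Is Terminated attribute.

    Under the 7.1.0 behaviour only the "No" group is ever present."""
    groups: Dict[str, List[User]] = {}
    for u in selectable_users(users, allow_terminated=allow_terminated):
        groups.setdefault("Yes" if u.is_terminated else "No", []).append(u)
    return groups


def find_mappings_to_terminated_users(accounts: List[Account], users: List[User]) -> List[Account]:
    """Cleanup check: accounts whose mapped user is terminated.

    These mappings keep a terminated user's access alive and will keep being
    collected while they exist in the source system, so they should be removed."""
    terminated_ids = {u.user_id for u in users if u.is_terminated}
    return [a for a in accounts
            if a.mapped_user_id is not None and a.mapped_user_id in terminated_ids]


if __name__ == "__main__":
    print("7.1.0 search for xyz:", [u.user_id for u in user_search(USERS, "xyz")])
    print("7.0.2 search for xyz:", [u.user_id for u in user_search(USERS, "xyz", allow_terminated=True)])
    print("Groups shown:", sorted(group_by_is_terminated(USERS)))
    for acct in find_mappings_to_terminated_users(ACCOUNTS, USERS):
        print(f"CLEANUP: {acct.application}/{acct.account_name} is mapped to terminated user {acct.mapped_user_id}")
```

Running the script shows the search for xyz returning nothing under the 7.1.0 filter and returning the user under the pre-7.1.0 behaviour, and flags the xyoung account in HR-App as a mapping that should be removed from the source system. The same audit function can be run against a full export of accounts and users to find every such mapping before or after upgrading.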