Article Number
000038590
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1 P03, P04 and P05, 7.2.0
Issue
After data collection and unification, RSA Identity Governance & Lifecycle fails to identify some users as terminated or deleted even though an Identity Data Collector (IDC) either collected the IS_TERMINATED attribute or identified the user as deleted in the raw data.
Additionally, Provisioning - Termination rules may not correctly identify all terminated or deleted users and fail to de-provision accounts and entitlements related to the user.
Users that are terminated in the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_TERMINATED flag unset, and users that are missing (deleted) from the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_DELETED flag unset.
This issue typically only affects a subset of all users and may appear to occur randomly or transiently.
Cause
This is a known issue reported in engineering ticket ACM-103555 and found in the following RSA Identity Governance & Lifecycle versions and patch levels:
- RSA Identity Governance & Lifecycle 7.1.1 P03, P04 and P05
- RSA Identity Governance & Lifecycle 7.2.0
The issue may occur in configurations where all three of the following conditions are true:
- Multiple Identity Data Collectors (IDCs) exist and may collect attributes for the same users but only one of the IDCs is configured with Create Users = Yes.
- The IDC that creates users typically runs after the other IDCs.
- The IDC that creates users joins to the other IDCs on the USER_ID attribute.
This issue does not occur randomly, but due to the complexity of the possible collection and unification run orders it is difficult to predict which users will be affected.
Resolution
This issue is fixed in the following patches:
- RSA Identity Governance & Lifecycle 7.1.1 P06
- RSA Identity Governance & Lifecycle 7.2.0 P01
The fix includes a code change that prevents this issue from occurring as well as a migration script that corrects any incorrect records.
Workaround
A detection script called IdentifyProblemUsers_ACM-103555.sql is attached to this RSA Knowledge Base Article and can be run to identify this issue and list the USER_ID of any users that may have been affected.
Download and run the attached IdentifyProblemUsers.sql detection script in SQL*Plus or SQL Developer as avuser.
NOTE: If you use a SQL tool other than SQL*Plus or SQL Developer, see the Notes section below for modifications needed to the detection script before it will run.
If the script returns the following output, then you do not have this issue:
Started
Completed
PL/SQL procedure successfully completed.
If the script returns any records, for example:
Problem Master Enterprise User ID: TestUser1
then you may have this issue and some of the users in the list may be affected. Note that not all users returned in the list will be affected and the script does not identify which users actually are affected. Please contact RSA Identity Governance & Lifecycle Support for assistance on remediating this issue and mention this RSA Knowledge Base Article ID 000038590 for reference.
Notes
If you use a SQL tool other than SQL*Plus or SQL Developer, please make the following modifications to IdentifyProblemUsers.sql before executing the program. That is because the set serveroutput command is a SQL*Plus command and not part of the PL/SQL programming language. Using this command with a non-SQL*Plus tool will result in the following error:
PL/SQL: ORA-00922: missing or invalid option
Change FROM:
set serveroutput on size unlimited
declare
v_count number;
v_idc_id number;
TYPE NumList IS TABLE OF NUMBER;
MeuIds NumList;
begin
dbms_output.put_line('Started');
TO:
declare
v_count number;
v_idc_id number;
TYPE NumList IS TABLE OF NUMBER;
MeuIds NumList;
begin
dbms_output.enable;
dbms_output.put_line('Started');
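Because the detection script lists candidate USER_IDs without confirming which are affected, a follow-up check of each listed user's current flags helps when comparing against the raw collected data. The PL/SQL block below is an added example, not the attached script or RSA code; it assumes T_MASTER_ENTERPRISE_USERS exposes a USER_ID column alongside IS_TERMINATED and IS_DELETED, that those two flags can be read into VARCHAR2, and it uses dbms_output.enable as described in the Notes so it runs outside SQL*Plus. The USER_ID values are constructed placeholders.

```sql
-- Added example (not the KB's attached script): for each USER_ID reported by the
-- detection script, print the current IS_TERMINATED / IS_DELETED state held in
-- T_MASTER_ENTERPRISE_USERS so it can be compared with the raw IDC data.
-- Assumptions: T_MASTER_ENTERPRISE_USERS has a USER_ID column; the two flag
-- columns convert implicitly to VARCHAR2. Run as avuser.
declare
  TYPE IdList IS TABLE OF VARCHAR2(255);
  -- Constructed placeholders: replace with the "Problem Master Enterprise
  -- User ID" values printed by IdentifyProblemUsers.sql
  v_ids   IdList := IdList('TestUser1', 'TestUser2');
  v_found BOOLEAN;
begin
  dbms_output.enable;           -- portable replacement for "set serveroutput on"
  dbms_output.put_line('Started');
  for i in 1 .. v_ids.count loop
    v_found := FALSE;
    -- a cursor loop also surfaces duplicate master user rows for the same USER_ID
    for r in (select IS_TERMINATED, IS_DELETED
                from T_MASTER_ENTERPRISE_USERS
               where USER_ID = v_ids(i)) loop
      v_found := TRUE;
      dbms_output.put_line(v_ids(i)
        || ': IS_TERMINATED=' || nvl(r.IS_TERMINATED, '<null>')
        || ' IS_DELETED='     || nvl(r.IS_DELETED,    '<null>'));
    end loop;
    if not v_found then
      dbms_output.put_line(v_ids(i) || ': not present in T_MASTER_ENTERPRISE_USERS');
    end if;
  end loop;
  dbms_output.put_line('Completed');
end;
/
```

A listed user whose raw data shows termination but whose IS_TERMINATED value prints as unset matches the symptom described in the Issue section; supply that list to RSA Support together with the Knowledge Base Article ID.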