After data collection and unification, RSA Identity Governance & Lifecycle fails to identify some users as terminated or deleted even though an Identity Data Collector (IDC) either collected the IS_TERMINATED attribute or identified the user as deleted in the raw data.
Additionally, Provisioning - Termination rules may not correctly identify all terminated or deleted users and fail to de-provision accounts and entitlements related to the user.
Users who are terminated in the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_TERMINATED flag unset, and users who are missing (deleted) from the raw data still exist in the T_MASTER_ENTERPRISE_USERS table with the IS_DELETED flag unset.
This issue typically affects only a subset of users and may appear to occur randomly or transiently.
This is a known issue reported in engineering ticket ACM-103555 and found in the following RSA Identity Governance & Lifecycle versions and patch levels:
RSA Identity Governance & Lifecycle 7.1.1 P03, P04 and P05
RSA Identity Governance & Lifecycle 7.2.0
The issue may occur in configurations where all three of the following conditions are true:
Multiple Identity Data Collectors (IDCs) exist and may collect attributes for the same users but only one of the IDCs is configured with Create Users = Yes.
The IDC that creates users typically runs after the other IDCs.
The IDC that creates users joins to the other IDCs on the USER_ID attribute.
This issue does not occur randomly, but due to the complexity of the possible collection and unification run orders it is difficult to predict which users will be affected.
This issue is fixed in the following patches:
RSA Identity Governance & Lifecycle 7.1.1 P06
RSA Identity Governance & Lifecycle 7.2.0 P01
The fix includes a code change that prevents this issue from occurring as well as a migration script that corrects any incorrect records.
A detection script called IdentifyProblemUsers_ACM-103555.sql is attached to this RSA Knowledge Base Article and can be run to identify this issue and list the USER_ID of any users that may have been affected.
Download and run the attached IdentifyProblemUsers.sql detection script in SQL*Plus or SQL Developer as avuser.
NOTE: If you use a SQL tool other than SQL*Plus or SQL Developer, see the Notes section below for modifications needed to the detection script before it will run.
If the script returns the following output, then you do not have this issue:
PL/SQL procedure successfully completed.
If the script returns any records, for example:
Problem Master Enterprise User ID: TestUser1
then you may have this issue and some of the users in the list may be affected. Note that not all users returned in the list will be affected; the script does not identify which users actually are. Please contact RSA Identity Governance & Lifecycle Support for assistance with remediating this issue and mention this RSA Knowledge Base Article ID 000038590 for reference.
If you use a SQL tool other than SQL*Plus or SQL Developer, make the following modifications to IdentifyProblemUsers.sql before executing it. The set serveroutput command is a SQL*Plus command and not part of the PL/SQL programming language, so running the script unmodified in a non-SQL*Plus tool results in the following error:
PL/SQL: ORA-00922: missing or invalid option
Remove (or comment out) the following line at the top of the script. Note that the script reports its findings through DBMS_OUTPUT, so the tool you use must have its own DBMS_OUTPUT display enabled or the list of users will not be shown:
set serveroutput on size unlimited
TYPE NumList IS TABLE OF NUMBER;
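The following query is an added example and is not the attached RSA detection script (which is not reproduced in this article). It expresses the two symptoms described above (terminated in the raw data but IS_TERMINATED unset; absent from the raw data but IS_DELETED unset) as a plain SELECT, so it runs in any Oracle client without the SQL*Plus set serveroutput command discussed in the Notes. It assumes a hypothetical staging table IDC_RAW_USERS into which you have loaded the raw extract of the user-creating IDC, with columns USER_ID and IS_TERMINATED; it also assumes T_MASTER_ENTERPRISE_USERS exposes USER_ID alongside the IS_TERMINATED and IS_DELETED flags and that the flags are stored as 0/1. Check these names and encodings against your own schema before relying on the output.

```sql
-- Added example, not RSA's script. Compares the master user table with a
-- hypothetical staging copy of the IDC raw data (IDC_RAW_USERS). Column
-- names and the 0/1 flag encoding are assumptions; verify them in your schema.
-- Plain SELECT: no SQL*Plus "set" commands, so it runs in any Oracle client.

-- Symptom 1: raw data says terminated, master record still has IS_TERMINATED unset.
SELECT m.USER_ID,
       'TERMINATED_IN_RAW_BUT_FLAG_UNSET' AS symptom
  FROM T_MASTER_ENTERPRISE_USERS m
  JOIN IDC_RAW_USERS r
    ON r.USER_ID = m.USER_ID
 WHERE r.IS_TERMINATED = 1
   AND NVL(m.IS_TERMINATED, 0) = 0
UNION ALL
-- Symptom 2: user is gone from the raw data (deleted at the source), master
-- record still has IS_DELETED unset.
SELECT m.USER_ID,
       'MISSING_FROM_RAW_BUT_NOT_DELETED' AS symptom
  FROM T_MASTER_ENTERPRISE_USERS m
 WHERE NVL(m.IS_DELETED, 0) = 0
   AND NOT EXISTS (SELECT 1
                     FROM IDC_RAW_USERS r
                    WHERE r.USER_ID = m.USER_ID)
 ORDER BY symptom, USER_ID;
```

The second branch is only meaningful if IDC_RAW_USERS holds the complete population of users that the user-creating IDC is authoritative for; if some master users are legitimately sourced elsewhere, restrict that branch to the users this IDC created, or its rows will be false positives. As with the attached script, a match here means a user may be affected, not that it necessarily is, and the fix patches listed above (7.1.1 P06, 7.2.0 P01) remain the remediation.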