Users are provisioned to RSA from AD, then tokens assigned.
When a user is removed from AD, is there a way to automatically unassign tokens?
Nope, that doesn't do it, that cleans up users that don't exist in our ID Source (Active directory) anymore.
These tokens still show as assigned to an unknown user. This means they aren't being returned to our pool of assignable tokens. Is there a way to see how many tokens are assigned to unknown users and/or automate unassigning them?
You still have hidden unresolvable users in the database.
An identity source cleanup does make tokens assigned to <unknown> go back in the unassigned pile. A token assigned to unknown means it is tied to a userid and GUID we calculated in the past for an AD user, who is now missing. You need to run a cleanup to de-associate the token from unresolvable userids. **In the case that you may have torn down and unconfigured an identity source, it may be impossible to run a cleanup on this orphan data, since the cleanup has to point to a connected identity source, and if it is missing, cleanup cannot be run. In that case, make a new 'fake' external identity source and link it to the system; all you need to do is name it the same name as the old one. It can even be a duplicate of an existing identity source as this is just temporary. All it requires is a real ldap connection, be named the same as the old one that was removed, and pass the 'test connection' part. Once you have that, then you can run a cleanup on its name, and it will reveal any orphan data that can be scrubbed.**
There is an RFE in process to have a command line ability to cleanup orphans without having to 'trick' the system but that is not available yet.
You want to run a 'Clean-up' job from the AM Security Console - Setup - Identity Sources. Either Now or Scheduled.