During the VPN access troubleshooting session, we found that two of the existing user accounts are not showing in the RSA database. Is there any way for us to identify how they got deleted?
If the account was deleted by an admin (or you are searching for any administrator 'activity type'):
1) create an internal database account
2) run administration activity real time monitor
3) delete the account
4) note the activity key in the real time log
5) run an administration activity report and focus on that activity
real time monitor
administration activity report template settings
Perhaps the account was in LDAP and it was not deleted, just lost, moved, or missing.
If the account was a user on an LDAP connection, run Security Console, Setup, Identity Sources, Cleanup Unresolvable Users, uncheck the grace period and hit Next. Any lost or orphaned LDAP users would show up here.
Users in the list mean the RSA server can no longer match up the GUID to any users on existing LDAP connections, so then you'd look at AD (or whichever database you have) and find out why RSA cannot find them; the GUID may have changed (a user who was deleted and added back would have a changed GUID), or you have a user search filter in the Operations Console that doesn't scope to that user.
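
One way to do the AD-side check described in the answer above, as an added example that is not part of the original reply or of RSA's tooling. It assumes the directory is Active Directory, that the ActiveDirectory PowerShell module is installed, and the logon names are placeholders.

```powershell
# Added example: run from a host with the ActiveDirectory module (RSAT)
# and read access to the directory, including the Deleted Objects container.
Import-Module ActiveDirectory

# Placeholder logon names: replace with the users listed by
# "Cleanup Unresolvable Users" in the Security Console.
$missingUsers = @('user1-placeholder', 'user2-placeholder')

foreach ($name in $missingUsers) {
    # Live object with this logon name, if any. A whenCreated date later than
    # the account's original provisioning suggests delete-and-re-create,
    # which gives the user a new objectGUID.
    $live = Get-ADUser -Filter ('sAMAccountName -eq "{0}"' -f $name) `
        -Properties whenCreated, whenChanged

    # Deleted objects (tombstone or Recycle Bin) that carried the same logon name.
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter ('sAMAccountName -eq "{0}" -and isDeleted -eq $true' -f $name) `
        -Properties sAMAccountName, whenCreated, whenChanged, lastKnownParent

    foreach ($u in $live) {
        [pscustomobject]@{
            Account     = $name
            State       = 'Present'
            ObjectGUID  = $u.ObjectGUID
            WhenCreated = $u.whenCreated
            WhenChanged = $u.whenChanged
            # Compare against the identity source's base DN and search filter:
            # a moved user may simply be out of scope.
            Location    = $u.DistinguishedName
        }
    }
    foreach ($d in $deleted) {
        [pscustomobject]@{
            Account     = $name
            State       = 'Deleted'
            ObjectGUID  = $d.ObjectGUID
            WhenCreated = $d.whenCreated
            WhenChanged = $d.whenChanged   # approximates the deletion time
            Location    = $d.lastKnownParent
        }
    }
    if (-not $live -and -not $deleted) {
        [pscustomobject]@{ Account = $name; State = 'NotFound'; ObjectGUID = $null
                           WhenCreated = $null; WhenChanged = $null; Location = $null }
    }
}
```

A 'Present' row alongside a 'Deleted' row for the same account, with different ObjectGUID values, matches the delete-and-add-back case; a single 'Present' row points to the move or search-filter scope explanations instead.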