I’ve been trying to simplify a leaver process and cut down on the amount of workflow customizations that we use. To this end, I’ve been testing the termination rule to handle removing any AD groups assigned to leavers prior to deleting the accounts.
This is a required step in our leaver process in case there are any errors in the HR feed or the employee re-joins the company within an allowed timeframe, allowing the AD account to then be re-enabled and reused.
However, this rule fails, as the account is also deleted when the groups are removed.
Apparently, this is by design: https://community.rsa.com/docs/DOC-109920
"If the account no longer has any access and is not mapped to an active user, it would become an orphaned account. This rule deletes the account(s) both for security reasons and to prevent the creation of an orphaned account."
Does anyone agree with RSA’s definition of an orphan account?
I’ve never come across this as a definition of an orphaned account. If an account is attached to a user then it’s not an orphan; the fact that they’re terminated is irrelevant.
I can’t think of anywhere else in IGL that uses this definition for orphan accounts.
The Admin Guide’s definition of orphaned accounts is "An account with no users mapped to it".
So, if what is in this knowledge article is RSA’s new definition of what an orphaned account is, then the Admin Guide will need to be changed, as will the Applications, as they use the old definition.
Personally, I don’t think having two definitions of orphan accounts is the way to go.
https://community.rsa.com/ideas/3556
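To make the disagreement concrete, here is an added toy model (not RSA's code, not IGL's actual rule logic) of a termination rule run under each of the two orphan definitions quoted in the post. It assumes the rule strips the AD groups and disables the account before deciding whether to delete it, and that a re-joiner can only get the account back if it was never deleted; the users, groups and account names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class User:
    user_id: str
    active: bool = True


@dataclass
class Account:
    name: str
    user_id: Optional[str]          # None means no user is mapped to this account
    groups: Set[str] = field(default_factory=set)
    enabled: bool = True
    deleted: bool = False


# Hypothetical orphan checks, one per definition quoted in the post.
def is_orphan_admin_guide(acct: Account, users: Dict[str, User]) -> bool:
    """Admin Guide definition: an account with no users mapped to it."""
    return acct.user_id is None or acct.user_id not in users


def is_orphan_kb_article(acct: Account, users: Dict[str, User]) -> bool:
    """Knowledge-article definition: no remaining access and not mapped to an
    active user. A terminated (inactive) user counts the same as no user."""
    user = users.get(acct.user_id) if acct.user_id is not None else None
    has_active_user = user is not None and user.active
    return not acct.groups and not has_active_user


OrphanCheck = Callable[[Account, Dict[str, User]], bool]


def terminate(acct: Account, users: Dict[str, User], orphan_check: OrphanCheck) -> Account:
    """Assumed termination rule: mark the user inactive, strip every AD group,
    disable the account, then delete it only if the chosen orphan check fires."""
    if acct.user_id in users:
        users[acct.user_id].active = False
    acct.groups.clear()
    acct.enabled = False
    if orphan_check(acct, users):
        acct.deleted = True
    return acct


def rejoin(acct: Account, users: Dict[str, User]) -> bool:
    """Re-joiner within the allowed window: succeeds only if the account still exists."""
    if acct.deleted or acct.user_id not in users:
        return False
    users[acct.user_id].active = True
    acct.enabled = True
    return True


def run_leaver_scenario(orphan_check: OrphanCheck) -> Dict[str, bool]:
    """Constructed data: one leaver with an AD account and two groups, plus an
    account nobody is mapped to. Returns what happened under the given definition."""
    users = {"jsmith": User("jsmith")}
    leaver = Account("jsmith-ad", "jsmith", {"VPN-Users", "Finance-RO"})
    unmapped = Account("svc-legacy", None, {"Domain Users"})
    terminate(leaver, users, orphan_check)
    return {
        "leaver_deleted_at_termination": leaver.deleted,
        "leaver_can_be_reused_on_rejoin": rejoin(leaver, users),
        "unmapped_account_is_orphan": orphan_check(unmapped, users),
    }


if __name__ == "__main__":
    for name, check in (("Admin Guide", is_orphan_admin_guide),
                        ("KB article", is_orphan_kb_article)):
        print(name, run_leaver_scenario(check))
```

Under the Admin Guide definition the leaver's account survives termination (disabled, no groups) and can be re-enabled on re-join, while the account with no mapped user is flagged as the orphan. Under the knowledge-article definition the same leaver account is deleted the moment its groups are removed, which is the behaviour the post describes, and, read literally, an unmapped account that still holds access is not an orphan at all, which is the opposite of what the Admin Guide says.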