Andrea Scanzani

Identity collection fail due to duplicate accounts

Discussion created by Andrea Scanzani on Sep 29, 2020

Hello everyone,


I would like to describe our current way of dealing with leavers (accounts to be ceased) and the issue we're facing:


We have created an identity collector, IDC_CESSATI, which reads from a custom view created from “PV_users” and adopts the following logic: if the termination-date field of the user’s record is less than today's date, it sets the "department" field to the fictitious value "Ceased", which is the marker that triggers a rule which we need to cease users on IGL and that runs when it detects a change in the “department” field.


We also have two other collectors, which collect user information from Active Directory, including the user’s department. We use this information, among other things, to intercept changes in the department field of AD, and to trigger a specific rule in case a change in department is detected.


In the unification config of the identity collectors we have specified that the department field must be taken from IDC Cessati. The problem we are facing is the following: once a department change has taken place on Active Directory, this is correctly acquired by the other two AD collectors, but the change on the DB PV_USERS view becomes effective only following the unification, so IDC Cessati (which reads from the custom view) is reading the old data. In this way, therefore, we cannot make the change of department on Active Directory effective on IGL.


We cannot read the department field from the other two AD collectors, or the user termination logic described in the first step would not be effective. Moreover, the use of the "Ceased" flag on the user's department field causes problems in receiving the office changes that occur on Active Directory.


After speaking with RSA it was suggested to use a custom RSA IGL attribute (e.g. Leaverflag) to store the status of the leaver – this also gives you options to trigger different events for different types of leavers. We’ve tried this approach using the same logic described above (i.e. focusing on the user's termination date of the custom view we created) in a non-production environment, but we get the attached error, which seems to be caused by the presence of duplicate accounts on IGL.


We would like your support to be able to realize this new logic based on a new flag (e.g. Leavers) to identify the discontinued consultants (i.e. those who have a lower end of relationship date than today on Active Directory), trying to solve the problem of duplicate accounts.


Thanks in advance for the support