Identity Collectors for Identities

Question asked by Christopher Smith on Oct 28, 2020
Latest reply on Nov 12, 2020 by Ian Staines



I have a question regarding Identity Collections and how an identity is created/deleted/updated.


We have 2 identity collectors, one for Non-Employees (contractors, service providers, etc.). We have another for our direct hire employees. Both of these are identity creation collectors, where non-employees and employees both have identities in the RSA database. Both individuals have a UniqueID (first initial of first name, last name), and an EmployeeID (previous employee/non-employee number plus 1). EmployeeID is our primary key for users. We collect this value under UserID.


Sometimes non-employees are offered positions as direct hires. At this point, we have a conversion process to convert over the identity and access. Previously, we had terminated the contractor identity and made all accounts fresh. This required a lot of work, especially as most of the accounts in our environment are manually provisioned. This would mean the user would have entirely new accounts, an entirely new EmployeeID, and entirely new passwords they would have to remember. We would like to automate this.


Our thought is to keep the EmployeeID the same across both collectors. When the time comes, and the user is added to our employee identity source, we would remove the user from the Non-Employee source. Both collectors collect prior to unification, and therefore the user's identity would see that the Employee source information is there for a given EmployeeID.


The problem is that this had previously worked in our lower environments; however, for some reason, duplicate identities are being created: the deleted Non-Employee identity and the new active Employee identity.


Is this expected behaviour? That RSA treats the combination of IDC_ID and EmployeeID as a unique identity instead of just the designated EmployeeID?