Managing orphaned accounts through Provisioning Manager with the [default user] account

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

In Identity Manager, orphaned accounts (also known as orphan accounts) are endpoint accounts that could not be correlated to a global user. These endpoint accounts are sorted into the [default user] global user where they will remain until you manually move or remove them.

Here are a few example situations, these are problems or error messages you may see that indicate you may have orphan accounts:

* Global users may not have the endpoint accounts associated with their provisioning roles, and when you try to synchronize those users with their roles there is a failure.

The error you'd see in this situation is:

Account for Global User '[USER NAME]' on endpoint '[YOUR ENDPOINT]' update failed: Account already exists, but is associated to another Global User

* Another symptom of this problem would be that you performed an explore and correlate but the Global Users are not getting their accounts. There may not be any error message when this happens, or your explore and correlate may end and state that some of your users were defaulted.

Accounts that are defaulted are correlated to the [global user]. If the Explore and Correlate does not say that the accounts are defaulted but they are not being correlated, the accounts were likely defaulted in an earlier Explore and Correlate and were overlooked.

Environment

Identity Manager 14.x

Resolution

If you are seeing the symptoms noted in the introduction, or suspect that some of your user accounts may be orphaned you can recover them through Provisioning Manager.

In Provisioning Manager under the User's tab, search for the global user object named [default user].

Once here you can right click the default user and select list accounts, if there are many accounts defaulted you may have to choose the specific endpoint you want to see from the list accounts menu. For these instructions I will be recovering the OrphanedAccountsDemo account located on JenEndpointTest of the endpoint type JenEndpoint.

Right click on the orphaned account once it is listed, and select Remove Account from User. Do not delete the account because depending on your endpoint settings this may also delete the account from the endpoint itself.

At this stage you may also choose to select Copy Object(s) and instead of removing the account you can paste it into the Global User it belongs to.

Once the account has been removed from the [default user] you can perform another Explore and Correlate or synchronize your global user with their roles. Unless there are other underlying issues this will associate the account with the correct global user.

If the endpoint account continues to default, there may be a problem with your correlation rules or the global user you would like to have associated with the endpoint account may not exist.

Additional Information:

When performing an Explore and Correlate, if the option to correlate using existing global users is selected then all user accounts will be defaulted if no appropriate global user exists to correlate to. If you would like your explore and correlate to create new global users for you, select create global users as needed instead.

Once an account has been associated with a global user - including [default user], they will never re-correlate unless the account is removed from the user as explained in the instructions above.

Additional Information

The above steps will work fine for a small number of users, if there are a large number of users that end up assigned to the Default User please review KB 262653 How to delete inclusions to [default user] Global User in bulk using ldapdelete? for details on clearing this in bulk.