Administrative actions on User

This section describes how to perform administrative operations on a user, namely updating the user status and the account status.

Updating user status

An administrator can change the status of a user or an account (enable, disable, terminate, etc.) as required. To do that, follow the steps below.

  1. Find the user you need to manage using either the header search or the advanced search in the webconsole, then click Edit.
  2. Using the administrative actions drop-down shown below, select the new status. Each status is explained below.

user status list

Leave of absence

The Leave of absence option changes the user status to LEAVE_OF_ABSENCE. User access is not affected.

Leave with pay

Similarly to Leave of absence, choosing this option in the drop-down changes the user status to USER_LEAVE_WITH_PAY and does nothing to user access.

Both actions can then be checked in the audit log by going to Administration -> Log viewer.

Logs

Terminate user

Changes the user status to Terminated in OpenIAM and deactivates all of the user's entitlements.

The action also depends on the flag When user is getting terminated, remove his access (if 'false' then access will be end-dated) under Administration -> System Configuration -> Workflow tab.

access flag

If the flag is false, the termination action end-dates all of the user's roles and groups. If the flag is true, the entitlements are removed immediately, as the flag name indicates.

If the user had roles or groups connected to a manually managed system, a task is created for the resource administrators of that system to terminate the user in the target system, because the user was terminated.

Terminate task

The admin can also view the log for this event in the Log viewer.

Log for terminating user

Here, one can see all the actions called in the process of user termination:

  • initiate manual task for termination, explained above.
  • revoke user access.
  • provision modify, changing the user status.
  • provisioning states for the systems the user had access to.
  • connector response, which is how the connector replies to a request to terminate a user.
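The two things a practitioner usually wants to verify about termination are the flag semantics (end-date versus immediate removal, plus the manual task for manually managed systems) and whether every child event actually completed for each target system. The following is an added example written for this page, not OpenIAM's own code: the termination model follows the behaviour described above, while the audit log line format, the action names (TERMINATE_USER, REVOKE_ACCESS, PROVISIONING_STATE, CONNECTOR_RESPONSE) and the sample log lines are all constructed assumptions for illustration. The check reports terminated users for whom a connector never returned a success, which is the case an administrator would want to follow up in the Log viewer.

```python
"""Model of the Terminate action and a completeness check over audit log lines.

Added example for this page. Termination semantics follow the page text;
the log format, action names and sample lines below are constructed
assumptions, not OpenIAM's real audit log format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass
class Entitlement:
    name: str                        # role or group name
    system: str                      # target system it provisions to
    manual: bool = False             # True for a manually managed system (no connector)
    end_date: Optional[date] = None  # set when access is end-dated
    removed: bool = False            # set when access is removed outright


def terminate_user(entitlements, remove_access, today):
    """Apply the Terminate action to a user's entitlements.

    remove_access mirrors the Workflow-tab flag "When user is getting
    terminated, remove his access": False end-dates every role and group,
    True removes them immediately. Returns (entitlements, manual tasks).
    """
    tasks = []
    for ent in entitlements:
        if remove_access:
            ent.removed = True
        else:
            ent.end_date = today
        if ent.manual:
            # No connector exists, so the resource administrators get a task.
            tasks.append(f"terminate user in {ent.system} (manual system)")
    return entitlements, tasks


# Assumed log line shape: "<timestamp> user=<id> action=<name> [target=<system>] [result=<value>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?(?: result=(?P<result>\S+))?$"
)

# Constructed sample: jdoe's LDAP connector failed, asmith's termination is complete.
SAMPLE_LOG = """\
2024-03-01T10:00:00 user=jdoe action=TERMINATE_USER result=SUCCESS
2024-03-01T10:00:01 user=jdoe action=REVOKE_ACCESS result=SUCCESS
2024-03-01T10:00:01 user=jdoe action=PROVISION_MODIFY result=SUCCESS
2024-03-01T10:00:02 user=jdoe action=PROVISIONING_STATE target=AD
2024-03-01T10:00:02 user=jdoe action=PROVISIONING_STATE target=LDAP
2024-03-01T10:00:03 user=jdoe action=CONNECTOR_RESPONSE target=AD result=SUCCESS
2024-03-01T10:00:03 user=jdoe action=CONNECTOR_RESPONSE target=LDAP result=FAILURE
2024-03-01T11:00:00 user=asmith action=TERMINATE_USER result=SUCCESS
2024-03-01T11:00:01 user=asmith action=REVOKE_ACCESS result=SUCCESS
2024-03-01T11:00:02 user=asmith action=PROVISIONING_STATE target=AD
2024-03-01T11:00:03 user=asmith action=CONNECTOR_RESPONSE target=AD result=SUCCESS
"""


def find_incomplete_terminations(lines):
    """Return {user: [problems]} for terminated users whose child events have gaps.

    A termination counts as complete when a REVOKE_ACCESS event exists and every
    target system named in a PROVISIONING_STATE event has a CONNECTOR_RESPONSE
    with result=SUCCESS.
    """
    events = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # unparseable lines are ignored rather than treated as evidence
            events.setdefault(m["user"], []).append(m.groupdict())

    problems = {}
    for user, evs in events.items():
        if not any(e["action"] == "TERMINATE_USER" for e in evs):
            continue
        issues = []
        if not any(e["action"] == "REVOKE_ACCESS" for e in evs):
            issues.append("no REVOKE_ACCESS event")
        targets = {e["target"] for e in evs if e["action"] == "PROVISIONING_STATE"}
        confirmed = {e["target"] for e in evs
                     if e["action"] == "CONNECTOR_RESPONSE" and e["result"] == "SUCCESS"}
        for target in sorted(targets - confirmed):
            issues.append(f"no successful connector response from {target}")
        if issues:
            problems[user] = issues
    return problems


if __name__ == "__main__":
    ents = [Entitlement("Finance", "AD"), Entitlement("Payroll", "SAP-HR", manual=True)]
    print(terminate_user(ents, remove_access=False, today=date(2024, 3, 1)))
    print(find_incomplete_terminations(SAMPLE_LOG.splitlines()))
```

Running the block end-dates the AD role, creates one manual task for the SAP-HR system, and reports jdoe as incomplete because the LDAP connector answered with a failure; a real deployment would read the lines from the Log viewer export instead of the embedded sample.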

Deceased

Changes the user status in OpenIAM to Deceased and deletes all access in the connected systems, similarly to the Terminated status. This status exists to align with an HR feed status that indicates termination due to death.

Active

Changes the status of a user to Active in OpenIAM and sends the user for provisioning to the target systems so that the user can log in to OpenIAM.

The log for the event looks as shown below.

Activate log

Disable

This action changes the account status (the secondary status). The user status changes and the provisioning operation 'Disable' is sent to all connected systems. Hence, the user is disabled in the target systems (depending on the policy map). Disabled users are not able to log in to OpenIAM or to the target systems.

The audit log for this event looks as follows.

Log disabled

This is not a save operation on the connector but a disable operation.

Enable

Clears the account status value so that the user can log in to OpenIAM. This operation is the reverse of Disable.

Note that the child events for the disable and enable actions are named user on leave and rehired user, but you can still implement your own rules for rehire and leave. These are simply operation names in OpenIAM; they do not enforce any business requirement your company may have.

Delete

Physically removes a user from OpenIAM and from the connected provisioning accounts. In some applications, a delete operation is translated to an end-date.

Log delete

Deactivate

The user status is updated to Deactivated in OpenIAM, whatever it was before, and the user can no longer log in to the system. The access is end-dated or deleted. For manual systems, the terminate task is created.

Deactivate log

Reset challenge question

Forces the user to reset (change answers to) their challenge questions when they log in next time.

Reset account

Here, the user gets the status Pending initial login. Afterwards, the security questions and the account status are cleared. If the password needs to be changed, the admin can reset it, as shown in the document linked in the Reset password section.

Pop-up windows

In some operations, the user can choose when the action is performed.

Operation time

By clearing the Perform now flag you can choose the date on which the delete operation is performed. This option is currently available but not recommended.

Another possible pop-up window allows you to exclude one of the target systems from provisioning.

Pop up provisioning

This window can pop up in disable, enable and some other actions. If you choose a target system from the drop-down of user identities, provisioning is not performed to the indicated system.