Admin Operations

This section describes how to perform administration operations on a user. These operations includes:

  • Changing the user status
  • Resetting the password

Update user status

To change the status of user (enable,disable, terminate), first find the user that you need to manage using the either the header search or advanced search in the webconsole. Using the administrative actions dropdown shown below, select the new status; each status is explained below.

user status list

ActiveChanges the user status of a user to Active in OpenIAM. Active users can login and perform common operations. Active can be used to reverse the impact of a Deactivate
DisableChanges the Account status to Disable in both OpenIAM and target systems (if this feature is supported). Disabled users are not able to login to OpenIAM or the target systems.
DeletePhysically removes a user from OpenIAM and target systems. In some applications a delete operation will be translated to an end-date.
DeActivateUsers status is updated to Deactivated in OpenIAM. Based on the configure, Deactivating a user can result in either a delete or disable operation in the target system. The default is a delete. While DeActivating a user, Administrators have the option to:
  • Select the target applications
  • Determine if this operation should be performed now or at a future date.
DeceasedChanges the user status in OpenIAM to Deceased and deletes all access in connected systems. The user will remain in the OpenIAM system and will maintain their last organizational memberships. This status is used to align with an HR feed status to indicate termination due to death.
EnableClears the Account status value so that users can login to OpenIAM. This operation is the reverse of disable. It can also be used to clear a Locked flag.
Terminate UserChanges the user status to Terminated in OpenIAM. An end-date will be set on all entitlements across applications. and in connected applications.
Leave with PayLeave with Pay disables a user in OpenIAM. Optionally, the policy maps can be configured to also disable the users in the target system. This status is used to align with the HR system values.
Leave of AbsenceLeave of Absence disables a user in OpenIAM and target systems. This status is used to align with the HR system values.
Reset Challenge questionForces the user to set their challenge questions when they login.
Reset AccountResets a locked user so that they can login. This operation will clear the Locked account status. User will be in Pending initial login state. As part of this operation, users will be forced to the following on their next login attempt.
  • Change their password
  • Reset their security questions
  • Review the IT policy if the feature is enabled

Reset password

Administrators can initiate a password reset using the steps described below.

  • Login to the webconsole
  • Find the user that needs a password reset using either the header search or the advanced search
  • From the side menu, select Reset password as shown in the diagram below.

Select password reset

  • The reset password link will display the screen shown below. On this screen are several options which are described below:

Reset password

Reset password actionSelect between:
  • Fill password manually
  • Sending a one-time link over email.
Sending a one-time link requires this user to have an email address. However, the admin will not have perform any addition steps. If the admin selects Fill password manually, the admin will have additional control over the process. They will be able to determine, which applications should participate in the password change, if the password will be the delivered over email, of if the password should be auto-generated.
Managed systemThis drop down is used to control which systems should be updated when the password is changed. In most cases, you should use the Check all option to include all applications that this user has an account in.
PasswordThis is the temporary password being provided by the Admin. The password policy is shown to ensure that a valid password is provided.
Confirm passwordEnter the password again. This field is used to ensure that the correct password has been captured by the system.
Send password by emailAs mentioned above, by checking this box, the password provided by the admin will be sent to the user over email.
Auto generate passwordEliminates the need to enter a password. The system is automatically generate a password and e-mail it to the user.

When the user logs in for the first time after the admin has reset their account, they will be asked to change their password. This new password will be synched across all connected systems that the user has an account in.

Unlock account

The authentication process is controlled by the authentication policy and rules. One of these of parameters is the Authentication failure count. If a user attempts to login with the wrong set of credentials then account will be locked when the number of failed attempts equals the Authentication failure count parameters.

To unlock your OpenIAM account, you can got to Reset Password as described above. When you click on Reset password, the system will prompt you if the account has been locked shown below.

Select user entitlements

Click on Yes, and the account will be unlocked. When the user logs in for the first time, they will be asked to change their password. This new password will be synched across all connected systems that the user has an account in.

Adding / removing entitlements

Administrators can add or remove entitlements for a user using the steps described below.

  • Login to the webonconsole
  • Find the user that needs to be modified using either the header or advanced search
  • From the side menu, select User entitlements as shown in the image below. Select user entitlements

The entitlement management interface will be shown next. From this screen, you can view the complete list of entitlements in different perspectives: Resource (application view), Groups, Role, and Organization. Select the appropriate tab to change the perspective.

  • To Add / remove an entitlement, select the Edit button from the screen below.

Select user entitlements

Adding an entitlement

After entering Edit mode:

  • Click on Add from the screen below, followed by the type of entitlement that you would like to add: Role, Group, Resource, Organization Select user entitlements
  • Next, select the entitlement as shown in the screen below. You should first select the application / managed system that the entitlement belongs to. Optionally, you can also set the start and end dates for this access.

Select user entitlements

  • Save the entitlement. At this point you will see the entitlement being added to the entitlement viewer as well as any related target systems.

Removing an entitlement

After entering Edit mode:

  • Select the entitlement you want to delete by clicking on the entitlement name. This will highlight the row as shown below. Select user entitlements
  • Next click on Delete selected to remove the selected entitlements. This will remove the entitlements membership from OpenIAM and from associated target systems.