Admin Operations
This section describes how to perform administration operations on a user. These operations include:
- Changing the user status
- Resetting the password
Update user status
To change the status of a user (enable, disable, terminate), first find the user that you need to manage using either the header search or the advanced search in the webconsole. Using the administrative actions dropdown shown below, select the new status; each status is explained below.
Status | Description |
---|---|
Active | Changes the user status of a user to Active in OpenIAM. Active users can login and perform common operations. Active can be used to reverse the impact of a Deactivate. |
Disable | Changes the Account status to Disable in both OpenIAM and target systems (if this feature is supported). Disabled users are not able to login to OpenIAM or the target systems. |
Delete | Physically removes a user from OpenIAM and target systems. In some applications a delete operation will be translated to an end-date. |
DeActivate | The user's status is updated to Deactivated in OpenIAM. Based on the configuration, Deactivating a user can result in either a delete or disable operation in the target system. The default is a delete. While DeActivating a user, Administrators have the option to:
|
Deceased | Changes the user status in OpenIAM to Deceased and deletes all access in connected systems. The user will remain in the OpenIAM system and will maintain their last organizational memberships. This status is used to align with an HR feed status to indicate termination due to death. |
Enable | Clears the Account status value so that users can login to OpenIAM. This operation is the reverse of disable. It can also be used to clear a Locked flag. |
Terminate User | Changes the user status to Terminated in OpenIAM. An end-date will be set on all entitlements across applications and in connected applications. |
Leave with Pay | Leave with Pay disables a user in OpenIAM. Optionally, the policy maps can be configured to also disable the users in the target system. This status is used to align with the HR system values. |
Leave of Absence | Leave of Absence disables a user in OpenIAM and target systems. This status is used to align with the HR system values. |
Reset Challenge question | Forces the user to set their challenge questions when they login. |
Reset Account | Resets a locked user so that they can login. This operation will clear the Locked account status. The user will be in the Pending initial login state. As part of this operation, users will be forced to do the following on their next login attempt:
|
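
A reconciliation check for the status table above, as an added example that is not part of the OpenIAM documentation: it compares OpenIAM statuses with account states exported from target systems and flags accounts that should have been disabled or removed. The record fields, state labels and sample data are assumptions, not an OpenIAM export format.

```python
# Added example; field names, state labels and sample records are constructed.

# Account states a target system may hold for each status, per the table above.
# "absent" means no account; configuration-dependent outcomes list every option.
ALLOWED_STATES = {
    "Disable": {"disabled"},                    # where the target supports it
    "DeActivate": {"absent", "disabled"},       # default is a delete
    "Deceased": {"absent"},
    "Leave of Absence": {"disabled"},
    "Leave with Pay": {"enabled", "disabled"},  # target disable is optional
}

def find_stale_access(openiam_users, target_accounts):
    """Return sorted (login, system, reason) tuples for accounts needing review."""
    status_by_login = {u["login"]: u["status"] for u in openiam_users}
    findings = []
    for acct in target_accounts:
        login, system, state = acct["login"], acct["system"], acct["state"]
        if login not in status_by_login:
            # Delete removes the user from OpenIAM and the target systems,
            # so an account with no OpenIAM user is an orphan.
            findings.append((login, system, "orphan: no OpenIAM user"))
            continue
        status = status_by_login[login]
        allowed = ALLOWED_STATES.get(status)  # None: status not checked here
        if allowed is not None and state not in allowed:
            findings.append((login, system, f"{status} but account is {state}"))
    return sorted(findings)

# Constructed sample data (not real exports).
USERS = [
    {"login": "asmith", "status": "Active"},
    {"login": "bjones", "status": "Disable"},
    {"login": "cwu", "status": "Deceased"},
    {"login": "dlee", "status": "Leave with Pay"},
]
ACCOUNTS = [
    {"login": "asmith", "system": "ldap", "state": "enabled"},
    {"login": "bjones", "system": "ldap", "state": "disabled"},
    {"login": "bjones", "system": "crm", "state": "enabled"},
    {"login": "cwu", "system": "ldap", "state": "disabled"},
    {"login": "dlee", "system": "ldap", "state": "enabled"},
    {"login": "egarcia", "system": "crm", "state": "enabled"},
]

if __name__ == "__main__":
    for finding in find_stale_access(USERS, ACCOUNTS):
        print(finding)
```
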
Reset password
Administrators can initiate a password reset using the steps described below.
- Login to the webconsole
- Find the user that needs a password reset using either the header search or the advanced search
- From the side menu, select Reset password as shown in the diagram below.
- The reset password link will display the screen shown below. On this screen are several options which are described below:
Parameter | Description |
---|---|
Reset password action | Select between:
Fill password manually, the admin will have additional control over the process. They will be able to determine which applications should participate in the password change, whether the password will be delivered over email, or whether the password should be auto-generated. |
Managed system | This drop down is used to control which systems should be updated when the password is changed. In most cases, you should use the Check all option to include all applications that this user has an account in. |
Password | This is the temporary password being provided by the Admin. The password policy is shown to ensure that a valid password is provided. |
Confirm password | Enter the password again. This field is used to ensure that the correct password has been captured by the system. |
Send password by email | As mentioned above, by checking this box, the password provided by the admin will be sent to the user over email. |
Auto generate password | Eliminates the need to enter a password. The system will automatically generate a password and e-mail it to the user. |
When the user logs in for the first time after the admin has reset their account, they will be asked to change their password. This new password will be synched across all connected systems that the user has an account in.
Unlock account
The authentication process is controlled by the authentication policy and rules. One of these parameters is the Authentication failure count. If a user attempts to login with the wrong set of credentials, then the account will be locked when the number of failed attempts equals the Authentication failure count parameter.
To unlock your OpenIAM account, you can go to Reset Password as described above.
When you click on Reset password, the system will prompt you if the account has been locked, as shown below.
Click on Yes, and the account will be unlocked. When the user logs in for the first time, they will be asked to change their password. This new password will be synched across all connected systems that the user has an account in.
Adding / removing entitlements
Administrators can add or remove entitlements for a user using the steps described below.
- Login to the webconsole
- Find the user that needs to be modified using either the header or advanced search
- From the side menu, select User entitlements as shown in the image below.
The entitlement management interface will be shown next. From this screen, you can view the complete list of entitlements in different perspectives: Resource (application view), Groups, Role, and Organization. Select the appropriate tab to change the perspective.
- To add / remove an entitlement, select the Edit button from the screen below.
Adding an entitlement
After entering Edit mode:
- Click on Add from the screen below, followed by the type of entitlement that you would like to add: Role, Group, Resource, Organization
- Next, select the entitlement as shown in the screen below. You should first select the application / managed system that the entitlement belongs to. Optionally, you can also set the start and end dates for this access.
- Save the entitlement. At this point you will see the entitlement being added to the entitlement viewer as well as any related target systems.
Removing an entitlement
After entering Edit mode:
- Select the entitlement you want to delete by clicking on the entitlement name. This will highlight the row as shown below.
- Next, click on Delete selected to remove the selected entitlements. This will remove the entitlement memberships from OpenIAM and from associated target systems.