Admin operations

This section describes how to perform administration operations on a user. These operations include:

  • Changing the user status
  • Resetting the password
  • Unlocking the account
  • Adding/removing entitlements

Update user status

To change the status of a user (enable, disable, terminate), first find the user that you need to manage using either the header search or advanced search in the webconsole. Using the administrative actions drop-down shown below, select the new status. Each status is explained below.

[Image: user status list]

Status | Description
Active | Changes the user status of a user to Active in OpenIAM. Active users can log in and perform common operations. Active can be used to reverse the impact of a Deactivate.
Disable | Changes the account status to Disable in both OpenIAM and target systems (if this feature is supported). Disabled users are not able to log in to OpenIAM or the target systems.
Delete | Physically removes a user from OpenIAM and the target systems. In some applications a delete operation will be translated to an end-date.
Deactivate | User status is updated to Deactivated in OpenIAM. Based on the configuration, deactivating a user can result in either a delete or disable operation in the target system. The default is a delete. When deactivating a user, administrators have the option to:
  • Select the target applications
  • Determine if this operation should be performed now or at a future date
Deceased | Changes the user status in OpenIAM to Deceased and deletes all access in connected systems. The user will remain in the OpenIAM system and will maintain their last organizational memberships. This status is used to align with an HR feed status to indicate termination due to death.
Enable | Clears the account status value so that users can log in to OpenIAM. This operation is the reverse of Disable. It can also be used to clear a Locked flag.
Terminate user | Changes the user status to Terminated in OpenIAM. An end-date will be set on all entitlements across all connected applications.
Leave with pay | Leave with pay disables a user in OpenIAM. Optionally, the policy maps can be configured to also disable the users in the target system. This status is used to align with the HR system values.
Leave of absence | Leave of absence disables a user in OpenIAM and target systems. This status is used to align with the HR system values.
Reset challenge question | Forces the user to reset their challenge questions when they log in.
Reset account | Resets a locked user so that they can log in. This operation will clear the Locked account status. The user will be in the Pending initial login state. As part of this operation, users will be forced to do the following on their next log-in attempt.
  • Change their password
  • Reset their security questions
  • Review the IT policy if the feature is enabled
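
The status semantics in the table above can be checked against what the connected systems actually hold. The following is an added example, not OpenIAM code: it audits a constructed export of users for drift from the table. The record layout (`login`, `status`, `accounts`, `enabled`, `entitlements`, `end_date`) is an assumption, not an OpenIAM export format.

```python
# Added example (not OpenIAM code). The record layout is hypothetical.
# Expected target-system state per status, taken from the table above.
TARGETS_DISABLED = {"Disable", "Leave of absence"}   # disabled in target systems
TARGETS_REMOVED = {"Deceased"}                        # all access deleted
TARGETS_OFF = {"Deactivated"}                         # deleted (default) or disabled
ENTITLEMENTS_END_DATED = {"Terminated"}               # end-date on every entitlement


def audit_user(user):
    """Return findings where connected-system state contradicts the status."""
    status, findings = user["status"], []
    for acct in user.get("accounts", []):
        where = f"{user['login']}@{acct['system']}"
        if status in TARGETS_REMOVED:
            findings.append(f"{where}: account exists for {status} user")
        elif status in TARGETS_DISABLED | TARGETS_OFF and acct["enabled"]:
            findings.append(f"{where}: account enabled for {status} user")
    if status in ENTITLEMENTS_END_DATED:
        for ent in user.get("entitlements", []):
            if not ent.get("end_date"):
                findings.append(f"{user['login']}: {ent['name']} has no end date")
    return findings


def audit(users):
    """Audit every user and return a flat list of findings."""
    return [f for u in users for f in audit_user(u)]


# Constructed sample data, not real accounts.
SAMPLE_USERS = [
    {"login": "asmith", "status": "Active",
     "accounts": [{"system": "AD", "enabled": True}],
     "entitlements": [{"name": "VPN", "end_date": None}]},
    {"login": "bjones", "status": "Leave of absence",
     "accounts": [{"system": "AD", "enabled": False},
                  {"system": "CRM", "enabled": True}]},
    {"login": "clee", "status": "Terminated",
     "accounts": [{"system": "AD", "enabled": True}],
     "entitlements": [{"name": "VPN", "end_date": "2024-06-30"},
                      {"name": "Finance role", "end_date": None}]},
    {"login": "dkim", "status": "Deceased",
     "accounts": [{"system": "Mail", "enabled": False}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print(finding)
```

Target systems that do not support the disable operation (the table's "if this feature is supported") will always appear as findings and need an explicit exception list.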

Reset password

Administrators can initiate a password reset using the steps described below.

  1. Log in to the webconsole.
  2. Find the user that needs a password reset using either the header search or the advanced search.
  3. From the side menu, select Reset password as shown in the diagram below.

[Image: Select password reset]

  4. The reset password link will display the screen shown below. On this screen are several options which are described below:

[Image: Reset password]

Parameter | Description
Reset password action | Select between:
  • Fill password manually
  • Sending a one-time link over email
Sending a one-time link requires the user to have an email address. However, the admin will not have to perform any additional steps. If the admin selects Fill password manually, the admin will have additional control over the process. They will be able to determine which applications should participate in the password change, if the password will be delivered over email, or if the password should be auto-generated.
Managed system | This drop-down is used to control which systems should be updated when the password is changed. In most cases, you should use the Check all option to include all applications that this user has an account in.
Password | This is the temporary password provided by the admin. The password policy is shown to ensure that a valid password is provided.
Confirm password | Enter the password again. This field is used to ensure that the correct password has been captured by the system.
Send password by email | As mentioned above, by checking this box the password provided by the admin will be sent to the user over email.
Auto generate password | Eliminates the need to enter a password. The system automatically generates a password and emails it to the user.

When the user logs in for the first time after the admin has reset their account, they will be asked to change their password. This new password will be synched across all connected systems that the user has an account in.

Unlock account

The authentication process is controlled by the authentication policy and rules. One of these parameters is the Authentication failure count. If a user attempts to log in with the wrong set of credentials, the account will be locked when the number of failed attempts equals the Authentication failure count parameter.

To unlock an OpenIAM account, use the reset password feature as described above. When you click on Reset password, the system will prompt you, as shown below, if the account has been locked.

[Image: Select user entitlements]

Click on Yes and the account will be unlocked. When the user logs in for the first time, they will be asked to change their password. This new password will be synched across all connected systems that the user has an account in.

Adding/removing entitlements

Administrators can add or remove entitlements for a user using the steps described below.

  1. Log in to the webconsole.
  2. Find the user that needs to be modified using either the header or advanced search.
  3. From the side menu, select User entitlements as shown in the image below. [Image: Select user entitlements]

The entitlement management interface will be shown next. From this screen, you will view the complete list of entitlements in different perspectives: Resource (application view), Groups, Role, and Organization. Select the appropriate tab to change the perspective.

  4. To add/remove an entitlement, select the Edit button as shown in the screen below.

[Image: Select user entitlements]

Adding an entitlement

After entering Edit mode:

  1. Click on Add from the screen below, followed by the type of entitlement that you would like to add: Role, Group, Resource, Organization. [Image: Select user entitlements]
  2. Next, select the entitlement as shown in the screen below. You should first select the application/managed system that the entitlement belongs to. Optionally, you can also set the start and end dates for this access.

[Image: Select user entitlements]

  3. Save the entitlement. At this point you will see the entitlement being added to the entitlement viewer as well as any related target systems.

Removing an entitlement

After entering Edit mode:

  1. Select the entitlement(s) you want to delete by clicking on the entitlement name. This will highlight the row as shown below. [Image: Select user entitlements]
  2. Next, click on Delete selected to remove the selected entitlement(s). This will remove the entitlement(s) membership from OpenIAM and from the associated target systems.