Administrative actions on User

This section describes how to perform administrative operations on a user, namely updating user and account status.

Updating user status

Administrator is able to change the status of a user or an account (enable, disable, terminate, etc.) as required. To do that, follow the steps below.

  1. Find the user that you need to manage using either the header search or advanced search in the webconsole. Click edit
  2. Using the administrative actions drop-down shown below, select the new status. Each status is explained below.

user status list

Leave of absence

Leave of absence options changes the user status to LEAVE_OF_ABSENCE. Nothing happens to user access here.

Leave with pay

Similarly to Leave of absence, choosing this option in the dropdown changes the user status to USER_LEAVE_WITH_PAY doing nothing to user access.

Both of the actions can then be checked in audit log by going to Administration -> Log viewer.


Terminate user

Changes the user status to Terminated in OpenIAM and deactivates all the user entitlements.

The action also depends on Administration-> System Configuration -> Workflow tab and When user is getting terminated, remove his access (if 'false' then access will be end-dated) flag.

access flag

If the flag is false, then termination action will end-date all the roles and groups of the user. In case the flag is true, then entitlements will be end-dated immediately.

In case the user had roles or groups connected to manual managed system, then for manual managed system resource administrators the task will be create to terminate user in target system because they was terminated.

Terminate task

Admin can also view the log for this event in Log viewer.

Log for terminating user

Here, one can see all the action called in the process of user termination:

  • initiate manual task for termination, explained above.
  • revoke user access.
  • provision modify, changing the user status.
  • provisioning states for events the user had an access to.
  • connector response is how the connect replies to a request on terminating a user.


Changes the user status in OpenIAM to Deceased and deletes all access in connected systems, similarly to Terminated status. This status is used to align with an HR feed status to indicate termination due to death.


Changes the user status of a user to Active in OpenIAM and send the user for provisioning in target system for the user to be able to log in OpenIAM.

The log for the event looks as shown below.

Activate log


Action is responsible for changing account status (secondary status). The user status changes and the provisioning operation 'Disable is sent to all the connected systems. Hence, the user will be disabled in the target system (depending on the policy map). Disabled users are not able to log in to OpenIAM or the target systems.

Audit log for this event looks as follows.

Log disabled

It's not a save operation on connector, but a disable operation.


Clears the account status value so that users can log in to OpenIAM. This operation is the reverse of Disable.

Note that child events for disable and enable actions are names user on leave and rehired user, but you can still implement you own rules for rehire and user on leave, it is simple operation naming in OpenIAM, but it doesn't force any business requirement that you have in your company.


Physically removes a user from OpenIAM and connected provisioning accounts. In some applications, a delete operation will be translated to an end-date.

Log delete


Any user status is updated to Deactivated in OpenIAM and the user can't log into system. The access is end-dated or deleted. For manual systems, the terminate task is created.

Deactivate log

Reset challenge question

Forces the user to reset (change answers to) their challenge questions when they log in next time.

Reset account

Here, the user get the status Pending initial login. Afterwards, the security questions and account status clear up. In case password needs to be change, admin can change it admin can reset is, as shown in the document by this link in Reset password section.

Pop-up windows

In some operations, user can choose the time of action performance.

Operation time

By unflagging Perform now flag you can choose the date of performing delete operation. Currently, this option is available, but not recommended.

Another possible pop-up window allows excluding one of the target systems from provisioning.

Pop up provisioning

This window can pop up in disable, enable and some other actions. In case you chose a target system from the drop-down of user identities, then provisioning will not be performed to the indicated system.