Administrative actions on User
This section describes how to perform administrative operations on a user, namely updating user and account status.
Updating user status
An administrator can change the status of a user or an account (enable, disable, terminate, etc.) as required. To do that, follow the steps below.
- Find the user you need to manage using either the header search or the advanced search in the web console, then click Edit.
- From the administrative actions drop-down shown below, select the new status. Each status is explained below.
Leave of absence
The Leave of absence option changes the user status to LEAVE_OF_ABSENCE. User access is not affected.
Leave with pay
Similarly to Leave of absence, choosing this option in the drop-down changes the user status to USER_LEAVE_WITH_PAY without affecting user access.
Both actions can then be checked in the audit log by going to Administration -> Log viewer.
Terminate
Changes the user status to Terminated in OpenIAM and deactivates all of the user's entitlements.
The exact behaviour also depends on the flag When user is getting terminated, remove his access (if 'false' then access will be end-dated) under Administration -> System Configuration -> Workflow tab.
If the flag is false, the termination action end-dates all of the user's roles and groups. If the flag is true, the entitlements are end-dated immediately.
If the user had roles or groups tied to a manually managed system, a task is created for that system's resource administrators to terminate the user in the target system, because the user was terminated.
The administrator can also view the log for this event in the Log viewer.
Here, one can see all the actions called in the process of user termination:
- initiate manual task for termination, explained above.
- revoke user access.
- provision modify, which changes the user status.
- provisioning states for the events in each system the user had access to.
- connector response, which is how the connector replies to the request to terminate the user.
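A practitioner reviewing the Log viewer after a termination wants to confirm that every connected system actually acknowledged the revoke and that manual-system tasks are still being tracked. The following check is an added example, not OpenIAM code; the event field layout and the sample events are constructed for illustration and are assumptions, not OpenIAM's real export format.

```python
from collections import defaultdict

# Constructed sample of the child events of one termination, modelled on the
# action names the page lists (manual task, revoke access, provision modify,
# provisioning state / connector response). The field layout is an assumption
# made for this example; it is not OpenIAM's real Log viewer export format.
SAMPLE_EVENTS = [
    {"action": "PROVISION_MODIFY", "user": "jdoe", "result": "SUCCESS",
     "detail": "status -> TERMINATED"},
    {"action": "REVOKE_USER_ACCESS", "user": "jdoe", "result": "SUCCESS",
     "detail": "end-dated 3 roles, 2 groups"},
    {"action": "INITIATE_MANUAL_TASK", "user": "jdoe", "result": "PENDING",
     "target": "legacy-payroll"},
    {"action": "CONNECTOR_RESPONSE", "user": "jdoe", "result": "SUCCESS",
     "target": "active-directory"},
    {"action": "CONNECTOR_RESPONSE", "user": "jdoe", "result": "FAILURE",
     "target": "crm", "detail": "connection timed out"},
]

# Child actions every termination must contain before OpenIAM-side access counts as revoked.
REQUIRED_ACTIONS = {"PROVISION_MODIFY", "REVOKE_USER_ACCESS"}


def check_termination(events, user, expected_targets):
    """Report whether a termination reached every system the user had access to.

    Connector-managed targets must show a successful CONNECTOR_RESPONSE; manually
    managed targets must at least have a task raised and are listed for follow-up.
    """
    own = [e for e in events if e.get("user") == user]
    seen_actions = {e["action"] for e in own}
    responses = defaultdict(list)   # target -> connector results seen
    manual_tasks = set()
    for e in own:
        if e["action"] == "CONNECTOR_RESPONSE":
            responses[e["target"]].append(e["result"])
        elif e["action"] == "INITIATE_MANUAL_TASK":
            manual_tasks.add(e["target"])
    failed = sorted(t for t, r in responses.items() if "SUCCESS" not in r)
    unreached = sorted(set(expected_targets) - set(responses) - manual_tasks)
    missing = sorted(REQUIRED_ACTIONS - seen_actions)
    return {
        "missing_actions": missing,
        "failed_targets": failed,
        "unreached_targets": unreached,
        "manual_tasks_pending": sorted(manual_tasks),
        "ok": not (missing or failed or unreached),
    }
```

Run it against the sample with expected targets active-directory, crm, legacy-payroll and vpn: crm is reported as failed, vpn as never reached, and legacy-payroll as a pending manual task.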
Deceased
Changes the user status in OpenIAM to Deceased and deletes all access in connected systems, similarly to the Terminated status. This status is used to align with an HR feed status that indicates termination due to death.
Activate
Changes the user status to Active in OpenIAM and sends the user for provisioning to the target systems so that the user is able to log in to OpenIAM.
The log for the event looks as shown below.
Disable
This action changes the account status (secondary status). The user status changes and the provisioning operation 'Disable' is sent to all connected systems. Hence, the user is disabled in the target system (depending on the policy map). Disabled users cannot log in to OpenIAM or to the target systems.
The audit log for this event looks as follows.
It's not a save operation on the connector, but a
Enable
Clears the account status value so that the user can log in to OpenIAM. This operation is the reverse of the Disable action.
Note that the child events for the disable and enable actions are named user on leave and rehired user. These are simply operation names in OpenIAM; they do not impose any business requirement your company may have, and you can still implement your own rules for rehire and leave of absence.
Delete
Physically removes a user from OpenIAM and from the connected provisioning accounts. In some applications, a delete operation is translated to an end-date.
Deactivate
Any user status is updated to Deactivated in OpenIAM and the user can't log in to the system. The access is end-dated or deleted. For manual systems, a terminate task is created.
Reset challenge question
Forces the user to reset (change the answers to) their challenge questions at their next login.
Here, the user gets the status Pending initial login. Afterwards, the security questions and the account status are cleared. If the password also needs to be changed, the administrator can reset it, as described in the Reset password section linked in the document.
In some operations, the user can choose when the action is performed.
By clearing the Perform now flag you can choose the date on which the delete operation is performed. This option is currently available, but not recommended.
Another possible pop-up window allows excluding one of the target systems from provisioning.
This window can pop up in disable, enable and some other actions. If you choose a target system from the drop-down of user identities, provisioning will not be performed to the indicated system.