We currently allow Help Desk agents the right to unlock users through the Admin->Resources properties page. That page also contains the “Use External Authentication” checkbox. We are having an issue in which Helpdesk sometimes unchecks that box, despite our attempt to train the agents not to do this.
Is there any way to continue to allow them to unlock user accounts, but disable the ability to set External Authentication at the individual user level? We do need some users to *not* use External Authentication, but we do not want Helpdesk to set that value.
Unfortunately there is no way to restrict individual users or a group of users from having the right to disable "External Authentication" attribute in the Resource properties page. Once you give them the access right to edit Resources, then they have access to change of a Resource's properties.
However, CA Support can conceive of two options that may help mitigate this agent (user) error:
(1) Share the alternative instructions for activating locked Resources in the attached Word document with your help desk agents. This alternative method does not require that the agents drill down into the Resource properties page, so they ought not mistakenly disable external authentication when activating locked resources.
(2) We have seen other customers develop a custom "user administration" object with some attributes like the Resource name and / or ID number and a checkbox that agents can set and enable to activate a locked resource. This would require a workflow (PPM process) that is automatically triggered when the checkbox is selected with a GEL script that reads the attributes from the object and uses those as parameters in a XOG unlock resource input file. The GEL script would then make a XOG WRITE SOAP call to unlock the resource. This approach would require some development and testing, so we suggest that you try the first option described above.