Admin DISABLED STATE // Password Policy

Article ID: 132212

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction


We're running a Policy Server and we'd like to know which use cases
lead to the user being administratively disabled after login.

Sm_Api_Disabled_AdminDisabled= 0x00000001 = 1

Environment


Policy Server all versions

Resolution


At first glance, the AdminDisabled bit is set only when an operator
manually disables the user in the AdminUI:

Policy Server :: Disable Flag : SmAuthReason

  The Sm_Api_Disabled_AdminDisabled bit is usually set by using the
  Admin UI's disable user button; the Policy Server does not set or
  clear it during normal operations.

https://knowledge.broadcom.com/external/article?articleId=49509

But the disable flag is a bit mask: this value can be combined with other flag values, each of which records a specific reason for the disabled state.

To illustrate:

User with DisableFlag = 0. The user can log in.
User with DisableFlag = 1. The user cannot log in because an administrator disabled it manually from the AdminUI.
User with DisableFlag = 3. The user tried x times to log in with incorrect credentials and has been disabled by the password policy.

Looking at the screenshots, you've configured the password policy to disable
the user after 5 login attempts without the expected credentials.

You see a disable state with a value of 3 because both bits are set:

Sm_Api_Disabled_AdminDisabled = 0x00000001 = 1, plus Sm_Api_Disabled_MaxLoginFail = 0x00000002 = 2, giving 1 + 2 = 3.
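The following is an added example (not code from Broadcom or from the SiteMinder SDK) that decodes a DisableFlag value into its reason bits, using only the two constants quoted in this article. It shows why a value of 3 means "AdminDisabled + MaxLoginFail" rather than "3 failed logins", and it reports any bit it does not recognise instead of silently dropping it, so an unexpected value is visible when you audit user records. The function names (decode_disable_flag, parse_flag, classify, can_login) are hypothetical helpers chosen for this example.

```python
"""Decode a SiteMinder DisableFlag bit mask (added example, not SDK code)."""
from __future__ import annotations

# Bit values as quoted in the article (Sm_Api_Disabled_* constants).
SM_API_DISABLED_ADMIN_DISABLED = 0x00000001  # Sm_Api_Disabled_AdminDisabled
SM_API_DISABLED_MAX_LOGIN_FAIL = 0x00000002  # Sm_Api_Disabled_MaxLoginFail

KNOWN_BITS = {
    SM_API_DISABLED_ADMIN_DISABLED: "Sm_Api_Disabled_AdminDisabled",
    SM_API_DISABLED_MAX_LOGIN_FAIL: "Sm_Api_Disabled_MaxLoginFail",
}


def parse_flag(text: str) -> int:
    """Accept the flag as it may appear in a record: decimal '3' or hex '0x00000003'."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode_disable_flag(value: int) -> list[str]:
    """Return the names of the reason bits set in a DisableFlag value.

    Bits not in KNOWN_BITS are returned as 'unknown(0x........)' so that a
    value carrying a bit this decoder does not model is never hidden.
    """
    if value < 0:
        raise ValueError("DisableFlag must be non-negative")
    reasons: list[str] = []
    remaining = value
    for bit, name in sorted(KNOWN_BITS.items()):
        if remaining & bit:
            reasons.append(name)
            remaining &= ~bit
    # Walk the leftover bits lowest-first and label each one individually.
    bit = 1
    while remaining:
        if remaining & bit:
            reasons.append(f"unknown(0x{bit:08X})")
            remaining &= ~bit
        bit <<= 1
    return reasons


def can_login(value: int) -> bool:
    """A user can log in only when no disable bit at all is set."""
    return value == 0


def classify(value: int) -> str:
    """Summarise, in the article's terms, the meaning of a DisableFlag value."""
    if can_login(value):
        return "enabled: user can log in"
    reasons = decode_disable_flag(value)
    admin = KNOWN_BITS[SM_API_DISABLED_ADMIN_DISABLED] in reasons
    lockout = KNOWN_BITS[SM_API_DISABLED_MAX_LOGIN_FAIL] in reasons
    if admin and lockout:
        return "disabled by password policy after too many failed logins (AdminDisabled + MaxLoginFail)"
    if admin:
        return "disabled manually by an administrator in the AdminUI"
    return "disabled: " + ", ".join(reasons)


if __name__ == "__main__":
    # Constructed sample values: the three cases from the article plus one
    # with a bit this decoder does not know about.
    for raw in ("0", "1", "3", "0x00000011"):
        flag = parse_flag(raw)
        print(f"DisableFlag = {flag:<3} -> {decode_disable_flag(flag)} ; {classify(flag)}")
```

Because the flag is a mask, always test bits with `&` rather than comparing the whole integer to 1 or 2; a user whose record shows 3 will not match a check for `== 1` even though the AdminDisabled bit is set.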