While using a Bulk Loader task to execute any "Modify-User" type of task, there are no limits in which attribute can be modified. The Bulk Loader task does not pass through screen validation. Therefore, password, state, or any other user attribute can be modified even though it is NOT present in the screen of the used "Modify-User" task or if it is present but set as Read-Only.
Environment
IDM 14.4 and later
Cause
This represents a flawed design and above all a substantial risk for the clients using Bulk Client (which requires Bulk Loader task to have WebServices enabled - hence accessible by TEWS as well).
Resolution
By default, the feature will be enabled and this is going to be updated in the documentation to reflect this.
The Upcoming IDM release 14.5.1 will have these code changes.