Question:
When Identity Manager users are assigned their first provisioning role, it changes their disabledstate value from 0 to 16777216. This forces the users to change their password on next login. We do not want our users to have forced password changes.
Is this behavior preventable?
Answer:
What is happening is that when you add a provisioning role to an IM user after the user is already created, the global user is created as part of a modify user task.
The modify user task does not push the IM user's password down to provisioning manager, so the global user is created without a password. This is why there is a forced password change after the event. It is expected and necessary behavior for Identity Manager and should not be changed.
Resetting the disabled state flag to 0 will allow users to log into IM, but will not address the fact that the global users have no passwords, which can result in account creation failures when provisioning endpoint accounts.
The only way to prevent this behavior is to add the user's first provisioning role during the user creation event; this will send the user's password down to the global user account and will not force a password change.