Why is disabledstate being changed to 16777216 after adding a provisioning role to users?

Article ID: 39729

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

When Identity Manager users are assigned their first provisioning role, it changes their disabledstate value from 0 to 16777216. This forces the users to change their password on next login. We do not want our users to have forced password changes.

Is this behavior preventable? 

 

Environment

All Identity Manager

Cause

When the initial provisioning role is assigned to an IM User, the assignment triggers the creation of the Provisioning Global User. If the Provisioning Global User is created without a password, disabledstate is set to 16777216 to force a password reset, so that the Provisioning Global User then gets a password.

One possible cause is that the initial provisioning role was assigned to a new IM User during a Create User task in which no password was set, so no password is set when the Provisioning Global User is created.

Another possible cause is that the initial provisioning role was assigned to an existing IM User during a Modify User task. In this case IM cannot retrieve the IM User's current password to set it on the Provisioning Global User.

Resolution

The only way to prevent this behavior is to make sure that the IM user's password is set within the same task that assigns the initial provisioning role. That task then sends the user's password down to the global user account, and no password change is forced.

Additional Information

The following KB article may be helpful for using a PX Policy (it has to be of type=UI) to set a password:

https://knowledge.broadcom.com/external/article/12996