Why is disabledstate being changed to 16777216 after adding a provisioning role to users?

Article ID: 39729

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Question: 

When Identity Manager users are assigned their first provisioning role, it changes their disabledstate value from 0 to 16777216. This forces the users to change their password on next login. We do not want our users to have forced password changes.

Is this behavior preventable? 

Answer:

When you add a provisioning role to an IM user after the user has already been created, the global user is created as part of a modify user task.

The modify user task does not push the IM user's password down to provisioning manager, so the global user is created without a password. This is why there is a forced password change after the event. It is expected and necessary behavior for Identity Manager and should not be changed. 

Resetting the disabled state flag to 0 will allow users to log into IM, but will not address the fact that the global users have no passwords, which can result in account creation failures when provisioning endpoint accounts. 

 

The only way to prevent this behavior is to add the user's first provisioning role during the user creation event. This sends the user's password down to the global user account and does not force a password change.

 

Environment

Release: CAIDMB99000-12.6.7-Identity Manager-B to B
Component: