Sun Identity Manager 8.1 Business Administrator's Guide

Disabling, Enabling, & Unlocking User Accounts

This section describes how to disable and enable Identity Manager user accounts. It also describes how to help users who have become locked out of their Identity Manager accounts.

Procedure: To Disable User Accounts

When you disable a user account, you alter that account so that the user can no longer log in either to Identity Manager or to his assigned resource accounts.

Note that administrators can disable user accounts from the Administrator interface, but they cannot lock user accounts. Accounts can only become locked if the user exceeds the allowable number of unsuccessful login attempts defined by the Identity Manager account policy.


Note –

If an assigned resource does not have native support for account disabling, but does support password changes, then Identity Manager can be configured to disable user accounts on that resource by assigning new, randomly generated passwords.


Use the following steps to ensure that this functionality works correctly:

  1. Open the “Identity System Parameters” page in the Edit Resource Wizard. (See Managing Resources for instructions on how to open the wizard.)

  2. In the “Account Features Configuration” table verify that both the Password feature and the Disable feature do not have check marks in the Disable? column. (To display the Disable feature, select Show All Features.)

    If the Disable feature does have a check mark in the Disable? column, accounts in the resource cannot be disabled.

Disabling Single User Accounts

To disable a user account, select it in the User List, and then select Disable from the User Actions drop-down menu.

On the displayed Disable page, select the resource accounts to disable, and then click OK. Identity Manager displays the results of disabling the Identity Manager user account and all associated resource accounts. The accounts list indicates that the user account is disabled.

Disabling Multiple User Accounts

You can disable two or more Identity Manager user accounts at the same time. Select more than one user account in the list, and then select Disable from the User Actions list.


Note –

When you choose to disable multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process disables all resources on all user accounts you select.


Procedure: To Enable User Accounts on a Resource Through Password Resets

User account enabling reverses the disabling process.

Depending on selected notification options, Identity Manager also displays the password on the administrator’s results page.

The user can then reset his password (through the authentication process), or a user with administrator privileges can reset it.


Note –

If an assigned resource does not have native support for account enabling, but does support password changes, then Identity Manager can be configured to enable user accounts on that resource through password resets.

To ensure that this functionality works correctly, do the following:


  1. Open the “Identity System Parameters” page in the Edit Resource Wizard. (See Managing Resources for instructions on how to open the wizard.)

  2. In the “Account Features Configuration” table, verify that both the Password feature and the Enable feature do not have check marks in the Disable? column. (To display the Enable feature, select Show All Features.)

    If the Enable feature does have a check mark in the Disable? column, accounts in the resource cannot be enabled.

Enabling Single User Accounts

To enable a user account, select it in the list, and then select Enable from the User Actions list.

On the displayed Enable page, select the resources to enable, and then click OK. Identity Manager displays the results of enabling the Identity Manager account and all associated resource accounts.

Enabling Multiple User Accounts

You can enable two or more Identity Manager user accounts at the same time. Select more than one user account in the list, and then select Enable from the User Actions list.


Note –

When you choose to enable multiple user accounts, you cannot select individually assigned resource accounts from each user account. Rather, this process enables all resources on all user accounts you select.


Unlocking User Accounts

Users become locked out of Identity Manager when they exceed the allowable number of unsuccessful login attempts defined by the Identity Manager account policy.


Note –

Only login attempts on an Identity Manager user interface are counted towards an Identity Manager lockout (that is, the administrator interface, the end-user interface, the command-line interface, or the SPML API interface). Failed login attempts on resource accounts are not counted and will not cause the user to be locked out of their Identity Manager account.


The Identity Manager account policy establishes the maximum number of failed password or question login attempts that can be made.

Failed Password Login Attempts

Users who are locked out of Identity Manager due to excessive failed password login attempts will not be able to log in until an administrator unlocks the account or until the lock expires.

Failed Question Login Attempts

Users who are locked out of the Forgot My Password interface due to excessive failed question login attempts will not be able to log in to that interface until an administrator unlocks the account, or until the locked user (or a user with appropriate capabilities) changes or resets the user’s password, or until the lock expires.

An administrator with appropriate capabilities can perform the following operations on a user in a locked state:

To unlock accounts, select one or more user accounts in the list, and then select Unlock Users from the User Actions or Organization Actions list.
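
The lockout rules described in this section, expressed as a small Python model (an added example, not Identity Manager code or its API). The class and method names, the thresholds and the lock duration are constructed for illustration; real limits come from the Identity Manager account policy.

```python
from dataclasses import dataclass, field

# Interfaces whose failed logins count toward a lockout, per the note above.
COUNTED = {"administrator", "end-user", "command-line", "spml"}
KINDS = ("password", "question")

@dataclass
class AccountPolicy:
    # Constructed values; real ones come from the Identity Manager account policy.
    max_failed: dict = field(default_factory=lambda: {"password": 3, "question": 3})
    lock_seconds: int = 900

@dataclass
class LockState:
    policy: AccountPolicy
    failures: dict = field(default_factory=lambda: dict.fromkeys(KINDS, 0))
    locked_until: dict = field(default_factory=dict)

    def record_failure(self, kind, interface, now):
        if interface not in COUNTED:
            return  # e.g. a failed login on a resource account: never counted
        self.failures[kind] += 1
        if self.failures[kind] > self.policy.max_failed[kind]:  # "exceeds" the limit
            self.locked_until[kind] = now + self.policy.lock_seconds

    def is_locked(self, kind, now):
        until = self.locked_until.get(kind)
        if until is not None and now >= until:
            self._clear(kind)  # the lock has expired
            return False
        return until is not None

    def _clear(self, kind):
        self.locked_until.pop(kind, None)
        self.failures[kind] = 0

    def admin_unlock(self):
        for kind in KINDS:
            self._clear(kind)

    def password_changed_or_reset(self):
        # The page lists a password change or reset only as a way out of the
        # question (Forgot My Password) lock, not the password lock.
        self._clear("question")
```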