A user is locked out of Identity Manager after exceeding the number of unsuccessful login attempts allowed by the Identity Manager account policy.
Only login attempts made through an Identity Manager interface count towards an Identity Manager lockout (that is, the administrator interface, the end-user interface, the command-line interface, or the SPML API interface). Failed login attempts on resource accounts are not counted and do not lock the user out of their Identity Manager account.
The Identity Manager account policy sets two separate limits: the maximum number of failed password login attempts and the maximum number of failed question login attempts. Each limit produces its own kind of lock, with its own scope and its own expiry, as described below.
Users who exceed the maximum number of failed password login attempts are locked out of all Identity Manager application interfaces, including the Forgot My Password interface.
Users who exceed the maximum number of failed question login attempts can authenticate to any Identity Manager application interface except Forgot My Password.
Users who are locked out of Identity Manager due to excessive failed password login attempts will not be able to log in until an administrator unlocks the account or until the lock expires.
An administrator can unlock an account if the administrator has administrative control of the user’s member organization, as well as the Unlock User capability.
If a Lock Timeout value is set in the Identity Manager Account Policy, a lock placed on an account eventually expires on its own. The Lock Timeout for failed password login attempts is the "Account lock created by failed password-logins expires in" value. If no timeout is set, a password lock remains until an administrator unlocks the account.
Users who are locked out of the Forgot My Password interface due to excessive failed question login attempts cannot log in to that interface until one of the following happens: an administrator unlocks the account, the user's password is changed or reset (by the locked user or by a user with the appropriate capabilities), or the lock expires. Note that a password change clears only the question lock; it does not clear a lock caused by failed password login attempts.
As with password lockouts, an administrator needs administrative control of the user's member organization and the Unlock User capability to unlock the account.
If a Lock Timeout value is set in the Identity Manager Account Policy, the question lock eventually expires on its own. The Lock Timeout for failed question login attempts is the "Account lock created by failed question-logins expires in" value. If no timeout is set, the question lock remains until it is cleared by an unlock or a password change or reset.
An administrator with the appropriate capabilities can still perform the following operations on a user whose account is locked:
Update (including resource reprovisioning)
Change or reset password
Disable or enable
Rename
Unlock
To unlock accounts, select one or more user accounts in the list, and then select Unlock Users from the User Actions or Organization Actions list.
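The lockout rules above are easy to misread, in particular which interfaces each kind of lock affects and what clears it. The following is an added example, not Identity Manager's own code: a small Python model of the two locks that follows the scopes stated on this page (a password lock blocks every Identity Manager interface, a question lock blocks only Forgot My Password, resource-account failures never count, a password change clears only the question lock, and an unlock needs both the Unlock User capability and control of the user's member organization). The interface names, the policy defaults, the use of seconds for the timeout, and the rule that a successful login or an administrator unlock resets the failure counters are assumptions made for the model, not documented behaviour.

```python
"""Model of the Identity Manager lockout rules described above.
Added example, not Identity Manager code.  Interface names, policy defaults
and the counter-reset rules are assumptions; lock scopes follow the page."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Identity Manager interfaces whose failed logins count towards a lockout (assumed names).
IDM_INTERFACES = {"admin", "end-user", "cli", "spml", "forgot-password"}
RESOURCE = "resource"   # failed logins on managed resource accounts never count


@dataclass
class AccountPolicy:
    max_password_failures: int = 5               # assumed defaults
    max_question_failures: int = 3
    password_lock_timeout: Optional[int] = 900   # seconds; None = lock never expires
    question_lock_timeout: Optional[int] = None


@dataclass
class User:
    name: str
    org: str                                     # member organization
    password_failures: int = 0
    question_failures: int = 0
    password_locked_at: Optional[int] = None     # epoch seconds; None = not locked
    question_locked_at: Optional[int] = None


@dataclass
class Admin:
    name: str
    controlled_orgs: Set[str] = field(default_factory=set)
    capabilities: Set[str] = field(default_factory=set)


def _active(locked_at: Optional[int], timeout: Optional[int], now: int) -> bool:
    """A lock stays active until cleared or until the configured timeout elapses."""
    if locked_at is None:
        return False
    return timeout is None or now - locked_at < timeout


def password_locked(user: User, policy: AccountPolicy, now: int) -> bool:
    return _active(user.password_locked_at, policy.password_lock_timeout, now)


def question_locked(user: User, policy: AccountPolicy, now: int) -> bool:
    return _active(user.question_locked_at, policy.question_lock_timeout, now)


def can_authenticate(user: User, policy: AccountPolicy, interface: str, now: int) -> bool:
    """Password lock: every interface, Forgot My Password included.
    Question lock: only Forgot My Password."""
    if password_locked(user, policy, now):
        return False
    if interface == "forgot-password" and question_locked(user, policy, now):
        return False
    return True


def record_failure(user: User, policy: AccountPolicy, interface: str, now: int) -> None:
    """Count one failed attempt; lock once the policy maximum is *exceeded*.
    Failures on resource accounts (or any non-IdM interface) are ignored."""
    if interface not in IDM_INTERFACES:
        return
    if interface == "forgot-password":           # failed question login
        user.question_failures += 1
        if user.question_failures > policy.max_question_failures:
            user.question_locked_at = now
    else:                                        # failed password login
        user.password_failures += 1
        if user.password_failures > policy.max_password_failures:
            user.password_locked_at = now


def record_success(user: User, interface: str) -> None:
    """Assumption: a successful login clears the matching failure counter."""
    if interface == "forgot-password":
        user.question_failures = 0
    elif interface in IDM_INTERFACES:
        user.password_failures = 0


def change_password(user: User) -> None:
    """A password change or reset clears the question lock only; a password
    lock still needs an administrator unlock or the timeout."""
    user.question_failures = 0
    user.question_locked_at = None


def admin_unlock(admin: Admin, user: User) -> None:
    """Needs the Unlock User capability and control of the user's member organization."""
    if "Unlock User" not in admin.capabilities or user.org not in admin.controlled_orgs:
        raise PermissionError(f"{admin.name} may not unlock {user.name}")
    user.password_failures = user.question_failures = 0   # assumed: counters reset on unlock
    user.password_locked_at = user.question_locked_at = None
```

The model makes the two asymmetries visible: with the example policy, three failed password logins lock every interface, while a question lock leaves the user free to log in normally and is cleared by simply changing the password. When reviewing an account policy, check that a question lock without a timeout is acceptable (it persists until an unlock or password change) and remember that failures against resource accounts are invisible to this counter entirely.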