Override malicious user status
The first task in the series of overriding source data is to force-disable a user’s account regardless of the user’s status in the source HR system. The goal is to prevent the user from accessing target systems—in the case of this guide, Active Directory.
What awaits you in this module
- Pick an active user, i.e., a user whose status in the HRIS equals In.
- Find the user in midPoint and set the user’s administrative status to Disabled.
- Verify the effect of your action on the user’s AD account.
About administrative status
The administrative status is an explicit decision of the midPoint administrator about the status of a user. As such, it overrides all other constraints on activation, including the lifecycle state we use in this guide to determine who is eligible for an AD account. For this reason, the administrative status is the go-to property for disabling a user in an emergency: unlike the lifecycle state, which in our case is set by a mapping, it does not get overwritten by any mapping.
Effective status vs. administrative status
Effective status is a virtual status, a computed combination of all constraints on an object’s activation.
It cannot be set directly; it depends on the
1. Set administrative status for a user
For this exercise, let us say that the contract termination specialist Ashley Jackson is the user you need to disarm immediately.
- In Users > Persons, open Ashley Jackson (user ajackson) for editing.
- Select Activation on the left.
- Click Show empty fields if you do not see any fields to edit.
- In Administrative status, select Disabled.
- Click Save.
The effect of this action is immediate. Changing the administrative status of a user triggers an update according to the policies and rules you have set all across the ecosystem, meaning the change propagates to the AD server without waiting for the next scheduled reconciliation.
2. Verify the effect of administrative status change
To confirm the effect of setting the administrative status, select Audit Log Viewer to head over to the audit log, and see the three related events there (request, resource, execution).
Click the time stamp on the Resource entry in the audit log to see the exact change your action caused:
[Figure: roomNumber resource attribute value disabled]
You can check directly on the AD resource that your change of the administrative status provisioned the value disabled into the roomNumber attribute of Ashley Jackson’s account, effectively barring her from accessing Active Directory.
[Figure: roomNumber with the value disabled has been provisioned to the AD account of the user disabled by the administrative status]
How to revert the changes made by administrative status
Should you need to enable the user and take all the disabling action back, change the Administrative status attribute back to Undefined. The effective status then gets calculated based on all the "usual" policies and rules, and re-enables the user’s account if nothing else says it should not be enabled.
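The precedence described in this module (administrative status wins, Undefined falls back to the lifecycle-derived status) and the resulting roomNumber provisioning can be modelled in a few lines. The following is an added illustrative model written for this page, not midPoint code; the set of AD-eligible lifecycle states and the empty roomNumber value for enabled users are assumptions.

```python
"""Model of how midPoint derives a user's effective activation status and
what this guide's outbound mapping then writes to the AD account.
Illustrative model only, not midPoint's own implementation."""
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: lifecycle states that make a user eligible
# for an AD account (the guide derives lifecycle state from the HRIS status).
AD_ELIGIBLE_LIFECYCLE_STATES = {"active"}


@dataclass
class User:
    name: str
    lifecycle_state: str                          # e.g. "active", "archived"
    administrative_status: Optional[str] = None   # "enabled", "disabled", None = Undefined


def effective_status(user: User) -> str:
    """Administrative status is an explicit administrator decision and wins over
    every other activation constraint; when Undefined (None) the effective status
    is computed from the remaining constraints, here only the lifecycle state."""
    if user.administrative_status is not None:
        return user.administrative_status
    if user.lifecycle_state in AD_ELIGIBLE_LIFECYCLE_STATES:
        return "enabled"
    return "disabled"


def ad_room_number(user: User) -> Optional[str]:
    """Outbound mapping used in this guide: a disabled effective status is
    provisioned to AD as roomNumber = 'disabled'. Assumption: otherwise empty."""
    return "disabled" if effective_status(user) == "disabled" else None


def emergency_disable(user: User) -> User:
    """Step 1 of the module: force-disable regardless of what the HRIS says."""
    user.administrative_status = "disabled"
    return user


def revert_override(user: User) -> User:
    """Reverting: set administrative status back to Undefined so the effective
    status is recomputed from the usual policies and rules."""
    user.administrative_status = None
    return user


if __name__ == "__main__":
    ajackson = User("ajackson", "active")          # constructed sample user
    print(effective_status(ajackson), ad_room_number(ajackson))   # enabled None
    emergency_disable(ajackson)
    print(effective_status(ajackson), ad_room_number(ajackson))   # disabled disabled
    revert_override(ajackson)
    print(effective_status(ajackson), ad_room_number(ajackson))   # enabled None
```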
Next steps
In the next module, you will learn how to manage the situation when the information in the HRIS is wrong and you need to address the issue before the HR personnel can handle it the standard way.