Hi Jan,
We currently have a policy map script (enabled.groovy) configured for AD (via PowerShell) that manages account enablement based on user status changes in OpenIAM. Specifically, it disables the AD account when a user’s status changes from:
- ACTIVE to LEAVE
- ACTIVE to DISABLED
- ACTIVE to PENDING_START_DATE
This is the expected and correct behavior based on the logic defined in the script.
(We’ve attached the script here for reference.)
The issue arises when a user sync is manually triggered from AD to OpenIAM. In such cases, previously disabled users in both OpenIAM and AD appear to get re-enabled.
This happens because:
- In the AD user sync transformation script, the status is set to ACTIVE for all incoming users.
- Additionally, the “Provision to Target Systems” checkbox is likely enabled in the AD user sync configuration.
As a result:
- During the sync, the user’s status in OpenIAM is overwritten to ACTIVE.
- Since provisioning is enabled, this status update triggers a provisioning request to AD — which ends up re-enabling the user account.
Recommended Fix
To avoid this unintended behavior:
Disable the “Provision to Target Systems” checkbox in the AD user sync configuration.
This will ensure that status updates during sync do not trigger re-provisioning to AD.
We can help you update the AD user sync transformation script so that it:
- Checks the current user status in AD.
- Avoids changing the status to ACTIVE if the user is already disabled.
This will prevent accidentally reactivating disabled accounts during sync.
Please let us know the exact use case you’re trying to achieve, and we’ll help you tailor the script accordingly.
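The status-resolution logic the message proposes for the AD user sync transformation script, written out as an added Groovy example. This is not the enabled.groovy script attached to the message and not OpenIAM's own transformation-script API: how the sync hands the incoming AD attributes and the existing OpenIAM user to the script is left as an assumption (here a plain Map and a nullable status string), the class name SyncStatusResolver is hypothetical, and the sAMAccountName and userAccountControl sample values at the bottom are constructed. The ACCOUNTDISABLE bit (0x0002) of userAccountControl is Active Directory's real disabled flag.

```groovy
import groovy.transform.CompileStatic

// Added example, not the attached enabled.groovy and not OpenIAM's transformation-script API.
// Assumption: the sync gives the script the AD attributes as a Map and the current OpenIAM
// status as a String (null when the user does not exist in OpenIAM yet).
@CompileStatic
class SyncStatusResolver {
    // Bit 0x0002 of userAccountControl is ACCOUNTDISABLE in Active Directory.
    static final int ACCOUNT_DISABLE = 0x0002

    // Statuses that the policy map already treats as "the AD account must stay disabled".
    static final Set<String> DISABLED_STATUSES =
        ['LEAVE', 'DISABLED', 'PENDING_START_DATE'] as Set<String>

    /** True when the AD userAccountControl value carries the ACCOUNTDISABLE flag. */
    static boolean isDisabledInAd(Object uac) {
        if (uac == null) {
            return false
        }
        int value = (uac instanceof Number) ? ((Number) uac).intValue()
                                            : Integer.parseInt(uac.toString().trim())
        return (value & ACCOUNT_DISABLE) != 0
    }

    /**
     * Decide which status the sync should write to OpenIAM for one incoming AD account.
     * Never promotes a user that is disabled (in AD or in OpenIAM) back to ACTIVE, so the
     * sync alone can no longer re-enable an account that the lifecycle disabled.
     */
    static String resolveStatus(String currentStatus, Map<String, Object> adAttributes) {
        boolean disabledInAd = isDisabledInAd(adAttributes?.get('userAccountControl'))
        boolean disabledInOpenIam = currentStatus != null && currentStatus in DISABLED_STATUSES

        if (disabledInAd) {
            // AD says disabled: keep the non-active status OpenIAM already holds
            // (LEAVE, PENDING_START_DATE, ...) instead of collapsing it, else use DISABLED.
            return disabledInOpenIam ? currentStatus : 'DISABLED'
        }
        if (disabledInOpenIam) {
            // AD says enabled but OpenIAM disabled the user: the sync leaves that decision
            // alone; re-enabling stays a lifecycle action, not a side effect of a sync run.
            return currentStatus
        }
        // Enabled on both sides (or a brand-new enabled account): ACTIVE is correct.
        return 'ACTIVE'
    }
}

// Constructed sample input, not real directory data.
// 514 = NORMAL_ACCOUNT (0x0200) | ACCOUNTDISABLE (0x0002); 512 = NORMAL_ACCOUNT, enabled.
List<Map> samples = [
    [current: 'DISABLED', ad: [sAMAccountName: 'jdoe',    userAccountControl: '514']],
    [current: 'LEAVE',    ad: [sAMAccountName: 'asmith',  userAccountControl: 512]],
    [current: 'ACTIVE',   ad: [sAMAccountName: 'bjones',  userAccountControl: 512]],
    [current: null,       ad: [sAMAccountName: 'newhire', userAccountControl: 514]],
]

samples.each { Map s ->
    Map<String, Object> ad = (Map<String, Object>) s.ad
    String decided = SyncStatusResolver.resolveStatus((String) s.current, ad)
    println "${ad.sAMAccountName}: OpenIAM=${s.current} AD uac=${ad.userAccountControl} -> ${decided}"
}
```

With the constructed rows above, jdoe and newhire resolve to DISABLED, asmith keeps LEAVE, and only bjones resolves to ACTIVE. The resolver is only half of the fix described in the message: as long as the “Provision to Target Systems” checkbox stays enabled, any status the sync does write is still pushed back to AD, so the checkbox change and the script change belong together.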