Chapter 3. Managing user accounts using the IdM Web UI

Identity Management (IdM) supports three user account states:

You can delete user entries permanently from the IdM database.

A new administrator can only be created by a user with administrator rights, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.

Usually, you need to create a new user account before a new employee starts to work. Such a stage account is not accessible and you need to activate it later.

At this point, you can see the user account in the Stage Users or Active Users table.

If you click on the user name, you can edit advanced settings, such as adding a phone number, address, or occupation.

You must follow this procedure to activate a stage user account, before the user can log in to IdM and before the user can be added to an IdM group.

If the activation is successful, the IdM Web UI displays a green confirmation that the user has been activated and the user account has been moved to Active users. The account is active and the user can authenticate to the IdM domain and IdM Web UI. The user is prompted to change their password on the first login.

Additionally, at this stage, you can add the active user account to user groups.

You can disable active user accounts. Disabling a user account deactivates the account, therefore, user accounts cannot be used to authenticate and using IdM services, such as Kerberos, or perform any tasks.

Disabled user accounts still exist within IdM and all of the associated information remains unchanged. Unlike preserved user accounts, disabled user accounts remain in the active state and can be a member of user groups.

If the accounts are disabled successfully, you can verify this in the Status column in the Active users table.

With IdM you can enable disabled active user accounts. Enabling a user account activates the disabled account.

If the change is successful, you can verify this in the Status column in the Active Users table.

Preserving user accounts enables you to remove accounts from the Active users tab, yet keeping these accounts in IdM.

Preserve a user account if an employee leaves the company. If you want to disable user accounts for a couple of weeks or months (parental leave, for example), disable the account. For details, see Disabling user accounts in the Web UI. The preserved accounts are not active and users cannot use them to access your internal network, however, the account stays in the database with all the data.

You can move the restored accounts back to the active mode.

The user account is moved to Preserved users.

If you need to restore preserved users, see the Restoring users in the IdM Web UI.

IdM (Identity Management) enables you to restore preserved user accounts back to the active state. You can restore a preserved user to an active user or a stage user.

The IdM Web UI displays a green confirmation and moves the user accounts to the Active users tab.

Deleting users is an irreversible operation, causing the user accounts to be permanently deleted from the IdM database, including group memberships and passwords. Any external configuration for the user, such as the system account and home directory, is not deleted, but is no longer accessible through IdM.

You can delete:

The following procedure describes deleting active users. Similarly, you can delete user accounts on:

The users accounts are permanently deleted from IdM.