7 MyID Operator Client error codes

OA10001

Unable to communicate with app - ensure that MyID UMC app (MyIdClientService) is running

The web page has been unable to communicate with the MyID Client Service.

Make sure the MyID Client Service is installed and running.

See the Installing the MyID Client Service section in the Installation and Configuration Guide.

Make sure that the browser you are using supports websockets connections to ws://localhost. See the Supported browsers section in the MyID Operator Client guide.

OA10002

Invalid credentials

The credentials you have supplied for authentication are not valid.

Supply valid credentials for logon.

OA10003

You do not have sufficient security questions configured

The person attempting to log on must have sufficient security questions set up on their account. The number of required security phrases is specified by the Number of security questions for self-service authentication configuration option.

Use the Change Security Phrases or Change My Security Phrases workflows to provide the required security phrases. See the Setting security phrases section in the Operator's Guide.

Alternatively, you can set a lower value for the Number of security questions for self-service authentication option. See the Setting the number of security phrases required to authenticate section in the Administration Guide.

OA10004

Your username or security response is incorrect, or you may not have permission to access this client.

The person attempting to log on has mistyped their username or security responses.

Try again.

Note: If the number of failed attempts exceeds the configuring maximum (by default, three) the person may be locked out and will have to have their security phrases unlocked. See the Configuring the number of attempts to enter security phrases section in the Administration Guide.

OA10005

The registration link is invalid

The registration job ID is not a valid job ID.

This can also occur if there is a problem with the request that is being collected, or the request is not at the ‘Awaiting Issue’ status; for example, if it has been canceled.

Carry out the request again.

OA10006

Logoncode OTPs are disabled on the server

The Allow Logon Codes option is not set on the server, or the person's role does not have access to the Password logon mechanism.

Set the Allow Logon Codes option, make sure the person has access to the Password logon mechanism, then try again.

See the Setting the configuration options and the Configuring roles for registering FIDO authenticators sections in the FIDO Authenticator Integration Guide for details.

OA10007

Your OTP has been entered incorrectly, is locked, has expired, or you do not have permission to perform this operation. Please try again.

The registration code was incorrect, or has been entered incorrectly too many times, or you do not have access to the Register FIDO Security Key operation.

Retry entering the registration code. If it continues to fail, it may be locked. Request another FIDO authenticator.

Check that your have access to the Register FIDO Security Key operation; see the Configuring roles for registering FIDO authenticators section in the FIDO Authenticator Integration Guide for details.

OA10008

Your session has timed out or is invalid, please try again

You may have waited too long to complete the registration process.

Try again.

If you have already used your registration code, you must request the FIDO authenticator again, which will send you a new registration code.

OA10009

Error registering FIDO in browser

The ServerDomain app setting may configured incorrectly. Note that ServerDomain is case sensitive and must be consistent with the casing of the DNS Name in the web server's TLS certificate.

Set the ServerDomain in the app settings file.

See the Adding the access token to the web service configuration file section in the FIDO Authenticator Integration Guide for details.

OA10010

Error authenticating FIDO in browser.

A cause of this is if the FIDO credential was registered on a website running a different origin to the website that is performing the authentication – at registration, FIDO credentials become locked to the origin on which they were registered.

This may also occur if the web.oauth2 Fido:Config:Origin is configured incorrectly in the authentication service app settings file. Note that Origin is case sensitive and must be consistent with the casing of the DNS Name in the web server's TLS certificate

Set the Origin in the app settings file.

See the Adding the access token to the web service configuration file section in the FIDO Authenticator Integration Guide for details.

OA10011

FIDO authentication failed, please try again. You may not have permission to access this client.

This may occur when the credential profile for a FIDO authenticator was set up to require user verification, but the FIDO authenticator does not support that feature.

This may also occur when you are attempting to log on with a FIDO authenticator without providing a username, but the credential profile was not set up with the Require Client Side Discoverable Key option, and consequently the FIDO authenticator does not have the key required for logon without a username.

Try a different FIDO authenticator, try a credential profile that has been set up with less stringent requirements, or try a credential profile that sets up the client side discoverable key; see the Setting up credential profiles for FIDO authenticators section in the FIDO Authenticator Integration Guide for details.

OA10012

FIDO registration failed, the FIDO token used to register was not trusted. Try a different FIDO token if you have one. <details>

The FIDO authenticator you have tried to register failed the attestation check.

Try a different FIDO authenticator.

OA10013

FIDO registration failed, user mismatch

The FIDO authenticator cannot be registered as there is a problem matching the user.

Try registering the authenticator to a different user.

OA10014

FIDO registration failed, the credential profile is invalid

The credential profile is not valid, or the person for whom the FIDO authenticator was requested has changed roles, and can no longer receive the originally-requested credential profile.

Request a FIDO authenticator using a different credential profile, and try again.

OA10015

FIDO registration failed, this token is already registered

The FIDO authenticator is already registered.

Try a different FIDO authenticator.

OA10016

FIDO registration failed, the credential profile is set to Enforce Authenticator Attestation Check, but the token registered does not have metadata available on the server. Try registering a different token.

The manufacturer did not register metadata with the FIDO metadata service, and the file-based metadata does not include information about this token. This token cannot be used with this credential profile.

Either register a different token, register this token to a different credential profile using a credential profile that does not have Enforce Authenticator Attestation Check set, get the token manufacturer to publish the metadata for this token to the FIDO metadata service, or obtain the FIDO metadata and configure it manually on the server using the MDSCacheDirPath setting.

See the Setting up credential profiles for FIDO authenticators or Setting up a local metadata repository section in the FIDO Authenticator Integration Guide for details.

OA10017

FIDO registration failed, there was a problem accessing the FIDO Metadata Server

There was a problem trying to get a metadata TOC payload entry from the FIDO metadata service.

Check that the URLs https://*.fidoalliance.org are accessible from the web server and try again.

OA10018

You do not have any FIDO tokens registered

The person has attempted to authenticate to the MyID authentication service using FIDO, but does not have any registered FIDO authenticators.

Request a FIDO authenticator for the person.

OA10019

Username should not be null or empty

The MyID Username claim was missing in the cookie for the call to logon with FIDO.

Restart the browser and try again.

OA10020

Invalid return URL

The return link from a logon authentication call was invalid.

This may be the result of a redirect attack or a malicious link. Make sure you have gone through the correct procedure.

OA10030

MyID:Database:ConnectionStringCore is not configured

A configuration file error has occurred. You must configure a database connection string.

Check the configuration file settings – ConnectionStringCore must be configured.

See the Configuring the standalone authentication service section in the MyID Authentication Guide.

OA10031

MyID:Database:ConnectionStringAuth is not configured

A configuration file error has occurred. You must configure a database connection string.

Check the configuration file settings – ConnectionStringAuth must be configured.

See the Configuring the standalone authentication service section in the MyID Authentication Guide

OA10032

Unable to find configured JWT signing certificate

No JWT signing certificate was found, but JWT signing is configured.

Check the JWT settings. See the Load balancing section in the MyID Operator Client guide.

OA10033

No JWT signing certificate configured and no RSA signing key containername configured

MyID is configured to use a previously configured RSA keyname but no RSA container name was found.

Check the JWT settings. See the Load balancing section in the MyID Operator Client guide.

OA10034

JWT signing key is configured, but has an incorrect algorithm or key size

MyID has found an RSA key with an incorrect algorithm or key size.

Check the JWT settings. See the Load balancing section in the MyID Operator Client guide.

OA10035

Generated JWT signer certificate, but unable to load it

A server error has occured while attempting to validate the generated signer certificate.

Check the JWT settings. See the Load balancing section in the MyID Operator Client guide.

OA10036

No JWT signing certificate configured and no RSA signing key containername configured, and not configured to generate a JWT signing key

A configuration error has occurred. No authentication method has been set.

Check the JWT settings. See the Load balancing section in the MyID Operator Client guide.

OA10037

You do not have permission to perform this operation. Your permissions could not be verified

A valid access token has not been supplied to authorize this extension grant. The token may be missing, may not contain the required claims.

Check that your system is providing the correct data for the extension grant.

OA10038

You do not have permission to perform this operation

This can happen if the caller does not have scope over the object (request, device or person) in the context of the operation being performed.

Check the roles that the person has and check the permissions these roles give in Edit Roles.

OA10039

You do not have permission to perform this operation on the identified object or the identified object does not exist

This can happen if the caller does not have scope over the object (request, device or person) in the context of the operation being performed.

Check the roles that the person has and check the permissions these roles give in Edit Roles.

OA10040

Your assigned roles do not have permission to collect this request’s credential profile

The credential profile does not include any of your roles in the Can Collect option.

Edit the credential profile to add one of your roles to the Can Collect options for the profile.

OA10041

Authorization failure, missing data

Data required to perform the extension grant is missing. This should not be seen through the MyID Operator Client but may occur if integrating third party systems to perform token operation extension grants if they do not supply the required data.

Check that your system is providing the data required to perform the extension grant.

OA10042

This item is not in the correct state to perform this operation

You have attempted to carry out an operation that requires a particular status; for example, collecting a card requires a job status of Awaiting Issue. If this error occurs, the status is no longer correct for the operation; this may occur when multiple operators attempt to carry out an operation on the same item.

Go back and attempt the operation again from the beginning; if the item is not in the correct status, you should not be offered the opportunity to carry out the operation.

OA10043

Your assigned roles do not have permission to unlock this device

When the configuration flag Constrain Credential Profile Unlock Operator is set, when unlocking devices for other users you require the Can Unlock permission for the credential profile of that device.

Edit the credential profile to add one of your roles to the Can Unlock options for the profile.

OA10044

You cannot perform this operation on yourself

You have attempted to perform and operation that is not allowed for self-service on your own account.

Either perform the operation on another person's account, or get another operator to perform the operation on your account.

OA10045

You cannot perform this operation on others

You have attempted to perform an operation that is allowed for self-service only on another person.

Either perform the operation on your own account, or get the other person to perform the operation on their own account.

OC10001

There are no actions available for your current logon method and the roles that you have been assigned.

You have not been assigned any actions for use in the MyID Operator Client.

Ensure that the roles you have assigned provide MyID Operator Client actions.

See the Roles and groups section in the MyID Operator Client guide.

OC10002

This web browser cannot be used. Please use an alternative web browser.

An unsupported browser has been detected. Due to the browser technology used, you cannot use Internet Explorer to access the MyID Operator Client.

The MyID Operator Client is designed to work on a range of browsers running on Windows 10, excluding Internet Explorer. You are recommended to use Google Chrome, Microsoft Edge (Chromium version) or Mozilla Firefox.

See the Supported browsers section in the MyID Operator Client guide.

OC10003

There has been a problem on server and it is not possible to continue.

The API server is unreachable or has been configured incorrectly.

Confirm that the API server is reachable, and has been configured correctly.

Check the URLs in the web service configuration files; they must use https and be valid URLs. See The rest.core web service configuration file and The web.oauth2 web service configuration file sections in the MyID Operator Client guide for details of the web service configuration files.

The REST-based web services require HTTPS, and will not operate if this is not set up. For more information, see the REST-based web services section in the System Interrogation Utility guide.

OC10004

The server could not be contacted. Please try again.

Connection to the server unavailable. Either the client is not connected to the Internet, or the server is offline.

Confirm that the API server is reachable, and try again.

Confirm that you have the correct server address specified; see the Specifying the server for the MyID Client Service section in the MyID Operator Client guide.

OC10005

The file you have uploaded is not an image. Please upload an image.

You can choose from the following file types:

• JPEG (*.jpg, *.jpeg)

• Bitmap (*.bmp)

• Graphics Interchange Format (*.gif)

• Portable Network Graphics (*.png)

If you select a file of the wrong type, MyID displays an error.

See the Uploading an existing image file section in the MyID Operator Client guide.

OC10006

MyID Client Service error

You have attempted to use a feature provided by the MyID Client Service App (for example, editing a captured image), but the app is not running.

See the Installing the MyID Client Service section in the Installation and Configuration Guide for instructions on installing the MyID Client Service.

OC10007

A problem has occurred when connecting to the camera.

The MyID Image Capture component cannot make a connection to the camera.

The camera might be in use or has a low maximum supported camera resolution.

Confirm that the camera is operating correctly and can support a minimum resolution of 640x480.

Confirm that the camera is not currently in use in another application, then start Image Capture again.

OC10008

Unable to launch the Desktop Application. Please check configuration and try again.

MyID Desktop or the Self-Service App could not be found at the configured path.

Confirm that the application is installed and available at the configured location.

See the MyID Operator Client advanced configuration section in the MyID Operator Client guide.

OC10009

Unable to connect to the Desktop Application. Please try again.

MyID Desktop or the Self-Service App was unable to be started, or is already running, and the MyID Client Service failed to connect to it.

Confirm that MyID Desktop is run in service mode and try again.

OC10010

Unable to launch the Desktop Application. Please try again.

MyID Desktop or the Self-Service App is running but is already servicing a request.

Try again when the current request has been completed.

OC10011

The item is not available. Check the link is valid and you have permission to access this information.

The operation or entity provided in the URL link is not available. Confirm that the link provided is valid and you have permissions for the operation specified.

Confirm that you have permissions to the link provided and try again.

OC10012

The item is not available. Check the link is valid and you have permission to access this information.

The search provided in the URL link is not available. Confirm that the link provided is valid and you have permissions for the search specified.

Confirm that you have permissions to the link provided and try again.

OC10013

Unable to launch the Desktop Application. Please try again.

An incorrect version of MyID Desktop has been detected.

Confirm that the correct version of MyID Desktop is installed, and try again. You may have to upgrade your version of MyID Desktop to the latest version to support the feature you are trying to use.

WS10000

Server error

An internal server error has occurred.

Retry the operation; the cause could be a temporary issue such as a database timeout due to server load.

This error may also occur if you have configured your system to use the web server to store images and have attempted to upload an image using the MyID Operator Client; this is not a supported configuration; see the Displaying images stored on the web server section in the MyID Operator Client guide for details.

If the problem persists, check the System Events and Audit Reporting workflows within MyID, then the rest.core logs for more information. For information on configuring logging, see the MyID REST and authentication web services section in the Configuring Logging guide.

WS10001

Unable to convert WSQ image to 378 biometric format

The supplied WSQ image is either corrupt or invalid or the Aware components are not installed on the server.

Check that the WSQ image is valid.

Check that the Aware components are installed on the server.

See the Aware Fingerprint Capture guide provided with the Aware Fingerprint Capture module.

WS10002

Unable to retrieve the values for the specified selection box.

A problem has occurred with a dynamic drop-down list, where the contents of one list depend on another; MyID was unable to call the stored procedure specified for the dependent list. This feature may have been implemented on a custom system using Project Designer.

Check that your linked picklists are configured correctly in Project Designer; if your custom system was provided by Intercede, contact customer support, quoting the error reference WS10002.

WS10003

Unable to retrieve the requested session information.

There is an API method that allows you to retrieve information about the currently authenticated session. This error appears when there is a problem determining the session.

Re-authenticate and try again.

WS20000

Server configuration error

There is a problem with the server configuration.

Check the System Events, Audit Reporting workflows within MyID, then the rest.core logs for more information. For information on configuring logging, see the MyID REST and authentication web services section in the Configuring Logging guide.

WS20001

Server configuration error - DataDictionary is inconsistent

The MyID Project Designer configuration is incorrect, preventing the server from starting correctly.

If you are using MyID Project Designer to develop your own custom configuration, use Project Designer to correct the configuration and reapply the project configuration.

Check the logs for information about the faulty data. For information on configuring logging, see the MyID REST and authentication web services section in the Configuring Logging guide.

WS20002

Server configuration error - SearchCriteria is inconsistent

The definition of the search criteria is incorrect.

This requires a database fix.

You must contact customer support quoting reference SUP-327 and provide details of which search operation is experiencing this error.

You will also be asked to provide log files; for information on configuring logging, see the MyID REST and authentication web services section in the Configuring Logging guide.

WS30000

Minimum data not supplied

There has been a problem with the processing of information entered on the form.

Check the data you have entered and try again.

WS30001

Invalid data supplied

There has been a problem with the processing of information entered on the form.

Check the data you have entered and try again.

WS30002

Validation problem, the value for <field name>, <details>

This error occurs when the <field name> field contains a value that is not allowed. This is a generic error; you are more likely to see a more specific error that gives a reason for the validation problem.

Check the values you have entered for the specified field and try again.

WS30003

Invalid person id specified

The person you have specified does not exist; for example, the person may have been removed by another operator. Alternatively, you have specified a person over whom you do not have permission.

Check the data you have entered and try again.

WS30004

Validation problem, the value for <field name>, invalid role specified

You have selected a role that is not allowed.

Check the roles you have selected and try again.

WS30005

Validation problem, the value for <field name>, must be no more than <number> characters

The value you have entered for the specified field is too long.

Provide a shorter value for the field and try again.

WS30006

Validation problem, the value for <field name>, invalid value for search criteria

The value you have entered for the specified field is not allowed as part of the search criteria.

Check the search criteria you have entered and try again.

WS30007

Validation problem, the value for <field name>, must contain a value

You have not entered a value for the specified field.

Enter a value for the specified field and try again.

WS30008

Validation problem, the value for <field name>, is not a selectable value

You have provided a value for the specified field that is not available in the drop-down list.

Check the value you have entered for the specified field and try again.

WS30009

Validation problem, the value for <field name>, <details>

You have entered a value for the specified field that contains a value that is not allowed. The <details> provide more information about why this value was not allowed; for example, "must be a date in the past" or "must be alphanumeric".

Check the value you have entered for the specified field and try again.

WS30010

Validation problem, the value for <field name>, fails Validation rule <rule>

You have entered a value for the specified field that contains a value that is not allowed. There is no description for this validation rule; it may be a custom validation rule.

Check the values you have entered for the specified field and try again.

WS30011

Validation problem, the value for <field name>, can only be 0 or 1

You have entered a value for the specified field other than 0 or 1, and this field only allows those values.

Enter a value of 0 or 1 in the specified field and try again.

WS30012

Validation problem, the value for <field name>, must be a number

You have entered a value for the specified field that is not a number.

Enter a number in the specified field and try again.

WS30013

Validation problem, the value for <field name>, must be a valid uuid

A field has been supplied to the server that is not a valid UUID (universally unique identifier).

If you are using the MyID Operator Client, retry the operation. If the problem persists, contact customer support, quoting reference SUP-328.

You will be asked to provide log files; for information on configuring logging, see the MyID REST and authentication web services section in the Configuring Logging guide.

WS30014

Validation problem, the value for <field name>, must be a date or datetime

You have entered a value for the specified field that is not a valid date or time and date value.

Check the value you have entered and try again.

WS30015

Validation problem, the value for <field name>, is mandatory

You have not entered a value for the specified field; this field is mandatory.

Enter a value for the specified field and try again.

WS30016

Validation problem, the value for <field name>, is not a valid StatusMapping

The value you have entered for the specified field is not a valid certificate reason (StatusMapping).

Check the value you have entered and try again.

WS30017

Validation problem, the value for 'First Name', and 'Last Name' must be provided.

You have attempted to save a person's record with neither a first name nor a last name. You must include one or both of these values.

Ensure that you have specified one or both of the First Name and Last Name fields, then attempt to save the person's record again.

WS30018

Validation problem, the value for <field name>, is not an allowed value

The value you have entered for the specified field is not permitted.

Check the value you have entered and try again.

WS30019

Validation problem, the value for <field name>, is not correctly encoded binary data

You have attempted to submit a file (for example, an image file) but the binary data file is not encoded correctly.

Check the file you are submitting and try again.

WS30020

The value provided contains one or more characters which are disallowed.

The provided password is not valid.

Provide a password that contains allowed characters and try again.

WS30021

Biometric samples of the required type cannot be found for the user.

Adjudication requires fingerprint samples captured using a 10-Slap enrollment device. Check that you have captured new fingerprints before submitting for adjudication.

See the Adjudication Integration Guide provided with the Adjudication module and the Aware Fingerprint Capture guide provided with the Aware Fingerprint Capture module for details.

WS30022

must be a date in the future

The field failed validation as the provided value can only be a date in the future.

Provide a date in the future and try again.

WS30023

must be a date in the past

The field failed validation as the provided value can only be a date in the past.

Provide a date in the past and try again.

WS40000

Validation problem, the value for 'Distinguished Name', already exists

You have specified a Distinguished Name for the person that is already used for a different person, and your system is configured to require unique DNs.

Enter a unique DN for the person and try again. Alternatively, you can configure your system to allow duplicate DNs; the Allow duplicate DN configuration option determines whether unique DN values are required; see the LDAP page (Operation Settings) section in the Administration Guide for details.

WS40001

Validation problem, the value for ‘Logon’, already exists

You have specified a Logon name for the person that is already used for another person. Logon names must be unique.

Enter a unique logon name and try again.

WS40002

The specified Credential Profile could not be found

The credential profile you selected is no longer available.

Select a different credential profile and try again.

WS40003

Duplicate group name is not allowed (a group with this name already exists for this parent)

You have specified a group name that already exists. Groups that are located under the same parent group must have unique names.

Enter a new group name and try again.

WS40004

Unable to get default roles for group

When adding a person, default roles are retrieved from that person's group – this operation has failed.

Retry the operation. Make sure that the group you have selected is valid.

WS40005

The item referenced was not found

You have selected an item (for example, a person, device, or request) that does not exist, has been removed by another operator, or over which you do not have permission.

Retry the operation. If the problem persists, check that you have sufficient privilege to access the item.

Check the MyID System Events workflow and the rest.core logs for more information. For information on configuring logging, see the MyID REST and authentication web services section in the Configuring Logging guide.

WS40006

The required group, <group name>, is not available

You have specified a group that is not available.

Check the group name and try again.

WS40007

The user location in the directory could not be matched to an existing group

When importing a person to the MyID database from a directory, the person could not be matched to a group in MyID.

Try one of the following:

• Manually pick a MyID group for the user to be imported into and save the record again.

• Use the Edit Groups workflow in MyID Desktop and import the LDAP groups into MyID.

  See the Importing an LDAP directory branch section in the Operator's Guide for details.

• If you want groups to be automatically imported from LDAP, set the Automatically create MyID groups from the Organizational Unit of imported users configuration option on the LDAP page of the Operation Settings workflow.

WS40008

Directory synchronization is not available with this API due to configuration or role limitations

An attempt has been made to synchronize a person with the directory manually; however, this operation is disabled due to system configuration.

Directory synchronization is controlled by the following configuration:

• If the Background Update configuration option is turned on, people are automatically updated in the MyID database when they are retrieved. In this situation it does not make sense to synchronize the person from LDAP manually. An attempt to trigger a manual synchronization would produce this error; however, the button does not appear.
• If the Background Update configuration option is turned off, if the caller has roles to enable manual directory sync, the operator can request a directory synchronization by clicking the button. In this situation, this error code will not occur.

As the button appears only when it is allowed by system configuration, this error is unlikely to appear. However, if it does appear, it means that a client is out of step with the server configuration. Shut down the client, clear the browser cache, and try the operation again.

WS40009

You must provide a reason for rejecting the specified request.

You have attempted to reject a request without specifying a reason. A reason is mandatory when rejecting a request.

Specify a reason for rejecting the request and try again.

WS40010

You must provide a reason for canceling the specified request.

You have attempted to cancel a request without specifying a reason. A reason is mandatory when canceling a request.

Specify a reason for canceling the request and try again.

WS40011

When creating or approving a request, the job expiry date must be in the future. Either the newly selected request maximum expiry date, or the user maximum expiry date of the request target is in the past.

Either the selected maximum expiry date for the request, or the user maximum expiry date is in the past.

Specify a date for the request that is in the future and try again.

WS40012

The device cannot be replaced because it is not issued

You have specified a device to be replaced, but MyID does not recognize it as an issued device.

Specify a valid issued device and try again.

WS40013

The device cannot be replaced because it is has already expired

You have specified a device to be replaced, but it has already expired.

Specify a currently-issued device to be replaced, or request a new device to replace the original expired device.

WS40014

The device cannot be replaced because it is too close to its expiry date

You have attempted to replace a device, but it will expire soon. You must renew the device instead.

By default, the renewal window is 42 days; this is configured by the Card Renewal Period option on the Devices page of the Operation Settings workflow. You can renew a card if its expiry date is within this window.

Renew the device.

WS40015

The device cannot be replaced because it does not have a credential profile

You have attempted to replace a device, but the credential profile used to issue the device has been removed.

Cancel the device and issue a new one.

WS40016

The device cannot be renewed because its remaining lifetime does not fall within the configured window for renewals

By default, the renewal window is 42 days; this is configured by the Card Renewal Period option on the Devices page of the Operation Settings workflow. You can renew a card if its expiry date is within this window.

Wait for the device to fall within the window for renewals before trying again.

WS50000

Your current authentication level cannot access this information. The logon credential used, roles that logon credential can access and scope available to those roles may limit your access

You do not have permission to perform the requested operation.

Check the roles and scope for the operator who is attempting to carry out this operation. It is possible to have different scopes for different operations; for example, you may be allowed to view all people in the system, but only be allowed to edit people from a particular group.

Check the MyID System Events and Audit Reporting workflows for more information about the operation being attempted.

WS50001

Licence Limit Reached

You have attempted to add a person or request a device but have reached the maximum number of people or devices.

Either remove some people or devices that are no longer required, or request extra licenses from Intercede. See the Requesting licenses section in the Administration Guide for details.

WS50002

You do not have permission to update your own device

The system is configured using the Self-service option (on the Self-Service page of the Security Settings workflow) to prevent you from performing updates to devices that belong to you; for example, you are not allowed to enable a disabled device that belongs to you.

Ask another operator to update the device for you.

WS50003

You do not have permission to update the device you authenticated with

You have attempted to perform an update on the device that you logged on with. This is not allowed.

Ask another operator to update the device for you.

WS50004

The system is not configured to allow you to edit your own information

The system is configured to prevent you from updating your own details.

Ask another operator to edit your information.

WS50005

Searching for people in the database is disabled

You have attempted to search for a person in the MyID database, but MyID is not configured to do so.

You can search the MyID database only if you have configured MyID to do so; you must set the Search a directory configuration option to No or Ask. See the LDAP page (Operation Settings) section in the Administration Guide for details.

WS50006

Searching for people in the directory is disabled

You have attempted to search for a person in an attached directory, but MyID is not configured to do so.

You can search a directory only if you have configured MyID to do so; you must set the Search a directory configuration option to Yes or Ask. See the LDAP page (Operation Settings) section in the Administration Guide for details.

WS50007

Invalid job status change

You have attempted to update a request job to a status that is not permitted.

The MyID Operator Client prevents you from making changes that are not permitted; however, it is possible that another operator has made a change to the status of the request job at the same time.

Retry the operation; if the problem persists, close the Operator Client, clear the browser cache, and try again. If the problem persists further, check the MyID System Events and Audit Reporting workflows.

WS50008

Your assigned roles do not have permission to request the credential profile specified

You have specified a credential profile to which you do not have access.

The credential profiles available depend on the role of the operator and the role of the person for whom you are requesting the device; see the details of the Can Request option in the Constrain credential profile issuer section in the Administration Guide.

WS50009

It is not possible to create requests for yourself or your devices.

This message occurs when an attempt is made by an operator to request their own credentials. It could occur when:

• Attempting to request a replacement for one of their devices.

• Attempting to request a renewal for one of their devices.

• Attempting to request a device for themselves (Note: The button for this is not available in MyID Operator Client).

Ask another operator to carry out the operation.

WS50010

Your assigned roles do not have permission to approve or reject requests for this credential profile

You have attempted to approve or reject a request that uses a credential profile that you are not allowed to validate.

The credential profiles you can validate depend on your role; see the details of the Can Validate option in the Constrain credential profile validator section in the Administration Guide.

WS50011

The person selected does not have a role assigned that can hold the requested credential profile

You have attempted to request a device using a credential profile to which the person does not have access.

The credential profiles available depend on the role of the operator and the role of the person for whom you are requesting the device; see the details of the Can Receive option in the Linking credential profiles to roles section in the Administration Guide.

WS50012

The person selected does not have user data approved. The credential profile requires user data to be approved before it can be requested

You have attempted to request a device using a credential profile that requires the person to have the User Data Approved flag set on their account, but the person does not have this flag set.

Either set the User Data Approved flag, or edit the credential profile so that it does not require this flag; see the details of the Require user data to be approved option in the Issuance Settings section in the Administration Guide.

WS50013

The account selected is not compatible with this request (kind is mismatched)

Requests cannot be made for the selected person. This could be due to this account being a special kind of record that represents a non-person entity (for example, for device identities).

If you are trying to request a credential for a non-person, such as a device identity, use MyID Desktop instead; the MyID Operator Client does not currently support requests of this kind.

If you continue to have problems, check the configuration of the credential profile you are using. You can also check the MyID System Events and Audit Reporting workflows.

WS50014

You are not permitted to approve or reject requests that you have made

You have attempted to approve or reject a request that you initiated. You cannot validate these requests.

Ask another operator to validate the request.

WS50015

You are not permitted to approve or reject requests that you will receive

You have attempted to approve or reject a request for your own device. You cannot validate these requests.

Ask another operator to validate the request.

WS50016

The person selected does not have all required information for this credential profile. Check the Person History audit details to identify the missing requisite user data.

You have specified a credential profile that has specific requisite user data requirements; the person you have specified does not meet those requirements.

Select a different credential profile, or update the person's user account to provide the requisite user data.

See the Requisite User Data section in the Administration Guide for details.

WS50017

The person selected does not have a Distinguished Name. This profile requires a Distinguished Name for credential issuance.

You have specified a credential profile that requires a Distinguished Name for issuing its certificates.

Update the person's user account to provide a Distinguished Name.

WS50018

This credential profile can only be requested using a Derived Credential process

You have specified a credential profile that is used for Derived Credentials.

Specify a different credential profile, or request the device using the appropriate process for derived credentials; for example, see the Requesting a Derived Credential section in the Derived Credentials Self-Service Request Portal guide.

WS50019

Requests created using this API must include Smart Card, Virtual Smart Card, Windows Hello for Business or FIDO encoding types

The MyID Operator Client is currently restricted to using credential profiles that are designed for smart cards, VSCs, Windows Hello for Business, or FIDO.

Windows Hello for Business and FIDO are not supported in MyID Professional.

Check the credential profile you are trying to use. Either select a credential profile that is supported by the MyID Operator Client, or, if you need to use a credential profile that is not supported, use MyID Desktop instead.

WS50020

A requested role has been excluded through the application of group role restrictions

You have requested a role for a person that is not available because the person's group does not allow this role.

Either select a different role or amend the group so that it has access to the required role. See the Changing a group section in the Operator's Guide for details.

WS50021

The scope requested for a role is greater than the maximum scope assignable by the current operator

You have requested a scope level that is higher than your own scope. An operator cannot assign a scope higher than their own level.

Request a lower scope level that is at your own level or lower.

WS50022

A requested role is manager controlled and the operator does not hold the role that would permit them to assign it

You have requested a role that is restricted by the Managed By option.

Either select a different role, or update the Managed By option for the required role to contain one of your own roles; this will allow you to assign the role.

See the Controlling the assigning of roles section in the Administration Guide.

WS50023

This type of request is not allowed to be updated

You have attempted to update a request that is not allowed to be updated.

Retry the operation. Further information is available in the MyID System Events and Audit Reporting workflows.

WS50024

Enabling/Disabling a directory person is not allowed

You have attempted to enable or disable a person whose details are stored in a directory. You can enable or disable user accounts for people only if they are stored in the MyID database.

Select a person in the MyID database and try again.

WS50025

You do not have permissions to edit PIV applicants

You have attempted to edit a PIV applicant; this is not possible as you do not have permission to use the Edit PIV Applicant feature.

Check the role and permission assignments of the operator.

WS50026

You do not have permission to add or remove the specified administrator groups

You have attempted to add or remove administration groups but you do not have permission to those groups.

Request permission from an administrator; see the Administrative groups section in the Administration Guide for details.

WS50027

The operator does not have sufficient scope to create a request for this account

You have attempted to create a request for a person, but that person does not sit within your scope.

Check your scope; see the Scope and security section in the Administration Guide for details.

WS50028

You cannot validate or reject a request which does not have an Awaiting Validation status

You have attempted to validate or reject a request, but the request is not awaiting validation, so does not need to be validated or rejected.

Check the status of the request.

WS50029

You cannot cancel a request which has a Completed, Canceled or Failed status

You have attempted to cancel a request, but the request's status is Completed, Canceled or Failed; requests at those statuses do not need to be canceled.

Check the status of the request.

WS50030

The person selected does not have a photo. The credential profile requires the user to have a photo before it can be requested

The Enforce Photo at Issuance option in the credential profile is set to Request and Issuance, which means that you cannot request or issue a card if the cardholder does not have a photo.

Capture a photo for the person and try again.

Alternatively, edit the credential profile to set the Enforce Photo at Issuance option to No.

WS50031

Operation ID <operation> is not a permitted clone of operation <operation>

An API call has been made which violates the cloned operation configuration.

If this occurs when using the MyID Operator Client, contact customer support.

If this occurs when calling the REST API directly, check the op parameter references an allowed cloned operation.

WS50032

The conditions on the Operation with ID <operation ID> prohibit use of the operation for the target entity

An operation has been attempted that is not permitted for the entity that would be affected by the operation.

If this occurs when using the MyID Operator Client, contact customer support.

If calling the API directly, make sure the operation that is being used is permitted for the entity that would be affected by the operation. For example, this error will occur when using the Edit Person operation to attempt to edit a person who holds the PIV Applicant role.

WS50033

The person selected does not have fingerprint biometrics. The credential profile requires that the recipient has fingerprint biometrics enrolled.

You have attempted to request a device for a person who does not have fingerprints stored in the MyID database, the credential profile for the device has the Require Fingerprints at Issuance option set, and the Enforce biometrics at request configuration option (on the Biometrics page of the Operation Settings workflow) is set.

Enroll fingerprints for the person, select a different credential profile that does not have the Require Fingerprints at Issuance option set, or set the Enforce biometrics at request configuration option to No.

WS50034

The person selected does not have facial biometrics. The credential profile requires that the recipient has facial biometrics enrolled.

You have attempted to request a device for a person who does not have fingerprints stored in the MyID database, the credential profile for the device has the Require Facial Biometrics option set, and the Enforce biometrics at request configuration option (on the Biometrics page of the Operation Settings workflow) is set.

Enroll facial biometrics for the person, select a different credential profile that does not have the Require Facial Biometrics option set, or set the Enforce biometrics at request configuration option to No.

WS50035

An existing request has been found that prevents this action. Check requests that are already created and if necessary cancel them.

You have attempted to request a device for a person using a credential profile that has the Block Multiple Requests for Credential Group set, and the person already has an existing request for a device from the same credential group.

Request a device from a different credential profile that is not subject to the same credential group restrictions, or cancel the existing request, if necessary.

See the Block Multiple Requests for Credential Group section in the Administration Guide.

WS50036

The person selected has a maximum credential expiry date that is before the date requested.

You have requested an expiry date for a device that is after the person's maximum credential expiry date.

Choose an expiry date for the device that is before the person's maximum credential expiry date, and try again.

See the Editing a PIV applicant and Requesting a device for a person sections in the MyID Operator Client guide for details.

WS50037

Creating a request is not allowed. <details>

You have attempted to create a request, but it does not meet the criteria set by a customized system. The <details> may provide more information.

Check the requirements of the customized system, adjust the request to meet those requirements, then try again.

WS50038

The selected credential profile is not allowed because the person that requested the job was not allowed to request this credential profile.

The system has checked the permissions on the job (for example, the device request) and the issuer does not have the required permissions to request the credential profile selected.

Select a different credential profile, or cancel the request and create a new device request.

WS50039

You cannot action your own adjudications.

The operator has attempted to generate or update an adjudication request for themselves.

Ask another operator to carry out the adjudication.

WS50040

You do not have permission to perform this operation against the selected item.

You have attempted to perform an action on an item, but your scope does not permit the action. For example, if you have scope that allows you to view a user, and permission to validate requests, but your validate request scope does not allow you to validate requests for that user, you can attempt to validate a request for the user, but the action will not succeed, and this error appears.

Make sure that your scope permits you to carry out the appropriate actions for the target user, then try again.

WS50041

This action cannot be performed because the user has outstanding adjudications.

A person can only have one adjudication that is being processed at once. This error appears when an adjudication request is attempted for a person who has an outstanding unfinished request.

Complete or cancel the existing adjudication.

WS50042

The request task type is not supported by the credential profile.

The system can restrict certain credential profiles being used for certain types of jobs. For example, you cannot issue a VSC to a FIDO authenticator.

Select the correct device type for the credential profile.

WS50043

This credential profile can only be requested from Request Device.

Request Card has been used for to generate a request for a FIDO device. There is a different workflow used to request FIDO device jobs.

Use the correct process for requesting FIDO authenticators.

WS50044

This device requires secondary authorization to cancel it. Please use the MyID Desktop Cancel Credentials workflow.

You have attempted to cancel a device that was issued with a credential profile that had the Validate Cancellation option selected. Validating cancellations is not supported in the MyID Operator Client.

Use the Cancel Credential workflow in MyID Desktop to cancel the device.

WS50045

The device selected cannot be canceled. Please refer to product documentation for further guidance.

You have attempted to cancel a server credential. You cannot cancel server credentials.

Choose a different device and try again.