3.7 Enabling, disabling and removing users
You can use the import feature to enable, disable or remove users. To disable or remove a user, add an <Actions> node containing the appropriate keyword to the user's entry in the XML import file; to re-enable a disabled user, import the user again without an <Actions> node.
3.7.1 Removing users
In the user node (User for CMS, Applicant for PIV), add an <Actions> node. Within it, add the following to remove the user:
<ApplicantAction>Remove</ApplicantAction>
<StatusMappingID>ID</StatusMappingID>
<RevocationComment>Comment</RevocationComment>
Where ID is the ID of a revocation or suspension code from the StatusMapping table in the database (see section 3.7.5, Status mapping codes), and Comment is the comment recorded when the user's certificates are revoked or suspended; it also appears in the system audit reports.
3.7.2 Disabling users
To disable a user, use the following:
<ApplicantAction>Disable</ApplicantAction>
<StatusMappingID>ID</StatusMappingID>
<RevocationComment>Comment</RevocationComment>
ID and Comment have the same meaning as for removing a user (see section 3.7.1).
In both cases the user is removed or disabled, and their cards and certificates are canceled or suspended according to the PKI action of the status mapping code you specify (see sections 3.7.5.1 and 3.7.5.2). A suspension is reversible and suspended certificates remain available for recovery, so choose a code whose PKI action is Revoke for a compromised or departed user.
Known issue IKB-261 – User certificates not revoked when suspending a user with an ApplicantAction of Disable
When you disable a user using the Lifecycle API, the user's certificates are suspended rather than revoked, even when the specified StatusMappingID maps to a full revocation. Because a suspended certificate can be reinstated, do not rely on Disable alone to revoke certificates. To work around this issue, revoke the devices with CancelDevices before disabling the user account; see section 3.10.1, Canceling cards.
Alternatively, add DisallowCertificateSuspension with a value of 1 to settings.xml so that the status mapping determines the specific revocation action that takes place; see section 5, Advanced settings, for details.
3.7.3 Enabling users
If you omit the <Actions> node and the user already exists in the database in a disabled state, the import process re-enables the user.
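The following script builds the import entry for the three cases in sections 3.7.1 to 3.7.3 and checks the StatusMappingID against the PKI actions in section 3.7.5 before the file is submitted. It is an added example, not Intercede's own tooling. The root element name (Import) and the identifying child (LogonName) are assumptions and are not given on this page; the <Actions> child elements, the reserved negative ID range and the per-code PKI actions are taken from this section.

```python
"""Build a MyID Lifecycle API import entry that removes, disables or
re-enables a user, and sanity-check the StatusMappingID before sending it.

Added example; not Intercede's own tooling. Assumed (not in the page):
the root element name "Import" and the identifier child "LogonName".
The <Actions> child elements, the reserved negative ID range and the
PKI actions per status mapping code are taken from sections 3.7.1-3.7.5.
"""
import xml.etree.ElementTree as ET

# PKI action for the user-selectable status mapping codes an operator would
# plausibly pass with Disable or Remove (sections 3.7.5.1 and 3.7.5.2; the
# PKI Action column is the same on PIV and non-PIV systems for these IDs).
PKI_ACTION = {
    1: "Revoke", 2: "Revoke", 3: "Revoke", 4: "Suspend", 5: "Revoke",
    6: "Revoke", 7: "Suspend", 8: "Suspend", 9: "Revoke", 10: "Revoke",
    11: "Revoke", 12: "Suspend", 15: "Revoke", 16: "Suspend",
}


def user_action_xml(logon_name, action=None, status_mapping_id=None,
                    comment=None, piv=False):
    """Return (xml_text, warnings).

    action: None to re-enable a disabled user (no <Actions> node is emitted),
            "Disable" to suspend/revoke, or "Remove" to remove the user.
    piv:    True emits an <Applicant> node (PIV), False a <User> node (CMS).
    """
    warnings = []
    root = ET.Element("Import")                         # assumed root name
    user = ET.SubElement(root, "Applicant" if piv else "User")
    ET.SubElement(user, "LogonName").text = logon_name  # assumed identifier

    if action is None:
        # Section 3.7.3: omitting <Actions> re-enables an existing disabled user.
        return ET.tostring(root, encoding="unicode"), warnings
    if action not in ("Remove", "Disable"):
        raise ValueError("action must be None, 'Remove' or 'Disable'")
    if not isinstance(status_mapping_id, int) or status_mapping_id <= 0:
        # Negative IDs are reserved for system use and 0 is marked
        # "System use only", so only positive codes are accepted.
        raise ValueError("StatusMappingID must be a positive status mapping code")
    if not comment:
        # The comment is recorded against the revocation/suspension and in
        # the audit reports, so an empty one leaves no reason on record.
        raise ValueError("RevocationComment is required")

    pki = PKI_ACTION.get(status_mapping_id, "unknown")
    if action == "Disable" and pki == "Revoke":
        warnings.append(
            f"IKB-261: Disable with StatusMappingID {status_mapping_id} "
            "(PKI action Revoke) only suspends the certificates; cancel the "
            "devices first or set DisallowCertificateSuspension=1")
    elif action == "Remove" and pki == "Suspend":
        warnings.append(
            f"StatusMappingID {status_mapping_id} maps to Suspend, so the "
            "removed user's certificates are suspended, not revoked, and "
            "archived certificates remain recoverable")

    actions = ET.SubElement(user, "Actions")
    ET.SubElement(actions, "ApplicantAction").text = action
    ET.SubElement(actions, "StatusMappingID").text = str(status_mapping_id)
    ET.SubElement(actions, "RevocationComment").text = comment
    return ET.tostring(root, encoding="unicode"), warnings


if __name__ == "__main__":
    # Constructed sample: a compromised credential holder on a PIV system.
    xml_text, warns = user_action_xml(
        "jsmith", "Disable", 6, "Device reported compromised", piv=True)
    print(xml_text)
    for w in warns:
        print("WARNING:", w)
```

The warning paths are the two cases the page's tables make easy to get wrong: a Disable with a revoking code (which IKB-261 turns into a suspension) and a Remove with a suspend-only code (which leaves the certificates recoverable). If the users were originally imported from LDAP, the entry also needs the Group node described in section 3.7.4, whose shape this example does not model.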
3.7.4 Updating users who were imported from LDAP
If you are using the Lifecycle API to update users who were originally imported from LDAP, and you want the changes to be pushed to the directory, you must include the user's Group node so that the update can determine the LDAP ID.
3.7.5 Status mapping codes
The following table lists the default status mapping codes from the StatusMapping table in the MyID database.
Note: These are the default settings, and may be customized for your own installation. When using the Lifecycle API, you cannot specify the mapping codes with negative IDs – these are reserved for system use.
| ID | Status | Description |
|---|---|---|
| -11 | Other Device issued - cancel | System use only, do not use. |
| -10 | Device issued disabled | System use only, do not use. |
| -9 | Automated card update | System use only, do not use. |
| -8 | Automated shared certificate update | System use only, do not use. |
| -7 | Update requested by API | System use only, do not use. |
| -6 | Other Device issued | System use only, do not use. |
| -5 | Revoked/Suspend for timeout at deferred collection | System use only, do not use. |
| -4 | Revoked/Suspend due to timeout in issuance | System use only, do not use. |
| -3 | Revoked/Suspended due to user disabled in LDAP | System use only, do not use. |
| -2 | Revoked due to user removal from LDAP | System use only, do not use. |
| -1 | Revoked due to too many suspensions | System use only, do not use. |
| 0 | Unspecified or Automated Processes | System use only, do not use. |
| 1 | Lost | The device has been permanently lost. |
| 2 | Damaged | The device has been rendered inoperable and should be permanently replaced. |
| 3 | Stolen | The device has been stolen and should be replaced. |
| 4 | Forgotten | The device has been misplaced and a temporary replacement is required. |
| 5 | Permanently Blocked | The device should no longer be used. |
| 6 | Compromised | The device has been compromised. A replacement is required. |
| 7 | Device holder on leave | The device holder is away temporarily and the device should no longer work until it is re-enabled. |
| 8 | Pending Investigation | The device is being investigated and should be suspended temporarily. The device should no longer work until it is re-enabled. |
| 9 | Non-payment of services | The device should be disabled permanently. |
| 10 | Device holder leaving or changing role | The device holder has left their current role and their device should be blocked permanently. |
| 11 | Device holder details change | Information about the device holder has been changed and a new device is needed. |
| 12 | Pending Activation | The device is temporarily suspended pending activation. |
| 15 | Revocation (other) | The device has been permanently blocked for a user-defined reason. |
| 16 | Suspension (other) | The device has been temporarily suspended for a user-defined reason. |
| 17 | Found Original | This temporary device has been revoked because the device holder found their original device. |
| 18 | Original device Compromised | The original device has been compromised, so this device must also be considered compromised. |
| 19 | Request device Renewal | This device is being replaced or refreshed and shall no longer be active on the system; all certificates will be available for the replacement device. |
| 20 | Batch Failed | The device was part of a batch that failed and must be permanently cancelled. |
| 21 | Bureau Failure | There was a failure at the bureau and the device must be permanently cancelled. |
| 22 | Processing Failure | There was a processing failure and the device must be permanently cancelled. |
| 25 | Poor print quality | The device was printed to an unacceptable standard and must be permanently cancelled. |
| 26 | Printing misaligned | The printing on the device is not aligned properly and the device must be permanently cancelled. |
| 27 | Poor lamination quality | The device was laminated incorrectly and must be permanently cancelled. |
| 28 | Incorrect layout printed | The device was printed with the incorrect layout and must be permanently cancelled. |
| 32 | Cancel device and leave Certificates | The device is to be cancelled but the certificates are to remain active. |
| 33 | Cancel Certificates and leave device | The certificates are to be cancelled but the device is to remain active. |
| 47 | Derived Credential Original Revoked | Cancels Derived Credentials on notification of the original credential being revoked. |
| 66 | Derived Credential Notification Listener | Cancels Derived Credentials on notification of the original credential being revoked. |
| 70 | Compromised – Reissue Shared Certificates | A device has been compromised; any certificates shared with other devices will be reissued. |
| 71 | Credential Profile Update (no revocation) | There has been an update to the credential profile, but no certificates will be revoked. |
| 72 | Credential Profile Update (full revocation) | There has been an update to the credential profile and all certificates will be revoked. |
| 73 | Details Change – re-issue archived certificates | The user's details have been changed and all certificates must be re-issued. Non-archived certificates will not be revoked. |
| 74 | Mobile Issued | Mobile issued; cancel Certificate Package. |
| 75 | Reissue credentials | Credentials are being re-issued. |
| 76 | 8 Hour access | 8 Hour access. |
| 77 | 24 Hour access | 24 Hour access. |
| 78 | 2 Day access | 2 Day access. |
| 79 | 1 Week access | 1 Week access. |
| 80 | Cancel temporary card during replacement | Cancel temporary card during replacement; certificates are revoked and the device cancelled. |
| 81 | Unrestricted access | Unrestricted access. |
| 82 | Reissue mobile | Reissue a partially issued mobile credential. |
| 83 | User details have changed | Used when requesting a card update and the user's details have changed, requiring a reprovision of the card. |
| 84 | There is a problem with the device | Used when requesting a card update and there is a problem with the card, requiring a reprovision of the card. |
| 85 | New credential profile needs to be applied | Used when requesting a card update and significant credential profile changes, for example data model changes, are needed, requiring a reprovision of the card. |
| 86 | New certificates need to be added to the device | Used when requesting a card update when only certificate changes are required. |
3.7.5.1 Status mapping actions for PIV systems
The following table shows the specific actions for certificates and archived certificates for each status mapping code on a PIV system.
| ID | PKI Action | Archive PKI Action (PIV) |
|---|---|---|
| -11 | Revoke. | Revoke. |
| -10 | Suspend. | Suspend. |
| -9 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -8 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -7 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -6 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -5 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -4 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -3 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -2 | Revoke. | Revoke. |
| -1 | Revoke. | Revoke. |
| 0 | Revoke. | Revoke. |
| 1 | Revoke. | Revoke. |
| 2 | Revoke. | Revoke. |
| 3 | Revoke. | Revoke. |
| 4 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 5 | Revoke. | Revoke. |
| 6 | Revoke. | Revoke. |
| 7 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 8 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 9 | Revoke. | Revoke. |
| 10 | Revoke. | Revoke. |
| 11 | Revoke. | Revoke. |
| 12 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 15 | Revoke. | Revoke. |
| 16 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 17 | Revoke. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 18 | Revoke. | Revoke. |
| 19 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 20 | Revoke. | Revoke. |
| 21 | Revoke. | Revoke. |
| 22 | Do not revoke. | Revoke. |
| 25 | Revoke. | Revoke. |
| 26 | Revoke. | Revoke. |
| 27 | Revoke. | Revoke. |
| 28 | Revoke. | Revoke. |
| 32 | Do not revoke. Certificate is available for live recovery on subsequent devices. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 33 | Revoke. | Revoke. |
| 66 | Revoke. | Revoke. |
| 70 | Revoke. | Revoke. |
| 71 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 72 | Revoke. | Revoke. |
| 73 | Do not revoke; allow recovery to new device. | Revoke. |
| 74 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 75 | Do not revoke. Certificate is available for live recovery on subsequent devices. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 76 | Revoke. | Revoke. |
| 77 | Revoke. | Revoke. |
| 78 | Revoke. | Revoke. |
| 79 | Revoke. | Revoke. |
| 80 | Revoke. | Revoke. |
| 81 | Revoke. | Revoke. |
| 82 | Revoke. | Revoke. |
| 83 | Revoke. | Revoke. |
| 84 | Revoke. | Revoke. |
| 85 | Revoke. | Revoke. |
| 86 | Revoke. | Revoke. |
3.7.5.2 Status mapping actions for non-PIV systems
The following table shows the specific actions for certificates and archived certificates for each status mapping code on a non-PIV system.
| ID | PKI Action | Archive PKI Action (non-PIV) |
|---|---|---|
| -11 | Revoke. | Revoke. |
| -10 | Suspend. | Suspend. |
| -9 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -8 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -7 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -6 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -5 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -4 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -3 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| -2 | Revoke. | Revoke. |
| -1 | Revoke. | Revoke. |
| 0 | Revoke. | Revoke. |
| 1 | Revoke. | Revoke. |
| 2 | Revoke. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 3 | Revoke. | Revoke. |
| 4 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 5 | Revoke. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 6 | Revoke. | Revoke. |
| 7 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 8 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 9 | Revoke. | Revoke. |
| 10 | Revoke. | Revoke. |
| 11 | Revoke. | Revoke. |
| 12 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 15 | Revoke. | Revoke. |
| 16 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 17 | Revoke. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 18 | Revoke. | Revoke. |
| 19 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 20 | Revoke. | Revoke. |
| 21 | Revoke. | Revoke. |
| 22 | Do not revoke. | Revoke. |
| 25 | Revoke. | Revoke. |
| 26 | Revoke. | Revoke. |
| 27 | Revoke. | Revoke. |
| 28 | Revoke. | Revoke. |
| 32 | Do not revoke. Certificate is available for live recovery on subsequent devices. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 33 | Revoke. | Revoke. |
| 66 | Revoke. | Revoke. |
| 70 | Revoke. | Revoke. |
| 71 | Do not revoke; allow recovery to new device. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 72 | Revoke. | Revoke. |
| 73 | Do not revoke; allow recovery to new device. | Revoke. |
| 74 | Suspend. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 75 | Do not revoke. Certificate is available for live recovery on subsequent devices. | Do not revoke. Certificate is available for live recovery on subsequent devices. |
| 76 | Revoke. | Revoke. |
| 77 | Revoke. | Revoke. |
| 78 | Revoke. | Revoke. |
| 79 | Revoke. | Revoke. |
| 80 | Revoke. | Revoke. |
| 81 | Revoke. | Revoke. |
| 82 | Revoke. | Revoke. |
| 83 | Revoke. | Revoke. |
| 84 | Revoke. | Revoke. |
| 85 | Revoke. | Revoke. |
| 86 | Revoke. | Revoke. |