userExecute (Command)
  • 17 Dec 2024


The userExecute command executes user-related administrative operations.

  Table:  userExecute commands (SOAP administration)
| Command | Description |
| --- | --- |
| USERCMD_COPY_PERMISSION | Used when performing a bulk copy of administrative privileges (see USERCMD_COPY_PERMISSION). |
| USERCMD_CREATE | Creates a new user account (see USERCMD_CREATE). |
| USERCMD_DELETE | Deletes a user account (see USERCMD_DELETE). |
| USERCMD_DISABLE | Disables the user account of the specified user (see USERCMD_DISABLE). |
| USERCMD_ENABLE | Enables the user account of the specified user (see USERCMD_ENABLE). |
| USERCMD_GET_ADMIN_DOMAINS | Displays the domains an administrator belongs to (see USERCMD_GET_ADMIN_DOMAINS). |
| USERCMD_GET_DEPENDING_PERMISSION | Used when performing a bulk copy of administrative privileges. |
| USERCMD_GET_PERMISSION | Displays the administrative privileges that have been assigned to a specified user (see USERCMD_GET_PERMISSION). |
| USERCMD_LINK_USER | Links a user to another user's authenticator (see USERCMD_LINK_USER). |
| USERCMD_MOVE | Renames a user account or moves it to another location in the organizational structure (see USERCMD_MOVE). |
| USERCMD_RESET_LAST_AUTH_TIME | Resets the date and time the user was last authorized (see USERCMD_RESET_LAST_AUTH_TIME). |
| USERCMD_RESET_PASSWORD | Resets the static password for the specified user (see USERCMD_RESET_PASSWORD). |
| USERCMD_SET_ADMIN_DOMAINS | Adds an administrator to a list of domains (see USERCMD_SET_ADMIN_DOMAINS). |
| USERCMD_SET_EXPIRATION | Sets the expiry date of a user account (see USERCMD_SET_EXPIRATION). |
| USERCMD_SET_PASSWORD | Sets the static password for the specified user (see USERCMD_SET_PASSWORD). |
| USERCMD_SET_PERMISSION | Sets the administrative privileges for the specified user (see USERCMD_SET_PERMISSION). |
| USERCMD_UNLINK_USER | Unlinks a user from another user's authenticator (see USERCMD_UNLINK_USER). |
| USERCMD_UNLOCK | Unlocks the user account of the specified user (see USERCMD_UNLOCK). |
| USERCMD_UPDATE | Updates a user account. |
| USERCMD_VIEW | Displays user account information (see USERCMD_VIEW). |

Parameters

  Table: userExecute global input parameters
| Parameter name | Data type | Description |
| --- | --- | --- |
| sessionID | String | The session identifier of the current administrative session. The logon command returns this identifier after a successful logon (see logon (Command)). |
| cmd | UserCmdIDEnum | The operation to be executed. See Table: userExecute commands (SOAP administration). |
| attributeSet | UserAttributeSet | A set containing zero or more attribute fields. |
| adminDomainInfoList | AdminDomainList | |

  Table: userExecute global output parameters
| Parameter name | Data type | Description |
| --- | --- | --- |
| results | UserResults | Result structure containing return and status codes and a list of zero or more result attribute fields. |

The following field attributes are available for the operations of this command:

  Table:  userExecute field attributes
Attribute name | Data type | Description

USERFLD_ADMIN_DOMAINS

USERFLD_ADMIN_LEVEL

Unsigned Integer

The administrator level of an administrative user account. Lower-level administrators cannot modify or even view administrator accounts that have an administrator level higher than their own. It has no effect on non-administrative user accounts.

The administrator level cannot be set to a higher value than the user account owning the current administrative session. You cannot change the administrator level of your own user account.

Supported values: 0–255

The maximum value on OneSpan Authentication Server Appliance is 100.

USERFLD_ADMIN_PRIVILEGES

The administrative privileges assigned to the user account. Can also be used as zero-value input parameter for a query to get a list of all (non-)administrative users (see Example).

USERFLD_ALWAYS_RETURN_AD_USER

USERFLD_ASSIGNED_DIGIPASS

String

A comma-separated list of the serial numbers of the assigned authenticators and authenticator instances.

This attribute is only included in the output if at least one authenticator is assigned to the respective user. The returned list is alphabetically sorted in ascending order.

USERFLD_AUTO_EXECUTE

Boolean

Specifies whether the respective pending operation should be automatically executed on behalf of the maker administrator as soon as it is approved by the checker administrator.

Effective only if maker–checker authorization is enabled.

Default value: False

USERFLD_BACKEND_AUTH

String

Supported values:

  • Default
  • None
  • If needed
  • Always

USERFLD_CHECKER_DOMAIN

String

The domain of the administrator to approve a pending operation via maker–checker authorization. Mandatory for creating a pending operation of a maker–checker-enabled command (approve request), if maker–checker authorization is enabled.

Up to 255 characters.

USERFLD_CHECKER_USERID

String

The user ID of the administrator to approve a pending operation via maker–checker authorization. Mandatory for creating a pending operation of a maker–checker-enabled command (approve request), if maker–checker authorization is enabled.

Up to 255 characters.

USERFLD_CONFIRM_NEW_PASSWORD

String

Up to 255 characters.

USERFLD_CREATE_TIME

DateTime

The date and time the user account object was created in the database.

USERFLD_DESCRIPTION

String

Up to 1024 characters.

USERFLD_DISABLED

Boolean

 
USERFLD_DOMAIN

String

Up to 255 characters.

USERFLD_EMAIL

String

Email address

Up to 64 characters.

USERFLD_EXPIRATION_TIME

DateTime

Date and time the user account will expire.

USERFLD_EXPIRED

Boolean

Indicates whether the user account has expired.

USERFLD_GROUP_LIST

String

Reserved for future usage.

Up to 1024 characters.

USERFLD_HAS_DP

String

Supported values:

  • Assigned
  • Unassigned

USERFLD_LAST_PASSWORD_SET_TIME

DateTime

Time the password was last set.

USERFLD_LASTAUTH_TIME

DateTime

Time of last successful authentication.

USERFLD_LASTAUTHREQ_TIME

DateTime

Time of last authentication request.

USERFLD_LDAP_DN

String

Distinguished Name

USERFLD_LOCAL_AUTH

String

Supported values:

  • Default. The value from the related policy is used.
  • None. No local authentication is performed.
  • Digipass Only. The user can only authenticate using the authenticator.
  • DIGIPASS/Password. As long as the grace period for the authenticator has not expired, the user can use either the authenticator or the static password to log in. After the grace period has expired, only authentication with an authenticator is allowed.
  • DIGIPASS or Password. Users can use either their authenticator or their static password to authenticate, independent of the grace period. In the context of the authentication scenario, use of this authentication mode is subject to licensing. For provisioning, this authentication mode is license-free.

USERFLD_LOCK_COUNT

Integer

As part of the unlock procedure, the lock count will by default be set to 0.

USERFLD_LOCKED

Boolean

 

USERFLD_LOGICAL_ADMIN_PRIVILEGES

String

Comma-separated list of the assigned administrative privileges. Each administrative privilege is specified as follows:

admin_priv_name [true|false]

For a list of possible values, see  SOAP authentication (Overview).

USERFLD_MOBILE

String

Mobile phone number

Up to 64 characters.

USERFLD_MODIFY_TIME

DateTime

Date and time of last user account update.

USERFLD_NEW_DOMAIN

String

The new domain when using USERCMD_MOVE to move a user account.

Up to 255 characters.

USERFLD_NEW_ORGANIZATIONAL_UNIT

String

The new organizational unit when using USERCMD_MOVE to move a user account.

Up to 255 characters.

USERFLD_NEW_PASSWORD

String

Up to 255 characters.

USERFLD_NEW_USERID

String

The new user ID when using USERCMD_MOVE to rename the user ID.

When used as input parameter, no specific format is required, but any trailing or leading spaces are removed. When used as output parameter, the resolved user ID will be provided.

Up to 255 characters.

USERFLD_OFFLINE_AUTH_ENABLED

String

Supported values:

  • Default
  • Yes
  • No
USERFLD_ORGANIZATIONAL_UNIT

String

Up to 255 characters.

USERFLD_PASSWORD

String

Up to 255 characters.

USERFLD_PENDING_OPERATION_ID

String

Exactly 8 characters.

The ID for a pending operation awaiting approval via maker–checker authorization. This identifier is a case-sensitive alphanumeric 8-character string.

It is automatically generated and returned; mandatory for the execution of a pending operation of a supported maker–checker-enabled command (approve request), if maker–checker authorization is enabled.

USERFLD_PHONE

String

Phone number

Up to 64 characters.

USERFLD_RELIANT_ADMIN_PRIVILEGES

String

The list of administrative privileges depending on a specific set of administrative privileges.

USERFLD_REQUIRED_ADMIN_PRIVILEGES

String

The list of administrative privileges that a specific set of other administrative privileges depend on.

Used for administrative privilege bulk assignment.

USERFLD_SEARCH_DOWN_OU_PATH

Boolean

Used to search for users in the specified organizational unit and child organizational units.

USERFLD_SERVICE

Integer

If enabled, this setting converts the user into a service user.

Default setting: No

USERFLD_STATUS

Integer

Reserved for future use.

USERFLD_SUCCESSOR_DOMAIN

String

The domain of the successor administrator when using USERCMD_DELETE to delete an administrative user account. This attribute is used together with USERFLD_SUCCESSOR_USERID.

Up to 255 characters.

USERFLD_SUCCESSOR_USERID

String

The user ID of the successor administrator when using USERCMD_DELETE to delete an administrative user account.

The successor takes ownership of all assigned items that cannot be deleted and may prevent the deletion of the target user, e.g. reports, tasks, or pending operations.

Up to 255 characters.

USERFLD_TO_DOMAIN

String

USERFLD_TO_USERID

String

Used when searching for user accounts in a range from USERFLD_USERID to USERFLD_TO_USERID.

USERFLD_UPN

String

USERFLD_USE_DP_FROM_USER_DOMAIN

String

Domain of user to link to.

Up to 255 characters.

USERFLD_USE_DP_FROM_USER_ID

String

UserID of user to link to.

Up to 255 characters.

USERFLD_USE_DP_FROM_USER_LDAP_DN

String

USERFLD_USERID

String

The user identifier as provided by the calling application.

When used as input parameter, no specific format is required, but any trailing or leading spaces are removed. When used as output parameter, the resolved user ID will be provided.

Up to 255 characters.

USERFLD_USER_INACT_DAYS  

USERFLD_USERNAME

String

Full username. Trailing and leading spaces are removed when a new user account is created.

Up to 64 characters.

USERFLD_VDP_DELIVERY_METHOD

String

Comma-separated string of at most two delivery methods.

The delivery method for Virtual Mobile Authenticator messages. This overrides the general delivery method specified in the user policy.

Supported values:

  • Email
  • SMS
  • Voice

USERFLD_VDP_MDC_PROFILE

String

The Message Delivery Component (MDC) profile for Virtual Mobile Authenticator messages. This takes precedence over the MDC profile specified in the user policy.

USERFLD_VDP_SIGN_DELIVERY_METHOD

String

Comma-separated string of at most two delivery methods.

The delivery method for virtual signature messages. This overrides the general delivery method specified in the user policy.

Supported values:

  • Email
  • SMS
  • Voice

USERFLD_VDP_SIGN_MDC_PROFILE

String

The Message Delivery Component (MDC) profile for virtual signature messages. This takes precedence over the MDC profile specified in the user policy.

USERCMD_CREATE

USERCMD_CREATE creates a new user account.

This command supports maker–checker authorization.

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_CREATE input parameters
| Attribute name | Optionality (Regular) | Optionality (Maker–Checker): Approve request | Optionality (Maker–Checker): Execute |
| --- | --- | --- | --- |
| USERFLD_ADMIN_LEVEL | Optional | Optional | n/a |
| USERFLD_AUTO_EXECUTE | n/a | Optional | n/a |
| USERFLD_BACKEND_AUTH | Mandatory | Mandatory | n/a |
| USERFLD_CHECKER_DOMAIN | n/a | Mandatory | n/a |
| USERFLD_CHECKER_USERID | n/a | Mandatory | n/a |
| USERFLD_DESCRIPTION | Optional | Optional | n/a |
| USERFLD_DISABLED | Mandatory | Mandatory | n/a |
| USERFLD_DOMAIN | Mandatory | Mandatory | n/a |
| USERFLD_EMAIL | Optional | Optional | n/a |
| USERFLD_GROUP_LIST | Optional | Optional | n/a |
| USERFLD_LOCAL_AUTH | Mandatory | Mandatory | n/a |
| USERFLD_LOCKED | Mandatory | Mandatory | n/a |
| USERFLD_MOBILE | Optional | Optional | n/a |
| USERFLD_OFFLINE_AUTH_ENABLED | Optional | Optional | n/a |
| USERFLD_ORGANIZATIONAL_UNIT | Optional | Optional | n/a |
| USERFLD_PASSWORD | Optional | Optional | n/a |
| USERFLD_PENDING_OPERATION_ID | n/a | n/a | Mandatory |
| USERFLD_PHONE | Optional | Optional | n/a |
| USERFLD_SERVICE | Optional | n/a | n/a |
| USERFLD_USERID | Mandatory | Mandatory | n/a |
| USERFLD_USERNAME | Optional | Optional | n/a |
| USERFLD_USER_INACT_DAYS | Optional | n/a | n/a |

Any trailing and leading spaces are removed from USERFLD_USERID and USERFLD_USERNAME.

The following attributes will be specified in the results output parameter of this command:

  Table: USERCMD_CREATE output parameters
| Attribute name | Returned (Regular) | Returned (Maker–Checker): Approve request | Returned (Maker–Checker): Execute |
| --- | --- | --- | --- |
| USERFLD_ADMIN_LEVEL | Always | n/a | Always |
| USERFLD_AUTO_EXECUTE | n/a | Always | n/a |
| USERFLD_BACKEND_AUTH | If defined | n/a | If defined |
| USERFLD_CREATE_TIME | Always | n/a | Always |
| USERFLD_DESCRIPTION | If defined | n/a | If defined |
| USERFLD_DISABLED | Always | n/a | Always |
| USERFLD_DOMAIN | Always | n/a | Always |
| USERFLD_EMAIL | If defined | n/a | If defined |
| USERFLD_EXPIRED | | | |
| USERFLD_GROUP_LIST | If defined | n/a | If defined |
| USERFLD_HAS_DP | Always | n/a | Always |
| USERFLD_LAST_PASSWORD_SET_TIME | | | |
| USERFLD_LOCAL_AUTH | If defined | n/a | If defined |
| USERFLD_LOCKED | Always | n/a | Always |
| USERFLD_MOBILE | If defined | n/a | If defined |
| USERFLD_MODIFY_TIME | Always | n/a | Always |
| USERFLD_OFFLINE_AUTH_ENABLED | If defined | n/a | If defined |
| USERFLD_ORGANIZATIONAL_UNIT | If defined | n/a | If defined |
| USERFLD_PASSWORD | | | |
| USERFLD_PENDING_OPERATION_ID | n/a | Always | n/a |
| USERFLD_PHONE | If defined | n/a | If defined |
| USERFLD_SERVICE | If defined | n/a | n/a |
| USERFLD_STATUS | Always | n/a | Always |
| USERFLD_USE_DP_FROM_USER_DOMAIN | If defined | n/a | If defined |
| USERFLD_USE_DP_FROM_USER_ID | If defined | n/a | If defined |
| USERFLD_USER_INACT_DAYS | If defined | n/a | n/a |
| USERFLD_USERID | Always | n/a | Always |
| USERFLD_USERNAME | If defined | n/a | If defined |

USERCMD_VIEW

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_VIEW input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

  Table: USERCMD_VIEW output parameters (resultAttribute)
| Attribute name | Returned |
| --- | --- |
| USERFLD_ADMIN_LEVEL | Always |
| USERFLD_ASSIGNED_DIGIPASS | If defined |
| USERFLD_BACKEND_AUTH | Always |
| USERFLD_CREATE_TIME | Always |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | Always |
| USERFLD_DOMAIN | Always |
| USERFLD_EMAIL | If defined |
| USERFLD_EXPIRED | Always |
| USERFLD_GROUP_LIST | If defined |
| USERFLD_HAS_DP | Always |
| USERFLD_LASTAUTHREQ_TIME | If defined |
| USERFLD_LOCAL_AUTH | Always |
| USERFLD_LOCK_COUNT | If defined |
| USERFLD_LOCKED | Always |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | Always |
| USERFLD_OFFLINE_AUTH_ENABLED | If defined |
| USERFLD_ORGANIZATIONAL_UNIT | If defined |
| USERFLD_PHONE | If defined |
| USERFLD_STATUS | Always |
| USERFLD_SERVICE | If defined |
| USERFLD_USE_DP_FROM_USER_DOMAIN | If defined |
| USERFLD_USE_DP_FROM_USER_ID | If defined |
| USERFLD_USER_INACT_DAYS | If defined |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_GET_ADMIN_DOMAINS

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_GET_ADMIN_DOMAINS input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_USERID | Mandatory |
| USERFLD_DOMAIN | Mandatory |

The same user attributes will always be returned by the results output parameter of this command. The USERCMD_GET_ADMIN_DOMAINS command will fail under any of the following conditions:

  • The user specified is not an administrator.
  • The user specified is an administrator from the master domain.

This command will only return a list of domains to which the administrator has access. This list will not include the domain in which the administrator was created.

USERCMD_SET_ADMIN_DOMAINS

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_SET_ADMIN_DOMAINS input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_USERID | Mandatory |
| USERFLD_DOMAIN | Mandatory |

This command also requires a list of the domains of which the administrator should be a member (other than the domain where the administrator was created).

An administrator was created in domainb and is already a member of domaind. The following domain list will add that administrator to both domaina and domainc:

<adminDomainInfoList xmlns="">
  <adminDomains>
    <adminDomain>domaina</adminDomain>
  </adminDomains>
  <adminDomains>
    <adminDomain>domainc</adminDomain>
  </adminDomains>
</adminDomainInfoList>

In this example, the administrator would become an administrator for the domains domaina, domainb, and domainc, and will no longer be an administrator for domaind. The USERCMD_SET_ADMIN_DOMAINS command will fail under any of the following conditions:

  • The user specified is not an administrator.
  • The user specified is an administrator from the master domain.
  • The administrator running the command does not have domain scope over any specified domain.
  • The administrator and user specified are the same.

The same user attributes used in the input parameters will always be returned by the results output parameter of this command.
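Because the submitted list replaces the administrator's existing domain memberships, adding a domain means resending every domain that should be kept. The following added example (not part of the original documentation) computes that list, reports what a given list would drop, and checks the failure conditions listed above; the function names, the dict shapes, the master domain name, and exact-match domain comparison are assumptions.

```python
import xml.etree.ElementTree as ET


def merged_domain_list(home_domain, current, add=(), remove=()):
    """Domains to send so that `add` is granted and nothing else is lost.

    `current` is what USERCMD_GET_ADMIN_DOMAINS returned. The home domain
    (where the administrator was created) is never part of the list.
    """
    wanted = (set(current) | set(add)) - set(remove) - {home_domain}
    return sorted(wanted)


def dropped_by(current, sent, home_domain):
    """Domains the administrator loses if `sent` is submitted as-is."""
    return sorted(set(current) - set(sent) - {home_domain})


def preflight(target, caller, sent, master_domain="master"):
    """Return the documented failure conditions that apply (empty list = none).

    target: {"user_id", "domain", "is_admin"}; caller: {"user_id", "domain",
    "scope"} where scope is the set of domains the caller administers.
    These shapes are hypothetical, chosen for this example.
    """
    problems = []
    if not target["is_admin"]:
        problems.append("target is not an administrator")
    if target["domain"] == master_domain:
        problems.append("target is an administrator from the master domain")
    if (target["user_id"], target["domain"]) == (caller["user_id"], caller["domain"]):
        problems.append("caller and target are the same account")
    out_of_scope = sorted(set(sent) - set(caller["scope"]))
    if out_of_scope:
        problems.append("caller has no domain scope over: " + ", ".join(out_of_scope))
    return problems


def admin_domain_info_list(domains):
    """Serialize the list in the element layout shown in the example above."""
    root = ET.Element("adminDomainInfoList", {"xmlns": ""})
    for name in domains:
        wrapper = ET.SubElement(root, "adminDomains")
        ET.SubElement(wrapper, "adminDomain").text = name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed data mirroring the scenario in the text: created in domainb,
    # currently a member of domaind, to be added to domaina and domainc.
    home, current = "domainb", ["domaind"]
    naive = ["domaina", "domainc"]
    print("naive list drops:", dropped_by(current, naive, home))
    keep_all = merged_domain_list(home, current, add=naive)
    print(admin_domain_info_list(keep_all))
```

Running `dropped_by` against the output of USERCMD_GET_ADMIN_DOMAINS before each USERCMD_SET_ADMIN_DOMAINS call makes an unintended loss of scope visible before it happens.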

USERCMD_DELETE

The USERCMD_DELETE command allows you to delete user accounts. You can only delete user accounts within your own administrative scope.

If the target user account has authenticators assigned, they are unassigned and become available again. Authenticator instances are deleted.

Removable user data, i.e. custom user attributes, stored reports, and offline authentication data, will be deleted.

The target user account can have items assigned that cannot be deleted, which prevents the deletion of the user account, e.g. reports, recurring tasks, or pending operations (maker or checker role). To delete the user account, you can specify a successor user who will take ownership of those items. The successor must be an administrative user account in the same domain as the user to be deleted.

This command supports maker–checker authorization.

Parameters

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_DELETE input parameters
| Attribute name | Optionality (Regular) | Optionality (Maker–Checker): Approve request | Optionality (Maker–Checker): Execute |
| --- | --- | --- | --- |
| USERFLD_AUTO_EXECUTE | n/a | Optional | n/a |
| USERFLD_USERID | Mandatory | Mandatory | n/a |
| USERFLD_DOMAIN | Mandatory | Mandatory | n/a |
| USERFLD_CHECKER_USERID | n/a | Mandatory | n/a |
| USERFLD_CHECKER_DOMAIN | n/a | Mandatory | n/a |
| USERFLD_PENDING_OPERATION_ID | n/a | n/a | Mandatory |
| USERFLD_SERVICE | Optional | n/a | n/a |
| USERFLD_SUCCESSOR_DOMAIN | Optional | Optional | n/a |
| USERFLD_SUCCESSOR_USERID | Optional | Optional | n/a |

The following attributes will be specified in the results output parameter of this command:

  Table: USERCMD_DELETE output parameters
| Attribute name | Returned (Regular) | Returned (Maker–Checker): Approve request | Returned (Maker–Checker): Execute |
| --- | --- | --- | --- |
| USERFLD_AUTO_EXECUTE | n/a | Always | n/a |
| USERFLD_PENDING_OPERATION_ID | n/a | Always | n/a |

Requirements

Required administrative privileges:

  • Delete User

Additional considerations

  • The target user, successor user, and checker administrator must all be different user accounts.
  • If the target user has non-removable items assigned and you do not specify a successor user, the command will fail.
  • To ensure proper access to the transferred items after the deletion, the successor user should have the same administrative privileges as the user account to be deleted. This is not verified by the command.

USERCMD_UPDATE

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_UPDATE input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_ADMIN_LEVEL | Optional |
| USERFLD_BACKEND_AUTH | Optional |
| USERFLD_DESCRIPTION | Optional |
| USERFLD_DISABLED | Optional |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_EMAIL | Optional |
| USERFLD_LOCAL_AUTH | Optional |
| USERFLD_LOCKED | Optional |
| USERFLD_MOBILE | Optional |
| USERFLD_OFFLINE_AUTH_ENABLED | Optional |
| USERFLD_PHONE | Optional |
| USERFLD_SERVICE | Optional |
| USERFLD_USER_INACT_DAYS | Optional |
| USERFLD_USERID | Mandatory |
| USERFLD_USERNAME | Optional |
| USERFLD_VDP_DELIVERY_METHOD | Optional |
| USERFLD_VDP_MDC_PROFILE | Optional |
| USERFLD_VDP_SIGN_DELIVERY_METHOD | Optional |
| USERFLD_VDP_SIGN_MDC_PROFILE | Optional |

The following attributes will be specified in the results output parameter of this command:

  Table:  USERCMD_UPDATE output parameters
| Attribute name | Returned |
| --- | --- |
| USERFLD_ADMIN_LEVEL | Always |
| USERFLD_ASSIGNED_DIGIPASS | If defined |
| USERFLD_BACKEND_AUTH | Always |
| USERFLD_CREATE_TIME | Always |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | Always |
| USERFLD_DOMAIN | Always |
| USERFLD_EMAIL | If defined |
| USERFLD_LOCAL_AUTH | Always |
| USERFLD_LOCK_COUNT | If defined |
| USERFLD_LOCKED | Always |
| USERFLD_HAS_DP | Always |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | Always |
| USERFLD_OFFLINE_AUTH_ENABLED | If defined |
| USERFLD_ORGANIZATIONAL_UNIT | If defined |
| USERFLD_PASSWORD | Always |
| USERFLD_PHONE | If defined |
| USERFLD_SERVICE | If defined |
| USERFLD_STATUS | Always |
| USERFLD_USE_DP_FROM_USER_DOMAIN | If defined |
| USERFLD_USE_DP_FROM_USER_ID | If defined |
| USERFLD_USER_INACT_DAYS | If defined |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | Always |
| USERFLD_VDP_DELIVERY_METHOD | If defined |
| USERFLD_VDP_MDC_PROFILE | If defined |
| USERFLD_VDP_SIGN_DELIVERY_METHOD | If defined |
| USERFLD_VDP_SIGN_MDC_PROFILE | If defined |

USERCMD_LINK_USER

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_LINK_USER input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_ORGANIZATIONAL_UNIT | Optional |
| USERFLD_USE_DP_FROM_USER_ID | Mandatory |
| USERFLD_USE_DP_FROM_USER_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

  Table:  USERCMD_LINK_USER output parameters
| Attribute name | Returned |
| --- | --- |
| USERFLD_ASSIGNED_DIGIPASS | If defined |
| USERFLD_BACKEND_AUTH | Always |
| USERFLD_CREATE_TIME | Always |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | Always |
| USERFLD_DOMAIN | Always |
| USERFLD_EMAIL | If defined |
| USERFLD_HAS_DP | Always |
| USERFLD_LOCAL_AUTH | Always |
| USERFLD_LOCK_COUNT | If defined |
| USERFLD_LOCKED | Always |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | Always |
| USERFLD_ORGANIZATIONAL_UNIT | If defined |
| USERFLD_PASSWORD | Always |
| USERFLD_PHONE | If defined |
| USERFLD_STATUS | Always |
| USERFLD_USE_DP_FROM_USER_DOMAIN | Always |
| USERFLD_USE_DP_FROM_USER_ID | Always |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_UNLINK_USER

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_UNLINK_USER input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_ORGANIZATIONAL_UNIT | Optional |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

  Table: USERCMD_UNLINK_USER output parameters
| Attribute name | Returned |
| --- | --- |
| USERFLD_ASSIGNED_DIGIPASS | If defined |
| USERFLD_BACKEND_AUTH | Always |
| USERFLD_CREATE_TIME | Always |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | Always |
| USERFLD_DOMAIN | Always |
| USERFLD_EMAIL | If defined |
| USERFLD_HAS_DP | Always |
| USERFLD_LOCAL_AUTH | Always |
| USERFLD_LOCK_COUNT | If defined |
| USERFLD_LOCKED | Always |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | Always |
| USERFLD_ORGANIZATIONAL_UNIT | If defined |
| USERFLD_PHONE | If defined |
| USERFLD_PASSWORD | Always |
| USERFLD_STATUS | Always |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_MOVE

The USERCMD_MOVE command can be used to move user accounts from one organizational unit to another (USERFLD_NEW_ORGANIZATIONAL_UNIT) or from one domain to another (USERFLD_NEW_DOMAIN). It can also be used to change the user ID (USERFLD_NEW_USERID). You can change the organizational unit, the domain, and the user ID with one call if you specify all respective parameters at the same time.

You can only move user accounts within your own administrative scope. You cannot use this command to move the user account owning the current administrative session.

Parameters

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_MOVE input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_NEW_DOMAIN | Optional |
| USERFLD_NEW_ORGANIZATIONAL_UNIT | Optional |
| USERFLD_NEW_USERID | Optional |
| USERFLD_USERID | Mandatory |

USERFLD_NEW_DOMAIN, USERFLD_NEW_ORGANIZATIONAL_UNIT, and USERFLD_NEW_USERID are all optional, but at least one of them must be specified.

Any trailing and leading spaces are removed from USERFLD_NEW_USERID.

The following attributes will be specified in the results output parameter of this command:

  Table:  USERCMD_MOVE output parameters
| Attribute name | Returned |
| --- | --- |
| USERFLD_DOMAIN | Always |
| USERFLD_NEW_DOMAIN | If defined |
| USERFLD_NEW_ORGANIZATIONAL_UNIT | If defined |
| USERFLD_NEW_USERID | If defined |
| USERFLD_ORGANIZATIONAL_UNIT | Always |
| USERFLD_USERID | Always |

Example

Move a user account from the master domain to another domain and another organizational unit in one step:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <adm:userExecute xmlns:adm="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Administration" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <sessionID>u-i1U0_TrqlNg~l|_yhnIIdREy1UGla]</sessionID>
      <cmd>USERCMD_MOVE</cmd>
      <attributeSet>
        <attributes>
          <value xsi:type="xsd:string">jane.doe</value>
          <attributeID>USERFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">master</value>
          <attributeID>USERFLD_DOMAIN</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">myDomainA</value>
          <attributeID>USERFLD_NEW_DOMAIN</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">myOU</value>
          <attributeID>USERFLD_NEW_ORGANIZATIONAL_UNIT</attributeID>
        </attributes>
      </attributeSet>
    </adm:userExecute>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Rename a user account:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <adm:userExecute xmlns:adm="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Administration" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <sessionID>66h.0T_6|ot4hm27nIMUE-ma941oBQl7</sessionID>
      <cmd>USERCMD_MOVE</cmd>
      <attributeSet>
        <attributes>
          <value xsi:type="xsd:string">johnny.doe</value>
          <attributeID>USERFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">domainA</value>
          <attributeID>USERFLD_DOMAIN</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">john.doe</value>
          <attributeID>USERFLD_NEW_USERID</attributeID>
        </attributes>
      </attributeSet>
    </adm:userExecute>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Requirements

Required administrative privileges:

  • Move User

Additional considerations

  • When moving a user account, the respective target organizational unit or target domain must already exist.

  • When moving a user account with administrative privileges from one domain to another one, the assigned administrative privileges are retained. However, the administrative scope will be adapted accordingly from the source domain to the target domain. Other domains in the administrative scope will not be affected.

  • When moving a user account with administrative privileges down in the organizational hierarchy, the assigned administrative privileges are retained, except for any privileges that no longer apply to the respective hierarchy level.

    • Moving a global administrator account from the master domain to another domain effectively demotes it to a delegated administrator account. The administrative scope is reduced to the target domain.

      The following administrative privileges are revoked:

      • Access Data in All Domains
      • Create Domain
      • Create EMV-CAP Application
      • Delete Domain
    • Moving a domain administrator account to an organizational unit effectively demotes it to an organizational unit administrator account. The administrative scope is reduced to the target organizational unit.

      The following administrative privileges are revoked:

      • Access Domain
      • Set Administration Domains
      • Update Domains
  • When moving a user account with administrative privileges up in the organizational hierarchy, the assigned administrative privileges are retained, but no additional administrative privileges are assigned.

    • Moving an organizational unit administrator to a domain changes the administrative scope to the target domain. The user account is not automatically assigned domain administrative privileges!

    • Moving a delegated administrator from a domain to the master domain changes the administrative scope to the master domain. The user account is not automatically promoted to a global administrator!

  • When moving a user account with assigned authenticators to another domain or organizational unit, the assigned authenticators are moved along with the user account.

  • When moving or renaming a user account with an assigned authenticator with generated offline authentication data (OAD), the existing offline authentication data is invalidated and will be deleted on the server. Upon the next online authentication with the updated user account, new offline authentication data will be generated and retrieved from the server.

  • Any user accounts linked to the user account being moved are not moved along, but remain in their original domain and/or organizational unit.
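A request builder for the USERCMD_MOVE call described in this section, as an added example (not OneSpan's code): it enforces the input rules stated above before anything is sent and serializes values through an XML library, so that user-supplied IDs stay data rather than markup. The function names, the `session_owner` parameter, the exact-match self-move comparison, and the non-empty check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ADM_NS = "http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Administration"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("SOAP-ENV", SOAP_NS)
ET.register_namespace("adm", ADM_NS)
ET.register_namespace("xsi", XSI_NS)

MANDATORY = ("USERFLD_USERID", "USERFLD_DOMAIN")
NEW_FIELDS = ("USERFLD_NEW_DOMAIN", "USERFLD_NEW_ORGANIZATIONAL_UNIT",
              "USERFLD_NEW_USERID")
TRIMMED = ("USERFLD_USERID", "USERFLD_NEW_USERID")  # server strips spaces
MAX_LEN = 255  # "Up to 255 characters" for every attribute used here


def normalize_move_attributes(attrs, session_owner=None):
    """Validate USERCMD_MOVE input; return a cleaned copy or raise ValueError.

    attrs: dict of attribute ID -> string value.
    session_owner: optional (user_id, domain) of the logged-on administrator
    (hypothetical parameter; exact-match comparison is an assumption).
    """
    clean = {}
    for name, value in attrs.items():
        if name not in MANDATORY + NEW_FIELDS:
            raise ValueError(f"{name} is not a USERCMD_MOVE input attribute")
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string")
        if name in TRIMMED:
            value = value.strip()  # mirror the server-side trimming
        if not value:  # client-side rule added by this example
            raise ValueError(f"{name} is empty")
        if len(value) > MAX_LEN:
            raise ValueError(f"{name} exceeds {MAX_LEN} characters")
        clean[name] = value
    missing = [n for n in MANDATORY if n not in clean]
    if missing:
        raise ValueError("missing mandatory attribute(s): " + ", ".join(missing))
    if not any(n in clean for n in NEW_FIELDS):
        raise ValueError("at least one USERFLD_NEW_* attribute is required")
    owner = (clean["USERFLD_USERID"], clean["USERFLD_DOMAIN"])
    if session_owner is not None and owner == tuple(session_owner):
        raise ValueError("the account owning the session cannot be moved")
    return clean


def build_move_request(session_id, attrs, session_owner=None):
    """Return the SOAP envelope for USERCMD_MOVE as a string."""
    clean = normalize_move_attributes(attrs, session_owner)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{ADM_NS}}}userExecute")
    # "xsd:string" appears only inside an attribute value, so the serializer
    # cannot know the prefix is in use; declare it explicitly.
    call.set("xmlns:xsd", XSD_NS)
    ET.SubElement(call, "sessionID").text = session_id
    ET.SubElement(call, "cmd").text = "USERCMD_MOVE"
    attr_set = ET.SubElement(call, "attributeSet")
    for name, value in clean.items():
        item = ET.SubElement(attr_set, "attributes")
        val = ET.SubElement(item, "value")
        val.set(f"{{{XSI_NS}}}type", "xsd:string")
        val.text = value  # escaped on serialization
        ET.SubElement(item, "attributeID").text = name
    return ET.tostring(env, encoding="unicode")


def read_attributes(xml_text):
    """Parse a request back into {attributeID: value} for inspection."""
    root = ET.fromstring(xml_text)
    call = root.find(f"{{{SOAP_NS}}}Body/{{{ADM_NS}}}userExecute")
    return {a.findtext("attributeID"): a.findtext("value")
            for a in call.iter("attributes")}


if __name__ == "__main__":
    # Constructed input matching the first example above; the session ID is
    # a placeholder, not a real identifier.
    print(build_move_request("SESSION-ID-PLACEHOLDER", {
        "USERFLD_USERID": " jane.doe ",
        "USERFLD_DOMAIN": "master",
        "USERFLD_NEW_DOMAIN": "myDomainA",
        "USERFLD_NEW_ORGANIZATIONAL_UNIT": "myOU",
    }))
```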

USERCMD_GET_PERMISSION

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_GET_PERMISSION input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_ORGANIZATIONAL_UNIT | Optional |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

  Table:  USERCMD_GET_PERMISSION output parameters
| Attribute name | Returned |
| --- | --- |
| USERFLD_DOMAIN | Always |
| USERFLD_LOGICAL_ADMIN_PRIVILEGES | Always |
| USERFLD_USERID | Always |

USERCMD_SET_PERMISSION

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_SET_PERMISSION input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_LOGICAL_ADMIN_PRIVILEGES | Mandatory |
| USERFLD_ORGANIZATIONAL_UNIT | Optional |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

  Table: USERCMD_SET_PERMISSION output parameters
| Attribute name | Returned |
| --- | --- |
| USERFLD_DOMAIN | Always |
| USERFLD_LOGICAL_ADMIN_PRIVILEGES | Always |
| USERFLD_USERID | Always |

USERCMD_COPY_PERMISSION

Parameters

The following attributes can be specified in the attributeSet input parameter of this command:

  Table: USERCMD_COPY_PERMISSION input parameters
| Attribute name | Optionality |
| --- | --- |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |
| USERFLD_TO_USERID | Mandatory |
| USERFLD_TO_DOMAIN | Mandatory |

This command returns no result attributes.

Additional considerations

  • If the target user account has privileges assigned that the source user account does not have, then the target user account will lose those privileges.
  • If you specify a user account that does not have any administrative privileges assigned, the command will return an error.
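The two considerations above can be checked before the command is sent. The following pre-flight check is an added example, not code from the product: it assumes the privilege sets of both accounts were already read with USERCMD_GET_PERMISSION and parsed into sets of names, that the copy replaces the target's set with the source's, and that the documented error applies to a source account without privileges. The privilege names, account names and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CopyPlan:
    allowed: bool          # False when the command is expected to return an error
    reason: str
    revoked: frozenset     # held by the target now, absent from the source: lost
    granted: frozenset     # held by the source only: newly given to the target
    unchanged: frozenset   # privileges the target keeps


def plan_copy_permission(source_privs, target_privs):
    """Predict the effect of USERCMD_COPY_PERMISSION before it is sent."""
    source, target = frozenset(source_privs), frozenset(target_privs)
    if not source:
        # Assumption: the documented error applies to a source without privileges.
        return CopyPlan(False, "source has no administrative privileges",
                        frozenset(), frozenset(), target)
    return CopyPlan(True, "target privilege set becomes the source privilege set",
                    target - source, source - target, source & target)


def needs_second_review(plan, sensitive):
    """Flag copies that remove privileges or grant ones listed as sensitive."""
    return plan.allowed and bool(plan.revoked or (plan.granted & frozenset(sensitive)))


def change_record(plan, src, dst):
    """Render the plan as lines for a change ticket or audit log."""
    if not plan.allowed:
        return [f"COPY {src} -> {dst}: BLOCKED ({plan.reason})"]
    lines = [f"COPY {src} -> {dst}: {plan.reason}"]
    for label, privs in (("revoke", plan.revoked), ("grant", plan.granted),
                         ("keep", plan.unchanged)):
        lines += [f"  {label:<6} {p}" for p in sorted(privs)]
    return lines


# Constructed privilege names; real values come from USERFLD_LOGICAL_ADMIN_PRIVILEGES.
SOURCE = {"view_user", "update_user", "view_report"}
TARGET = {"view_user", "delete_user"}

if __name__ == "__main__":
    plan = plan_copy_permission(SOURCE, TARGET)
    print("\n".join(change_record(plan, "MASTER/helpdesk1", "MASTER/helpdesk2")))
    print("second review needed:", needs_second_review(plan, {"update_user"}))
```

Recording the `revoke` lines before the copy preserves the target's previous privilege set, which the command itself does not return.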

USERCMD_ENABLE

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_ENABLE input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

Table: USERCMD_ENABLE output parameters

| Attribute name | Returned |
|---|---|
| USERFLD_BACKEND_AUTH | |
| USERFLD_CREATE_TIME | |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | |
| USERFLD_DOMAIN | |
| USERFLD_EMAIL | If defined |
| USERFLD_EXPIRED | |
| USERFLD_HAS_DP | |
| USERFLD_LOCAL_AUTH | |
| USERFLD_LOCK_COUNT | |
| USERFLD_LOCKED | |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | |
| USERFLD_PHONE | If defined |
| USERFLD_STATUS | |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_DISABLE

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_DISABLE input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

Table: USERCMD_DISABLE output parameters

| Attribute name | Returned |
|---|---|
| USERFLD_BACKEND_AUTH | |
| USERFLD_CREATE_TIME | |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | |
| USERFLD_DOMAIN | |
| USERFLD_EMAIL | If defined |
| USERFLD_EXPIRED | |
| USERFLD_HAS_DP | |
| USERFLD_LOCAL_AUTH | |
| USERFLD_LOCK_COUNT | |
| USERFLD_LOCKED | |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | |
| USERFLD_PHONE | If defined |
| USERFLD_STATUS | |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_UNLOCK

As part of the unlock procedure, the User Lock Count will be set to 0.

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_UNLOCK input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

Table: USERCMD_UNLOCK output parameters

| Attribute name | Returned |
|---|---|
| USERFLD_BACKEND_AUTH | |
| USERFLD_CREATE_TIME | |
| USERFLD_DESCRIPTION | If defined |
| USERFLD_DISABLED | |
| USERFLD_DOMAIN | |
| USERFLD_EMAIL | If defined |
| USERFLD_EXPIRED | |
| USERFLD_HAS_DP | |
| USERFLD_LOCAL_AUTH | |
| USERFLD_LOCK_COUNT | |
| USERFLD_LOCKED | |
| USERFLD_MOBILE | If defined |
| USERFLD_MODIFY_TIME | |
| USERFLD_PHONE | If defined |
| USERFLD_STATUS | |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_RESET_PASSWORD

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_RESET_PASSWORD input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

Table: USERCMD_RESET_PASSWORD output parameters

| Attribute name | Returned |
|---|---|
| USERFLD_DESCRIPTION | If defined |
| USERFLD_EMAIL | If defined |
| USERFLD_MOBILE | If defined |
| USERFLD_PHONE | If defined |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_SET_PASSWORD

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_SET_PASSWORD input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_CONFIRM_NEW_PASSWORD | Mandatory |
| USERFLD_DOMAIN | Mandatory |
| USERFLD_NEW_PASSWORD | Mandatory |
| USERFLD_USERID | Mandatory |

The following attributes will be specified in the results output parameter of this command:

Table: USERCMD_SET_PASSWORD output parameters

| Attribute name | Returned |
|---|---|
| USERFLD_DESCRIPTION | If defined |
| USERFLD_EMAIL | If defined |
| USERFLD_MOBILE | If defined |
| USERFLD_PHONE | If defined |
| USERFLD_USERID | Always |
| USERFLD_USERNAME | If defined |

USERCMD_SET_EXPIRATION

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_SET_EXPIRATION input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_DOMAIN | Mandatory |
| USERFLD_EXPIRATION_TIME | Mandatory |
| USERFLD_USERID | Mandatory |

This command returns no result attributes.

To reset the expiration date and time, use the null attribute option (see  Attribute options).

USERCMD_RESET_LAST_AUTH_TIME

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_RESET_LAST_AUTH_TIME input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_DOMAIN | Mandatory |
| USERFLD_USERID | Mandatory |

This command returns no result attributes.

USERCMD_GET_DEPENDING_PERMISSION

The following attributes can be specified in the attributeSet input parameter of this command:

Table: USERCMD_GET_DEPENDING_PERMISSION input parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_LOGICAL_ADMIN_PRIVILEGES | Mandatory |

The following attributes will be specified in the results output parameter of this command:

Table: USERCMD_GET_DEPENDING_PERMISSION output parameters

| Attribute name | Optionality |
|---|---|
| USERFLD_REQUIRED_ADMIN_PRIVILEGE | Mandatory |
| USERFLD_RELIANT_ADMIN_PRIVILEGES | Mandatory |

Attribute options

You can use different attribute options for each attribute to change the state of the attribute when required.

Table: userExecute attribute options

| Attribute option | Description |
|---|---|
| masked | Used to mask the contents of visible attributes, such as passwords. |
| null | Used to unset attributes. |
