Clarity PPM

PPM Insights: New Lock Users Capability in CA PPM 15.3 and Higher

By ulrja01 posted 09-20-2018 08:02 AM


One of many great new features added in CA PPM 15.3 is that you can lock user accounts after 90 days without a successful login. In response to customer requests, CA has created an out-of-the-box capability with which you can lock the account with a single command, and it does not require language programming skill for scripting. This feature is very useful for user license usage housekeeping.

To populate the portlet in an on-premise environment, run the “admin lockuser” command from the command line. This locks any active user accounts that have not had a successful system login during the last 90 days.


 Is this feature also available for SaaS environments?

You can access this feature without the admin command in FedRAMP configurations of CA PPM SaaS. This feature is not available in standard CA PPM SaaS environments.

However, SaaS customers may benefit from the portlet and its query for users locked by the admin account. They may also consider copying the portlet and query and modifying them to look at all locked users, regardless of who locked the user.


 How does it work?

 Add the Locked Users (90 Days Inactivity) portlet in a page or tab. It will show the list of locked users in your system that were locked by the admin account.


Screenshot from lab machine


  • For on-premise environments, run the “admin lockuser” command from the command line.
    • It may take a few seconds or minutes to complete, depending on the number of users to be locked.
    • Wait until “locking idle users successful” appears on your screen.



  • Go back to your Locked Users (90 Days Inactivity) All active users who did not log in during the last 90 days will be locked.

Screenshot from lab machine


Can we roll back locking?

There is no rollback command to undo changes. Locked users must be updated in the CA PPM user interface (Administration -> Organization and Access -> Resources, filtered on a status of Locked) or via web services/script.


 Can we change 90 days to “N” days?

No. 90 days is a hard-coded value and it cannot be changed.


For readers interested in more detail, check out DocOps. I encourage you to participate in the best-in-class CA Communities site, where you have access to your peers, events and support. You can also reach out to CA Services for information about CA PPM release 15.3 upgrades/implementations and individualized business outcome references and analysis. Feel free to post in the comments section of this blog or contact me directly via email and Twitter @janetulrich.

1 view