Layer 7 Access Management

Tech Tip : CA Single Sign-On : Admin DISABLED STATE // Password Policy

  • 1.  Tech Tip : CA Single Sign-On : Admin DISABLED STATE // Password Policy

    Posted 05-15-2019 03:54 AM

    Question:

     

    We're running a Policy Server and we'd like to know which uses cases
    bring the user to be administratively disabled after login.

    Sm_Api_Disabled_AdminDisabled= 0x00000001 = 1

     

    Answer:

     

    At first glance, the AdminDisabled is set when an operator disabled
    manually the user in the AdminUI :

     

    Policy Server :: Disable Flag : SmAuthReason

    The Sm_Api_Disabled_AdminDisabled bit is usually set by using the
    Admin UI's disable user button; the Policy Server does not set or
    clear it during normal operations.

     

    https://comm.support.ca.com/kb/policy-server-disable-flag-smauthreason/kb000049509

     

    But this value can be added to another value for specific reason.

     

    To illustrate :

     

    User with DisableFlag = 0. User can login.
    User with DisableFlag = 1. User cannot login because the administrator disabled it manually from the AdminUI.
    User with DisableFlag = 3. User tried x times to login with incorrect credentials, and it has been disabled.

     

    Looking at the screenshots, you've configured the user to be disabled
    if it tries 5 times to login without the expected credentials.

     

    You see disable state with value of 3 because the

     

    Sm_Api_Disabled_AdminDisabled = 0x00000001 = 1 + Sm_Api_Disabled_MaxLoginFail = 0x00000002 = 2

     

    KB : KB000132212