
IDM Self service password reset unlock user from Administrative lock on SAP System

Hi all,

I'm experiencing a problem where a user, through the IDM Self service Password reset on a SAP System, will also unlock itself from an administrative lock (state 64) on that same System.

I think the problem is the value of the parameter %MX_DISABLED%, which is passed to the sap_abap_handleBoolean script that evaluates it and returns 0 or 1 to the attribute islocked of the SeABAPIdentityPassword task, executed during the reset password process.

Did someone experience the same issue? How can I check the value of that parameter?

Best regards.


2 Answers

  • Feb 09, 2017 at 09:26 AM


    In the SAP standard password reset task the user is unlocked in the target system when the user is not disabled in IdM (no attribute mx_disabled exists in the user record in IdM).

    I have experienced the same and have customized the reset password plugin to check the lock-status in ABAP before submitting the new password and the isLocked-parameter.

    Based on the returned lock value from ABAP you can then stop processing of the password reset.

    Basically easiest is to add one more process that can retrieve the value from ABAP, store the value to context and in the password reset task skip processing (for example using uSkip-function).

    For retrieving the lock value you need to search for how to call RFC in ABAP (examples can be found from this forum).

    regards, Tero


    • We read the current lock status into IDM for information purposes anyway. So this would be another way to do it and just use the value in your password hook with a switch task for example.
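
The check described in this answer, written out as an added example; it is not code from the thread or from SAP IdM. It assumes the lock value read from ABAP is the numeric user lock flag (64 is the administrator lock named in the question; 32 for a global administrator lock and 128 for a failed-logon lock are the other standard bit values), and the function names are hypothetical.

```javascript
// Added example: plain JavaScript, hypothetical function names (not IdM API).
// ABAP user lock flag bits (USR02-UFLAG).
var LOCK_GLOBAL_ADMIN = 32;   // locked by a central (CUA) administrator
var LOCK_LOCAL_ADMIN = 64;    // locked by an administrator ("state 64")
var LOCK_FAILED_LOGON = 128;  // locked after too many wrong passwords

// Parse the value retrieved from ABAP. Returns null when it is not a
// plain non-negative integer, so the caller can fail closed.
function decodeLockState(rawValue) {
  var text = String(rawValue).replace(/^\s+|\s+$/g, "");
  if (!/^\d+$/.test(text)) {
    return null;
  }
  var flag = parseInt(text, 10);
  return {
    flag: flag,
    globalAdmin: (flag & LOCK_GLOBAL_ADMIN) !== 0,
    localAdmin: (flag & LOCK_LOCAL_ADMIN) !== 0,
    failedLogon: (flag & LOCK_FAILED_LOGON) !== 0
  };
}

// Decide whether the self-service reset may run. Any administrative lock
// bit stops it, even when combined with a failed-logon lock (for example 192),
// so the reset can never clear a lock an administrator set.
function decidePasswordReset(rawValue) {
  var state = decodeLockState(rawValue);
  if (state === null) {
    return { proceed: false, reason: "lock state unknown" };
  }
  if (state.globalAdmin || state.localAdmin) {
    return { proceed: false, reason: "administrative lock" };
  }
  return {
    proceed: true,
    reason: state.failedLogon ? "failed-logon lock only" : "not locked"
  };
}

// Constructed sample values, not taken from a real system.
var samples = ["0", "64", "128", "192", ""];
for (var i = 0; i < samples.length; i++) {
  var d = decidePasswordReset(samples[i]);
  console.log(JSON.stringify(samples[i]) + " -> " + d.proceed + " (" + d.reason + ")");
}
```

In the password reset task, a `proceed: false` result is the point at which processing would be skipped, as the answer suggests.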




  • Feb 06, 2017 at 02:45 PM

    hello eight labs,

    Can you be a little more clear about your issue?

