Symantec IGA

  • 1.  Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 19, 2018 12:31 PM

    We have a Task called ServiceDeskUnlockAccount. It is used by our Service Desk to unlock users' accounts at various endpoints. I have used TEWS to run ServiceDeskUnlockAccountQuery and ServiceDeskUnlockAccountSearch to return various values, and I can determine which endpoints are locked. The problem is when I try to submit the actual ServiceDeskUnlockAccount task. It returns a Transaction ID, but it does not actually unlock the endpoint for the user.

    It appears you define "selected for unlock" in the user accounts tab section, but there are various fields in the SOAP call with no information about what needs to be entered. One of which is <wsdl:UnAssign>?</wsdl:UnAssign>, for which I have tried Yes, Y, T, True, 1, etc. Has anyone successfully used this SOAP call and unlocked a user's endpoints?



  • 2.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 21, 2018 04:13 PM

    TEWS typically just gives you the transaction ID on submission. As TEWS is asynchronous, it doesn't wait around for the return code or result.

    That said, can you upload the portion of the WSDL related to this task for inspection?



  • 3.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 25, 2018 08:45 AM

    Here is my working Unlock Account Query:


    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <soapenv:Header/>
       <soapenv:Body>
          <wsdl:TaskContext>
             <wsdl:admin_id>myUserName</wsdl:admin_id>
             <wsdl:admin_password>myPassWord</wsdl:admin_password>
             <wsdl:transaction_id>New</wsdl:transaction_id>
          </wsdl:TaskContext>
          <wsdl:ServiceDeskUnlockAccountQuery>
             <wsdl:ServiceDeskUnlockAccountSearch>
                <wsdl:Subject index="0">
                   <wsdl:OID>uid=SDTest1,ou=People,o=org</wsdl:OID>
                </wsdl:Subject>
                <wsdl:Filter xsi:nil="true"/>
             </wsdl:ServiceDeskUnlockAccountSearch>
          </wsdl:ServiceDeskUnlockAccountQuery>
       </soapenv:Body>
    </soapenv:Envelope>

    And here is my response:

    <soapenv:Envelope xsi:schemaLocation="http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns="http://tews6/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <soapenv:Body>
          <ServiceDeskUnlockAccountQueryResult>
             <ImsStatus version="6.0">
                <transactionId>cd02af03-ed985bd6-16339fcb-2f2e490</transactionId>
             </ImsStatus>
             <ServiceDeskUnlockAccountUserProfileTab>
                <_PCT_USER_ID_PCT_>SDTest1</_PCT_USER_ID_PCT_>
             </ServiceDeskUnlockAccountUserProfileTab>
             <ServiceDeskUnlockAccountObjectProfileTab>
                <_PCT_USER_ID_PCT_>SDTest1</_PCT_USER_ID_PCT_>
             </ServiceDeskUnlockAccountObjectProfileTab>
             <ServiceDeskUnlockAccountUserAccountsTab>
                <AllAccounts>
                   <currentvalue index="0">
                      <AccountType>Code=ADS&amp;FriendlyName=ActiveDirectory</AccountType>
                      <EndPointName>myEndPointName</EndPointName>
                      <LockedState>Code=1&amp;FriendlyName=TRUE</LockedState>
                      <Password/>
                      <SuspendedState>Code=0&amp;FriendlyName=FALSE</SuspendedState>
                      <UniqueName>Account=SDTest1,ADSOrgUnit=!UserAccounts,EndPoint=myEndPointName,Namespace=ActiveDirectory,Domain=im,Server=Server</UniqueName>
                      <UserAccountName>SDTest1</UserAccountName>
                   </currentvalue>
                </AllAccounts>
             </ServiceDeskUnlockAccountUserAccountsTab>
          </ServiceDeskUnlockAccountQueryResult>
       </soapenv:Body>
    </soapenv:Envelope>
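
    A small parser for the ServiceDeskUnlockAccountQuery response shown above, added here as an example (it is not code from the thread or from the product). It assumes only the element names and the `Code=…&FriendlyName=…` value encoding visible in the reply; the sample XML is a constructed copy of that response, trimmed to the accounts tab and given a second account that is suspended rather than locked, so the two states can be told apart.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: the ServiceDeskUnlockAccountQueryResult shape shown in the reply
# above, trimmed to the accounts tab, with a second (unlocked but suspended) account added.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns="http://tews6/wsdl"><soapenv:Body><ServiceDeskUnlockAccountQueryResult>
  <ImsStatus version="6.0"><transactionId>cd02af03-ed985bd6-16339fcb-2f2e490</transactionId></ImsStatus>
  <ServiceDeskUnlockAccountUserAccountsTab><AllAccounts>
    <currentvalue index="0">
      <EndPointName>myEndPointName</EndPointName>
      <LockedState>Code=1&amp;FriendlyName=TRUE</LockedState>
      <SuspendedState>Code=0&amp;FriendlyName=FALSE</SuspendedState>
      <UniqueName>Account=SDTest1,ADSOrgUnit=!UserAccounts,EndPoint=myEndPointName,Namespace=ActiveDirectory,Domain=im,Server=Server</UniqueName>
    </currentvalue>
    <currentvalue index="1">
      <EndPointName>secondEndPoint</EndPointName>
      <LockedState>Code=0&amp;FriendlyName=FALSE</LockedState>
      <SuspendedState>Code=1&amp;FriendlyName=TRUE</SuspendedState>
      <UniqueName>Account=SDTest1,EndPoint=secondEndPoint,Namespace=ActiveDirectory</UniqueName>
    </currentvalue>
  </AllAccounts></ServiceDeskUnlockAccountUserAccountsTab>
</ServiceDeskUnlockAccountQueryResult></soapenv:Body></soapenv:Envelope>"""

NS = {"w": "http://tews6/wsdl"}  # default namespace of the TEWS response body

def decode_coded(value):
    """Split a TEWS 'Code=1&FriendlyName=TRUE' value into {'Code': '1', 'FriendlyName': 'TRUE'}."""
    return {k: v[0] for k, v in parse_qs(value, strict_parsing=True).items()}

def parse_query_result(xml_text):
    """Return (transaction_id, accounts); each account carries boolean locked/suspended flags."""
    root = ET.fromstring(xml_text)
    tx = root.findtext(".//w:ImsStatus/w:transactionId", namespaces=NS)
    accounts = []
    for acct in root.iterfind(".//w:AllAccounts/w:currentvalue", NS):
        text = lambda tag: acct.findtext("w:" + tag, default="", namespaces=NS)
        accounts.append({
            "endpoint": text("EndPointName"),
            "unique_name": text("UniqueName"),
            "locked": decode_coded(text("LockedState"))["Code"] == "1",
            "suspended": decode_coded(text("SuspendedState"))["Code"] == "1",
        })
    return tx, accounts

def locked_endpoints(xml_text):
    """Endpoint names whose account is locked, i.e. the candidates for SelectedForUnlock."""
    return [a["endpoint"] for a in parse_query_result(xml_text)[1] if a["locked"]]
```

    Checking the LockedState code rather than the FriendlyName keeps the result independent of display-name localisation, and a suspended-but-not-locked account is correctly left out of the unlock candidates.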



  • 4.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 25, 2018 08:48 AM

    So based on this response I attempt to perform the unlock on the locked endpoint like this:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <soapenv:Body>
          <admin_id>myUserName</admin_id>
          <admin_password>myPassWord</admin_password>
          <transaction_id>New</transaction_id>
          <submit_action>true</submit_action>

          <ServiceDeskUnlockAccount xmlns="http://tews6/xsd/task">
             <ns1:ServiceDeskUnlockAccountSearch xmlns:ns1="http://tews6/xsd/search">
                <ns1:Subject index="0">
                   <ns1:UID xsi:nil="true"/>
                   <ns1:UniqueName xsi:nil="true"/>
                   <ns1:OID xsi:type="xsd:string">uid=SDTest1,ou=People,o=org</ns1:OID>
                   <ns1:Name xsi:nil="true"/>
                </ns1:Subject>
                <ns1:Filter xsi:nil="true"/>
             </ns1:ServiceDeskUnlockAccountSearch>
             <ServiceDeskUnlockAccountUserAccountsTab>
                <SelectedForUnlock>
                   <add index="0">
                      <UserAccountName>Account=SDTest1,ADSOrgUnit=!UserAccounts,EndPoint=myEndPointName,Namespace=ActiveDirectory,Domain=im,Server=Server</UserAccountName>
                      <EndPointName>myEndPointName</EndPointName>
                   </add>
                </SelectedForUnlock>
             </ServiceDeskUnlockAccountUserAccountsTab>
          </ServiceDeskUnlockAccount>
       </soapenv:Body>
    </soapenv:Envelope>

    This gets a response of a new Transaction ID, but the account is not actually being unlocked.



  • 5.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 25, 2018 08:52 AM

    If you go search for that transaction ID in View Submitted Tasks, what is the state of the TEWS task that you submitted? Did it complete? Did it fail?



  • 6.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 25, 2018 09:32 AM

    The Status was Completed.  Event 1:
    Modify user "SD Test1 (SDTest1)"

    In the details of the first one it has 3 events inside, all source POLICYXPRESS, with the following descriptions:

    POLICYXPRESS After:ModifyUserEvent - Event enqueued for Add Action 'organizationalStatus' 2018-06-25 08:46:21.0
    POLICYXPRESS After:ModifyUserEvent - Policy 'organizationalStatus' evaluated 2018-06-25 08:46:21.0
    POLICYXPRESS After:ModifyUserEvent - Rule 'organizationalStatus' was evaluated 2018-06-25 08:46:21.0

    Event 2:
    Modify User "SD Test1 (SDTest1)": Generated By Policy Xpress

    In the details:

    orgIdmGenericMV003 old value: \\\\\ new value: \\\\\



  • 7.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 25, 2018 10:17 AM

    The event that is missing here, that we can see when we use the same ServiceDeskUnlockAccount task in the tool, is:
    Event Name: AccountUnlockEvent

    Event Description: Account "SDTest1" unlocked: User "SDTest1"

    Task performed by: myUserName

    Primary object: Active Directory Account SDTest1

    Attributes Changed:
    Attribute: Locked

    Old Value: TRUE

    New Value: FALSE

    This is the event that is not being triggered by the SOAP call.



  • 8.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Broadcom Employee
    Posted Jun 25, 2018 03:23 AM

    Hi Michael,

    Personally I used the "Axis\optional\UnlockAccounts.java" sample with success.
    (See IM installation location: IAM Suite\Identity Manager\tools\samples\WebService\).
    "Axis2\optional\UnlockAccounts.java" is also provided.
    I am assuming you are trying to code an XML request (we have no sample).
    I suggest you look at those Axis(2) samples to build your XML tags properly.

    Regards,

    Philippe.



  • 9.  Re: Anyone Using SOAP To Unlock User Endpoints?

    Posted Jun 25, 2018 10:48 AM

    Hello,

    I looked at this example file, but it includes a number of imports that I do not have, such as:

    import tews6.wsdl.ModifyUserEndpointAccountsTaskContextDocument.ModifyUserEndpointAccountsTaskContext;

    This appears to be part of a task called Modify User Endpoint Accounts, which is not a task my organization has the web service turned on for.