I am trying to let a user with linked accounts still be able to unlock his accounts but not be able to change the password on them.
I.e., the user goes into self-service and wants to change the password on his accounts, simple or synced;
specific accounts, marked by an admin, would NOT have their password replaced.
I have tried to use account properties for this, as seen in an earlier example. They are very easy to set and retrieve when you have the userview checked out, but seem almost impossible to reach at other times, e.g. in the change password forms...
Also, disabling the account line in the change password form doesn't matter; it still changes the password if the selectall checkbox is marked... even though this account doesn't have a checkbox in the form :P
So I suspect I need to work with the targets here...
I also saw some reference to a protected attribute that supposedly is supposed to stop IdM from changing on a resource, but I haven't seen how to use that or even if it is on an account level or the whole resource...
Is there anyone out there that has mangled with this kind of stuff that can give me some hints on how to manage this?
As in my other post, I guess I will answer this myself...
I managed to do this by setting properties on the accounts, then using these properties to flag which accounts have their selected checkbox markable/marked in the password change pages, and seeing to it that the selectall checkbox won't mark any of the non-settable accounts; the rest of the normal provisioning will handle it by removing those targets from the password change list.
I.e., changes were made in the Change User Password Form, End User Change User Password Form and User Form Library at the right places to make use of those properties.